You're reading from Burp Suite Cookbook - Second Edition

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781835081075
Edition: 2nd Edition
Author: Dr. Sunny Wear

Dr. Sunny Wear is a web security architect and penetration tester. She provides secure coding classes, creates software, and performs penetration testing on web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture, and security experience and holds a Doctor of Science in Cybersecurity. She is a content creator on Pluralsight, with three courses on Burp Suite. She is a published author, a developer of mobile apps such as Burp Tool Buddy, and a content creator on courses related to web security and penetration testing. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.

Assessing Authorization Checks

This chapter covers the basics of authorization, including an explanation of how an application uses roles to determine user functions. Web penetration testing involves key assessments to determine how well the application validates functions assigned to a given role or individual user, and we will learn how to use Burp Suite to perform these tests.

In this chapter, we will cover the following recipes:

  • Testing for directory traversal
  • Testing for Local File Inclusion (LFI)
  • Testing for Remote File Inclusion (RFI)
  • Testing for privilege escalation
  • Testing for Insecure Direct Object Reference (IDOR)

Technical requirements

To complete the recipes in this chapter, you will need the following:

Testing for directory traversal

Directory traversal attacks are attempts to discover or force-browse unauthorized web pages, usually pages designed for administrators of the application. If an application does not configure the web document root properly and does not include proper authorization checks on the server side for each page accessed, a directory traversal vulnerability may exist. This type of weakness allows an attacker to perform system command injection exploitation or arbitrary code execution.

Getting ready

Using OWASP Mutillidae II as our target application, let’s determine whether it contains any directory traversal vulnerabilities.

Ensure that Burp Suite and the OWASP BWA VM are running, that Burp Suite is configured in the Firefox browser (or use the Burp Suite browser), and that you are viewing the OWASP BWA applications.

How to do it...

  1. From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application.
  2. Open the login screen...

Testing for LFI

Web servers control access to privileged files and resources using configuration settings. Privileged files include files that should only be accessible to system administrators – for example, the /etc/passwd file on Unix-like platforms or the boot.ini file on Windows systems.

An LFI attack is an attempt to access privileged files using directory traversal attacks. LFI attacks include different styles, including dot-dot-slash attacks (../), directory brute-forcing, directory climbing, or backtracking.
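The server-side handling that the directory traversal and LFI recipes probe, as an added example (not code from the book, Mutillidae or Burp Suite): a resolver that undoes repeated URL encoding, collapses dot-dot-slash, climbing and backtracking segments, and refuses any path that leaves an assumed document root, DOC_ROOT.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example (not a path taken from the book).
DOC_ROOT = "/var/www/html/docs"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (e.g. %252e%252e%252f) before inspecting the path.

    A fixed number of rounds keeps a hostile input from forcing endless decoding.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the canonical path if it stays inside root, otherwise None.

    normpath collapses '.' and '..' segments, so ../ chains, directory climbing
    and backtracking all reduce to one canonical form, and the commonpath check
    rejects any result outside the document root. Backslashes are treated as
    separators (Windows-style traversal) and null bytes are refused because they
    truncate paths in some runtimes. posixpath is used so the behaviour does not
    depend on the host OS; on a live server resolve symlinks with realpath too.
    """
    candidate = decode_fully(user_path).replace("\\", "/")
    if "\0" in candidate:
        return None
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, candidate.lstrip("/")))
    if posixpath.commonpath([root, full]) != root:
        return None
    return full
```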

Getting ready

Using OWASP Mutillidae II as our target application, let’s determine whether it contains any LFI vulnerabilities.

Ensure that Burp Suite and the OWASP BWA VM are running and that Burp Suite is configured in the Firefox browser used to view the OWASP BWA applications.

How to do it...

  1. From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
  2. Open the login screen of OWASP Mutillidae II in the Firefox...

Testing for RFI

RFI is an attack that attempts to access external URLs and remotely located files. This kind of attack is possible due to parameter manipulation, a lack of server-side checks, and a lack of whitelisting for outbound traffic at the firewall level. These oversights may lead to data exfiltration of user information to external servers controlled by an attacker.

Getting ready

Using OWASP Mutillidae II as our target application, let’s determine whether it contains any RFI vulnerabilities.

Ensure that Burp Suite and the OWASP BWA VM are running and that Burp Suite is configured in the Firefox browser used to view the OWASP BWA applications.

How to do it...

  1. From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application.
  2. Open the login screen of OWASP Mutillidae II in the Firefox browser. From the top menu, click Login.
  3. Find the request you just performed within the Proxy | HTTP history table. Look for the call to the login...

Testing for privilege escalation

Developer code in an application must include authorization checks on assigned roles to ensure an authorized user is not able to elevate their role to a higher privilege. Attackers commonly reach elevated functionality through parameter tampering, forced browsing, and authentication bypass. These privilege escalation attacks typically work by modifying the value of an assigned role or another parameter and replacing it with a different value. If the attack is successful, the bad actor gains unauthorized access to resources or functionality normally restricted to administrators or more powerful accounts.

Getting ready

Let’s use the Privilege escalation via server-side prototype pollution PortSwigger lab, which is located in the Prototype pollution section of All labs, as our target application. We will attempt to find a weakness in the Node.js inheritance hierarchy to elevate our privileges within the appli...

Testing for IDOR

Allowing unauthorized direct access to files or resources on a system based on user-supplied input is known as IDOR. This vulnerability allows us to bypass authorization checks placed on such files or resources. IDOR is a result of unchecked user-supplied input to retrieve an object without performing authorization checks in the application code.
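The two authorization failures described in the privilege escalation and IDOR sections, as an added example (not code from the book or from the PortSwigger labs): a request handler that trusts a client-supplied role parameter and looks up objects by id without an ownership check, beside a hardened version that takes the role from server-side session state and enforces ownership. The Session, Document and DOCS sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # set by the server at login; never taken from the request


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data (not from the book or the lab).
DOCS: Dict[int, Document] = {
    1: Document(1, 100, "invoice for user 100"),
    2: Document(2, 200, "invoice for user 200"),
}


def _parse_id(raw: Optional[str]) -> Optional[int]:
    """Parse an object id from a request parameter; reject anything non-numeric."""
    return int(raw) if raw is not None and raw.isdigit() else None


def fetch_document_vulnerable(params: Dict[str, str]) -> Optional[Document]:
    """IDOR: the id from the request is used directly with no ownership check."""
    doc_id = _parse_id(params.get("doc_id"))
    return DOCS.get(doc_id) if doc_id is not None else None


def fetch_document_hardened(session: Session, params: Dict[str, str]) -> Optional[Document]:
    """Look the object up, then enforce ownership or admin role from the session."""
    doc_id = _parse_id(params.get("doc_id"))
    doc = DOCS.get(doc_id) if doc_id is not None else None
    if doc is None:
        return None
    if session.role == "admin" or doc.owner_id == session.user_id:
        return doc
    return None  # a real handler answers 403 here without revealing the object exists


def is_admin_vulnerable(params: Dict[str, str]) -> bool:
    """Privilege escalation: the role is read from a tamperable request parameter."""
    return params.get("role") == "admin"


def is_admin_hardened(session: Session, params: Dict[str, str]) -> bool:
    """Role decisions come from server-side session state; request params are ignored."""
    return session.role == "admin"
```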

Getting ready

Let’s use the Insecure direct object references PortSwigger lab, which is located in the Access control section of All labs, as our target application. We will attempt to find a direct object reference used as a value to a parameter, manipulate it, and access information that should normally not be seen.

Log in to your PortSwigger account and navigate to the following URL: https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references. Ensure Burp Suite is running and sending traffic through either Firefox or the Burp Suite browser.

How to do it...

  1. From the...