Searching for security flaws and exploits with Burp Suite
On Patrol
Many automated web security tools are available in the market today, but even the best of these tools have limitations. Many web vulnerabilities are difficult – or even impossible – to detect without human interaction. Some of the best tools for web security analysis take the form of a browser (with a few simple add-ons) and an attack proxy. This article describes how attack proxies work and shows how to look for web vulnerabilities using the popular attack proxy Burp Suite.
Attack proxies vary in functionality, price, and reliability, so for consistency, I'll use Burp Suite throughout these examples. Burp Suite includes a tool for intercepting traffic (the "proxy" module itself), as well as modules for spidering sites, repeating and manipulating individual requests, sequencing random values, decoding traffic, and more. Each of these components provides unique insight into the application's functionality and security ramifications, but all require an intelligent person to decode the results.
Installation and Configuration
After you download the free edition of Burp Suite [1], simply double-click the .jar file to run it. Once the application is running, click Proxy | Options and check the Proxy Listeners section (Figure 1) to identify the IP address and port the proxy is listening on. The default listener is 127.0.0.1:8080.
For the rest of the exercise, you'll need a browser (Firefox), two Firefox extensions (Cookies Manager+ [2] and FoxyProxy Standard [3]), and Burp Suite for the testing. Once these tools are installed, you should see a new icon to the right of the URL bar, indicating the status of the Firefox proxy. Similarly, you can access Cookies Manager+ from the Tools menu, which lets you easily identify cookies, values, and associated data. With Burp running and the browser extensions installed, right-click the FoxyProxy icon (in red), click the Options tab, then select Add New Proxy (Figure 2).
Using the data from the Burp proxy, insert the IP address and port for a new proxy configuration, type in a proxy name, and click Accept. Once back on the main browser page, right-click on the FoxyProxy icon to cycle through proxy configurations and enable the newly created proxy. To test the new settings, type in a URL and verify that the proxy is intercepting the request, as shown in Figure 3.
Burp Suite Basics
Once you have Burp Suite installed and configured, take a moment to look around. The most common and basic function is the proxy, which allows you to intercept HTTP(S) requests from the browser to the site you are testing. As packets are intercepted, you can modify parameters, cookies, and other data, and you can filter packets within the proxy to include or exclude similar packets (Figure 4).
The Spider tab allows for the spidering of sites through link identification and scraping of the pages listed in the robots.txt file. Spidering is a vital piece of any security assessment, because it can yield administrative access pages, test functions, or other pages that were not intended to be published. Similar to the Spider tab is the Target tab, which allows whitelisting and blacklisting of pages within the target scope, as well as viewing of spidered pages in the site map (Figure 5).
Describing the scope properly makes it easier to identify rogue pages and helps you better isolate useful pages in other areas of Burp Suite. Nearly all modules support isolating analyzed sessions to those in the target scope.
The Intruder section lets you set any value within an HTTP request as an insertion point for a given variable. Although this sounds like a cryptic definition, it's easily understood with a basic example. Using the default sample, the URL /example?p1=aaa is sent, with a single GET parameter.
By setting the parameter as an insertion point for security testing, you can replace the aaa value with a variety of payloads, including dates, numbers, passwords, filenames, or a custom list of user-defined values. Because it can fuzz parameters, brute force usernames and passwords, and be used for a number of other security tests, the Intruder section is the Swiss army knife of the Burp Suite toolset, providing a wide range of possibilities.
The Repeater tab provides an easy interface to craft custom requests, as well as to identify consistency issues within the application. I often prefer this module for verifying time-based SQL injection vulnerabilities, which automated testing tools frequently report as false positives.
Next, the Sequencer tab collects and analyzes tokens for randomness and predictability; a session token that is not securely random is a significant vulnerability. To use it, locate in the Proxy history the page where a session token is issued and send that request to the Sequencer for live capture of tokens. Once the session value is identified (similar to creating an insertion point in the Intruder), start the live capture and begin collecting session cookies. Once 100 of these have been collected, the randomness testing can begin, and the results are updated as more values are collected for a more thorough analysis. This explanation doesn't fully cover the process, but I'll explain it further as I describe a real attack process.
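The character-level analysis the Sequencer performs, as an added example that is not part of the original article or of Burp Suite: it measures how much each character position varies across a captured sample. The two token sets are constructed (a zero-padded counter and a seeded PRNG), and position_entropy, weak_positions and total_entropy are hypothetical helper names, not a Burp API.

```python
"""Per-position entropy estimate over a batch of session tokens.

Added example, not part of the original article or of Burp Suite: it mimics
the idea behind the Sequencer's character-level analysis. Token sets are
constructed locally; a real run would feed in values captured by the proxy.
"""
import math
import random
from collections import Counter

MIN_SAMPLE = 100  # the Sequencer also wants about 100 tokens before analysing


def position_entropy(tokens):
    """Shannon entropy (bits) of the symbol seen at each character position."""
    if len(tokens) < MIN_SAMPLE:
        raise ValueError(f"need at least {MIN_SAMPLE} tokens, got {len(tokens)}")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    total = len(tokens)
    result = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        h = -sum(c / total * math.log2(c / total) for c in counts.values())
        result.append(h)
    return result


def weak_positions(tokens, threshold=3.0):
    """Positions whose entropy is below threshold bits (a hex digit maxes at 4)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold]


def total_entropy(tokens):
    """Rough upper bound on token entropy in bits (per-position values summed)."""
    return sum(position_entropy(tokens))


# Constructed sample 1: a counter padded to 32 hex digits; only the last two
# characters ever change, so the next token is trivially predictable.
WEAK_TOKENS = [f"{0x1000 + i:032x}" for i in range(256)]

# Constructed sample 2: 32 hex digits from a seeded PRNG, seeded only so the
# run is reproducible; a real application should use the secrets module.
_rng = random.Random(2024)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32))
                 for _ in range(256)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(f"{name}: ~{total_entropy(toks):.1f} bits, "
              f"low-entropy positions: {weak_positions(toks)}")
```

Summing per-position entropies ignores correlations between positions, so it can only over-estimate the real entropy; a low figure is therefore a firm finding, while a high one still warrants the Sequencer's fuller tests.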
Vulnerability Identification
With the basics of Burp Suite explained, I'll focus more on using these tools to identify flaws in your web infrastructure. To begin, I'll analyze cookie security misconfigurations, particularly relating to the Secure and HttpOnly flags on web applications. I'll use the aforementioned Burp Intruder to attack login forms and brute force valid accounts and then test the randomness of session cookies with the Sequencer. All of these steps will be performed using only a web browser and the free edition of Burp Suite.
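A quick check for the Secure and HttpOnly flags mentioned above, as an added example that is not from the article or from Burp Suite; the Set-Cookie header values are constructed placeholders, and parse_set_cookie, missing_flags and audit are hypothetical helper names.

```python
"""Audit Set-Cookie headers for missing Secure and HttpOnly flags.

Added example, not part of the original article or of Burp Suite: it does the
check a tester would otherwise do by eye in the Proxy history. The header
values below are constructed for illustration.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags like Secure map to ""
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return the protective flags absent from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:      # cookie would also be sent over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:    # cookie readable by script injected via XSS
        missing.append("HttpOnly")
    return missing


def audit(headers):
    """Map each cookie name to its missing flags; fully flagged cookies are omitted."""
    findings = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response headers (values are placeholders, not real tokens)
SAMPLE_HEADERS = [
    "PHPSESSID=placeholder1; Path=/",
    "csrftoken=placeholder2; Path=/; Secure",
    "auth=placeholder3; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```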