Burp Suite for Web Application Security

Apr 17, 2025

Web Application Penetration Testing with Burp Suite

Introduction

  • Objective: Walkthrough of a web app penetration test using Burp Suite without focusing on just commands or buttons.
  • Audience: Introductory for new users, insightful for experienced users.
  • Methodology: Not a full pen test methodology, but a practical guide using OWASP Juice Shop as a target.

Setting Up the Target Environment

  • Tool: OWASP Juice Shop via Docker or Heroku.
  • Burp Suite Setup: Use Burp Community, disable intercept in the Proxy tab, open browser to access the target.

Reconnaissance Phase

  • Phase 1: Understand the Application
    • Identify it as an e-commerce platform with product listings, reviews, user accounts.
  • Phase 2: Application Mapping
    • Perform reconnaissance using browser and Burp side by side.
    • Use HTTP history to track requests.

Interacting with Application Features

  • Product Reviews and Feedback
    • Analyze product reviews API requests and responses.
    • Test customer feedback form for CAPTCHA flaws.
    • Attempt to automate feedback submissions and identify replay and impersonation vulnerabilities.

Exploring Potential Vulnerabilities

  • Endpoint Analysis
    • Analyze photo wall API requests for user enumeration and information leakage.
    • Highlight and track findings using Burp's Proxy and Repeater tabs.
  • User Registration and Login
    • Map the registration process, analyze security question/answer handling.
    • Investigate potential mass assignment vulnerabilities in user objects.

Advanced Testing Techniques

  • JWT Analysis
    • Decode JWT tokens using Burp Decoder to identify potential exposure.
    • Identify issues like MD5 hash leakage, unlimited token lifetime.
  • Basket Manipulation and Authorization Testing
    • Test basket API endpoints for insufficient authorization.
    • Use Burp Intruder to automate and extract user ID information.
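The JWT checks listed above (no expiry, a hash carried in the payload) are easy to script once the token is copied out of Burp Decoder. The following is an added example, not code from the talk or from Juice Shop: it decodes a token without verifying it, flags a missing `exp` claim, a lifetime beyond an assumed 24-hour review threshold, `alg=none`, and any claim whose value looks like a bare MD5 digest. The sample token is constructed inline.

```python
import base64
import json
import re
import time

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
MAX_LIFETIME_SECONDS = 24 * 3600  # assumed review threshold, not from the talk


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment (used to build the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _walk(value, path, findings):
    """Recurse through nested claims; flag any string shaped like a bare MD5 digest."""
    if isinstance(value, dict):
        for k, v in value.items():
            _walk(v, f"{path}.{k}" if path else k, findings)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _walk(v, f"{path}[{i}]", findings)
    elif isinstance(value, str) and MD5_HEX.match(value):
        findings.append(f"possible MD5 hash leaked in claim '{path}'")


def audit_jwt(token: str, now=None) -> list:
    """Decode header and payload (no signature check) and return review findings."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: signature is not enforced")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: unlimited token lifetime")
    elif exp - (time.time() if now is None else now) > MAX_LIFETIME_SECONDS:
        findings.append("exp is more than 24h away: lifetime exceeds policy")
    _walk(payload, "", findings)
    return findings


# Constructed sample: nested user object with an MD5-shaped password field and no exp claim.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "HS256", "typ": "JWT"}),
    b64url_encode({"status": "success", "iat": 1700000000, "data": {
        "id": 1, "email": "user@example.test", "password": "0123456789abcdef0123456789abcdef"}}),
    "signature-placeholder",
])

if __name__ == "__main__":
    for finding in audit_jwt(SAMPLE_TOKEN):
        print("FINDING:", finding)
```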

Logic Flaws and Exploitation

  • Logic Flaws
    • Introduce logic flaws such as skipped steps and inconsistent workflows.
    • Demonstrate the negative-quantity logic flaw, where the order total turns into money gained rather than a payment.
  • Exploit Scenario
    • Provide a challenge to purchase an out-of-stock item (face mask).

Putting It All Together

  • Intruder and Repeater Integration
    • Use Intruder to find unlisted products like the "Christmas Special".
    • Delete extraneous items from basket using automated deletion.
    • Utilize Repeater and Intruder for logical exploration and attack.

Conclusion

  • Summary: Hands-on guide emphasizing Burp Suite as a tool for web app pen testing.
  • Community Engagement: Encouragement to provide feedback and engage with content.
  • Resources: Suggests further exploration of vulnerabilities and usage of Burp Suite tools.