![Sneaky interactions
Let's look at IP addresses...
rsnbh[...]8zzno.oastify.com
→ 54.77.139.23 (and 3.248.33.252 too)
nsec-364d8b17.nip.io
→ 54.77.139.23
My correlation ID is rsnbh[...]8zzno 19](https://image.slidesharecdn.com/nsec23-burptipsntricks-231218062508-63acb483/85/Burp-suite-pro-tips-and-tricks-for-hacking-19-320.jpg)
![Sneaky interactions
$ curl http://nsec-364d8b17.nip.io/yolo/rsnbh[...]8zzno
20](https://image.slidesharecdn.com/nsec23-burptipsntricks-231218062508-63acb483/85/Burp-suite-pro-tips-and-tricks-for-hacking-20-320.jpg)
![Sneaky interactions
$ curl -A rsnbh[...]8zzno http://nsec-364d8b17.nip.io/
21](https://image.slidesharecdn.com/nsec23-burptipsntricks-231218062508-63acb483/85/Burp-suite-pro-tips-and-tricks-for-hacking-21-320.jpg)
![Hackvertor
Exploit a TE.CL vulnerability
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: <@arithmetic(2,'+')><@length>[...]<@/length><@/arithmetic>
Transfer-Encoding: chunked
<@chunked_dec2hex><@length><@get_chunk/><@/length><@/chunked_dec2hex>
<@set_chunk(false)>SMUGGLED SMUGGLED<@/set_chunk>
0
27](https://image.slidesharecdn.com/nsec23-burptipsntricks-231218062508-63acb483/85/Burp-suite-pro-tips-and-tricks-for-hacking-27-320.jpg)
![Hackvertor
Sign the body of a request
[...]
X-Token: <@set_token(false)>foobar123456<@/set_token>
X-Sig: <@hmac_sha1('<@get_token/>')><@get_body/><@/hmac_sha1>
[...]
<@set_body(false)>name=joe&surname=john&role=admin<@/set_body>
28](https://image.slidesharecdn.com/nsec23-burptipsntricks-231218062508-63acb483/85/Burp-suite-pro-tips-and-tricks-for-hacking-28-320.jpg)
Burp suite pro tips and tricks for hacking
- 1. Tips and tricks for Burp Suite Pro Ten years later... Nicolas Grégoire aka @Agarri_FR Northsec 2023
- 2. Intro 2
- 3. Who am I? Nicolas Grégoire Twitter → @Agarri_FR Email → nicolas.gregoire@agarri.fr Founder & owner of Agarri Pentest, training and research Official Burp Suite training partner Mostly for Europe (I cover North America too ) 100+ trainees per year (either on-site and online) 3
- 4. What is the plan? Core tools Proxy History / Repeater Intruder/ Collaborator Extensions Hackvertor / Piper / Burp Bounty Other subjects Hotkeys / Poor-man automation Performances / How to stay up to date Enjoy Montreal 4
- 6. Avoid scrolling Problem Need to scroll to see fresh entries Cause → Burp Suite shows the oldest entry on top Solution Reverse the sorting order Click on the header of the # column Watch out for the small arrow pointing down! That also works in Logger (core tool) and Logger++ (extension) 6
- 7. Identify sequences Problem Mapping actions to traffic is hard Solution #1 Highlight the top row before triggering an action I would use the grey color Solution #2 When intercepting, highlight and comment the first request I would use the yellow color 7
- 9. Avoid scrolling Problem You want to see a specific piece of the response Like the element <div class="status"> Solution Enter a search criteria Check "Auto-scroll to match when text changes" 9
- 10. Search among tabs Problem Tabs are propely labeled, and groups too How to search among them? Solution Use Control + Shift + S (action "Search tabs") That also works in Intruder and Collaborator 10
- 12. Built-in wordlists Burp Suite Pro ships with ~ 50 wordlists They can be accessed in two clicks Relevant payload types Simple list Character substitution Case modification Illegal Unicode 12
- 13. Built-in wordlists Built-in wordlists can be exported Adding lists (possibly from 3rd-parties) is also doable From the menu bar Use "Intruder > Configure predefined payload lists" 13
- 14. Built-in wordlists A dozen of wordlists contain placeholders Naming isn't standardized {FILE} versus {KNOWNFILE} {domain} versus <yourservername> Replacements must be manually configured Check next page for details 14
- 15. Built-in wordlists Relevant payload processing rules "Replace {base} with base value of payload position" "Replace {domain} with collaborator interaction id" "Match/replace" (for {FILE} , <youremail> , ...) 15
- 17. Sneaky interactions Common assumption Pingbacks must use the Collaborator domain name Is that really true? 17
- 18. Sneaky interactions Yes, it's true For DNS interactions No, it isn't true For HTTP interactions 18
- 19. Sneaky interactions Let's look at IP addresses... rsnbh[...]8zzno.oastify.com → 54.77.139.23 (and 3.248.33.252 too) nsec-364d8b17.nip.io → 54.77.139.23 My correlation ID is rsnbh[...]8zzno 19
- 20. Sneaky interactions $ curl http://nsec-364d8b17.nip.io/yolo/rsnbh[...]8zzno 20
- 21. Sneaky interactions $ curl -A rsnbh[...]8zzno http://nsec-364d8b17.nip.io/ 21
- 23. Hackvertor Provides more than 200 transformers And hundreds of charsets Transformers can be chained Simply stack them up! Transformation happens on-the-fly 23
- 25. Hackvertor Generate fake data <@fake_hacker("Does the $adjective $noun $verb?","en-GB")/> ↓ Does the optical hard drive back up? Does the digital transmitter parse? Does the multi-byte alarm copy? This feature is provided by com.github.javafaker 25
- 26. Hackvertor Set a global variable <@set_email(true)><@base64>nicolas.gregoire@agarri.fr<@/base64><@/set_email> Generate a signed JWT <@jwt('HS256','secretkey')>{"email":"<@get_email/>","uid":12345}<@/jwt> The true flag defines the email variable as global 26
- 27. Hackvertor Exploit a TE.CL vulnerability POST / HTTP/1.1 Host: vulnerable-website.com Content-Length: <@arithmetic(2,'+')><@length>[...]<@/length><@/arithmetic> Transfer-Encoding: chunked <@chunked_dec2hex><@length><@get_chunk/><@/length><@/chunked_dec2hex> <@set_chunk(false)>SMUGGLED SMUGGLED<@/set_chunk> 0 27
- 28. Hackvertor Sign the body of a request [...] X-Token: <@set_token(false)>foobar123456<@/set_token> X-Sig: <@hmac_sha1('<@get_token/>')><@get_body/><@/hmac_sha1> [...] <@set_body(false)>name=joe&surname=john&role=admin<@/set_body> 28
- 29. Hackvertor Well-known transformations <@base64> , <@sha256> , <@length> , <@lowercase> ,... Access to the base request <@context_url> , <@context_param> , <@context_header> , ... Script execution <@python> (Jython v2.7.0), <@groovy> (v3.0.7), <@java> , ... Command execution <@system> 29
- 30. Hackvertor Warning Hackvertor will break Burp syntax parsing That will impact Syntax highlighting Automatic detection of injection points Automatic URL-encoding 30
- 32. Piper Executes anything within Burp Suite Interpeters, CLI and GUI tools, ... Numerous use-cases Display JSON data using gron Open a PDF file using Okular Compare messages using delta or Meld Uniquely identify bodies using md5sum Detect JWT-authenticated requests using grep Bypass WAF by modifying Scanner payloads using sed 32
- 33. Piper + Gron Demo! Display JSON data using gron 33
- 34. Piper + Okular Demo! Open a PDF file using Okular 34
- 35. Piper + Meld Demo! Compare three requests using Meld 35
- 37. Burp Bounty Extension that allows to add scan checks No need to write your own extension Useful when farming 1-day vulnerabilities Should be superseded by BChecks Something like "Nuclei for Burp Suite" It will be released as a core feature in the next weeks 37
- 38. BChecks Burp Scanner for pentesters https://www.youtube.com/watch?v=mDYsmfeSxd8&t=2241s 38
- 40. Use combos Problem Multi-step interactions are executed dozens of times a day Like sending a request from Proxy History to Repeater Solution Use a combination of keyboard shortcuts Control + R → Send to Repeater Control + Shift + R → Switch to Repeater Control + Space → Issue Repeater request 40
- 42. Poor-man automation We need two ingredients A live task in Burp Suite Configured to scan everything passing through the proxy The command-line tool ffuf Configured to replay findings through a proxy 42
- 43. Poor-man automation Configure the live task 43
- 44. Poor-man automation Run ffuf $ ffuf -u https://www.agarri.fr/FUZZ -w wordlist.txt -mc 200 -replay-proxy http://127.0.0.1:8080 44
- 46. Performances Problem Burp Suite consumnes a lot of resources Opinion Computers are way cheaper than brains Solution Use an oversized computer (CPU, RAM and screen estate) 46
- 47. Other subjects How to stay up to date 47
- 48. How to stay up to date PortSwigger on Youtube https://www.youtube.com/@PortSwiggerTV PortSwigger on Twitter https://twitter.com/PortSwigger https://twitter.com/Burp_Suite https://twitter.com/BApp_Store My own dedicated account https://twitter.com/MasteringBurp 48
- 49. Outro 49
- 51. Want more content? I'll soon release an online workshop Details Cost → Free Subject → Session management for Apps and APIs Date → During NahamCon (June 16th, 2023) 51
- 52. Thanks for listening! Any questions? Nicolas Grégoire aka @Agarri_FR Northsec 2023