Nowadays, creating and developing a website is not difficult for anyone. A website can be of great help to everyone, especially in the current 4.0 era, and the Covid-19 pandemic has pushed even more of our activity online. But have you ever wondered whether the website you build is safe enough for you and for the customers accessing the system? What if an attacker goes after your website?
So today Anonyviet brings you a series on the security of your website system. You will play the role of the attacker and attack your own website (pentest), and from there find the weaknesses in the system and learn how to fix them.
Overview of Pentest Burpsuite Support Software
Burp Suite currently comes in several versions, each with quite different features and interfaces. In this article, Anonyviet will introduce Burp Suite version 2021.4.3.
After installation, open Burp Suite and you will see an interface like the one below.
How to use Burp Suite
The Dashboard shows information about the Tasks running against the website being pentested. The Event log below lists detected issues. The information in the Event log frame is quite important: many certificate-related errors and connection errors are also displayed here, which makes them easier to spot and faster to fix.
Next is the Target section
In Target you will see the subsites of the target website that have been accessed and the requests made to them. Press the > button next to each site to expand it as a tree, which gives a more intuitive view of the target.
Target also lets you filter requests more quickly, using its Scope subtab.
Next is the Proxy tab, an extremely important part of Burp Suite. The HTTP history subtab keeps a record of the requests made while you interact with the application or website in real time. You can view each request and response directly and edit it.
From the Proxy tab, you can select a request and send it to other Burp Suite tools such as Repeater, Intruder, Comparer, …
In the version introduced here, Burp Suite ships with an embedded Chromium browser, which is very convenient and saves you from having to configure a proxy manually in another browser.
To open Chromium, click Open Browser like the image below.
When the Chromium browser is launched, go to any website, Anonyviet.Com for example, and look at the recorded requests in the Proxy HTTP history tab. If they do not appear, your Intercept is off; click to turn it on.
The next tab is Intruder. It is used a lot to brute-force usernames, passwords and directories, or to test for IDOR…
Next to the Intruder tab is Repeater, an indispensable component every time we pentest. It lets us edit any part of the request: the method, headers, parameters, etc. After editing the request, click Send to send it to the server and receive the response.
It is not for nothing that I call this an indispensable component: attacking a target requires us to send payloads at different positions in the request, and Burp Suite is no exception.
Changing the request like this lets us try every payload we have, look for inputs reflected in the response (when looking for XSS vulnerabilities), or see what comes back when we submit a SQL injection payload, … and Repeater is the best tool for those tasks.
This part is quite important, so I will go into detail in the next articles. Remember to follow along.
Next is the Sequencer tab, which is used to analyze the quality of the token generation algorithms on the website, to see whether the tokens are easy to guess.
Next is the Decoder tab, used to encode or decode data in formats such as MD5, AES, BASE64 …
The Comparer tab is used to compare different requests and responses that you send to it from other tabs, such as the Proxy or Target tabs. To send one, right-click the request and select Send to Comparer.
The Logger tab, as the name implies, records all requests executed by Burp Suite.
The Extender tab is an interesting one: it lets you add existing Burp extensions, or add extensions you have developed yourself. I will go into more detail in the next posts.
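The kind of randomness check Sequencer performs, as an added Python example that is not part of the original article or of Burp Suite: it measures the per-position Shannon entropy of a sample of tokens and flags samples that are simply counters. Both token sets are constructed here, and the 64-bit threshold is an assumption for the demo.

```python
import math
import random
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the character seen at each position.

    A position whose character never changes contributes 0 bits; a hex
    position that is uniformly random contributes close to 4 bits."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must have equal length")
    n = len(tokens)
    bits = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits

def looks_sequential(tokens):
    """True if the tokens, decoded as hex integers, grow by a constant step."""
    values = [int(t, 16) for t in tokens]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1

def assess(tokens, min_bits=64):
    """Summarise a sample: estimated effective bits and whether it is guessable.

    The per-position sum is an upper bound on the real entropy, so a sample
    that already fails this test is certainly weak. min_bits is an assumed
    threshold for this demo."""
    total = sum(position_entropy(tokens))
    sequential = looks_sequential(tokens)
    return {"estimated_bits": round(total, 1), "sequential": sequential,
            "guessable": sequential or total < min_bits}

# Constructed sample sets, not tokens captured from any real website.
rng = random.Random(1234)  # seeded so the demo is reproducible
GOOD_TOKENS = ["%032x" % rng.getrandbits(128) for _ in range(500)]
# A weak generator: a fixed prefix followed by an incrementing counter.
WEAK_TOKENS = ["deadbeef%024x" % (1000 + i) for i in range(500)]

if __name__ == "__main__":
    for name, sample in (("good", GOOD_TOKENS), ("weak", WEAK_TOKENS)):
        print(name, assess(sample))
```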
These are some basics you should be familiar with before the pentesting process begins. Learning more on your own will be very helpful, especially for beginners. In the next articles we will look at brute-force techniques, information gathering, and more. I hope you will follow along and support the series.