Let’s continue from Part I.
We covered the Dashboard, Proxy, and Repeater sections in that lesson. Time to cover the Intruder section:
Intruder
The Intruder is fundamentally a fuzzing tool. It sends multiple requests with altered values to a target.
There are 4 tabs within the Intruder: Positions, Payloads, Resource Pool, and Settings.
Positions
This tab has 2 sections.
- Choose an attack type
  - It’s exactly how it sounds. Look at the image below: you can choose from 4 attacks.
- Payload positions
  - This determines where the payloads are placed by Burp Intruder during an attack.
  - The add button adds a new payload position to the request.
  - If you highlight a value and click the “Add” button, it will enclose the value with “§” characters. This tells Burp to replace that value with an element from a list (keep reading: this will make sense in a moment!).
  - The clear button removes all positions added.
  - The auto button detects where the payload positions are.
  - The refresh button simply refreshes the request.
I know this may sound confusing. Let’s use Intruder on an application and break down what’s happening.
The Intruder Tool in Action
Access this lab.
When you sign in, this page appears:
Click anywhere in your browser’s address bar and hit enter. It will take you to a login page.
Turn the Intercept on in the Proxy section of BurpSuite, then put any values in the fields. Click “Log in.”
Navigate to Proxy → Intercept. Your request was captured.
Hold down ‘Ctrl’ and ‘I’ (the letter i) simultaneously. This will send the request to the Intruder.
Head to Intruder → Positions. Click the clear button to clear preset positions.
Highlight the value in the username parameter, which is “asher” in this example. Click the add button.
‘§’ will enclose the value:
Make sure the attack type is “Sniper.” Head to this URL and copy the entire list of usernames.
Go to Intruder → Payloads.
Set the payload set to 1. Make the payload type “Simple list.” Then click the paste button (as shown below):
Click “Start attack.” BurpSuite will attempt to brute force the login:
When it ends, click the “Length” column header twice to sort the results by response length. One username will have a response length that’s slightly higher than the others.
Click the payload. Under the “Response” tab, click “Render.”
It says “Incorrect password.” This is because the username exists in the database, but the password doesn’t match what we entered.
To verify, open a different request in the render tab. You will see the message “Invalid username.”
Now that we know the correct username, we need to update our template request. Navigate to Intruder → Positions.
Look at the request under the “Payload Positions” tab. Change the username value to the correct username and remove the “§” characters enclosing it.
Copy the whole list of passwords from this site. Head to Intruder → Payloads. Click “Clear” in the “Payload settings” pane.
Then click “Paste” to enter the passwords.
Navigate to Intruder → Positions. Click the clear button to remove any previous payload positions.
Highlight the value you entered for the “password” variable, then click “add.” It will be surrounded by the ‘§’ characters. Like this:
Then click “Start Attack.” The process repeats.
When the attack is finished, click the “Length” column header again. One response will have a shorter length.
Click it and look in the Response → Raw tab.
You’ll see that a session cookie is created.
Turn the Intercept off. Try the username/password we acquired from fuzzing:
Great work!
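The length difference the lab relies on comes from two distinct error messages, one per failure case. As an added example (not from the lab or this post), here is a constructed login handler with that discrepancy beside a hardened one that returns a single message and always does the hash comparison; the user store, salt and password are made up for the demo.

```python
import hashlib
import hmac

# Constructed user store for the demo (not the lab's data):
# one account, password stored as a salted PBKDF2 hash (single demo salt).
_SALT = b"constructed-demo-salt"
_ITERATIONS = 20_000  # kept low so the demo runs quickly


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _hash("correct horse battery")}
_DUMMY = _hash("dummy")  # compared against when the username does not exist


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message (and its length) reveals whether the username exists."""
    if username not in USERS:
        return "Invalid username"
    if hmac.compare_digest(_hash(password), USERS[username]):
        return "Logged in"
    return "Incorrect password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for both failure cases, and the hash is always computed
    so a missing username cannot be told apart by response time either."""
    stored = USERS.get(username)
    ok = hmac.compare_digest(_hash(password), stored if stored is not None else _DUMMY)
    if ok and stored is not None:
        return "Logged in"
    return "Invalid username or password"


def response_lengths(handler, usernames, password="x") -> dict:
    """What Intruder's Length column shows: the size of each candidate's response body."""
    return {u: len(handler(u, password)) for u in usernames}


def enumerable(handler, usernames, password="x") -> bool:
    """True if response lengths differ between candidates, i.e. the handler leaks
    which usernames exist. Usable as a regression check on a login endpoint."""
    return len(set(response_lengths(handler, usernames, password).values())) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "admin"]
    print("leaky:  ", response_lengths(login_leaky, names), enumerable(login_leaky, names))
    print("uniform:", response_lengths(login_uniform, names), enumerable(login_uniform, names))
```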
Decoder
From the Portswigger docs:
Burp Decoder enables you to transform data using common encoding and decoding formats. You can use Decoder to:
– Manually decode data.
– Automatically identify and decode recognizable encoding formats, such as URL-encoding.
– Transform raw data into various encoded and hashed formats.
Decoder enables you to apply layers of transformations to the same data. This enables you to unpack or apply complex encoding schemes. For example, to generate modified data in the correct format for an attack, you could:
1. Apply URL-decoding, then HTML-decoding.
2. Edit the decoded data.
3. Reapply the HTML-encoding, then the URL-encoding.
Navigate to the Decoder section and type anything into the first box.
Click the “Encode as” button next to the top pane and select a format. The bottom pane will update accordingly.
In the screenshot below, I encoded the top pane to Base64. The results appeared in the bottom pane.
On the second pane, decode the data as Base64.
A third pane appears. It’s the data from the second pane, but it’s decoded from Base64 to plain text.
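The three-step workflow quoted from the docs above, as an added example in Python rather than the Decoder UI (this is not code from the post or from PortSwigger): unpack URL-then-HTML encoding, edit the plaintext, repack in the reverse order, plus the Base64 round trip from the two-pane walkthrough. The sample parameter value is constructed.

```python
import base64
import html
from urllib.parse import quote, unquote

# Constructed sample: a parameter value that was HTML-encoded, then URL-encoded.
SAMPLE = "%26lt%3Bb%26gt%3Bhello%26lt%3B%2Fb%26gt%3B"


def decode_layers(data: str) -> str:
    """Step 1: apply URL-decoding, then HTML-decoding (outermost layer first)."""
    return html.unescape(unquote(data))


def encode_layers(data: str) -> str:
    """Step 3: reapply HTML-encoding, then URL-encoding (the reverse order).
    safe="" so that '/' and other reserved characters are percent-encoded too."""
    return quote(html.escape(data, quote=True), safe="")


def edit_inner_value(encoded: str, old: str, new: str) -> str:
    """Step 2 sandwiched between 1 and 3: unpack, edit the plaintext, repack."""
    return encode_layers(decode_layers(encoded).replace(old, new))


def base64_round_trip(text: str) -> tuple:
    """The two-pane walkthrough: encode as Base64, then decode the result back."""
    encoded = base64.b64encode(text.encode()).decode()
    return encoded, base64.b64decode(encoded).decode()


if __name__ == "__main__":
    print(decode_layers(SAMPLE))                       # <b>hello</b>
    print(edit_inner_value(SAMPLE, "hello", "world"))  # %26lt%3Bb%26gt%3Bworld%26lt%3B%2Fb%26gt%3B
    print(base64_round_trip("burp"))                   # ('YnVycA==', 'burp')
```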
Comparer
This tool helps you compare data items.
To see it in action, head to the Proxy section. Click the “HTTP History” tab and select any request.
Highlight some text in the request or response section. Right click the highlighted field, then click “Send to Comparer.”
Repeat the same process with another request. Then head to the Comparer section and click “Compare.” You can view them side by side, either in text or hex format.
Sequencer
The Sequencer analyzes the quality of randomness in a data set. You can use this tool to test elements that are designed to be unpredictable, like session tokens.
Target
The Target tool shows the site map and detailed information about the target application.
You can also define the scope of your work with Target. This is important for ensuring that you don’t pentest out-of-scope IPs.
Extender
This section is where you install plugins for BurpSuite.
It’s fairly simple. To see how it works, navigate to Extensions → BApp Store. Install the plugin “Turbo Intruder.” It will be added to the toolbar at the top of Burp.
Now you have a solid understanding of BurpSuite.
Next time, I’ll walk you through leveraging Burp to complete a Cyber CTF (Capture The Flag) challenge.
Thanks for reading!