Recently, I had the privilege of attending an Advanced Web Application Security training session at NorthSec, which made heavy use of Burp Suite Pro. Even the free community version of Burp Suite is terribly useful for pen-testing your sites before deployment, but I have personally found it difficult to find solid tutorials on how to use it, so I thought I would give a quick primer for totally new users. Below, I give you just a quick taste of what the Burp Suite Free Edition can do by exploiting a simple reflected XSS flaw with it. (Usual caveat: please don’t use this tool against websites without the owner’s explicit permission, and certainly don’t commit XSS sins on other people’s sites, as that is highly illegal.)
Install the Target
To show off Burp’s functions, I installed the Damn Vulnerable Web Application (DVWA), which you can download yourself to follow along. For these purposes, I have set the security level to “medium” under DVWA Security in the left-hand menu. DVWA remembers the level in a cookie named “security”, so every request you look at later should carry security=medium. I’m using Firefox to demonstrate, which is almost like cheating, since Chrome’s built-in XSS Auditor (which Google has since removed from the browser) would block the simplest reflected payloads outright. Because the point of this post is to show you how to use Burp, though, I’m okay with demonstrating on an incredibly cheesy flaw like this.
Find the Entrypoint
First, let’s take a look at the page itself and see how it works. There’s an obvious entrypoint in the submission field: the form submits with GET, so whatever you type shows up in the URL as the “name” query parameter (“name=xxxxxx”). Here’s a naive attempt to exploit this entrypoint with XSS.
It doesn’t work, of course, because the Damn Vulnerable Web Application is set at medium security. At that level DVWA strips the literal string “<script>” out of the name parameter before reflecting it, so the textbook payload comes back with its tags gone. We could keep entering attempts at XSS here one by one, but there’s a much easier way to do this with Burp Suite.
Set up Burp Suite Proxy
First, I have to change Firefox’s proxy settings under Preferences > Advanced > Network > Connection > Settings so that my traffic goes through Burp Suite, where I can intercept it and mess around with it. Here are the settings you’ll want: a manual HTTP proxy of 127.0.0.1 on port 8080 (Burp’s default listener), “Use this proxy server for all protocols” ticked, and the “No Proxy for” box emptied. Firefox puts localhost and 127.0.0.1 in that box by default, and since DVWA is probably running right there, leaving them in means your requests will never reach Burp.
Now, I start up Burp Suite and set it up as a temporary project. The first thing I do is navigate to the Proxy tab and turn off Intercept so that the button reads “Intercept is off”. I would rather just go through my HTTP history instead of pausing every request I make.
Find the Request in HTTP history
Now that Burp Suite is recording my browser requests, I reload my exploitable page in Firefox with my attempted XSS, just to get a base to work from. I take a look at the HTTP history tab, and sure enough, the request is there! (If it isn’t, the usual culprit is the localhost bypass in Firefox’s proxy settings. While you’re here, check that the Cookie header on the request shows security=medium, so you know you are testing the level you think you are.)
Send the Request to the Repeater
Now that I have my request, I can send it to a bunch of different places just by ctrl-clicking it (or right-clicking, if I happen to be on Windows); Ctrl+R is the keyboard shortcut for sending it to Repeater. In this case, I’ll send it to the Repeater tab and take a look at what it shows me: the raw request in an editable pane, and once I hit Go, the server’s response next to it.