Dear PenTest Readers,
In the current edition we decided to take a close look at one of the most popular and essential tools for pentesters - Burp Suite. Whether you use the Community Edition or Professional, there are tons of possibilities for enhancing the efficiency of your penetration tests.
Our contributors provided amazing content: tutorials, tips, techniques, and extensions that will certainly help you get familiar with Burp Suite if you haven’t had such an opportunity just yet. If you're an advanced user of this software, you’ll discover new pentesting vectors. REST API and SOAP webservices, fuzzing, broken access control, a review of multiple extensions - we’ve got it all covered in this edition! With these write-ups you’ll definitely have a great start using Burp Suite and taking your proficiency with it to the next level.
As usual, there are articles and case studies covering other offensive security topics. And believe us - but better check it out yourself - they are true gems this month: gRPC pentesting, the myth of EDR protection, a thorough introduction to Bug Bounties, multi-homed hosts detection, and foreseeing systemic risk are surely real treats for every pro!
We’re also happy to inform you that with this edition we’re officially starting a regular collaboration with Cobalt - two talented pentesters who work for this company provided articles on the main topic of the current issue. We’re thrilled about the great content still to come in the future!
For now, let’s dive into the fascinating journey of discovering Burp Suite!
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Security Testing of Webservices and APIs
by Mukul Kantiwal
We will look into the process of setting up your environment for API or webservice testing. We will take REST APIs and SOAP webservices as examples to understand how to set up your environment for testing them using Burp Suite or any other web application proxy. On the developer side, the tools widely used for creating or testing APIs are Postman for REST APIs and SOAPUI for SOAP webservices. Burp can test any REST API or SOAP webservice, provided you can use a normal client for that endpoint to generate normal traffic. We will be using Postman and SOAPUI to generate the traffic and capture it in Burp Suite to perform security testing.
Art of FUZZing Through BurpSuite
by Rikunj Sindhwad
Fuzzing is really an art in which the attacker tries to attack a victim with randomized payloads. The payloads can be anything, and the victim could be anyone or anything. A short example: the victim is a website's hidden files and parameters, so the payloads would be a list of filenames and parameter names, and the attack results in the discovery of hidden parameters and files. Similarly, many types of fuzzing can be done to identify vulnerabilities and hidden information such as parameters, headers, and files. BurpSuite is great when it comes to fuzzing a website thanks to its Intruder integration. Intruder lets BurpSuite fuzz the target, which can be a URI, headers, parameters, the method, or anything else related to a web request.
Automating Broken Access Control with the Auth Analyzer Extension
by Jesus Espinoza (Cobalt)
This article presents an automated way to test for broken access control vulnerabilities, using Burp Suite and the Auth Analyzer extension, a very useful tool that is still under development. Auth Analyzer has other capabilities, such as CSRF (Cross-Site Request Forgery) token extraction, updating authorization headers, or updating cookies (so that your session never expires), among others. So we encourage you to take a look at the Auth Analyzer extension on your own and see its potential.
Top 10 Tips for Burp Suite [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Nairuz Abulhul
Burp Suite is a great analysis tool for testing web applications and systems for security vulnerabilities. It has so many great features to utilize during a pentesting engagement. The more you use it, the more you discover its handy features.
Introduction to Bug Bounties
by William Colachicco
This article is generally geared towards beginners and novices to get them started doing bug bounties and web app hacking. Intermediate-level hackers may get some useful information out of it also. I will broadly discuss different bug bounty platforms and how they work. Then I will provide some additional resources and recommendations for learning and practicing. The core of the article will consist of a walkthrough of how to actually hack on web apps and the tools to use. Finally, report writing will be discussed along with some additional recommendations for leveling up in this field. If this seems like a lot, don’t worry, I tried to pack a lot of actionable information into this article. Happy hacking!
Burpsuite Extensions for Pentesters
by Ninad Mathpati (Cobalt)
Burp Suite is a go-to tool for penetration testers and bug hunters. It has a robust and modular framework and is packed with extensions that can increase web application testing efficiency. Extensions for Burp can be used to modify Burp’s behaviour in several ways, including changing HTTP requests and responses, customizing the interface, adding custom scans, and accessing key runtime information, such as the proxy history, the target site map, and scan issues during the test.
by Arun S and Sourish Das
This article imparts knowledge about gRPC technology, the different ways of implementing it, and the various security concerns associated with it. As part of our research and past pentest experience, we have developed a vulnerable gRPC application in Java to better understand these vulnerabilities. We will be demonstrating the various vulnerabilities that can possibly be found in an application using gRPC.
EDR Protection is a MYTH
by Er Deepanshu Khanna
In this era of cybersecurity, malware has evolved and grown much stronger. This is no longer the era of deploying a virus and crashing a whole system or organization. The objective of attackers worldwide has changed. Now the main objective of the attackers is to grab as much confidential information as they can and sell it on the “Black Markets” or to competitors. Hence the EDR solutions, which claim they can protect organizations against real-world attacks such as ransomware (which is a type of malware). But then why did big organizations such as ACER, Microsoft, CNA, Channel9, etc., get attacked? Does it mean that these organizations are not spending money on deploying EDR solutions? The answer is that these companies are spending millions of dollars deploying heavy security solutions, but when it comes to practice in real time, they only protect the systems against known signatures. Whichever solution an organization deploys to monitor and prevent real-time attacks, the truth remains the same: this is a cat and mouse chase. Today the organizations implement a solution, tomorrow there will be a bypass. Or today the attackers bypass the solutions, tomorrow there will be a patch for this.
Multi-homed Hosts Detection
The reality is that a single PC can be connected to two network segments at once - a public one and a protected one. This is a big and non-obvious hole in any firewall. It is these holes that this technique will help to identify. But how do you find such nodes? By trying to compromise each of them at random? There is a better way. The NetBIOS protocol will help us.
Foreseeing Systemic Risk
by Bruce Williams
I have taught systems risk management, mainly WHS, for many years. You need to show, as part of your legal defence, that you were improving your safety position, especially if there was a death. If a person dies as a result of ransomware locking up your medical database, who would be responsible? The cybersecurity staff whose role was to stop it from happening? The directors who did not pay? Cybersecurity has some elements of legal defence (have the directors shown that they took steps to protect the company, etc.) and there are various systems in use based on threat analysis. Any system has an inherent system risk, and there are new concepts such as NAT that make cybersecurity defence better in the future. So when people tell me they have a system, I say “So how’s that working out for you?” We don’t know if it is working.