Practical 5
Name : Premsagar Manoj Pawar
Subject : Cyber Security Lab
Class : BE Computer
Section : B
Roll No : 30
Aim: Study of Web Application Analysis Tools in Kali Linux
Web Application Proxies: Burpsuite
Burpsuite can be used as a sniffing tool between your browser and the web servers to find the parameters that the web application uses.
To open Burpsuite, go to Applications → Web Application Analysis → burpsuite. To set up sniffing, configure Burpsuite to behave as a proxy: go to Proxy → Options and check the box under Running for the interface 127.0.0.1.
Using Burp Proxy
The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between your browser and destination web servers. This lets you intercept, inspect, and modify the raw traffic passing in both directions.
If the application employs HTTPS, Burp breaks the TLS connection between your browser and the server, so that even encrypted data can be viewed and modified within Burp's tools.
Configuring your external browser to work with Burp
Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. To do this, you change your browser's proxy settings to use the proxy host address (by default, 127.0.0.1) and port (by default, 8080) for both HTTP and HTTPS protocols, with no exceptions. This ensures that all HTTP and HTTPS traffic will pass through Burp. The details of how to do this vary by browser and version. Please refer to the relevant section below based on which browser you intend to use with Burp.
Check your browser proxy configuration
When you've configured your browser, you need to test that it is working properly by performing the following steps. If anything does not happen in the way described below, there is a problem with your browser configuration. In this case, please refer to the troubleshooting page.
Make sure you have checked that the proxy listener is active and have configured your chosen browser.
With Burp running, open the browser that you configured and go to any HTTP URL (don't use HTTPS for the moment). Your browser should sit waiting for the request to complete, that is, it should look like it is stuck trying to load a page. This is because Burp has intercepted the HTTP request that your browser is trying to send.
In Burp, go to the "Proxy" tab and open the "Intercept" sub-tab. Both of these tabs should be highlighted. On the "Intercept" tab, you should see the intercepted HTTP request in the main panel.
Notice the button that says "Intercept is on". If you click it, it will change to "Intercept is off" and the request will be released from Burp.
Go back to your browser. You should now see the requested page loading as it would during normal browsing.
If everything went as described above, you have finished the mandatory configuration steps for using an external browser with Burp Suite. However, at the moment you will only be able to test web applications that exclusively use HTTP. If you try to access an HTTPS URL using your external browser, you will notice that the connection is blocked. Therefore, we strongly recommend that you perform the final additional step to install Burp's CA certificate so that you can also test applications using HTTPS.
Getting set up
Burp Proxy works in conjunction with the browser that you are using to access the target application. You can either:
Use Burp's embedded browser, which requires no additional configuration. Go to the "Proxy" > "Intercept" tab and click "Open Browser". A new browser session will open in which all traffic is proxied through Burp automatically. You can even use this to test over HTTPS without the need to install Burp's CA certificate.
Use an external browser of your choice. For various reasons, you might not want to use Burp's embedded browser. In this case, you need to perform some additional steps to configure your browser to work with Burp, and install Burp's CA certificate in your browser.
When you have things set up, visit any URL in your browser, then go to the "Proxy" > "Intercept" tab in Burp Suite. If everything is working, you should see an HTTP request displayed for you to view and modify. You will need to forward HTTP messages as they appear in order to continue browsing. You should also see entries appearing on the "HTTP history" tab.
Intercepting requests and responses
The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow:
Manually reviewing intercepted messages is often key to understanding the application's attack surface in detail.
Modifying request parameters often allows you to quickly identify common security vulnerabilities.
By default, Burp Proxy intercepts only request messages, and does not intercept requests for URLs with common file extensions that are often not directly interesting when testing (images, CSS, and static JavaScript). You can change this default behavior in the interception options. For example, you can configure Burp to only intercept in-scope requests containing parameters, or to intercept all responses containing HTML.
You may often want to turn off Burp's interception altogether, so that all HTTP messages are automatically forwarded without requiring user intervention. You can do this using the master interception toggle in the Intercept tab.
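The interception rules described above (requests only, skip static file extensions, optionally only in-scope requests that carry parameters, optionally responses containing HTML) can be modelled as a small filter. The following is an added example written for this report, not Burp's own code: the `InterceptRules` class, the `STATIC_EXTENSIONS` list and the hostnames are constructed for illustration, and Burp's real default extension list may differ.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Extensions treated as "not directly interesting" static content. Constructed
# for this example; Burp's built-in default list is similar but not copied here.
STATIC_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "ico", "svg",
                     "css", "js", "woff", "woff2"}


@dataclass
class InterceptRules:
    """Hypothetical model of the Proxy interception options discussed above."""
    intercept_requests: bool = True          # Burp default: requests are intercepted
    intercept_responses: bool = False        # Burp default: responses pass through
    skip_static_extensions: bool = True      # Burp default: skip images/CSS/static JS
    only_in_scope_with_params: bool = False  # optional stricter rule
    only_html_responses: bool = True         # when intercepting responses, HTML only
    scope_hosts: set = field(default_factory=set)


def _extension(path: str) -> str:
    """Return the lower-cased file extension of the last path segment, or ''."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def has_parameters(method: str, url: str, body: str = "") -> bool:
    """A request 'contains parameters' if it has a query string or a POST body."""
    return bool(urlsplit(url).query) or (method.upper() == "POST" and bool(body))


def should_intercept_request(method: str, url: str, body: str = "",
                             rules: Optional[InterceptRules] = None) -> bool:
    """Decide whether a request would be held in the Intercept tab."""
    rules = rules or InterceptRules()
    if not rules.intercept_requests:
        return False
    parts = urlsplit(url)
    # Static content is forwarded without stopping, whatever the query string.
    if rules.skip_static_extensions and _extension(parts.path) in STATIC_EXTENSIONS:
        return False
    if rules.only_in_scope_with_params:
        in_scope = parts.hostname in rules.scope_hosts
        return in_scope and has_parameters(method, url, body)
    return True


def should_intercept_response(content_type: str,
                              rules: Optional[InterceptRules] = None) -> bool:
    """Decide whether a response would be held, based on its Content-Type."""
    rules = rules or InterceptRules()
    if not rules.intercept_responses:
        return False
    if rules.only_html_responses:
        return content_type.split(";")[0].strip().lower() == "text/html"
    return True


if __name__ == "__main__":
    scoped = InterceptRules(only_in_scope_with_params=True,
                            scope_hosts={"target.example"})
    for method, url, body in [
        ("GET", "http://target.example/login?user=alice", ""),
        ("GET", "http://target.example/static/app.js", ""),
        ("POST", "http://target.example/login", "user=alice&pass=x"),
        ("GET", "http://other.example/search?q=1", ""),
    ]:
        print(method, url,
              "default:", should_intercept_request(method, url, body),
              "scoped:", should_intercept_request(method, url, body, scoped))
```

With the default rules every non-static request stops in the Intercept tab; with the scoped rule set only a parameterised request to `target.example` does, which is what makes browsing a large application tolerable while still catching the requests worth reviewing.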
Using the Proxy history
Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks. Sometimes you may want to completely disable interception in the Intercept tab, and freely browse a part of the application's functionality, before carefully reviewing the resulting requests and responses in the Proxy history.
Burp provides the following functions to help you analyze the Proxy history:
The history table can be sorted by clicking on any column header (clicking a header cycles through ascending sort, descending sort, and unsorted). This lets you quickly group similar items and identify any anomalous items.
Burp Proxy testing workflow
A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. You can do this using the context menus that you can access by right-clicking in various locations throughout Burp.
For example, having observed an interesting request in the proxy, you might want to quickly perform a vulnerability scan of just that request, using Burp Scanner.
You could send the request to Repeater to manually modify the request and reissue it over and over.
You could send the request to Intruder to perform various types of automated customized attacks.
You could send the request to Sequencer to analyze the quality of randomness in a token returned in the response.
You can perform all these actions and various others from the context menus that appear in both the Intercept tab and the Proxy history.
Key configuration options for Burp Proxy
For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options:
You might need to modify the Proxy listener, to bind to different interfaces, redirect requests to different hosts, handle server TLS certificates differently, or support invisible proxying for non-proxy-aware clients.
You can configure the Proxy to automatically modify HTTP responses in various systematic ways; for example, to unhide hidden form fields, remove JavaScript form validation, etc.
You can configure match / replace rules to automatically change the content of requests and responses.
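To make concrete what the proxy in L12's sense actually does, and how a response match/replace rule such as "unhide hidden form fields" is applied, here is an added example written for this report (not Burp's code): a minimal plain-HTTP forward proxy that relays GET requests to the origin and rewrites `type="hidden"` to `type="text"` in the body on the way back. The `ForwardingProxy`, `Origin`, `RESPONSE_RULES` and `fetch_through_proxy` names, the embedded origin page and the loopback ports are all constructed for the demonstration; TLS interception, which Burp performs with its own CA, is deliberately not modelled.

```python
import http.client
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed match/replace rules applied to response bodies: (pattern, replacement).
# This one mirrors the "unhide hidden form fields" option described in the text.
RESPONSE_RULES = [
    (re.compile(rb'type=(["\'])hidden\1'), rb'type=\1text\1'),
]


def apply_rules(body: bytes, rules=RESPONSE_RULES) -> bytes:
    """Apply every match/replace rule, in order, to a response body."""
    for pattern, repl in rules:
        body = pattern.sub(repl, body)
    return body


class ForwardingProxy(BaseHTTPRequestHandler):
    """Toy HTTP (not HTTPS) proxy: relays the request, rewrites the response."""

    def do_GET(self):
        target = urlsplit(self.path)  # proxy clients send an absolute URL
        path = (target.path or "/") + ("?" + target.query if target.query else "")
        # Pass client headers through; drop the hop-by-hop Proxy-Connection header.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() != "proxy-connection"}
        try:
            conn = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
            conn.request("GET", path, headers=headers)
            resp = conn.getresponse()
            body = apply_rules(resp.read())
        except OSError:
            self.send_error(502, "upstream unreachable")
            return
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            # Body length may have changed, so recompute framing headers ourselves.
            if k.lower() not in ("content-length", "transfer-encoding", "connection"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)
        conn.close()

    def log_message(self, *args):  # keep the demo quiet
        pass


# Constructed origin page standing in for the target application.
ORIGIN_PAGE = (b'<form><input type="hidden" name="role" value="user">'
               b'<input type="submit"></form>')


class Origin(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(ORIGIN_PAGE)))
        self.end_headers()
        self.wfile.write(ORIGIN_PAGE)

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a handler on a free loopback port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_through_proxy():
    """Return (direct_body, proxied_body) for the same origin URL."""
    origin, proxy = _serve(Origin), _serve(ForwardingProxy)
    url = f"http://127.0.0.1:{origin.server_address[1]}/login"
    direct = urllib.request.build_opener(urllib.request.ProxyHandler({})).open(url, timeout=5).read()
    via_proxy = urllib.request.build_opener(urllib.request.ProxyHandler(
        {"http": f"http://127.0.0.1:{proxy.server_address[1]}"}))
    proxied = via_proxy.open(url, timeout=5).read()
    for s in (proxy, origin):
        s.shutdown()
        s.server_close()
    return direct, proxied


if __name__ == "__main__":
    direct, proxied = fetch_through_proxy()
    print("direct :", direct.decode())
    print("proxied:", proxied.decode())
```

The browser-side configuration in the earlier section is exactly what `ProxyHandler` does here: the client is told to send its requests to the proxy's address rather than the origin's, and the proxy is the only component that sees both the unmodified response and the rewritten one.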
References:
1. https://portswigger.net/burp/documentation/desktop/getting-started/proxysetup/browser
2. https://portswigger.net/burp/documentation/desktop/penetration-testing
3. https://www.youtube.com/watch?v=1O-xOTp96d8
4. https://www.tutorialspoint.com/kali_linux/index.htm
ZapProxy
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.
ZAP-OWASP Zed Attack Proxy is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is a Java application.
Step 1 − To open ZapProxy, go to Applications → 03-Web Application Analysis → ZAP.
Step 2 − Click “Accept”. ZAP will start to load.
Step 3 − Choose one of the options and click “Start”. Preferably select “No, I do not want to persist this session at this moment in time”.
Step 4 − Enter the URL of the web application to test in “URL to attack” → click “Attack”. After the scan is completed, the top left panel shows all the crawled sites. In the left panel “Alerts”, you will see all the findings along with their descriptions.
Step 5 − Click “Spider” and you will see all the links scanned.
Install and Configure ZAP
ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker images available on the download site listed below.
Install ZAP
The first thing to do is install ZAP on the system you intend to perform pentesting on. Download the appropriate installer from the Download page.
Note that ZAP requires Java 8+ in order to run. The Mac OS/X installer includes an appropriate version of Java but you must install Java 8+ separately for Windows, Linux, and Cross-Platform versions. The Docker versions do not require you to install Java.
Once the installation is complete, launch ZAP and read the license terms. Click Agree if you accept the terms; ZAP will finish installing and then start automatically.
Persisting a Session
When you first start ZAP, you will be asked if you want to persist the ZAP session. By default, ZAP sessions are always recorded to disk in an HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.
If you choose to persist a session, the session information will be saved in the local database so you can access it later, and you will be able to provide custom names and locations for saving the files.
The Burp tools you will use for particular tasks are as follows:
Scanner - This is used to automatically scan websites for content and security vulnerabilities.
Intruder - This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
Repeater - This is used to manually modify and reissue individual HTTP requests over and over.
Collaborator client - This is used to generate Burp Collaborator payloads and monitor for resulting out-of-band interactions.
Clickbandit - This is used to generate clickjacking exploits against vulnerable applications.
Sequencer - This is used to analyze the quality of randomness in an application's session tokens.
Decoder - This lets you transform bits of application data using common encoding and decoding schemes.
Comparer - This is used to perform a visual comparison of bits of application data to find interesting differences.
Burpsuite :
ZAP Proxy :