
Walkthrough of the Burp Suite basic Web Application pentesting room focusing on the practical example section.

Burp Suite

Simply put, Burp Suite is a Java-based framework aimed at providing a one-stop shop for penetration testing of Web applications. Burp is able to capture and manipulate all the traffic between an attacker and a web server. This ability to intercept, view and modify web requests before they are sent to the target server makes Burp Suite perfect for any type of manual web application test.

Configuration

Burp Proxy listens on 127.0.0.1:8080, which means that all browser traffic has to be routed through that port in order to be intercepted. To do this we can use Burp's built-in Chromium browser, Firefox or any other browser. We can install an extension like FoxyProxy, with which proxy profiles can be saved, making it easier to switch between proxy settings. There are other workflow options that can be set up to simplify interception (e.g. Scoping), but they are not strictly needed, so we leave them aside for now.

Practical Example Attack

Let’s take a look at the support form and test it for Cross-Site Scripting (XSS) as a quick example. XSS is essentially the injection of a client-side script (usually JavaScript) into a web page so that it runs in the victim's browser. There are several forms of XSS; the one we will try is called “reflected”, as it affects only the person making the web request. Typically, filters are applied to web forms to stop special characters being tampered with, but there are a variety of ways to stop those filters from loading and also to bypass them. First, let’s enter some data into the email field while interception is active in Burp. This is to identify where in the POST request to put our payload.

Then all we need to do is swap the email string for our payload and “Forward” the request in Burp. This is essentially a Man-In-The-Middle (MITM) position, as we are tampering with the data on the fly between the browser and the server.

If the payload is processed as intended, we should receive a pop-up confirming the successful request.

Obviously, when the subsequent requests are forwarded in Burp, the input would be deemed not legitimate.
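As an added example that is not part of the original walkthrough or the room's own application, the following shows the server-side reflection pattern that makes a support form like this one vulnerable, beside a hardened version that validates on input and encodes on output (the function names and the constructed sample value are assumptions):

```javascript
// Added example (not from the TryHackMe room or the original post): a minimal
// handler that reflects the submitted "email" field back into the response,
// first as the vulnerable pattern, then hardened. Names are assumptions.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let user-controlled text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Conservative allow-list check for the email field: reject anything the
// support form should never accept before it reaches the page at all.
function isValidEmail(value) {
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(value);
}

// Vulnerable: the POST body value is interpolated straight into the HTML, so a
// request modified in the proxy is reflected verbatim to whoever sent it.
function renderVulnerable(email) {
  return `<p>Thanks! We will reply to ${email}</p>`;
}

// Hardened: validate on input AND encode on output. Both layers are kept,
// because either one alone can be undone by a later change elsewhere.
function renderSafe(email) {
  if (!isValidEmail(email)) {
    return '<p>Invalid email address.</p>';
  }
  return `<p>Thanks! We will reply to ${escapeHtml(email)}</p>`;
}

// Constructed sample: a value substituted for the email field in the
// intercepted request. It carries HTML metacharacters but no real script.
const TAMPERED = 'user"<b>@example.com';

console.log(renderVulnerable(TAMPERED)); // metacharacters land in the page as-is
console.log(renderSafe(TAMPERED));       // rejected before reflection
```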

Thanks for reading and as always, any feedback is most welcome.