Burp Proxy: Intruder and Repeater
Now that we are done with the basics of Burp Proxy and its working, let look at the Repeater Option within Burp. Keep the Interceptor off and just crawl the site and let the traffic get captured.
TURN OFF the INTERCEPTOR and normally surf the web and everything gets sent to the HISTORY tab so you can test them.
In this screen we can view the sites that we have visited and the ones with a tick mark in the params column are the ones that we can fiddle with. Select the request we want to test and right click it. Select “send to repeater”.
The repeater tab will be highlighted when any traffic is sent towards it. We can use the repeater to do some quick manual inspections. The request already prepared in the RAW tab, it is also cleaned and organized if you prefer to review on the parameters, header, or hex tabs.
The REPEATER allows you to make any changes you want to the request and then resend it to analyze the results from the server. It even highlights the request parameters in BLUE and possible vectors to manipulate in RED. Click the GO button to send the traffic to the server. The server will respond with output with respect to the values that you have modified. We can select the “render” option to have a look at the site itself, rather than in raw format.
Now if we suspect that the target website has any vulnerability that we can explore, INTRUDER comes handy. Right click the message body and sent it to the INTRUDER.
Intruder is used to automate customized attacks against Web applications.
It has four tabs: – target, positions, payloads and options.
Target: This panel is used to specify the target host and the port to use for the connection. There is an option for using SSL encryption, if required.
Positions: This panel is an important option in automating attack strings on the target. The types of attack vectors are sniper attack, battering ram attack, pitchfork attack and cluster bomb. The tool will use the highlighting to show you were the possible attack points are. The tool uses the § symbol as start and end markers for each targeted attack position. If you want to replace the parameter value then place the §§ symbols before and after, however if you want to test altering or injecting after it then place the §§ symbols directly after the parameter value; eg:- §abc§ or abc§§
Now we need to select the attack type:-
Sniper: This attack mode lets us inject a single payload into the chosen attack positions. This takes the payload options and inserts them one by one into the chosen position and then repeats until it has tested all payload options.
Battering Ram: This takes our desired payload and inserts it into the chosen attack positions. The difference here is that if more than one position is chosen it will insert the same payload into all positions at once and test, whereas the Sniper tests them one by one.
Pitchfork: This attack mode allows you to test multiple payloads based on attack position, with a max of 8 being able to be defined. This attack mode sets a different payload for each position and moves through them one by one while testing multiple positions at once.
Cluster Bomb: This attack mode uses multiple payloads and allows you to test each possible payload in each chosen attack position, meaning it will try payload1 in position1 and then on the next test it will try payload1 in position2, swapping out for any other payloads you have defined.
In the payload tab, we can select various sets or upload a custom file set, by selecting the “runtime file”.
You can paste some scripts or some SQL injection scripts (as shown below) in a notepad and select it.
- and 1=1
- and 1=2
- and 1>2
- and 1<=2
Now verify the settings in Options tabs. Scroll down on the OPTION page and you will find a section for grep. We can define text to search for on the results page after our payloads have been inserted.
Once all these are set, you can actually run the test using our HTTP request we identified earlier and now using our selected Sniper attack with payload and grep contents. Run the Intruder tool by clicking on the file menu at top and selecting Intruder -> start attack.
A new window will open up where we can see our test results.