![]() ![]() For a good article discussing this same thing, check out the SecureState blog. When you run the attack, the macro will run automatically as it is defined as a session handling rule and the CSRF token will be automatically retrieved and placed in that parameter. Set up the Intruder attack the same as if you were doing a password brute force. Take the login page or in this case, the add user POST request and send it to intruder. Add the macro you created earlier and click the radio button that says “ Update Only the following parameters” and put in the value of the parameter that contains the CSRF token. Set all the items to the preset except for the CSRF token, which needs to say “ Derive from prior response“.Īdd a new Session Handling Rule. Go into the other request and and configure it as well. Burp will automatically add the start and end values needed for extraction. Go ahead and find the CSRF token and highlight it. ![]() Click “ add” under the “ Custom parameter locations in response“. In the case of WordPress, this is on the user-new.php page.Ĭlick “ Configure Item” on the first request with the CSRF token. You will need to include two requests, one where the CSRF token is defined, and the POST request you want to submit. First step is to go to “ Project Options” and click “ Add” under “ Macros“. You can use this same methodology against anything else, such as a login form that requires it. For this example I’m going to use adding a user in WordPress, reason being that it requires a CSRF token each time. This can be really annoying for an attacker. Some applications will use CSRF tokens on login pages to stop this exact type of attack. Compare response lengths and consider using grep under the “ Options” tab to extract data from the responses or identify keywords. This means if you had 10 users, and 3 passwords each, it would send 30 requests. When you run the attack, it will try every username with every password specified. I would recommend only using 3 or 5 passwords, as the targeted application may lock out user accounts. For Payload set #2, add in a couple simple, common passwords such as “ Summer17!” or “ $Comapanyname1“. For Payload #1 load in your username list. ![]() Both of these can be set as “ Simple list“. The #1 refers to the username (First highlighted parameter) and the #2 is the second highlighted parameter, the password. You will have two options under payload set. When you go to the payloads tab it will be slightly different. Also take note that we switched the attack type to “ Cluster bomb“. We will go through the same steps, except in the positions tab we will need to highlight both the username and password fields. While it’s unlikely a single user has a weak password, it’s much more likely that one of many users has a weak password. This is going to be a similar, however in this case we are assuming we have a list of usernames. Another method is to click the “ Options” tab and use “ Grep – Match” or “ Grep – Extract” to flag items with keywords or strip out certain strings from within the responses. Typically I will sort by length to find differences in responses. ![]() When you get the results, you are going to want to look for differences in the responses. Either paste in your wordlist from the clipboard, or click the “ load…” button and select a wordlist file. Switch to the payload tab and keep the payload type set to “ simple list“. All you need to do is start by sending the POST request associated with the logon to Burp Intruder.Ĭlear out all the auto selected parameters, and then highlight the password field and click the “ add” button. While tools like Hydra exist for this purpose, I find that it is much easier to tune in burp. Often times penetration testers will want to brute force passwords to gain access, or to test password lockout policy in an application. Here are a few pro-tips to get the most out of your web application tests. There are a few things however, that while they exist in Burp Suite, they are not completely intuitive. The feature set is rich, and anything that it does not do by default can usually be added with an extension. Burp Suite is one of my favorite tools for web application testing. ![]()
0 Comments
Leave a Reply. |