TT4175-2021-L04-Web hacking1.ppt - Compatibility Mode
TTM4175 Introduction to Communication Technology and data security
Web hacking 1.
Laszlo Erdödi
TTM4175 2021 L04 – Web hacking 1. 27
Burp suite
Burp provides a proxy that intercepts the browser's traffic.
Specific packets can be filtered out by
• Client request parameters (file extension, web method)
• Server responses (content type, web answer code)
• Direction of the packets (client to server, server to client)
Browser proxy
Burp suite – Burp Certificate Authority
Because of the traffic interception, the browser will observe the invalid certificate and refuse the connection. In order to test HTTPS traffic, the Burp CA can be added to any browser as a root CA.
Burp suite
Under the HTTP history tab all the traffic that has passed through the browser is shown. All outgoing traffic can be intercepted as well and modified before sending (similarly to Tamper Data).
Edit packet
Burp suite - Repeater
The repeater module can resend a selected packet from the history. Before sending it again the packet can be altered.
Burp suite - Intruder
The intruder module is able to manipulate the parameters that have been passed to the website. When the packet is sent to the repeater Burp tries to identify the parameters and carry out the attack. There are several attack types:
• Sniper: one parameter, one iteration
• Battering ram: multiple parameters, one iteration
• Pitchfork: multiple parameters, multiple iterations
• Cluster bomb: multiple parameters, multiple iterations, all combinations considered
Burp suite - Intruder
The payload tab sets the content of each attempt. For example, with the numbers option, among others, either an incremental list or random numbers can be specified.
DEMO…
In our example the specific answer can be identified by the response length.
More details on the payloads are here: http://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/
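The four Intruder attack types, the sequential "numbers" payload and the response-length triage step described on the slides above, modelled in a small added example. This is illustration code written for these notes, not Burp's own implementation or code from the lecture: the request template, the function names, and the sample responses are all constructed here. It follows Burp's convention of marking payload positions with § characters, where the text between a pair of markers is the position's base value; the `requests_per_mode` helper shows how many requests each mode sends for given payload sets, which is also what a defender sees as request volume in the server log.

```python
import itertools
from collections import Counter

# Constructed request template. Burp marks payload positions with § and the
# text between a pair of markers is the position's base (unmodified) value.
TEMPLATE = "GET /item?id=§1§&lang=§en§ HTTP/1.1"


def split_template(template):
    """Return (literal segments, base values); segments has one more entry than values."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]


def render(template, values):
    """Substitute one value per marked position, in order of appearance."""
    literals, bases = split_template(template)
    if len(values) != len(bases):
        raise ValueError("need one value per position")
    out = [literals[0]]
    for lit, val in zip(literals[1:], values):
        out.append(str(val))
        out.append(lit)
    return "".join(out)


def sniper(template, payloads):
    """One payload set; one position varied at a time, the others keep their base value."""
    _, bases = split_template(template)
    for idx in range(len(bases)):
        for p in payloads:
            values = list(bases)
            values[idx] = p
            yield render(template, values)


def battering_ram(template, payloads):
    """One payload set; the same payload placed into every position at once."""
    _, bases = split_template(template)
    for p in payloads:
        yield render(template, [p] * len(bases))


def pitchfork(template, payload_sets):
    """One payload set per position, stepped in parallel; stops at the shortest set."""
    _, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("need one payload set per position")
    for combo in zip(*payload_sets):
        yield render(template, list(combo))


def cluster_bomb(template, payload_sets):
    """One payload set per position; every combination (Cartesian product)."""
    _, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("need one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield render(template, list(combo))


def incremental_numbers(start, stop, step=1, width=0):
    """'Numbers' payload, sequential mode: start..stop inclusive, zero-padded to width."""
    return [str(n).zfill(width) for n in range(start, stop + 1, step)]


def requests_per_mode(template, payload_sets):
    """Number of requests each mode sends; sniper and battering ram use the first set only."""
    flat = payload_sets[0]
    return {
        "sniper": sum(1 for _ in sniper(template, flat)),
        "battering_ram": sum(1 for _ in battering_ram(template, flat)),
        "pitchfork": sum(1 for _ in pitchfork(template, payload_sets)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(template, payload_sets)),
    }


def unique_length_responses(responses):
    """Requests whose response length occurs only once in the run (the 'specific
    answer identified by the response length'). responses: request -> body."""
    lengths = Counter(len(body) for body in responses.values())
    return [req for req, body in responses.items() if lengths[len(body)] == 1]


# Constructed sample: a sniper run over the id position; bodies are made up, not server output.
SAMPLE_RESPONSES = {
    render(TEMPLATE, [n, "en"]): body
    for n, body in zip(incremental_numbers(1, 4),
                       ["Not found", "Not found", "Item 3: Widget, in stock", "Not found"])
}

if __name__ == "__main__":
    sets = [incremental_numbers(1, 3), ["en", "no"]]
    for mode, count in requests_per_mode(TEMPLATE, sets).items():
        print(f"{mode:14} {count} requests")
    print("distinct response:", unique_length_responses(SAMPLE_RESPONSES))
```

With two positions and payload sets of three and two values, sniper sends 6 requests, battering ram 3, pitchfork 2 and cluster bomb 6; the same code makes it visible why the cluster bomb count grows multiplicatively with each extra position.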