Bypass Authentication with Burp Suite, the First Step
This post is for beginners who are starting off with Burp Suite, and it walks through some basic attacks.
Setting up Burp Suite
Burp Suite is a web application security testing tool from PortSwigger which comes in Professional, Community and Enterprise editions. We shall be using the Community edition in this tutorial; note that Intruder is rate-limited in this edition, so the attacks below are slow with large word lists. You can download it from here: https://portswigger.net/burp/releases/professional-community-2020-12-1?requestededition=community.
After installation, the first window looks like the following. Click ‘Next’ and then ‘Start Burp’ in the next window to get started. Go to the ‘Proxy’ tab, choose ‘Intercept’ and select ‘Open Browser’. A Chromium browser that is already configured to use Burp’s proxy will pop up; as an alternative you can use any other browser by pointing it at Burp’s proxy listener, which by default is 127.0.0.1:8080 (for HTTPS sites that browser also needs Burp’s CA certificate installed; the test site used below is plain HTTP).
Bypassing authentication
Bypassing authentication means accessing the system without the credentials that identify a legitimate user, via techniques such as SQL injection, retrieving credentials, brute forcing the login page and more. We shall look into some techniques to test for broken authentication in order to get past this initial security measure. In this tutorial we will be using the test website http://demo.testfire.net/.
To begin the attacks, turn on interception so that the button reads ‘Intercept is ON’, as shown in the following figure. Next, enter the URL in the browser; the page will not load while the intercept is on, because Burp is holding the request.
Click the ‘Forward’ button to release the request and load the page in the browser; the intercepted HTTP request appears as below. Each time you click ‘Forward’, the held request is sent on to the server. Submit the login form with any credentials, and when the POST request appears in the intercept window send it to Intruder (right-click and choose ‘Send to Intruder’).
To perform the authentication bypass attacks, switch to the ‘Intruder’ tab and choose ‘Positions’. Intruder marks payload positions with the § symbol: click ‘Clear §’ to remove the positions Burp adds automatically, then highlight the value of each field you want to attack and click ‘Add §’ so that the value is enclosed in a pair of § markers. After marking the required fields in the Positions section, go to ‘Payloads’, where the candidate words for each position are provided. The ‘Payload set’ number selects which marked position you are configuring, so configure one set per marked position. Choose a ‘Payload type’ from the dropdown. Common choices are ‘Simple list’, where you supply all the candidate words one per line, and ‘Brute forcer’, which generates every combination of a character set up to a given length and needs no word list. Once a payload type and its inputs are given for each payload set, start the attack.
Let’s go through the Intruder attack types that are useful for testing broken authentication in the following sections.
Sniper Attack
Let’s begin with the first attack. Sniper uses a single payload set and targets one position at a time: every payload is placed into the first marked position while the other fields keep their original values, then into the second marked position, and so on. It is the right choice when one attribute is already known and only the other has to be found. Choose ‘Sniper’ from the attack type dropdown on the Positions page. As per the following figure, we are running the attack on the attribute passw, i.e. the password, so only that field is marked and we give a simple list of possible passwords. It is to be noted that the username and password for this test website are both admin, so we can make a small list that includes it for the trial. In the results, the correct value is the row whose ‘Length’ column differs from all the others: the server accepts that request and returns a different page instead of the login form with an error message, so the content length changes. Check the ‘Status’ column as well; if the login page reflects the submitted value, the length varies slightly on every row, and the status code or a ‘Grep - Match’ on the error text in the Intruder options is the more reliable indicator.
Cluster Bomb
Cluster bomb uses a separate payload set for each marked position and tries every combination of them, so with both username and password marked and two lists as payloads it sends (size of list 1) × (size of list 2) requests; there can be two or more payload sets. Similar to the previous attack, we give a list of possible usernames as payload set 1 and a list of possible passwords as payload set 2, then pick the row with a different Length (or Status) value from the results window.
Battering Ram
Battering ram uses a single payload set and places the same payload into every marked position at once. The process is simple: it picks a value from the list and applies it to both username and password in the same request, so the list is walked through once instead of being combined with itself. This attack is useful where the same input is to be inserted at multiple points within the request, for example to catch accounts whose password equals the username, as with admin/admin here.
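As an added example that is not part of the original post or of Burp Suite itself, the following Python reproduces what the three attack types do with payload positions, then runs each one against a constructed offline stand-in for the login handler and picks out the response that differs, which is the same check as sorting the Intruder results by Length. The § template format mirrors Intruder’s markers; passw is the field name used in the post, while the uid field name, the fake handler, its responses and the word lists are assumptions made for this example.

```python
"""Sniper, battering ram and cluster bomb payload strategies, as Burp Intruder
applies them, run against a constructed login handler so it works offline.
Added example; not code from the original post or from PortSwigger."""
import itertools
from collections import Counter
from urllib.parse import parse_qsl

# Request body template. A pair of "§" markers encloses each payload position,
# and the text between them is that position's default value, as in Intruder.
# "passw" is from the post; "uid" and the body layout are assumptions.
TEMPLATE = "uid=§admin§&passw=§password§"


def parse_template(template):
    """Split a §-marked template into literal chunks and position defaults."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts[0::2], parts[1::2]  # literals, defaults


def render(literals, values):
    """Rebuild a request body from the literals and one value per position."""
    body = literals[0]
    for value, literal in zip(values, literals[1:]):
        body += value + literal
    return body


def sniper(defaults, payloads):
    """One payload set; each position in turn, others keep their defaults."""
    for i in range(len(defaults)):
        for payload in payloads:
            values = list(defaults)
            values[i] = payload
            yield values


def battering_ram(defaults, payloads):
    """One payload set; the same payload goes into every position at once."""
    for payload in payloads:
        yield [payload] * len(defaults)


def cluster_bomb(defaults, payload_sets):
    """One payload set per position; every combination is tried."""
    if len(payload_sets) != len(defaults):
        raise ValueError("cluster bomb needs one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield list(combo)


def fake_login(body):
    """Constructed stand-in for the target's login handler (not the real site).
    Success: a 302 redirect with a short body. Failure: 200 with the login page.
    admin/admin are the demo credentials stated in the post."""
    fields = dict(parse_qsl(body))
    if fields.get("uid") == "admin" and fields.get("passw") == "admin":
        return 302, "<html><body>Redirecting to the account page</body></html>"
    return 200, "<html><body>Login Failed: bad username or password.</body></html>"


def run(template, attack, send=fake_login):
    """Send every generated request; record (values, status, response length)."""
    literals, defaults = parse_template(template)
    results = []
    for values in attack(defaults):
        status, page = send(render(literals, values))
        results.append((values, status, len(page)))
    return results


def outliers(results):
    """Rows whose (status, length) differs from the most common pair, i.e. what
    sorting the Intruder results by Length reveals by eye."""
    if not results:
        return []
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    return [r for r in results if (r[1], r[2]) != baseline]


if __name__ == "__main__":
    # Constructed word lists for the demonstration.
    users = ["root", "admin", "jsmith"]
    passwords = ["123456", "password", "admin"]
    common = ["root", "admin", "guest", "test"]  # tried as both uid and passw
    print("sniper   :", outliers(run(TEMPLATE, lambda d: sniper(d, passwords))))
    print("battering:", outliers(run(TEMPLATE, lambda d: battering_ram(d, common))))
    print("cluster  :", outliers(run(TEMPLATE, lambda d: cluster_bomb(d, [users, passwords]))))
```

With the sniper run, the uid position is attacked first (every password as a username, with passw still at its default) and then the passw position; only the latter produces the 302 row, which is why sniper fits the case where the username is already known. The battering ram run walks the list once, sending each word as both uid and passw, while the cluster bomb run sends all nine username/password combinations. If the handler echoed the submitted value into the error page, the length of every failed row would change with the payload and the grouping above would have to fall back to status code or an error-text match, which is the same caveat that applies to reading Intruder’s Length column.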
There are numerous methods and attacks to test for broken authentication; a few were discussed above. I hope this was useful to start off with Burp Suite, and we will go deeper in the forthcoming posts.
Thanks for stopping by this article and I really hope you did find out something new and useful today 😊!
Have fun learning. See you next time! Until then check out my other stories at AskPranaviSree.
Byee!