Monday, January 14, 2008

Burp

XSS Discovery Tool # 1

I’ve just found a great book published by syngress , titled Xss attack , here are the short exceprt which is token from the book about the Burp Proxy suite , a tool to discover xss vulnerabilites on web applications.

The modern browser is designed for speed and efficiency, which means Web application security assessment is a painful task, because probing a Web application requires in-depth analysis. Generally, to test an application, you want to slow down the transmission of data to and from the server to a snail’s pace so you can read and modify the transmitted data; hence the proxy.

In the early days of security, proxies were capable of slowing down the connection in only the outbound direction and as such, a user could only alter the information being transferred to the server; however, that’s only part of the equation when analyzing a Web application. Sometimes it greatly behooves you to be able to modify the incoming data.


For example, you might want to modify a cookie so that it doesn’t use HttpOnly, or remove a JavaScript function. Sometimes you just want a bidirectional microscopic view into every request your browser is making. And then there was Burp Proxy.

Burp Proxy is part of a suite of Java tools called Burp Suite that allow for Web application penetration, but for the purposes of this book only one function is particularly useful, and that’s the proxy.To get started, you need the Java run time environment installed, which you can get from Java.com’s Web site. Once that is installed you modify your proxy settings in your browser to use localhost or 127.0.0.1 at port 8080.

Once this is done, you can launch Burp Proxy, which will show you a blank screen.The Intercept and Options windows are the most important ones that we will be focusing on.First let’s configure Burp Proxy to watch both inbound and outbound requests. Under “Options” uncheck resource type restrictions, turn on interception of Server Responses, and uncheck “text” as a content type.This will show you all of the data to and from every server you connect to.

Once this has been configured, you should be able to surf and see any data being transferred to and from the host.This will allow you to both detect the data in transit and modify it as you see fit. Of course any data you modify that is sent to your browser affects you and you alone, however, if it can turn off JavaScript client side protection this can be used to do other nefarious things, like persistent XSS, which would normally not be allowed due to the client side protections in place. Also, in the days of Asynchronous JavaScript and XML (AJAX), this tool can be incredibly powerful to detect and modify data in transit in both directions, while turning off any protection put in place by the client to avoid modification by the browser.

This can also help remove lots of information that would otherwise leak to the target,including cookies, referrers, or other things that are either unnecessary or slow down the exploitation. Another useful feature is the ability to switch into hex mode.This is particularly useful when you are viewing pages in alternate encoding methods, like US-ASCII or UTF-16.

Burp proxy is by far one of the most useful Web application security tools in any manual security assessment. Not only does it help uncover the obvious stuff, but it’s possible to write custom rules if you know what you are looking for. For instance, if you wanted to find only XML files for debugging AJAX applications, a Burp proxy rule can be created to capture just this information.

Ultimately, Burp is only one tool amongst a wide array of others that do parts of what Burp does as well or better, but nothing works in quite the same way or with quite the same power as Burp Suite. Burp Proxy is not for the faint of heart, but once you get accustomed to it, it is a great learning tool for understanding how Hypertext Transfer Protocol (HTTP) actually works under the hood.Download URL : http://portswigger.net/proxy/

More reviews can be found on thespanner.co.uk , xssworm.blogvis.com , ha.ckers.org .

No comments: