web application – burpsuite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

backtrack 5r1

location
/pentest/web/burpsuite

to run
root@bt:/pentest/web/burpsuite# java -jar burpsuite_v1.4.01.jar

Brute-forcing Web Authentication

URL tested

IP-Address/dvwa/vulnerabilities/brute/?username=admin&password=password123&Login=Login#

Burp

1. Proxy tab / History tab: find the request you want to brute-force, right-click it and choose Send to Intruder.
2. Intruder tab: set Attack type to Sniper.
3. Intruder tab / Target (check the host and port are right) / Positions: click Clear § to remove all auto-highlighted positions, then highlight the password value you entered and click Add §.

Example: in username=admin&password=test&Login=Login HTTP/1.1, highlight only the word test and click Add §.

4. Intruder tab / Payloads: Payload set 1, Payload type: Simple list. Copy a word list to the clipboard and click Paste to load it.
5. From the Intruder menu in Burp's top menu bar, choose Start attack.
6. An attack window opens. Watch the list as the payloads are tested and sort by the Length column; a response whose length differs from the rest is likely the successful authentication.

In this test every response had length 4882 except the one for the working password, which was 4948 (the only different one).
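The same length signal, read from the server side, as an added example that is not part of the original post: a Python script that parses constructed Apache-style access-log lines for the DVWA login endpoint above, flags a source that hits it repeatedly, and reports the response size that breaks the run of identical sizes. The log lines, threshold and window are assumptions for the demonstration; note that because this form sends credentials in the query string, each guessed password also lands in the access log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined-log style (not from the original post):
# five rapid hits from one source (four 4882-byte replies, one 4948-byte) and one other.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a1&Login=Login HTTP/1.1" 200 4882
10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a2&Login=Login HTTP/1.1" 200 4882
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a3&Login=Login HTTP/1.1" 200 4882
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a4&Login=Login HTTP/1.1" 200 4948
10.0.0.5 - - [12/Mar/2012:10:00:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a5&Login=Login HTTP/1.1" 200 4882
10.0.0.9 - - [12/Mar/2012:10:05:00 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=a6&Login=Login HTTP/1.1" 200 4882
"""
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"  # login endpoint named in the post
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"])
    return rec

def detect_bruteforce(lines, window_s=60, threshold=5):
    """Flag source IPs with >= threshold login requests inside any window_s-second span,
    and list the response sizes that break the run of identical sizes (assumed defaults)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        j, burst = 0, 0
        for i, r in enumerate(recs):  # two-pointer sliding window over timestamps
            while (r["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= threshold:
            sizes = [r["size"] for r in recs]
            common = max(set(sizes), key=sizes.count)  # the "normal" (failed-login) size
            alerts[ip] = {"attempts": burst, "common_size": common,
                          "outlier_sizes": [s for s in sizes if s != common]}
    return alerts
```

Run `detect_bruteforce(SAMPLE_LOG.splitlines())` to get one alert for 10.0.0.5 with the 4948-byte response as the outlier; 10.0.0.9 stays below the threshold.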
