It defaults to “prompt for guidance” but we could change the settings with our known credentials. If we got to the Spider > Options tab, and scroll down, we see that there’s automated responses that we can choose for a login form: If this was a bigger application, then this would get very annoying very quickly. But then the form submission pop-up appeared again.
BURP SUITE REPEATER HISTORY PASSWORD
I already knew the login (it was provided), so I typed “guest” and “guest” into the username and password fields. When I started running the Spider tool, I saw this pop-up in Burp: WebGoat is an intentionally vulnerable web app used to teach various attacks, and includes two different login accounts. I also ran the Spider tool on a local copy of OWASP’s WebGoat tool (which meant that I had to add localhost to my scope before Spidering). But, hopefully it’s clear how this would be useful for much larger websites. We probably could have found most of those by just browsing. In this case, the results aren’t that impressive. You can press the button to stop it, and then clear any upcoming queues if need be. If the “Spider is running” button is grey/depressed, that means it’s currently running. If I want to see how many requests are being made, or if I need to stop the tool for some reason (maybe things are getting recursively crazy), go to Spider > Control. When I do this, I can see that the Spider tab has lit up orange. In other views, you can right-click a request and say “Spider from here”. Right-click this and select “Spider this branch”. In the Target > Site Map view, you can see that I’ve already visited one site from XSS Game (I visited the splash page). As we saw in the last blog post, you can right-click a request from numerous places (Proxy > HTTP History, Proxy > Intercept, Target > Site Map, etc.) and send the request to other tools. To start spidering, you have a few different options. You can also set a custom scope if needed, which will function separate from the scope applied to other tools. If you go to Spider > Control, you can see that the scope defaults to “Use suite scope”, which is the scope we just defined. Depending on what those sites are, that might be bad. If you do not set a scope when spidering, it will crawl things outside of your intended target. Next, I go to the Target > Scope tab to set my scope. First, I turn FoxyProxy on in my browser, and make sure that the settings in the Proxy > Options tab match my FoxyProxy options. In this example, I’ll be using XSS Game first. We covered scope in the last blog post, but it’s a way of limiting what websites are shown to you within Burp, and what websites are used by other tools (which sites do you want to be sending requests to?) Configuring Scope Make sure you set your scope before you run the Spider tool! The Spider tool does all of that for you by recursively finding and requesting all links on a given website. Doing that by browsing through the website is time-consuming, especially if you have a very complex website.
Why is this useful? Having a complete site map helps you understand the layout of a website and makes you aware of all the different areas where vulnerabilities might exist (for example, seeing the gear icon on a page means that data can be / has been submitted). If you worked through the last post and its examples, then you have already (passively) used the Spider tool. In other words, it programmatically crawls a website(s) for all links and adds them to the Site Map view in the Target tab. Burp’s website states:īurp’s cutting-edge web application crawler accurately maps content and functionality, automatically handling sessions, state changes, volatile content, and application logins. Spiderįirst up is the Spider tool, which is a web crawler. If you don’t have Burp Suite set up yet, check out this blog post first. Since everything is more fun with examples, I’ll be using practice hacking sites to demo some of these features. This blog post will cover the Spider, Intruder and Repeater tools, which start to show the usefulness and power of Burp Suite. In my last post I covered setup for Burp Suite, as well as the Proxy and Target tabs.
0 kommentar(er)
