Burp technique for non-Webapp testing (2): scanning and Replay

Burp technique for non-Webapp testing (2): scanning and Replay

In the first section of this series of serialization, I talked about the burp Function Testing for non-webapps. I only wanted to write something and share it with me. Now, I will continue writing.
In this section, I will talk about:
Target> Scope
Proxy> HTTP History
Intruder/Mixer
At the same time, I will talk about compaction, Repeater, and Comparer here, but I will not talk too much about it. After all, these are simple.
Scope
Ideally, you can use it to filter out useless things.
It is easy to add a network package to the scope. Right-click a request package and select it to add it to the scope. Then you can see that the request is added through Target> Scope. For example, if I add a GET request to the Google logo to the scope, other Google domain names will not be added to the scope, and must be manually added.
 

Another way is to copy the URL and paste it in. If we right-click a request (any location), we can Copy the requested URL to the clipboard using the Copy URL option. Next, we can click the Paste URL button to copy it to the scope. This button is also available in other parts of burp and can be used in a similar way.

Generally, we do not expect that only one single request in the scope will work. What we need is to match "* .google.com" or "google.com/images /". Fortunately, we can use regular expressions in scope to define the scope. A common practice is to use the edit button to modify the content after adding the URL to the scope.
There are four options in Scope:
Protocol: Any, HTTP, and HTTPS. Here I usually select Any.
IP host range: supports regular expressions such as * \ .google.com
Port: unless I want to monitor the traffic of a specific port, it is usually left empty, that is, no filtering is performed.
File Name: that is, the part of the URL after the domain name is removed. Regular matching is supported.
If we want to add Google and all its sub-domain names to the scope, we can add the request for that logo (or any similar content) to the scope, then edit it.

HTTP History
Proxy> HTTP History, which contains the request and response packets intercepted by Burp. It takes more than half of my time to use Burp here. We can use the Filter to reduce useless content. Click the Filter tab: Showing all items (different settings for each person and different display items) to open the Filter.
 

The most effective option to reduce useless information is to hide all content not in the scope by selecting Show only in-scope items. The following is a demo image:
 

As you have seen in this article, there are many options in the filter, many of which are easy to use. Next, I will point out the ones that I often use in non-webapps.
Filter by MIME type: This will activate everything until you are sure that no request is lost. MIME-type is not always declared correctly in the response packet. Other binary can be used to view more binary data or abnormal payload (not activated by default ).
Filter by file extension: I only use the Hide feature and often add additional extensions that I am not interested in (such as fonts) so that they can be filtered, do not use them.
Filter by listener: This is very useful when an application needs to connect to different ports and does not support proxy settings. Here we can listen to the local localhost (or modify the hosts file), and create a different proxy listener for each port, so that we can listen to specific traffic.
Release (available only in pro Version)
Burp comes with a good scanner. Of course it cannot be as comprehensive as the Appscan of the IBM Professional Edition, but it has many advantages in testing non-webapp.
First, Burp is very fast and simple. I can log on to scan a simple request and just perform this action. In Appscan
In, I have to scan the entire app (configure the scan, record the logon process, manually browse, automatically browse, and finally perform the entire scan ), the most speechless is that some special logins cannot be replayed. For example, some Special Logon ports have random tokens.
Burp is much cheaper. The Professional Edition is only USD 300/year, And Appscan is up to USD 2000/year.
The Issue activity tab contains Scan results (you can view the results more carefully through Target> Site map) and Scan queue contains Scan requests.
Live Scanning
Burp has two scan modes: active and passive, which can be performed simultaneously.
In a passive scan, it only monitors normal request responses and matches the requests according to the rule set, but does not send any requests. In the active scanning process, it generates a payload and sends it to the server. At the same time, it also analyzes the request and response packets.
On this tab, you can configure the following mode:
Do not enable LiveActive Scanning. Scan each request separately.
Live Passive Scanning> Scan everything is very useful, but it will increase useless items in the Scan results. If you set scope, you can Use suite scope. Of course, you can also Use custom scope to customize the scope.
Options
You can configure scanner options here. Although I do not use live active scanning, these options can still be configured for separate request scanning.

Attack Insertion Points: You can select the injection point and add or delete all the Points as you wish. Fewer injection points mean faster scanning speeds.
Active Scanning Engine: enables low-frequency packet sending when the IP address may be banned.
Active Scanning Areas: As you can see, these options are more targeted at webapps. If necessary, I can cancel unnecessary tasks, which can save a lot of scanning time.
Passive Scanning Areas: You can only select related options to reduce useless things, but I suggest you do not change it here.
Static Code Analysis: This option enables Static Analysis of JavaScript Code. You can disable this option when testing a non-webapp.
Intruder (the free version has frequency restrictions)
This is Burp's semi-automated scanning function. Right-click any request and choose Send to Intruder. In Intruder, you can specify the injection point, and then use the built-in scanner or your own payload for fuzz.
Positions
After sending payload to Intruder, we open the Intruder> Positions tab to see the injection point. Click Clear here to Clear the image, and then click Add to highlight our injection points.

As you can see, I chose a familiar Google logo request and sent it to Intruder. Then, we cleared all predefined injection points and added the file name. Right-click it, select Actively scan defined insertion points, and send it to the Scanner. Only this injection point is scanned. Alternatively, I will click the Start Attack button to Start scanning the injection point with my custom payload.
Payload
We can switch to the Payloads tab to set payload for custom Intruder attacks.
Payloads settings and Payloads options
Here we can use different payloads, and Burp has some complicated payload sets, which can be used in specific situations. For example, Recursive grep (Recursive matching) means that you can obtain a new payload from the response packet generated by the existing payload. Of course, there are also easy-to-use payload such as Case modification, Character substitution, Dates, and Numbers.
With Simple list, you can use your own payloads at the injection point. You need to load or copy a single column of payloads and get it into PayloadOptions. You can also directly select the Runtime file and use the payloads in the file. The effect is the same as that of load. You can also use some built-in payload dictionaries of Burp (seemingly only in Pro version ).
 

The Custom iterator option allows Burp to generate more complex payloads. For example, I want to simulate the generation of two hex characters (a total of four characters, such as 0 × 00 ). Here, I select position 1, which contains 0-9 and a-f. At the same time, this rule will be repeated in position 2-4. Burp allows you to select a total of 8 positions. If you want to add usernames after this, I can select position 5 and add the usernames dictionary. As you can see, it also supports splitters between different positions.
We recommend that you have a good payload dictionary, FuzzDB:
Https://github.com/fuzzdb-project/fuzzdb
Note: it contains some payloads marked by anti-virus software.
Payload Processing
You can convert the payload before the injection. For example, you can convert all payloads to base64 and then send their hash.

Options
We can reduce the speed of the Intruder request or process it with latency.
Payload Encoding will allow Burp to encode the URL to solve special character problems.
Grep-Match
We can obtain special items from the response package. For example, if we inject the payload of sqli, we can let the Burp look for the keyword of the SQL error. For XSS, I usually use alert (9999) and the like, and then search for 9999 in the Response Request.
FuzzDB has its own regular expression mode to analyze response packages. Here is a link to show you how to use them.
Repeater-Decoder-Comparer
These tabs do not have many functions, but they are also useful.
Repeater
Repeater is usually used for manual testing. The Repeater performs automated scanning, while the Intruder performs semi-automated scanning.
If you want to use repeater to Send packets, right-click and select Send to Repeater. We can change requests, forward them, and observe these responses.
Here I select the GET request of the logo, send it to Repeater, and forward it. Change the content and request a file that does not exist. We will see 404. However, you can use Ctrl + Z to restore the original request.

You can send the changed content from Repeater to Intruder for scanning.
Decoder
You can encrypt and decrypt data in different formats or create a hash. Double-click any parameter and right-click to select Send to Decoder. You can also select it and press Ctrl + C to copy it and paste it into decoder.
Comparer
Comparer is used to compare two payload or HTTP request response packages. Select the content to be compared and right-click Send to Comparer. This comparison function can be performed by bit (to take care of binary files) or by byte (for text ).