Burp Tips for Non-Webapp Testing (I): Interception and Proxy Listeners
Burp is not only for web application testing. I use it a lot in mobile and thick client tests; if the application talks HTTP, Burp is probably your best choice.
I want to write down the Burp tips that help me most at work. One purpose is to share them with everyone; the other is to keep them somewhere I can look them up (think of it as a personal memo).
This part covers interception and proxy listeners, both configured under Proxy > Options.
The Burp Pro version used for this article is 1.6.39; most items also apply to the current Burp Free version (1.6.32). Most of these settings have not changed since I started using Burp (v1.5). You can download Burp from https://portswigger.net/burp/download.html.
When I started writing I did not expect there would be so much to say about Burp, so I have split the article into several parts. Note that this is not about web application testing, so I may skip some features. If you have favourite tips or use cases, please share them in the comments.
1. Interception
Burp supports request/response interception and modification. You can configure most settings in Proxy> Options.
1.1 Intercepting responses
Sometimes you want to modify responses by hand. Enable this under Proxy > Options > Intercept responses based on the following rules. Make sure to uncheck the first rule, the one that only intercepts responses whose Content-Type header matches text; otherwise binary payloads will not be intercepted.
1.2 Request/response interception rules
Burp supports rules for deciding which requests and responses are intercepted. They are useful when you have redirected a lot of traffic to Burp (for example through the IE proxy settings) but only want to intercept traffic to a few specific endpoints. Go to Proxy > Options and look at the rules under Intercept Client Requests and Intercept Server Responses. Some predefined rules limit interception to items in scope; you can also add your own rules, including regular expressions matched against headers or body.
1.3 Match and Replace
Match/replace lives under Proxy > Options > Match and Replace. It rewrites parts of requests or responses and supports regular expressions. I mostly use it to change the User-Agent (look at the default rules or add your own User-Agent). Another use is to change the application's behaviour without patching the binary, by rewriting requests and responses to bypass controls. For example, if the server answers a login with true/false, I add a match/replace rule that turns a failed login response into true and bypasses the login (this only works when the server does not itself keep track of whether the login succeeded).
1.4 SSL Pass Through
This feature is underrated (Proxy > Options > SSL Pass Through). Burp does not MitM anything added to this list; for those endpoints it acts as a non-terminating TLS proxy and simply passes the connection through.
Suppose you are trying to proxy something and it does not work. Add the endpoint to SSL Pass Through and check again: if the application now works, Burp's MitM is what breaks it.
This often happens with thick clients that mix HTTP and non-HTTP protocols on a non-standard port. Burp MitMs the non-HTTP connection as if it were HTTP and may drop or modify packets, and the application breaks. First identify those endpoints and add them to SSL Pass Through. See Proxying Hipchat Part 2 (So You Think You Can Use Burp?) for a real-world example.
You can also use this feature to turn Burp into a quick and dirty port forwarder. Say a client sends data to port 1234 and you want it to reach a remote server listening on port 5678, without writing code or using another tool. Redirect the endpoint to localhost using the hosts file (other OS-specific methods exist), create a Burp listener on port 1234, and under the listener's Request Handling redirect all traffic to the endpoint on the other port. Then add the endpoint to SSL Pass Through so Burp does not touch the stream.
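What Burp does for an endpoint on the SSL Pass Through list with a redirect configured is plain TCP forwarding: bytes are copied in both directions and never inspected, so TLS passes through untouched. The following is an added example, not code from the original post, showing the "write code" alternative mentioned above: a minimal Python forwarder. The demo() helper and the echo server inside it are constructed for offline testing and stand in for the remote server; they use ephemeral loopback ports rather than the 1234/5678 in the text.

```python
"""Minimal bidirectional TCP forwarder (added example; not from the original post).
It does what Burp does for an endpoint on the SSL Pass Through list: copies bytes
both ways and never looks inside the stream, so TLS passes through untouched."""
import socket
import socketserver
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class ForwardHandler(socketserver.BaseRequestHandler):
    """One instance per client connection: open the upstream socket and pump both ways."""

    def handle(self) -> None:
        # self.server.target is (host, port). The host is resolved by the OS, so if
        # you redirected that name to 127.0.0.1 in the hosts file, pass the real IP
        # here or the forwarder will connect back to itself.
        with socket.create_connection(self.server.target, timeout=30) as upstream:
            back = threading.Thread(target=_pump, args=(upstream, self.request), daemon=True)
            back.start()
            _pump(self.request, upstream)
            back.join()


class Forwarder(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, listen: tuple, target: tuple) -> None:
        self.target = target
        super().__init__(listen, ForwardHandler)


def start_forwarder(listen_host: str, listen_port: int,
                    target_host: str, target_port: int) -> Forwarder:
    """Start forwarding in a background thread; returns the server (.shutdown() stops it)."""
    srv = Forwarder((listen_host, listen_port), (target_host, target_port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the remote server: echoes whatever it receives."""

    def handle(self) -> None:
        while True:
            data = self.request.recv(65536)
            if not data:
                break
            self.request.sendall(data)


def demo(payload: bytes = b"hello through the forwarder") -> bytes:
    """Run echo server and forwarder on ephemeral loopback ports, send payload through
    the forwarder and return what comes back (it should equal payload)."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    echo.daemon_threads = True
    threading.Thread(target=echo.serve_forever, daemon=True).start()
    fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo.server_address[1])
    try:
        with socket.create_connection(fwd.server_address, timeout=10) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)  # end of data; now read the reply
            chunks = []
            while True:
                chunk = client.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        fwd.shutdown()
        fwd.server_close()
        echo.shutdown()
        echo.server_close()


if __name__ == "__main__":
    print(demo())
```

In real use you would call start_forwarder("127.0.0.1", 1234, "<real server IP>", 5678) and leave it running; the hosts-file caveat in the comment applies exactly as it does to Burp's own redirect.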
1.5 Response modification options
Most of these options are self-explanatory and useful for web applications.
Convert HTTPS links to HTTP and Unset secure flag on cookies work well together with Force use of SSL under request handling. If TLS between our application (or browser) and Burp is stripped, a cookie carrying the Secure flag is never sent back over the plaintext connection and the application stops working. With Unset secure flag on cookies enabled, Burp removes the flag from Set-Cookie response headers.
1.6 Disable intercept at startup (Miscellaneous)
More than once I have started Burp, set it as the proxy, run the application and wondered why it hangs, only to realize that intercept is on by default at startup. This can be turned off under Proxy > Options > Miscellaneous.
2. Proxy listeners
Burp listens on a port, and that is where traffic must be sent. The default is 127.0.0.1:8080, but it can be changed, and you can add listeners on another interface or on all interfaces (0.0.0.0). The only restriction is that no other program may already be using that port on the chosen interface.
Proxy listeners are configured under Proxy > Options > Proxy Listeners.
2.1 Binding
Adding a new listener is easy: click Add. Loopback means 127.0.0.1 or localhost. If you want Burp to listen on another interface you can select it here. This is very useful when I proxy a mobile device: I create a listener on all interfaces (0.0.0.0) or on the network interface shared with the device (for example a Windows hosted network).
You can import or export Burp's root CA with Import / export CA certificate, or regenerate the CA certificate to create a new one. See Installing Burp Certificate Authority in Windows Certificate Store for details. If you regenerate the root CA, remember to replace the old certificate with the new one in the certificate store (operating system or browser; Firefox uses its own store).
2.2 Request handling
This is a very useful feature for non-web applications. Suppose I have redirected a thick client that connects to www.google.com:8000 to Burp using the Windows hosts file: www.google.com now resolves to 127.0.0.1, and I have created a Burp listener on port 8000 (the hosts file does not change the port, so the listener must use the same port as the client). Now I need to send all traffic from this listener on to the original endpoint. One way is Redirect to host / Redirect to port in the listener's Request Handling, set to the original server and port 8000. Note that on this machine www.google.com now resolves to 127.0.0.1, so the redirect target has to be the server's real IP address (or you override the name in Options > Connections > Hostname Resolution, covered in the next part), otherwise Burp connects back to itself.
If the application connects to several different endpoints on the same port (for example many hosts on port 80 or 443), a single redirect will not do; we need Options > Connections > Hostname Resolution, which I will cover in the next part.
This is also useful when I use Burp to pipe traffic into another proxy tool such as Fiddler or Charles.
Use Force use of SSL when TLS has been stripped between the application and Burp and you want Burp to add it back on the way to the endpoint. One example is SoapUI.
2.2.1 Burp's invisible proxy
Proxying Hipchat Part 3 covers this in detail; read it and then come back here. Reading the whole series shows how Burp works as a proxy and saves you from many pitfalls.
A proxy-aware client (one configured to use a proxy, a browser being the typical example) sends a CONNECT request to the proxy before starting the real TLS connection (in this example, CONNECT www.google.com:443). It has to, because an ordinary proxy (which, unlike Burp, usually does not terminate TLS) cannot see inside the TLS stream: TLS is encrypted TCP payload, so the proxy would not know where to send the traffic. The CONNECT request tells it.
A non-proxy-aware client does not know (or care) that it is being proxied. This is the case for most applications that have no proxy settings or ignore the operating system's proxy settings. The application still believes it is talking to the endpoint, but the traffic is redirected to Burp (for example via the hosts file). Burp, being a TLS-terminating proxy, can decrypt the traffic and read the Host header to find the original endpoint. This is Burp's invisible proxy mode.
Enable it under Proxy > Options: select the proxy listener, click Edit, and under Request Handling check Support invisible proxying.
What I usually do is capture the local traffic between the application and Burp (with RawCap) and check whether the application sends a CONNECT request. If it does, invisible proxying is not needed. The other way is to try both settings and see which one works.
2.3 Certificate
Here we configure the certificate Burp presents when it MitMs a connection.
1. Use a self-signed certificate: Burp uses one self-signed certificate for every connection.
2. Generate CA-signed per-host certificates: the most common choice. Burp generates a certificate for each host, signed by its CA, with the Common Name (CN) set to that host name.
3. Generate a CA-signed certificate with a specific hostname: you choose the CN yourself. This is useful when an application validates the certificate by checking the CN but connects to an endpoint whose real certificate uses a wildcard. For example, the application connects to images.google.com but expects a certificate for *.google.com. With the previous option Burp would create a certificate for images.google.com (the actual endpoint) and the pinning check would reject it.
4. Use a custom certificate (PKCS #12): if we need one specific certificate (including its private key), we can supply it here. This is useful when the pinning check looks at more than the CN, so we generate a certificate by hand (or use the original certificate if we can get hold of it) and load it here.
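To make the wildcard point in option 3 concrete, here is an added example (not code from the original post) that contrasts normal host name validation, where a wildcard name covers the endpoint, with the literal CN comparison of a naive pin, which is what rejects Burp's per-host certificate. It goes slightly beyond the text by implementing the usual wildcard rules in full (only a whole leftmost label may be a wildcard, and it matches exactly one label). The host names are the ones from the text; the "pin" is a constructed stand-in for whatever check the application really does.

```python
"""Host name validation versus a literal CN pin (added example; not from the original
post). Shows why Burp's per-host certificate (CN = images.google.com) is valid for the
endpoint but fails a pin on *.google.com, while a certificate with the CN typed in
(option 3) passes both."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name (CN or DNS SAN entry) cover hostname?
    Wildcard rules follow the common browser / RFC 6125 interpretation: '*' may only be
    the entire leftmost label, it matches exactly one label, and it must leave at least
    two literal labels (so *.com is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False                      # partial wildcards (f*.example.com) rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def naive_cn_pin(pinned_cn: str, presented_cn: str) -> bool:
    """The check the post describes: the application compares the CN string literally."""
    return pinned_cn == presented_cn


def burp_certificate_outcome(endpoint: str, pinned_cn: str) -> dict:
    """For an endpoint and a pinned CN, what each Burp certificate option achieves."""
    per_host_cn = endpoint        # option 2: CN equals the host name Burp saw
    specific_cn = pinned_cn       # option 3: CN we enter by hand to satisfy the pin
    return {
        "per_host_valid_for_endpoint": hostname_matches(per_host_cn, endpoint),
        "per_host_passes_pin": naive_cn_pin(pinned_cn, per_host_cn),
        "specific_valid_for_endpoint": hostname_matches(specific_cn, endpoint),
        "specific_passes_pin": naive_cn_pin(pinned_cn, specific_cn),
    }


if __name__ == "__main__":
    for key, value in burp_certificate_outcome("images.google.com", "*.google.com").items():
        print(f"{key}: {value}")
```

If the application's check is stricter than a CN string comparison (issuer, public key hash, full chain), neither option 2 nor 3 helps and you are in option 4 territory: a certificate built to match whatever the check looks at, or the original one.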
3. Bonus tip: run Burp with more memory
Personally I have never run out of memory with Burp, but I save the Burp state at the end of each day and do not use Python/Ruby extensions, so your mileage may vary.
To give Burp 2048 MB (2 GB) of heap, start it from the command line with the -Xmx JVM option:
java -Xmx2048m -jar /burp_directory/burpsuite_whatever.jar