Burp Suite Scanner
2/28/2023

Compared to launching a traditional ‘full’ scan against every single dynamic page of an application, which may result in tens or hundreds of thousands of requests, our engagements tend to operate a bit more efficiently by leveraging custom scan profiles.

Detection of Cross-Site Scripting (XSS) Example Workflow:

When analyzing an application for vulnerabilities, one may typically start off by selecting the following profile for every single page: “Audit checks – all except JavaScript analysis”. Often, one may opt to include the JavaScript analysis as well for each page.

After running this scan profile against a reflected Cross-Site Scripting (XSS) endpoint, such as on the Damn Vulnerable Web Application (DVWA), Burp Suite successfully identifies the XSS vulnerability on the page. However, it took 1991 requests to finish this scan, since we were analyzing the entire application for every vulnerability from XSS to SQLi.

While we were successful in our goal, could we be more efficient? What if we had already scanned the application (albeit a different page) with the ‘large’ default profile once? Now that we have discovered this potentially vulnerable page, do we really need to scan the entire page for every vulnerability class when we could just hunt for XSS directly? This is the question that separates the ‘tool’ from the ‘pentester’.

For instance, a page vulnerable to XSS may not typically be vulnerable to Command Injection… but a page vulnerable to Command Injection is often vulnerable to XSS. By narrowing your scope to just the specific vulnerability classes you want to hunt for, based on your knowledge of the application architecture, you can identify those vulnerabilities more efficiently and with fewer requests.

Efficient Detection of Cross-Site Scripting (XSS) Example Workflow:

Let’s try to be more efficient this time with our approach to XSS detection. Rather than launching a full scan, we can create a scan profile just for XSS-type attacks. From there, we can quickly identify potential targets.

By utilizing the Burp Suite extension Reflected Parameters, we can quickly identify potential locations within an application’s scope where XSS might exist (locations which Burp Suite has captured during the crawling phase).

To narrow our scan scope even further, we send the request to Burp Suite Intruder, define an insertion point around the parameter(s), then right-click > Scan defined insertion points > Open scan launcher. Within the scan configuration, we select a pre-defined “XSS & Friends – No Cookie” template. Note, we don’t often scan cookies when hunting for XSS in the first round of testing. Of course, we also have an “XSS & Friends – With Cookies” template with cookie support.

As you can see, both scan profiles ended up in the same place, identifying the reflected XSS vulnerability. However, our custom scan template, which only scans for XSS, identified the issue in significantly fewer requests: just 3% of the total of the default scan.

In our experience, on a live engagement, it is incredibly useful to have a more efficient scan. Any number of factors may limit the amount of time it takes to get through the ‘large’ default scan, such as the environment you are scanning, the vulnerability class you’re hunting for, and any rate-limiting that may be in place. If you have to execute the large scan profile for every page of a gigantic application, it may never complete in the engagement timeframe.

Creating Burp Suite Scan Profile Templates

To create a similar template, open the Configuration Library within Burp Suite under the “Burp” file menu. Below, we have several predefined templates for a range of vulnerabilities and actions. Next, click on the “New” button and create a new configuration with a catchy name. Under “Select individual issues”, you can narrow down Burp Suite’s payloads to just a select few. In our profile, we like to select all of the XSS issues, as well as a couple of other payloads such as template injection and some XML payloads. You may have noticed that we have named our profile with “No Cookies”. For our personal application pentesting workflow, we typically do not initially hunt for vulnerabilities within cookies.
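The Reflected Parameters step in the efficient workflow above boils down to one question: which request parameters come back in the response, and in what HTML context? The script below is an added example written for this page; it is not the post's own material and not the Reflected Parameters extension's code. It takes a request URL and a response body, reports each reflected parameter with its context (script block, tag attribute, body text, or only HTML-encoded), and orders the results so the unencoded reflections, the ones worth an XSS-only insertion-point scan, come first. The URL, parameter names other than DVWA's "name", and the response body are constructed sample data; the 4-character minimum value length is my own choice to keep short values like "2" or "en" from producing noise.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request and response (not captured from a real target).
# DVWA's reflected XSS page is the stand-in, as in the post; "lang", "page",
# "ref" and "q" are made-up parameters for the example.
SAMPLE_URL = (
    "http://dvwa.local/vulnerabilities/xss_r/"
    "?name=ZqXtest1&lang=en&page=2&ref=Nz8refer&q=a%22b%3Cc"
)
SAMPLE_RESPONSE = """<html><body>
<form action="/vulnerabilities/xss_r/" method="get">
  <input name="name" value="ZqXtest1">
</form>
<pre>Hello ZqXtest1</pre>
<p>Results for a&quot;b&lt;c</p>
<script>var ref = "Nz8refer"; var lang = "en";</script>
</body></html>"""

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

# Lower number = more interesting for an XSS-only scan: a value landing inside
# a script block or a tag attribute needs fewer characters to break out than
# one landing in body text, and an HTML-encoded echo means the app escaped it.
_PRIORITY = {"script": 0, "attribute": 1, "text": 2, "encoded": 3}


def _context(body, idx, script_ranges):
    """Classify the HTML context of the reflection found at offset idx."""
    if any(start <= idx < end for start, end in script_ranges):
        return "script"
    # Inside a tag if the nearest '<' to the left is closer than the nearest '>'.
    last_lt = body.rfind("<", 0, idx)
    last_gt = body.rfind(">", 0, idx)
    return "attribute" if last_lt > last_gt else "text"


def reflected_parameters(url, body, min_len=4):
    """Return {param_name: sorted list of contexts} for every query parameter
    whose value is echoed in the response. Values shorter than min_len are
    skipped because they match almost anything."""
    script_ranges = [(m.start(1), m.end(1)) for m in _SCRIPT_RE.finditer(body)]
    report = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) < min_len:
            continue
        contexts = set()
        # Every verbatim occurrence of the decoded value.
        start = body.find(value)
        while start != -1:
            contexts.add(_context(body, start, script_ranges))
            start = body.find(value, start + len(value))
        # Only the entity-encoded form present means the app escaped the value.
        escaped = html.escape(value, quote=True)
        if escaped != value and escaped in body:
            contexts.add("encoded")
        if contexts:
            report[name] = sorted(contexts)
    return report


def rank_insertion_points(report):
    """Order reflected parameters by the most exposed context each appears in,
    so the list can be used directly as candidate insertion points."""
    return sorted(report, key=lambda n: (min(_PRIORITY[c] for c in report[n]), n))


if __name__ == "__main__":
    found = reflected_parameters(SAMPLE_URL, SAMPLE_RESPONSE)
    for name in rank_insertion_points(found):
        print(f"{name}: {', '.join(found[name])}")
```

Run against the constructed sample, "ref" ranks first (echoed inside a script block), then "name" (attribute value and body text), and "q" last because its quote and angle bracket only came back entity-encoded; "lang" and "page" are dropped as too short to be meaningful.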
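The post's check that "both scan profiles ended up in the same place" is worth automating when a narrowed profile is reused across an engagement: export the issues from the full-profile scan and from the narrowed scan, then confirm nothing at or above a chosen severity was lost. The script below is an added example, not part of the original post and not Burp Suite's code. Its sample documents follow the element layout of Burp's XML issue export as I understand it (issues/issue with type, name, host, path, location, severity, confidence); the host, paths and export time are constructed, the reflected XSS type index is Burp's published 0x00200300 in decimal, and the second issue's type index is an explicit placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports. Shape mirrors Burp's "Save selected issues" XML
# export as I understand it; the values are made up for this example.
FULL_EXPORT = """<issues exportTime="constructed sample">
  <issue>
    <serialNumber>1</serialNumber>
    <type>2097920</type>
    <name>Cross-site scripting (reflected)</name>
    <host ip="127.0.0.1">http://dvwa.local</host>
    <path>/vulnerabilities/xss_r/</path>
    <location>/vulnerabilities/xss_r/ [name parameter]</location>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <type>0</type>
    <name>Placeholder low-severity issue</name>
    <host ip="127.0.0.1">http://dvwa.local</host>
    <path>/vulnerabilities/xss_r/</path>
    <location>/vulnerabilities/xss_r/</location>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
</issues>"""

NARROW_EXPORT = """<issues exportTime="constructed sample">
  <issue>
    <serialNumber>1</serialNumber>
    <type>2097920</type>
    <name>Cross-site scripting (reflected)</name>
    <host ip="127.0.0.1">http://dvwa.local</host>
    <path>/vulnerabilities/xss_r/</path>
    <location>/vulnerabilities/xss_r/ [name parameter]</location>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>"""

_SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_issues(xml_text):
    """Map each issue to a key that identifies it independently of serial
    number: (type index, host, path, location) -> (name, severity)."""
    root = ET.fromstring(xml_text)
    issues = {}
    for issue in root.iter("issue"):
        key = tuple((issue.findtext(tag) or "").strip()
                    for tag in ("type", "host", "path", "location"))
        issues[key] = ((issue.findtext("name") or "").strip(),
                       (issue.findtext("severity") or "").strip())
    return issues


def compare_exports(full_xml, narrow_xml):
    """Names of issues found by both profiles, only by the full profile, and
    only by the narrowed profile."""
    full, narrow = parse_issues(full_xml), parse_issues(narrow_xml)
    return {
        "common": sorted(full[k][0] for k in full.keys() & narrow.keys()),
        "only_full": sorted(full[k][0] for k in full.keys() - narrow.keys()),
        "only_narrow": sorted(narrow[k][0] for k in narrow.keys() - full.keys()),
    }


def lost_findings(full_xml, narrow_xml, min_severity="High"):
    """Issues at or above min_severity that the full profile reported but the
    narrowed profile did not. An empty list means the narrowed profile kept
    the coverage that matters at that threshold."""
    full, narrow = parse_issues(full_xml), parse_issues(narrow_xml)
    threshold = _SEVERITY_RANK[min_severity]
    return sorted(name for key, (name, sev) in full.items()
                  if key not in narrow and _SEVERITY_RANK.get(sev, 0) >= threshold)


if __name__ == "__main__":
    print(compare_exports(FULL_EXPORT, NARROW_EXPORT))
    print("lost high-severity findings:", lost_findings(FULL_EXPORT, NARROW_EXPORT))
```

Keying on type, host, path and location rather than serial number is what makes two independent exports comparable; serial numbers restart per project. Lowering the threshold to "Low" in the sample reports the placeholder issue as lost, which is the expected trade-off of an XSS-only profile and a reminder to run the broad profile at least once per host.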