Parsia's Den

Because no one wants to be the other guy from Wham!

Apr 7, 2016 - 9 minute read - Comments - Burp Thick Client Proxying

Thick Client Proxying - Part 4: Burp in Proxy Chains

In this post I will talk about using Burp as part of a proxy chain. The number of applications that can be proxied by Burp and used with Burp in proxy chains is, for documentation purposes, infinite. Instead, I am going to demonstrate how to use some of the more commonly used tools with Burp in a proxy chain. All of this is going to happen on a Windows 7 Virtual Machine (VM).

These applications/utilities are:

  • Cygwin: I will use cURL commands for demonstration purposes.
  • IBM Appscan Standard: I will use the evaluation version.
  • Charles Proxy: For when you have to use multiple proxies.
  • Fiddler: Same as above.
  • SoapUI

You don’t need Burp Pro to play along, and apart from Appscan, all applications are free to use. For Appscan we will use the evaluation version, which is free for its demo test.

Apr 3, 2016 - 2 minute read - Comments - Not Security Migration to Hugo

Hugo Octopress Update

I have made a good number of changes to the Hugo-Octopress theme. As I have been using the theme more and more, I have realized there were a bunch of bugs (some were pointed out on GitHub).

Apart from bugs, I had hardcoded too many settings in the theme. For example, modifying the text in the sidebar could only be accomplished by changing the sidebar template. Ideally, the user should not need to modify anything in the theme, and it should be customizable by just using the config file.

In the end I created a bunch of issues on GitHub and then closed them myself. I am not quite sure if this is correct git but eh :D

Mar 29, 2016 - 10 minute read - Comments - Burp Thick Client Proxying

Thick Client Proxying - Part 2: Burp History, Intruder, Scanner and More

In part 1 I talked about some of Burp’s functionalities with regard to testing non-webapps. I did not expect it to be that long; originally I had intended to just share some quick tips that I use. Now you are forced to read my drivel.

In this part I will talk about Target > Scope, Proxy > HTTP History and Intruder/Scanner. I will discuss a bit of Scanner, Repeater and Comparer too, but there is not much to discuss for the last three. They are pretty straightforward.

Mar 27, 2016 - 9 minute read - Comments - Burp Thick Client Proxying

Thick Client Proxying - Part 1: Burp Interception and Proxy Listeners

Burp is not just used for web application testing. I usually use it during mobile and thick client tests. If the application is using HTTP methods then Burp is your best friend.

I am going to document a bunch of Burp tips and tricks that have helped me during my work. One purpose is to share it with the world and not be the other guy from Wham! (:D) and the other is to have it in an accessible place (similar to the cheat sheet in the menu).

In this part one, I talk about Interception and Proxy listeners, which are configured via Proxy > Options.

At the time of writing the current version of Burp Pro is 1.6.39 and most items should apply to the current Burp Free version (1.6.32). Most settings have not changed since I started working with Burp (v1.5). You can download Burp from: https://portswigger.net/burp/download.html.

When I started this, I did not think I had so much stuff to write about Burp, so I divided it into different parts. Please note that this is not targeted towards web application testing, so I may have skipped some functionalities. If you have any favorite tips or use cases and want them included with credit, please let me know. As usual, feedback is always welcome.

Feb 21, 2016 - 4 minute read - Comments - Burp Tutorial

Installing Burp Certificate Authority in Windows Certificate Store

I was writing another blog post and I realized that I keep repeating how to do the same things, so I decided to write some tutorial-ish things and just link them.

Burp uses custom certificates to Man-in-the-Middle (MitM) the traffic. All of these certificates are signed by Burp’s root Certificate Authority (CA). Each installation of Burp generates its own root CA that needs to be installed in the browser or Operating System’s certificate store to be recognized properly. Otherwise browsers will return warnings and some thick client applications will not recognize these certificates as valid.

Each installation of Burp generates its own root CA so it is unlikely that others can gain access to it and sign certificates to MitM your connection. To get the certificate’s private key, the attackers need to get to your local machine and if so they have better ways to look at your traffic anyway.

Alternate instructions by Portswigger: https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser

For instructions on installing/removing Burp’s CA in other browsers and devices please use Portswigger’s website: https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser.

Note: These instructions are for Burp version 1.6.37 Pro and 1.6.32 Free. For as long as I remember (v1.5), these instructions have not changed. They may change in the future, but I really doubt it.