Professional Documents
Culture Documents
Nahamcon23-Burp Automation
Nahamcon23-Burp Automation
2
Who am I?
Nicolas Grégoire
Twitter → @Agarri_FR and @MasteringBurp
Email → nicolas.gregoire@agarri.fr
Slides
https://www.agarri.fr/docs/nsec23-burp_tips_n_tricks.pdf
Video
https://www.youtube.com/watch?v=hslR6hE7fS8&t=25247s
5
NahamCon 2023
6
Running the testbed
7
Running the testbed
8
Handling CSRF tokens
in Intruder
9
Recursive Grep
In "Intruder > # > Payloads > Payload type"
Required configuration
How to start (initial payload)
How to progress (based on "Grep Extract")
When to stop (optional)
10
Mini App - Chall 01
Goal
Dump only valid users
Strategy
Attack type → Sniper
Payload type → Recursive Grep
11
CSRF tokens in Intruder
Easy to setup
Twice faster than session handling rules
Works only if the response contains a token
12
Mini App - Chall 02
Goal
Find a value between 1 and 50
While providing valid CSRF tokens
Strategy
Attack type → Pitchfork
Payload type → Recursive Grep
13
Intro to
session handling rules
14
Terminology
Cookie jar
Place where the cookies are stored (like in a browser)
Macro
Sequence of HTTP requests
Execution is triggered by a session handling rule
Session tracer
Live debugger for macros and rules
15
Default behavior
Proxy
Cookies are written to the cookie jar
Scanner
Cookies are read from the cookie jar
16
Session management
for Web apps
17
Session management
for Web apps
18
Overview
19
Configure the macro
21
Mini App - Chall 02
Using Intruder
Attack type: "Sniper"
22
Session management
for Web APIs
23
Overview of Juice Shop
Known account
jim@juice-sh.op / ncc-1701 (feel free to create your own)
24
Session management
for Web APIs
25
Static authz header
26
Session management
for Web APIs
27
Dynamic authz header
28
Dynamic authz header
29
Dynamic authz header
31
Session management
for Web APIs
32
Cached authz header
33
Cached authz header
34
Cached authz header
35
Cached authz header
36
Thanks for listening!