
Burpsuite for Pentester: Autorize

Web application security testing is an essential part of protecting online assets. Burp Suite has been a leader in this area for many years and is still used by security professionals and ethical hackers alike. One extension that stands out in the web security testing community is "Autorize", which adds a wide range of features to Burp's capabilities. In particular, it offers a powerful set of features that simplify authentication and authorization testing.

Autorize = Authenticate + Authorize

Authorization covers any method by which a system grants or revokes permission to access specific data or actions. Authentication, on the other hand, is the process by which an individual or system proves that it is who it claims to be.

·       Common vulnerabilities detected by Autorize

·       Understanding the Functionality

·       Installation and Setup

·       Navigation and Configuration options

·       Practical Demonstration of Autorize in Action

Common vulnerabilities detected by Autorize

Autorize is primarily focused on identifying authorization-related vulnerabilities. It can help identify some of the main types of such vulnerabilities, including:

·       Inadequate Role-Based Access Control (RBAC): It can uncover issues where user roles or permissions are not properly enforced, allowing users to access functionality or data they shouldn't have access to.

·       Broken Access Controls: It can identify instances where access controls are not correctly implemented, leading to unauthorized access to resources or actions.

·       Insecure Direct Object References (IDOR): It can find situations where attackers can manipulate input to access other users' data or perform actions they shouldn't be able to.

·       Forced Browsing: It can help identify cases where an attacker can navigate directly to restricted areas of the application by manipulating URLs.

·       Insufficient Authorization: It may detect situations where user roles or permissions are not properly enforced, allowing unauthorized actions to be performed.

·       Horizontal and Vertical Privilege Escalation: It can find vulnerabilities that enable attackers to escalate their privileges within the application, either by impersonating other users or gaining additional permissions.

·       Business Logic Flaws: Autorize may discover business logic vulnerabilities, where application workflows can be manipulated in unintended ways, potentially leading to unauthorized actions or data exposure.

Remember that the effectiveness of Autorize depends on how well it is configured and how carefully your tests are carried out.

Understanding the working of Autorize

Let’s understand how Autorize works. Suppose, for instance, a web application implements user-based roles and supports cookie-based authentication.

Normal User: has access to general functionality but is not allowed to access admin functions and database (read-only access).

Admin User: has access to all functionality (read/write access).

Capture the normal user's cookies and add them to Autorize. Then log in again as the Admin user, access all the admin functionality and update some data in the database.

What does Autorize do now? While you browse the application, Autorize captures every request, replaces the administrator's cookie with the normal user's cookies and sends the modified request to the server. It then inspects the server's response: if the server behaves the same way as it did for the legitimate Admin (for example 200 OK and no error detected), the request is highlighted in red as Bypassed!. Otherwise the request is shown in green as Enforced!.

For every request the client sends to the server, Autorize performs this automated test. With a large application of 30+ dynamic pages this eases the work considerably: instead of testing many URLs by hand, Autorize does it for you.

Autorize detects API endpoint problems in the same way; only the authentication method used by the API needs to be checked. For example, if an API uses a JWT token, you can configure Autorize to substitute its Authorization header and so identify authorization bypass issues in the API.

Installation and Setup

You can download and install the extension from the BApp Store. Select BApp Store under Extensions, search for 'Autorize' or simply scroll down to it, click on it, and scroll down on the right-hand side.

Because the extension is written in Python, you will see that 'Jython' needs to be installed first.




Browse to the link below and download 'Jython Standalone'.

Refer to this link: https://www.jython.org/download.html

After downloading, go to Settings > Extensions and, on the right-hand side under Python Environment, browse to the Jython file. The Jython environment is now set up.



Restart Burp and follow the same path to install Autorize from the BApp Store. You'll notice that the Install button is now enabled; click it to install.



The Autorize tab will appear in the tab bar after successful installation.

Navigating and Configuration Options

There are two tabs under the Autorize section: the Request/Response Viewers tab and the Configuration tab.

Request/Response Viewers: this tab shows complete information about whichever captured request you select in Autorize. The manipulated request is shown under Modified Request, the Original Request tab shows the original (unmodified) request, and the Unauthenticated Request tab shows the request with authentication removed.



Configuration: under the Configuration tab you will see that Autorize is off by default; when you are ready to capture requests, turn Autorize on first. There are also some options for which requests to capture and which server status codes to consider; select them according to your preference.

In the Temporary header box, enter the normal user's token/cookie/header value that you want substituted into the actual request, i.e. if the application uses a JWT token as its auth mechanism, put that token value here.

You can either add the auth value manually or use the option below it to fetch it from the last request: click 'Fetch Cookies header' to take the Cookie header from the last request, or 'Fetch Authorization header' to take the Authorization header.

Generally, session cookies are carried in the Cookie header and auth tokens in the Authorization header.



Once the session cookies are loaded, you need to tell Autorize which requests to intercept and what the application's normal behavior is when it handles unauthenticated requests or requests with insufficient permissions.

Start with the Enforcement Detector: enter a characteristic of the application's response that can be expected when a user with limited privileges tries to perform an action for which they lack sufficient permissions. In my practice, I've found that utilizing the "Body (simple string): enforced message body contains" option is the simplest to set up and functions effectively. Choose the type and content that fit your specific needs and remember to click the "Add filter" button.



Note that Autorize defaults to "And" when combining multiple filters. Therefore, if the application produces distinct error messages, such as one for trying to read a file and another for attempting to access administrative features, create a filter for each message and switch the "And" to "Or".

Follow the same procedure for the Unauthenticated Detector.

 


The interception filter intercepts "Scope items only" regardless of content, and from those requests it ignores spider requests and URLs with image extensions. Choose according to your preference and click "Add filter" once the type is selected.



Match/Replace is another feature. Use it when you need to change a specific header or body parameter in the request that Autorize sends. Suppose the request body carries a parameter named 'u.name' that has to be replaced by an admin EID, e.g. "a.name", for the access check to be exercised properly. You can tell Autorize to do that by adding the rule here.

 


 

You can select the types of requests you want to see under the Table Filter bar:

·       Bypassed!: the endpoint may be vulnerable to IDOR,

·       Is enforced!: the endpoint seems to be protected, but re-check it once,

·       Enforced!: the endpoint is clearly protected against IDOR.
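The replay-and-compare logic described above (replace the admin cookie, resend, compare against the detector filters with "And"/"Or", then label the row) as an added Python example; this is not the extension's own code, and the three-way verdict rule, the filter kinds beyond "body contains" and the sample traffic are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Response:
    """Constructed, minimal model of an HTTP response (not Autorize's own class)."""
    status: int
    body: str


@dataclass
class DetectorFilter:
    """One detector rule. 'body_contains' mirrors the page's
    'Body (simple string): enforced message body contains' option;
    'status_equals' and 'body_regex' are assumed extras."""
    kind: str
    value: str

    def matches(self, resp: Response) -> bool:
        if self.kind == "body_contains":
            return self.value in resp.body
        if self.kind == "status_equals":
            return resp.status == int(self.value)
        if self.kind == "body_regex":
            return re.search(self.value, resp.body) is not None
        raise ValueError(f"unknown filter kind {self.kind!r}")


def detector_fires(resp: Response, filters: List[DetectorFilter], mode: str = "And") -> bool:
    """Combine filters the way the Configuration tab does: 'And' is the default,
    'Or' is what you switch to when the app has several distinct error messages."""
    if not filters:
        return False
    hits = [f.matches(resp) for f in filters]
    return all(hits) if mode == "And" else any(hits)


def verdict(original: Response, replayed: Response, filters, mode: str = "And") -> str:
    """Assumed approximation of Autorize's three statuses for one replayed request:
    detector fired -> Enforced!; identical status and body length -> Bypassed!;
    differs but matched no filter -> Is enforced! (look at it by hand)."""
    if detector_fires(replayed, filters, mode):
        return "Enforced!"
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"
    return "Is enforced!"


# Constructed traffic for the two-user scenario: the admin browses, Autorize replays
# each request once with the normal user's cookie and once with no cookie at all.
ENFORCED = [DetectorFilter("body_contains", "You do not have permission")]
UNAUTH = [DetectorFilter("body_contains", "Please log in")]
DENY = Response(403, "You do not have permission to access this page")
LOGIN = Response(302, "Please log in")

TRAFFIC = [
    # (path, admin's original response, replay as normal user, replay unauthenticated)
    ("/admin", Response(200, "<ul><li>alice</li></ul>"), DENY, LOGIN),
    ("/admin/delete?username=alice", Response(302, ""), Response(302, ""), LOGIN),
    ("/my-account", Response(200, "Your username is: administrator"),
     Response(200, "Your username is: wiener"), LOGIN),
    # public page: 'Bypassed!' here is a false positive you must cross-check
    ("/product?productId=1", Response(200, "Widget"), Response(200, "Widget"),
     Response(200, "Widget")),
]


def run_table(traffic=TRAFFIC):
    """Rows of the Autorize table: (path, Authz. Status, Unauth. Status)."""
    rows = []
    for path, orig, as_user, as_nobody in traffic:
        rows.append((path, verdict(orig, as_user, ENFORCED), verdict(orig, as_nobody, UNAUTH)))
    return rows


if __name__ == "__main__":
    for path, authz, unauth in run_table():
        print(f"{path:32} Authz: {authz:13} Unauth: {unauth}")
```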




You can save and export the data for further analysis under the Save/Restore tab.

 


Practical Demonstration of Autorize in Action

Let's do a quick demonstration. For this practical we use the pre-built PortSwigger lab "Method-based access control can be circumvented". Click "Access the lab" and browse the application.

The lab demonstrates a Broken Access Control vulnerability with two users of different roles, a higher-privilege and a lower-privilege user. The same concept applies to users at the same privilege level.

 


First, we have to capture the cookies of the low-privileged user (normal user). We use the default normal user credentials,

Wiener:peter

and log into the application to capture the session cookie.

 


 

Update some more details.



You will see the captured session cookie in the login request below. Copy this Cookie header.

 


Add this cookie header value in the Autorize tab as shown below,

 


 

And turn Autorize on.

 


To check for the auth bypass, we now log in as the high-privilege (admin) user. Go to the login page again and log in with the admin credentials,

Administrator:admin

 


After logging in successfully and browsing all the admin-only URLs, you will see some highlighted requests under the Autorize tab.

The Authz. Status column indicates which endpoints are accessible to wiener (the normal user).

The Unauth. Status column pertains to unauthenticated users: Autorize strips the cookie and all authorization headers before replaying. You can disable this check by deselecting the "Check unauthenticated" option in the Autorize configuration tab.

Red [Bypassed!]: the endpoint could be vulnerable to access control/IDOR issues.

Orange [Is enforced!]: the endpoint seems to be protected, but cross-check manually by replacing the cookie value.

Green [Enforced!]: the endpoint is clearly protected against access control/IDOR issues.

 


As visible in the image above, requests 1, 2, 6 and 7 have a Broken Access Control issue.

Keep in mind not to follow the Autorize result blindly: a red highlight does not mean that every such endpoint is vulnerable or bypassed. There may be false positives, so you must cross-check.

Another possible scenario: suppose you are testing for auth issues with two users at the same privilege level. You may then see Authz. Status showing Bypassed! while Unauth. Status shows Enforced!. In that case the request reveals improper authorization: the endpoint can be accessed by the second user, but authorization is correctly enforced against unauthenticated users.

When you select any highlighted request, the right-hand side shows detailed information about the modified, original and unauthenticated requests and responses.



That's a wrap for now. Cheers!

Conclusion

For carrying out comprehensive security reviews, the Autorize Burp extension is an essential tool. By automating the authentication handling and enabling the testing of restricted areas, it improves the efficiency and effectiveness of security assessments. It is indispensable for conducting thorough tests and identifying potential vulnerabilities that may only be reachable by authenticated users.

Easy way to Generate Reverse Shell


In this article, we will learn how to get a reverse shell in a few easy steps. Usually, the problem with reverse shell commands is remembering their long and complicated syntax. But thanks to the growing role of AI and automation in our digital world, this problem has been tackled. Let's see how it is done in this article.

Table of Content

·       What is Reverse Shell?

·       Types of Reverse Shell

·       Working of Reverse Shell

·       Reverse Shell Generator – 1

·       Reverse Shell Generator – 2

·       Hack tool

·       Shellz

·       Mitigation

 

What is Reverse Shell?

 

A reverse shell is a technique used in computer security and hacking that lets an attacker control a system through a network connection that the target itself establishes. Reverse shells can be used for various purposes, including unauthorized access, data theft and further exploitation of the compromised system.

Unlike a bind shell, where the attacker connects in to the target, a reverse shell works in the opposite direction: the target connects out to the attacker.

 

Here's a basic explanation of how a reverse shell typically works:

 

Listener/Server Side: The attacker sets up a listener (command and control/C2 server) on a machine they control. This listener waits for incoming connections.

 

Victim/Client Side: The attacker somehow tricks the target system into connecting back to their machine. This could be through techniques like exploiting vulnerabilities, social engineering, or other means.

 

Connection Establishment: Once the connection is established, the attacker gains a command shell on the target system. This shell allows them to execute commands on the target machine as if they were physically present.

Command Execution: The attacker can then issue commands on the target system, navigate the file system, run programs, and essentially control the system remotely.

 

 

 

 

Types of Reverse Shell

 

Reverse shell payloads are typically used by attackers to establish a connection back to their system. These payloads can be part of various hacking tools and frameworks. Here are some common types of reverse shell payloads:

 

Netcat (nc): Netcat is a versatile networking utility that can be used to create a basic reverse shell. The attacker sets up a listener using Netcat, and the victim connects back to it, establishing a shell.

Bash (Linux): A simple reverse shell can be achieved using Bash, the command shell for Unix-based operating systems. The attacker might use a one-liner command to create a reverse shell.

Python: Python is a powerful scripting language, and attackers often use it to create reverse shells. They can write a short script that opens a network connection and redirects input/output to that connection.

PowerShell (Windows): On Windows systems, PowerShell is a command-line shell that supports scripting. Attackers might use PowerShell to create reverse shells for Windows-based targets.

PHP: PHP is a server-side scripting language, and attackers can craft PHP scripts to establish reverse shell connections. These scripts are often injected into vulnerable web applications.

Ruby: Similar to Python, Ruby is a scripting language that can be used to create reverse shell payloads. Attackers might use Ruby scripts to exploit vulnerabilities and gain control over a system.

Metasploit Framework: Metasploit is a penetration testing framework that includes a variety of tools for exploiting vulnerabilities. It provides pre-built reverse shell payloads for different scenarios and platforms.

Java: Java-based reverse shells can be created to exploit systems where Java is installed. Attackers can use Java sockets to establish a connection back to their server.

C and C++: Attackers may also write custom reverse shell code in lower-level languages like C and C++ to avoid detection by antivirus software and intrusion detection systems.

 

Working of Reverse Shells

 

A reverse shell operates by initiating a connection from the target machine to the attacker's machine. The attacker's machine runs a listener that waits for this incoming connection; once it arrives, the attacker sends commands over it.

 




 

Various Types of Reverse Shell Generators

To create a reverse shell, we need a reverse shell command and a listener command. To generate them, go to the following website:

 

Online Tool- Reverse Shell Generator -1

 

Once www.revshells.com is loaded, enter your Listener IP <Attacker IP> and Listener Port <Random Port>; as soon as you do, the listener and reverse shell commands are generated as shown in the image below. Execute the reverse shell command on the victim's system and run the listener on your attacking machine. Once you do this, you will have your reverse shell.



 

As you can see in the image below, there are various listener options you can create, such as powercat, busybox nc, socat, etc. Here we have created a netcat listener. For the reverse shell itself there are options such as bash, perl, ruby, nc -c and many more.

From the image below you can also observe that you can create such reverse shell commands for all the operating systems such as Linux, Windows and Mac.

 


This reverse shell generator also provides the option to create a Hoaxshell payload, which is a PowerShell payload for Windows. This is shown in the image below:




Reverse Shell Generator – 2

This is an amazing Online reverse shell generator. To use this generator, go to the following website:

www.tex2e.github.io/reverse-shell-generator/index.html

Once you are on the website, click on 'RevShell' in the menu bar. Then enter your Local Host and Local Port as shown in the image below and click the 'Submit' button. You will then have your listener, and at the same time the tool generates multiple reverse shell commands for various operating systems, as shown in the image below:



HackTool

HackTools is an all-in-one browser extension designed for Red Team web pentesters. It streamlines web application penetration tests by providing cheat sheets and an array of essential tools, including XSS payloads, reverse shells, and more. This extension eliminates the need to search for payloads on different websites or in your local storage, offering one-click access to most tools.

Download the HackTools extension from the following link:

https://addons.mozilla.org/en-US/firefox/addon/hacktools/

 





Once the extension is installed, open it through the full screen option. From the side bar go to the Reverse Shell option and enter your Local Host and Local Port along with the type of shell you want to create, as shown in the image below. It will then generate various reverse shells for you to use:

 

 


Through HackTools you can also create a PHP reverse shell: click the second option on the side bar and enter your Local Host and Local Port. The extension then generates various PHP reverse shells. Download one, run it on the victim's system and you have a reverse shell.



 

Shellz

Shellz is a third-party tool that makes creating reverse shells a piece of cake. To download and install Shellz, use the following commands, as shown in the image below:

git clone https://github.com/4ndr34s/shells

cd shells

./install.sh

 

 


Once the tool is running, it asks which type of reverse shell you want to create. As we wanted a bash shell, we chose option 3, as shown in the image below:



After choosing the type of shell, it asks for the Local IP and Local Port. Now choose the type of your IP, as shown in the image below:



After this, it asks whether you want to encode your shell. Choose whatever option you like; as we did not want to encode our shell, we chose option 1, as shown in the image below:

 



Finally, it gives you the reverse shell command to execute on the victim's system. Then it asks which type of listener you want to create. Here we chose the netcat listener by typing 1, as shown in the image below:



 

After this, you can tell the tool where you want your session: either the same window or a new terminal window, as we have done. Voila! You will have your session, as shown in the image below:



To our knowledge, these were the four easiest methods to create reverse shells. If you google "reverse shell generator", you will get multiple other results you can use too.



Just like shown in the image above, you can choose and try any method or website you like.

Mitigation

To defend against reverse shells, it's essential to implement strong security measures, including firewalls, intrusion detection systems, and regular software updates. Security professionals should monitor network traffic for suspicious activity and follow best practices for secure system administration. 
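As an added, defender-side Python example (not from the original post or any tool named above), here is the kind of network-traffic check the mitigation paragraph calls for: it parses `ss -tnp`-style socket lines and flags the signature all the reverse shell types above share, an interpreter or shell whose established outbound connection is wired to its standard input/output. The watch list, the port heuristic and the sample output are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process names that, when holding an established outbound TCP connection, are the
# usual vehicles for the reverse shell types listed above (assumed watch list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby",
                "php", "nc", "ncat", "socat", "pwsh", "java"}

# One line of `ss -tnp` output, e.g.
# ESTAB 0 0 10.0.2.15:49822 10.0.2.9:4444 users:(("bash",pid=2311,fd=0))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)\)')


@dataclass
class Socket:
    state: str
    local: str
    peer: str
    proc: str
    pid: int
    fd: int


def parse_ss(text: str) -> List[Socket]:
    """Parse the lines we understand; anything else (headers, UDP, odd formats) is skipped."""
    socks = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            socks.append(Socket(m["state"], m["local"], m["peer"], m["proc"],
                                int(m["pid"]), int(m["fd"])))
    return socks


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def suspicion(s: Socket) -> Optional[str]:
    """Why this socket looks like a reverse shell, or None.
    Strongest signal: the process's stdin/stdout/stderr (fd 0-2) *is* the socket,
    which is what redirecting a shell's I/O to a network connection produces.
    Weaker signal: a shell/interpreter holding any established client-side connection."""
    if s.state != "ESTAB":
        return None
    if s.fd <= 2:
        return f"stdio (fd={s.fd}) attached to socket, peer {s.peer}"
    if s.proc.lower() in INTERPRETERS and port_of(s.local) >= 1024:
        return f"interpreter {s.proc} with outbound connection to {s.peer}"
    return None


def find_reverse_shells(ss_output: str) -> List[Tuple[int, str, str]]:
    """Return (pid, process, reason) for every suspicious socket, in listing order."""
    findings = []
    for s in parse_ss(ss_output):
        why = suspicion(s)
        if why:
            findings.append((s.pid, s.proc, why))
    return findings


# Constructed sample: an ssh session, a browser, two reverse shells and a listener.
SAMPLE = """\
ESTAB  0 0   10.0.2.15:22     10.0.2.2:51234    users:(("sshd",pid=812,fd=4))
ESTAB  0 0   10.0.2.15:38412  142.250.1.1:443   users:(("firefox",pid=1020,fd=55))
ESTAB  0 0   10.0.2.15:49822  10.0.2.9:4444     users:(("bash",pid=2311,fd=0))
ESTAB  0 0   10.0.2.15:49830  10.0.2.9:4444     users:(("python3",pid=2320,fd=3))
LISTEN 0 128 0.0.0.0:80       0.0.0.0:*         users:(("nginx",pid=700,fd=6))
"""

if __name__ == "__main__":
    for pid, proc, why in find_reverse_shells(SAMPLE):
        print(f"pid {pid} ({proc}): {why}")
```

On a real host, feed it `ss -tnp` output taken as root so the process column is populated; treat hits as leads to triage, not verdicts.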



Burpsuite for Pentester: Logger++

Burp Logger++: A Powerful Extension

 

In this article, we'll learn about a powerful Burp extension called "Burp Logger++". It is like a super detective for websites, always on the lookout for hidden problems. It is an extra feature you can add to Burp, which many web experts use to find issues on websites.

Suppose you are a web explorer, and you want to know everything about a website. Burp Logger++ is like your trusty notebook. It is super helpful because it has a magical filter. You can tell it what kind of information you are looking for, and it will only show you those things.

With Burp Logger++, you can also color-code things. Think of it like using different colors to highlight the most important parts of a picture. This helps you spot the important stuff quickly.

·       Setting Up & Navigating

·       Query-Based Filter

·       Filter Library

·       Regex-Based Filter

·       Export Data Feature

Setting Up & Navigating

You can download and install the extension from the BApp Store. Go to Extensions > BApp Store, then search for Logger++ or simply scroll down to it.

Click on it, then scroll down on the right-hand side and install it.



After successful installation, it will appear on the tab bar.

 


Navigating

There are a lot of options visible. First, let's explore the "Options" tab to discover which advanced settings this extension includes.

 


Navigate to "Options" to see the various log filter options. It lets you customize the logging settings to your preference.



Logger++ is running by default. Here are some other important settings:

·       Log Filter: lets you exclude the requests you don't need to record for analysis, or turn logging off when not in use.

·       Log From: lets you choose the specific sources you want to capture logs from.

·       Import: lets you import log data from CSV files and OWASP ZAP reports.

·       Export: lets you export the log data for further analysis.

Depending on your preferences, you can use a different configuration. We stick with the default settings for now.

Query-Based Filter

The View Logs tab contains all the logs. Using the website "vulnweb" as an example, browse it and scan the entire site; all the logs will show up here under the View Logs tab.



Now, go to Signup. To capture the logs for the credentials, enter the test login details:

Username: test

Password: test

then click on "Login".



Let’s update some more details to capture more requests for further analysis.



You can see that all requests have been captured here in View Logs.



Magical Filter

You can use filters to selectively view or manipulate HTTP requests and responses. They help you focus on specific aspects of the web traffic and are especially useful during security testing. The filter is query-based: it accepts a logical query and returns the entries that match it.

You have some advanced choices with the filter options:

·       Entry: filter according to number, tool, tags, InScope and other criteria.




·       Request: filter on the request itself using many options such as header, body, URL, method, parameters, cookies, etc., as shown below:



·       Response: filter on the response using options such as header, body, Inferred Type, method, parameters, cookies, etc., as shown below:



Scenario 1: Suppose you only want to view the HTTP POST requests from all the logs. The HTTP method is part of the HTTP request.

Go to Filter bar > right click > Select Request > Select Method

The method is now selected and visible in the filter bar.



Query: Request.Method == "POST"

Then hit Enter. As a result, only HTTP POST requests appear.





Scenario 2: Taking another example, suppose we only want to view the requests that contain any username information.

Go to Filter bar > right click > Select Request > Select Body

Query: Request.Body CONTAINS "uname"

As a result, the following request is highlighted:



Below are some useful queries that come in handy during penetration testing.

Some Useful Filter Queries

JSON Injection (check for JSON responses only)

Response.InferredType == "json"

Injection Attacks (check for HTML, XML, JSON)

Response.InferredType IN ["json", "html", "xml"]

Disclosed Server Information

Response.Header CONTAINS "Server:"

Exposed Sensitive File

Response.Body CONTAINS [".git", ".config", ".zip", ".swf", ".doc", ".pdf", ".xlsx", ".csv"]

Exposed Sensitive Path

Request.Path CONTAINS ["/git", "/etc", "/var"]

Request.Path MATCHES "/account*"

Sensitive Parameter in Query String

Request.Path CONTAINS ["id", "username", "password", "role", "IsAdmin"]

Sensitive Parameter in Request

Request.Body CONTAINS ["id", "username", "password", "token", "role", "EnterpriseID", "IsAdmin"]

Missing Robots.txt

Request.Path MATCHES "/robots.txt"

CORS Misconfiguration

Response.Header MATCHES "Access-Control-Allow-Origin: *"

Check for CSRF Token

Request.Method == "POST" AND Request.Body CONTAINS "csrf"

URL Redirection

Request.Path CONTAINS ["redirect=", "page=", "url=", "index.page="]
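To show how the query-based filter and the Grep Values tab behave on real rows, here is an added Python example (not Logger++'s own code) that evaluates queries in the form used above (==, !=, CONTAINS, IN, MATCHES, joined by AND/OR) against a constructed log and extracts unique regex matches; the supported subset of the grammar, the "list means any of" reading of CONTAINS, regex-search semantics for MATCHES and the sample entries are assumptions.

```python
import ast
import re
from dataclasses import dataclass
from typing import List


@dataclass
class LogEntry:
    """Constructed model of one View Logs row (not Logger++'s own class)."""
    method: str
    path: str
    req_headers: str
    req_body: str
    resp_headers: str
    resp_body: str
    inferred_type: str

    def field(self, name: str) -> str:
        """Map the dotted names used in the filter bar (case-insensitive) onto row values."""
        table = {
            "request.method": self.method, "request.path": self.path,
            "request.header": self.req_headers, "request.body": self.req_body,
            "response.header": self.resp_headers, "response.body": self.resp_body,
            "response.inferredtype": self.inferred_type,
        }
        return table[name.lower()]


CLAUSE = re.compile(r'^\s*([\w.]+)\s+(==|!=|CONTAINS|IN|MATCHES)\s+(.+?)\s*$', re.I)
JOIN = re.compile(r'\s+(AND|OR)\s+', re.I)   # split keeps the operator as a token


def eval_clause(entry: LogEntry, clause: str) -> bool:
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError(f"cannot parse clause {clause!r}")
    name, op, raw = m.group(1), m.group(2).upper(), m.group(3)
    value = ast.literal_eval(raw)          # "POST" -> str, ["json", "html"] -> list
    actual = entry.field(name)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "IN":
        return actual in value
    if op == "CONTAINS":                   # assumption: a list means "any of these"
        needles = value if isinstance(value, list) else [value]
        return any(n in actual for n in needles)
    return re.search(value, actual) is not None   # MATCHES, treated as regex search


def evaluate(entry: LogEntry, query: str) -> bool:
    """Left-to-right AND/OR chain without parentheses (assumed subset of the grammar).
    Caveat: an ' AND ' or ' OR ' inside a quoted value would be split as well."""
    parts = JOIN.split(query)
    result = eval_clause(entry, parts[0])
    for i in range(1, len(parts), 2):
        rhs = eval_clause(entry, parts[i + 1])
        result = (result and rhs) if parts[i].upper() == "AND" else (result or rhs)
    return result


def matching_paths(entries: List[LogEntry], query: str) -> List[str]:
    return [e.path for e in entries if evaluate(e, query)]


def grep_values(entries, pattern: str, where=("request", "response")) -> List[str]:
    """The Grep Values tab's 'Unique Results': each distinct regex match, in order seen."""
    rx = re.compile(pattern)
    seen: List[str] = []
    for e in entries:
        texts = []
        if "request" in where:
            texts += [e.req_headers, e.req_body]
        if "response" in where:
            texts += [e.resp_headers, e.resp_body]
        for text in texts:
            for m in rx.finditer(text):
                if m.group(0) not in seen:
                    seen.append(m.group(0))
    return seen


# Constructed log of a short browsing session (all values invented).
LOG = [
    LogEntry("GET", "/", "Host: 10.10.1.10", "",
             "Server: nginx/1.18.0\r\nContent-Type: text/html", "<html>home</html>", "html"),
    LogEntry("POST", "/login.php", "Host: 10.10.1.10", "uname=test&pass=test",
             "Location: /userinfo.php", "", "html"),
    LogEntry("GET", "/userinfo.php", "Host: 10.10.1.10", "",
             "Content-Type: text/html", "<p>test@example.com</p>", "html"),
    LogEntry("POST", "/api/profile", "Host: 10.10.1.10", '{"csrf":"abc","role":"user"}',
             "Access-Control-Allow-Origin: *\r\nContent-Type: application/json",
             '{"ok":true}', "json"),
    LogEntry("GET", "/robots.txt", "Host: 10.10.1.10", "", "Content-Type: text/plain", "", "text"),
]
```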

 

Filter Library

The Filter Library lets us use saved or pre-configured filters directly. When you start testing, you do not have to type or remember the filter query strings manually.



Click on "Add Snippet". Two values must be added:

·       Alias: any alias name for your query string.

·       Snippet: the query string itself.

As you can see below, I have added a filter for

Request_Type: Request.Method == "POST"



You no longer have to type repeatedly to find only POST requests. You can color-code this request so that the highlighted request stands out among all captured requests on the View Logs page.

Click on Use as Color LogFilter > Select Background Color > check Enable and save it.



All POST requests are now highlighted in "Dark-Red" on this page.



Similarly, you can save whole test scenarios in the Filter Library. There are two ways to invoke a saved filter:

Method 1: In Filter Library, click on Set as LogFilter.

 


It runs the query directly and displays the desired result.



Method 2: Use "#" followed by the alias name directly in the filter bar.



And hit enter. The equivalent outcome will appear as follows:



Regex-Based Filter

Burp Logger's regex filter is a powerful feature that helps web security professionals pinpoint specific data within the vast sea of information during security testing.

You need to specify a regular expression (regex) pattern. This pattern acts like a search query, telling Burp Logger++ what kind of data you want to capture. You can write regex patterns to find data such as email addresses, IP addresses, server-side error messages, disclosed software versions, exposed API keys, etc.

Go to Logger++ and click on the Grep Values tab. Here you can see more filters to narrow the search:

·       Search Response = search only in responses.

·       Search Request = search only in requests.

·       In Scope Only = if you added the target URL to Scope, search only within the scoped target.

For now, search through every request and response. As an example, if you want to find email addresses in the web traffic, your regex pattern might look like:

Regex: [\w\.-]+@[\w\.-]+.

Directly paste this expression under Regex bar and press enter.



Consequently, the /userinfo.php request, which includes the email address mentioned above, is displayed.

You have two ways to look at the results: search through the complete request/response manually, or click on Unique Results, where only the values matching the regex are listed.

 




Similarly, let's check for IP addresses:

Regex: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b



It is evident that a POST request contains the IP address 10.10.1.10.

In the same way you can check for other important information, for example whether the web traffic contains any FTP, HTTP or WWW references:

Regex: \b(ftp|www|http)[^\s]+

For reference, the following link includes helpful regexes for finding disclosed server versions in error information:

https://github.com/lwierzbicki/RegexFinder/blob/main/burp.regex.tsv

 

Export Data Feature

Burp Logger's data export feature is a valuable tool for web security professionals. It allows you to save, analyze, and share the captured data efficiently, making it an essential tool for documenting findings, performing in-depth analysis, and collaborating with others in the field of web security.

Why is the Export Data feature helpful?

·       Data Preservation: Exporting data from the Logger++ allows you to save a record of your testing session. This is essential for documentation and analysis.

·       External Analysis: By exporting data, you can use external tools or software to perform in-depth analysis, generate reports, or share findings with team members.

·       Archiving Evidence: It helps in preserving evidence of potential vulnerabilities or security issues discovered during testing, which is crucial for audits and compliance.

·       Collaboration: Exported data can be easily shared with colleagues or experts for collaborative analysis, making it an asset in team-based security testing.

·       Customization: Depending on the export format chosen, you can tailor the exported data to meet specific reporting or analysis requirements.

Supported Formats:

·       Base64 JSON Format: Base64-encoded data is often used to include binary data within a JSON structure.

·       JSON Format: JSON is a lightweight data-interchange format used for structured data.

·       CSV Format: CSV files are widely supported and can be opened in spreadsheet software like Microsoft Excel or Google Sheets.

·       HAR Format: HTTP Archive (HAR) format is used for capturing and storing the performance-related data. The HAR format contains detailed information about HTTP requests and responses.



For example, suppose you want to export all POST requests for further analysis.

Select the associated requests > right click > Export entries as > Export as CSV




Now Select All > Save > enter the file name and click OK.



Save the result to your system for offline analysis. When you examine the CSV file, it contains all the values you chose to save.

You may select only the required values to store, based on your needs.



That’s All, Cheers!!!

Conclusion

People like Burp Logger++ because it makes their job easier. It is like a smart friend who helps you find hidden treasures (or problems) on websites. With its filters and colorful highlights, it has superpowers for website exploration.

So, if you are a web detective, it is a tool that will make your job much more fun and efficient. Give it a try and see how it can help you on your web adventures!

 

Author: Megha is a Certified Security Professional with extensive experience. She is a passionate Researcher and Technical Writer at Hacking Articles. Contact here.