-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label bug bounty program. Show all posts
Showing posts with label bug bounty program. Show all posts
  • How to approach target in bug bounty ?

     

    How to approach target in bug bounty ?



    Every bug bounty hunter began by reporting low-hanging bugs and minor problems that business didn't care about at the time.

     

    1) Architecture Based Approach


    First find the technologies used by the website.

    For finding use this tool:

    • Wappalyzer
    • Buildwith



    Then you can find if there are any CVE or public exploits related to the technology the web app.

    You can read through documentations and bug bounty reports related to each dependencies. Find out what the most common mistakes that can be made by developer.

    If you are a beginner, it would takes quite long time to understand each technologies behind. This approach works well on modern web app.



    2) Asset-based Approach


    Bug hunters using this approach heavily relies on tools to find out as many assets as possible.


    For example -

    • Use sublist3r to find all subdomains
    • Use gau to fetch all URL.
    • Discover all IPs belonged to the target.



    Then you need to have a proper way to sort out and analyze the information obtained. This approach works well if the target has wide scope (eg. Facebook, Microsoft, Google).

    To become successful in this approach, You better familiar with some bash scripting or use python to automate some tasks. Also it might create a lot of unneccessary noice to the target and might lead to ip ban from the target.

    Read more about what bug you want to Report :- Click Here



    3) Function based approach


    In this approach start testing the website as the normal user uses it and use burp suite to record all request/response. Then, try to do something that is not supposed to do, access some URL that is not authentication to do so. Creativity is a key to be successful in this approach. Here are some of the type of information that should be gathered on your target:

    • Create a list of all the subdomains and IPs that belong to the target.
    • Find information about the type of software and services the site uses.
    • Check if they have a github account?
    • check the robots.txt file
    • Does the site have any input forms, any parameters in the URLs?
    • Start hunting as soon as any organization introduces the program.


    Read more about Burp Suite Tutorial :- Click Here



    Conclusion:



    You can read more bug hunting report and find out more yourself. Then, you can mix and match these approaches and techniques.

    As time passes you would find yourself developed your own methodology and getting smooth in bug hunting.


    Disclaimer

     
     
    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

  • What bug you want to Report

     

    What bug you want to Report


     

     

    What bug you want to Report?

     

    A bug report contains device logs, stack traces, and other diagnostic information to help you find and fix bugs in your app.



    Authentication Bypass


    Authentication Bypass is a dangerous vulnerability which is found in Web-Applications. Attackers can bypass the control mechanisms which are used by the underlying web application like OTP, Captcha, 2FA, Email verification etc.
    An Attacker can perform a  complete Account takeover of Victim.


    Severity :   High 

    Complexity : Easy

    From : Remote / External




    Impact : An Adversary can carry out Auth Bypass attack and perform an Account Take Over



    Affected IP's : IP Address     Port
    https://www.example.com/      443



    Recommendations :

    The application should protect the sensitive actions and validate the verification process of the web application. Restrict the user for any malicious behaviour.
     
     
     
    References :


    https://hackerone.com/reports/770504
    https://hackerone.com/reports/257305
    https://hackerone.com/reports/219205

     

     


    No Rate Limit 


    No Rate Limit is a type of computer security vulnerability typically found in web applications. No Rate Limit  enables attackers to perform actions on the web application where the attacker can do signup creation, password reset or 2FA of other users. No Rate Limit vulnerability may be used by attackers to bypass access controls such & bruteforce tokens and passwords without any limiting of any requests. There should be protection on the web application for sensitive actions. Attackers send a high number of requests to perform desirable actions to get access to the application or accounts. 


    NO RL effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.





    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External



    Impact :An Adversary can carry out No Rate-Limit attack and also can take over the victim Account.
    Also, an adversary can manage to login through any other user's account.


    Affected IP's : IP Address    Port
    https://www.example.com/    443




    Recommendations :

    There should be a protection on the web application for limiting the users simultaneous requests.


    Any user should be Rate limited if He/She sends or races high amount of requests in a significant amount of time.
     
     
     
    References :

    https://hackerone.com/reports/743545
    https://hackerone.com/reports/385381
    https://hackerone.com/reports/297359




    Cross Site Scripting (XSS) :


    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user̢۪s browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.




    Severity :  High 

    Payload : Enter the payload here

    Complexity : Easy

    From : Remote / External




    Impact : An Adversary can carry out XSS attack and also can take the cookie of the Admin and login through Admin Account.
    Also, an adversary can manage to login through any other users account with valid session cookies.

    Affected IP's : IP Address    Port
    https://www.example.com/    443






    Recommendations :

    Sanitize all the user inputs before executing them, also add XSS protection headers on server and client side.
     
     

    References :


    https://www.acunetix.com/websitesecurity/cross-site-scripting/
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    https://portswigger.net/web-security/cross-site-scripting

     

     

     

     


    Provided by HACKING TRUTH (CLICK HERE)






    CSRF


    Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:



    1. Victim login their example account first.
    2. Attacker send a form/link to victim.
    3. If victim click the form/link, A desirable action could happen (eg- Profile Details Update or Email Password)
    4. Attacker successfully performs ATO





    Impact : An Adversary can carry out CSRF attack to modify the details of a victim and also can take over the victim Account.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443





    Recommendations :

    This CSRF protection protects the form against Cross-site Request Forgery attacks because an attacker would also need to guess the token to successfully trick a victim into sending a valid request. The token should also be invalidated after some time and after the user logs out.

     
     
     
     
    References :


    https://owasp.org/www-community/attacks/csrf
    https://www.acunetix.com/websitesecurity/csrf-attacks/
    https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/






    CORS


    Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. However, it also provides potential for cross-domain based attacks, if a website's CORS policy is poorly configured and implemented. CORS can be exploited to trust any arbitrary domain attacker controlled domain name and send the data to it.  Attackers can make an exploit and ask the domain to send data of the victim to the attacker domain.




    Severity :  High 

    CURL Request : curl “https://example.com/wp-json” -I -H Origin:hackingtruth.in
    As you can see when we run the above request in curl we can see these header results in the response.  



    Access-Control-Allow-Origin: hackingtruth
    Access-Control-Allow-Credentials : true

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Enter the domain name example.com in the POC Code shown below and save it as exploit.html and click on exploit button :



    Exploit Code :

      
      
      
    <html>
    <body>
    <center>
    <h2>CORS POC Exploit>/h2>
    <h3>Extract SID</h3>
    
    <div id="demo">
    <button onclick="cors()" type="button">Exploit Click here
    </button></div>
    
    <script>
    function cors() {
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
    document.getElementById("demo").innerHTML = alert(this.responseText);
    }
    };
    xhttp.open("GET", "https://example.com/wp-json/", true);
    xhttp.withCredentials = true;
    xhttp.send();
    }
    </script>
    
    </body>
    </html>
    
      







    Impact : An Adversary can carry out CORS attack to exfiltrate the sensitive details of a victim



    Affected IP's :

    IP Address            Port
    https://www.example/    443




    Recommendations :

    All the REST Apis should be authenticated and the domain should not trust any other domains. Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
     
     
     
    References :

    https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
    https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
    https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS








    Provided by HACKING TRUTH (CLICK HERE)




    SSRF

     

    Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
    In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker sends a localhost request or request to his controlled domain (eg: Burp collaborator)
    3. Attacker is able to scan the internal network or connect to localhost. Also attacker can get a HTTP connection on his controlled domain.
    4. Attacker successfully performs SSRF and exfiltrates data if any.




    Impact : An Adversary can carry out SSRF attack to scan the internal network, perform sensitive actions, download sensitive files like meta-data etc.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    There should be a proper validation and sanitization of any URL's,IP or shortlinks given by the user. More here - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
     
     
     
    References :

    https://portswigger.net/web-security/ssrf
    https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/







    Provided by HACKING TRUTH (CLICK HERE)


     

     

     

    SQL Injection


    SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.





    Severity :   High 

    POST Request :

    Complexity
    : Easy

    From : Remote / External




    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker sends a query to retreive the DB Version or DB Name or DB Tables
    3. Attacker is able to perfrom successfull SQLi




    Impact : An Adversary can carry out SQLi attack to download database,usernames,passwords modify the logic or  perform sensitive actions etc.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443



    Recommendations :

    Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.


    References :

    https://portswigger.net/web-security/sql-injection
    https://www.acunetix.com/vulnerabilities/web/sql-injection/






    Provided by HACKING TRUTH (CLICK HERE)


     

     

    Broken Link Hijacking


    When an web application has any pages, sources, links to external 3rd party services and are broken then the attacker can claim those endpoints to successfully conduct the attack and claim those endpoints on behalf of the target website and impersonate his identity.




    Severity :   Medium 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (broken link)
    2. Attacker is able to claim the broken link
    3. Attacker is succesfully perfrom the BLH Attack





    Impact : An Adversary can carry out BLH attack to trick the victim in clicking the link and visiting the resources which are linked to the website, this way attacker can perfrom identify theft and steal credentials.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    Fix all the broken links in the web application to any external resources.



    References :

    https://medium.com/@iamtess5277/what-is-broken-link-hijacking-o-o-872d821da6fd
    https://medium.com/@arbazhussain/broken-link-hijacking-burp-plugin-6918d922c3fb
    https://hackerone.com/reports/266908






    Click Jacking


    Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:


    1. Attacker finds the web application is vulnerable to Clickjacking and loads successfully into the iframe of the attacker.
    2. Attacker creates a POC with the target.com which loads in the iframe
    3. Attacker creates or induces a sensitive action
    4. Attacker is able to achieve sesntive action on the targt.com





    Impact : Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443



    Recommendations :

    https://portswigger.net/web-security/clickjacking


    References :

    https://portswigger.net/web-security/clickjacking





    Proof of Concept :


       

     <head>
    
                  <style>
    
                       #target_website {
    
                                position:relative;
    
                             width:128px;
    
                             height:128px;
    
                             opacity:0.00001;
    
                             z-index:2;
    
                             }
    
                       #decoy_website {
    
                             position:absolute;
    
                             width:300px;
    
                             height:400px;
    
                             z-index:1;
    
                             }
    
                 </style>
    
                </head>
    
                   ...
    
                <body>
    
                    <div id="decoy_website">
    
                     ...decoy web content here...
    
                     </div>
    
                     <iframe id="target_website" src="https://vulnerable-website.com">
    
                     </iframe>
    
                </body>
      
      
      










    Subdomain Takeover


    A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization̢۪s subdomain via cloud services like AWS or Azure



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:


    1. Attacker finds the vulnerable subdomain (DANGLING DNS RECORD)
    2. Attacker is able to claim the subdomain on the cloud service
    3. Attacker is succesfully perfrom the Subdomain Takeover Attack





    Impact : An Adversary can carry out Subdomain Takeover attack to claim the unclaimed subdomains from the target website and host malicious content on the claimed subdomains.
    He can also perform Identity thefts by hosting malicious login pages etc..

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    Fix all the broken links in the web application to any external resources.

    References :

    https://medium.com/@friendly_/subdomain-takeover-awarded-200-8296f4abe1b0
    https://safaras.medium.com/find-your-first-bug-1-subdomain-takeover-8c7e6192220f




     



    HTML Injection


    When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.




    Severity :   Medium 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker is able to inject the HTML Tags and it gets executed
    3. Attacker is able to perfrom successfull HTML Injection




    Impact : An Adversary can carry out HMTLi attack to trick the victim in clicking the link and visiting the website, this way attacker can perfrom identify theft and steal credentials.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443





    Recommendations :

    Do not allow parsing or execution of HTML tags from the user input.


    References :

    https://www.acunetix.com/vulnerabilities/web/html-injection/#:~:text=HTML%20Injection%20is%20an%20attack,injection%20of%20certain%20HTML%20tags.
    https://www.softwaretestinghelp.com/html-injection-tutorial/








    File Inclusion


    An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.



    Severity :   High 

    Complexity : Easy

    From : Remote / External



    Steps to Reproduce:


    1. Attacker identfies a vulnerable injection point (parameter)
    2. Attacker tries to read and execute the internal file
    3. Attacker is successfully able to perfrom File Inclusion Attack




    Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server


    Affected IP's : IP Address     Port
    https://www.example.com/      443



    Recommendations :

    The application should have proper whitelist of files and ignore every other filename and path.

     
    References :

    https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/









    Directory Listing


    Directory Listing is a vulnerabilty in which the server has misconfiguration and exposes the internal and hidden directories from the server to the public internet.
    Sometime an attacker can gain sensitive information from the server like backup files, source code , api keys , password files etc.



    Severity :   Medium 

    Complexity : Easy

    From : Remote / External





    Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server

    Affected IP's : IP Address     Port
    https://www.example.com/      443


    Recommendations :

    The application should have proper permissions on sensitive directories and content.
     
     
    References :

    https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/#:~:text=Directory%20listing%20is%20a%20web,it%20leads%20to%20information%20disclosure.



     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


     

  • full tutorial of burp suite





    [Task 1] Intro


    Burp Suite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing. Throughout this room, we'll take a look at the basics of installing and using this tool as well as it's various major components. Reference links to the associated documentation per section have been provided at the bottom of most tasks throughout this room. full tutorial of burp suite


    [Task 2] Installation



    Before we can dive into the pretty amazing tool that is Burp Suite, we'll first have to install it. Lucky for us, if you're doing this room on Kali Linux you'll already have Burp Suite installed. Since this room is entirely do-able on Windows as well, we'll briefly touch on obtaining Burp Suite (community edition) for any system as it's fairly painless.


    If you'll be installing Burp (as it's commonly referred to) from scratch, you'll need to first visit this link: https://portswigger.net/burp/communitydownload



    We'll use the Burp Suite Community Edition throughout this lab, however, I'll be covering some paid features briefly as well to help you prepare for eventually using the Professional version.



    Burp Suite Getting Started Documentation: Link



    #1 If you'll be installing Burp (as it's commonly referred to) from scratch, you'll need to first visit this link: https://portswigger.net/burp/communitydownload


    #2 Once you've reached the Port Swigger downloads page, go ahead and download the appropriate version for your operating system



    #3 Burp Suite requires Java JRE in order to run. Download and install Java here: https://www.java.com/en/download/


    Once you've got everything setup move onto our next task, Gettin' [CA] Certified!




    Task 3] Gettin' [CA] Certified


    Before we can start using our new installation (or preinstalled) Burp Suite, we'll have to fix a certificate warning. We need to install a CA certificate as BurpSuite acts as a proxy between your browser and sending it through the internet - It allows the BurpSuite Application to read and send on HTTPS data.







    A certificate warning that will appear unless we install Burp's CA Certificate.


    One quick note, in this lab I'll be using Firefox and Foxy Proxy (which you can find here). I use Firefox in this instance as it's a little bit easier to work with when using Burp Suite.


    #1 First, let's go ahead and launch Burp. We can do this on Kali via the icon on the left side. In the image below it's the seventh icon from the top on the left-hand side. If your Kali desktop doesn't look like the screenshot below, click on 'Applications' and type in Burp Suite. Click on the Burp Suite icon that appears.








    Launch Burp!



    #2 Once you've launched Burp, you'll be greeted with the following screen:


            




    Once this pops-up, click 'Temporary project' and then 'Next'.

    *Now as you likely noticed both 'New project on disk' and 'Open existing project' are both grayed out. As annotated at the top of this window saving projects is a feature associated with Burp Suite Professional as it's pretty common to save and come back to a multi-day web application test.



    #3 Next, we'll be prompted to ask for what configuration we'd like to use. For now, select 'Use Burp defaults'.








    This option is included as it can be incredibly useful to create a custom configuration file for your proxy or other settings, especially depending on how your network configuration and/or if Burp Suite is being launched remotely such as via x11 forwarding.



    #4 Finally, let's go ahead and Start Burp! Click 'Start Burp' now!


    #5 You'll now see a screen that looks similar to this:







    Since we now have Burp Suite running, the proxy service will have started by default with it. In order to fully leverage this proxy, we'll have to install the CA certificate included with Burp Suite (otherwise we won't be able to load anything with SSL). To do this, let's launch Firefox now!

    *You can do this part with your browser of choice, however, I'll be using Firefox for this room.




    #6 Now that we've started Burp, let's add an extension to our web browser to allow up to easily route or traffic through it! For this room, we'll be using 'FoxyProxy Standard' on Firefox.







    Navigate to the following link to install FoxyProxy Standard: Link

    Go ahead and install this now!




    #7 Next, click on FoxyProxy among your extensions.







    After that, click on 'Options'.







    After that, click 'Add' in the top left.


    Enter in the following settings and then click 'Save'







    Finally, click on the FoxyProxy extension icon again and select 'Burp'.






    In the image above Burp isn't selected. Make sure it is in yours!

    Next, we'll move onto adding the certificate for Burp!




    #8 With Firefox, navigate to the following address: http://localhost:8080



    #9 You'll be greeted with the following website:







    Click on 'CA Certificate' in the top right to download and save the CA Certificate.



    #10 Now that we've downloaded the CA Certificate, move over to the settings menu in Firefox. Search for 'Certificates' in the search bar.

    Click on 'View Certificates'



    #11 Next, in the Authorities tab click on 'Import'



    #12 Navigate to where you saved the CA Certificate we downloaded previously. Click 'OK' once you've selected this certificate.



    #13 Finally, select the following two options seen in this photo:






    Select 'OK' once you've done this. Congrats, we've now installed the Burp Suite CA Certificate!




    [Task 4] Overview of Features



    Now that we've set up Burp, let's take a look at everything it has to offer. Web application pentesting can be a messy affair but Burp has something for every step of the way.


    Tools by Ana Miminoshvili on Dribbble



    Throughout this room, we'll be taking a look at these components of Burp Suite. Here's a quick overview of each section covered:


    Proxy - What allows us to funnel traffic through Burp Suite for further analysis


    Target - How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.


    Intruder - Incredibly powerful tool for everything from field fuzzing to credential stuffing and more


    Repeater - Allows us to 'repeat' requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned Intruder


    Sequencer - Analyzes the 'randomness' present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies


    Decoder - As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.


    Comparer - Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.


    Extender - Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!


    Scanner - Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.




    #1 Which tool in Burp Suite can we use to perform a 'diff' on responses and other pieces of data?
    Ans :- Comparer



    #2 What tool could we use to analyze randomness in different pieces of data such as password reset tokens?
    Ans :- Sequencer




    #3 Which tool can we use to set the scope of our project?

    Ans :- Target




    #4 While only available in the premium versions of Burp Suite, which tool can we use to automatically identify different vulnerabilities in the application we are examining?
    Ans :- Scanner





    #5 Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form, which tool allows us to do just that?
    Ans :- Decoder





    #6 Which tool allows us to redirect our web traffic into Burp for further examination?
    Ans :- Proxy





    #7 Simple in concept but powerful in execution, which tool allows us to reissue requests?

    Ans :- Repeater





    #8 With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing?

    Ans :- Intruder




    #9 Last but certainly not least, which tool allows us to modify Burp Suite via the addition of extensions?
    Ans :- Extender




    [Task 5] Engage Dark Mode



    Working on a project late at night? Fear no more! In this task we'll cover how to enable dark mode in Burp Suite!








    This task is optional! You can simply click 'Complete' on all of the questions if you'd like to skip it. This section is purely for 'quality of life' improvements while using Burp Suite throughout this room. You can see what dark mode looks like in question three of task eight.



    #1 With Burp Suite launched, let's first navigate to the 'User options' tab.
















    #2 Next, click on the 'Display' sub-tab.







    #3 Now, click on the 'Look and feel' drop-down menu. Select 'Darcula'.












    #4 Finally, close and relaunch Burp Suite to have dark theme (or whichever theme you picked) take effect.







    [Task 6] Proxy



    Generally speaking, proxy servers by definition allow us to relay our traffic through an alternative route to the internet. This can be done for a variety of reasons ranging from educational filtering (common in schools where restricted content must be blocked) to accessing content that may be otherwise unavailable due to region locking or a ban. Using a proxy, however, for web application testing allows us to view and modify traffic inline at a granular level. Throughout this task, we'll explore the major components of the Burp proxy including interception, request history, and the various configuration options we have access to.









    Basic diagram of how communications are relayed through a proxy - Wikipedia - Proxy Servers


    In task three, Gettin' [CA] Certified, we configured our web traffic to route through our instance of Burp Suite. By default, Burp will be set to 'intercept' our traffic. This means a few things:


    1. Requests will by default require our authorization to be sent.


    2. We can modify our requests in-line similar to what you might see in a man-in-the-middle attack and then send them on.


    3. We can also drop requests we don't want to be sent. This can be useful to see the request attempt after clicking a button or performing another action on the website.


    4. And last but not least, we can send these requests to other tools such as Repeater and Intruder for modification and manipulation to induce vulnerabilities.



    Burp Suite reference documentation for Proxy: Link


    #1 Deploy the VM attached to this task!

    To complete this task you need to connect to the TryHackMe network through OpenVPN. If you're using the in-browser machine this isn't needed (but make sure you're accessing the machine and using Burp inside the in-browser machine).





    #2 By default, the Burp Suite proxy listens on only one interface. What is it? Use the format of IP:PORT


    ANs :- 127.0.01:8080



    #3 In Burp Suite, navigate to the Intercept sub-tab of the Proxy section. Enable Intercept






    #4 Return to your web browser and navigate to the web application hosted on the VM we deployed just a bit ago. Note that the page appears to be continuously loading. Change back to Burp Suite, we now have a request that's waiting in our intercept tab. Take a look at the actions, which shortcut allows us to forward the request to Repeater?

    Ans :- Ctrl-R



    #5 How about if we wanted to forward our request to Intruder?


    Ans :- Ctrl-I



    #6 Burp Suite saves the history of requests sent through the proxy along with their varying details. This can be especially useful when we need to have proof of our actions throughout a penetration test or we want to modify and resend a request we sent a while back. What is the name of the first section wherein general web requests (GET/POST) are saved?


    Ans :- HTTP history



    #7 Defined in RFC 6455 as a low-latency communication protocol that doesn't require HTTP encapsulation, what is the name of the second section of our saved history in Burp Suite? These are commonly used in collaborate application which require real-time updates (Google Docs is an excellent example here).


    Ans :- WebSockets history



    #8 Before we move onto exploring our target definition, let's take a look at some of the advanced customization we can utilize in the Burp proxy. Move over to the Options section of the Proxy tab and scroll down to Intercept Client Requests. Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our only AND rule. What is it's match type?


    Ans :- URL


    #9 How about it's 'Relationship'? In this situation, enabling this match rule can be incredibly useful following target definition as we can effectively leave intercept on permanently (unless we need to navigate without intercept) as it won't disturb sites which are outside of our scope - something which is particularly nice if we need to Google something in the same browser.


    Ans :- Is in target scope





    [Task 7] Target Definition



    Perhaps the most important feature in Burp Suite, we'll now be turning our focus to the Target tab!
















    The Target tab in Burp allows us to perform arguably some of the most important parts of a web application penetration test: defining our scope, viewing a site map, and specifying our issue definitions (although this is more useful within report generation and scanning).


    When starting a web application test you'll very likely be provided a few things:


    - The application URL (hopefully for dev/test and not prod)
    - A list of the different user roles within the application
    - Various test accounts and associated credentials for those accounts
    - A list of pieces/forms in the application which are out-of-scope for testing and should be avoided



    From this information, we can now start to build our scope within Burp, something which is incredibly important in the case we are planning on performing any automated testing. Typically this is done in a tiered approach wherein we work our way up from the lowest privileged account (this includes unauthenticated access), browsing the site as a normal user would. Browsing like this to discover the full extent of the site is commonly referenced as the 'happy path'. Following the creation of a site map via browsing the happy path, we can go through and start removing various items from the scope. These items typically fit one of these criteria:


    - The item (page, form, etc) has been designated as out of scope in the provided documentation from the client
    - Automated exploitation of the item (especially in a credentialed manner) would cause a huge mess (like sending hundreds of password reset emails - If you've done a web app professionally you've probably done this at one point)
    - Automated exploitation of the item (especially in a credentialed manner) would lead to damaging and potentially crashing the web app


    Once we've removed any restricted or otherwise potentially dangerous items from our scope, we can move onto other areas of testing with the various tools within Burp Suite.



    Burp Suite reference documentation for Target: Link



    #1 Before leaving the Proxy tab, switch Intercept to disabled. We'll still see the pages we navigate to in our history and the target tab, just having Intercept constantly stopping our requests for this next bit will get old fast.





    #2 Navigate to the Target tab in Burp. In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop). Find our target site in this list and right-click on it. Select 'Add to scope'.





    #3 Clicking 'Add to scope' will trigger a pop-up. This will stop Burp from sending out-of-scope items to our site map.





    #4 Select 'Yes' to close the popup.




    #5 Browse around the rest of the application to build out our page structure in the target tab. Once you've visited most of the pages of the site return to Burp Suite and expand the various levels of the application directory. What do we call this representation of the collective web application?

    Ans :- site map




    #6 What is the term for browsing the application as a normal user prior to examining it further?

    Ans :- happy path




    #7 One last thing before moving on. Within the target tab, you may have noticed a sub-tab for issue definitions. Click into that now.




    #8 The issue definitions found here are how Burp Suite defines issues within reporting. While getting started, these issue definitions can be particularly helpful for understanding and categorizing various findings we might have. Which poisoning issue arises when an application behind a cache process input that is not included in the cache key?


    Ans :- web cache poisoning



    [Task 8] Puttin' it on Repeat[er]



    As the name suggests, Repeater allows us to repeat requests we've already made. These requests can either be reissued as-is or with modifications. In contrast to Intruder, Repeater is typically used for the purposes of experimentation or more fine-tuned exploitation wherein automation may not be desired. We'll be checking out Repeater with the goal of finding a proof of concept demonstrating that Juice Shop is vulnerable to SQL injection.







    Burp Suite reference documentation for Repeater: Link




    #1 To start, click 'Account' (this might be 'Login' depending on the version of Juice Shop) in the top right corner of Juice Shop in order to navigate to the login page.










    #2 Try logging in with invalid credentials. What error is generated when login fails?














    #3 But wait, didn't we want to send that request to Repeater? Even though we didn't send it to Repeater initially via intercept, we can still find the request in our history. Switch over to the HTTP sub-tab of Proxy. Look through these requests until you find our failed login attempt. Right-click on this request and send it to Repeater and then send it to Intruder, too!























    #4 Now that we've sent the request to Repeater, let's try adjusting the request such that we are sending a single quote (') as both the email and password. What error is generated from this request?










    #5 Now that we've leveraged Repeater to gain proof of concept that Juice Shop's login is vulnerable to SQLi, let's try something a little more mischievous and attempt to leave a devastating zero-star review. First, click on the drawer button in the top-left of the application. If this isn't present for you, just skip to the next question.












    #6 Next, click on 'Customer Feedback' (depending on the version of Juice Shop this also might be along the top of the page next to 'Login' under 'Contact Us')


    #7 With the Burp proxy on submit feedback. Once this is done, find the POST request in your HTTP History in Burp and send it to Repeater.


    #8 What field do we have to modify in order to submit a zero-star review?


    #9 Submit a zero-star review and complete this challenge in Juice Shop!





    [Task 9] Help! There's an Intruder!



    Arguably the most powerful tool in Burp Suite, Intruder can be used for many things ranging from fuzzing to brute-forcing. At its core, Intruder serves one purpose: automation.




    Download File :-  Click Here



    While Repeater best handles experimentation or one-off testing, Intruder is meant for repeat testing once a proof of concept has been established. Per the Burp Suite documentation, some common uses are as follows:



    - Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing
    - Harvesting useful data from user profiles or other pages of interest via grepping our responses
    - Fuzzing for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal











    To accomplish these various use cases, Intruder has four different attack types:


    1. Sniper - The most popular attack type, this cycles through our selected positions, putting the next available payload (item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).


    2. Battering Ram - Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position. Think about how a battering ram makes contact across a large surface with a single surface, hence the name battering ram for this attack type.




    3. Pitchfork - The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through both payload sets simultaneously. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling the smallest payload set provided.


    4. Cluster Bomb - The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling usernames x passwords. Do note, this can get pretty lengthy if you are using the community edition of Burp.










    Intruder Attack Type Selection


    For our purposes, we'll be returning to the SQL injection vulnerability we previously discovered through using Repeater.




    Burp Suite reference documentation for Intruder: Link


    #1 Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?




    #2 How about the attack type which allows us to use one payload set in every single position we've selected simultaneously?





    #3 Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?




    #4 Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?




    #5 Download the wordlist attached to this room, this is a shortened version of the fuzzdb SQLi platform detection list.




    #6 Return to the Intruder in Burp. In our previous task, we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in the Intruder tab with this request now and verify that 'Sniper' is selected as our attack type.














    #7 Burp attempts to automatically highlight possible fields of interest for Intruder, however, it doesn't have it quite right for what we'll be looking at in this instance. Hit 'Clear' on the right-hand side to clear all selected fields.






    #8 Next, let's highlight the email field between the double quotes ("). This will be whatever you entered in the email field for our previous failed login attempt.
















    #9 Now click 'Add' to select our email field as a position for our payloads.











    #10 Next, let's switch to the payloads sub-tab of Intruder. Once there, hit 'Load' and select the wordlist you previously downloaded in question five that is attached to this task.










    #11 Almost there! Scroll down and uncheck 'URL-encode these characters'. We don't want to have the characters sent in our payloads to be encoded as they otherwise won't be recognized by SQL.








    #12 Finally, click 'Start attack'. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?


    Ans :- a ` or 1=1--








    [Task 10] As it turns out the machines are better at math than us



    While not as commonly used in a practice environment, Sequencer represents a core tool in a proper web application pentest. Burp's Sequencer, per the Burp documentation, is a tool for analyzing the quality of randomness in an application's sessions tokens and other important data items that are otherwise intended to be unpredictable. Some commonly analyzed items include:



    - Session tokens
    - Anti-CSRF (Cross-Site Request Forgery) tokens
    - Password reset tokens (sent with password resets that in theory uniquely tie users with their password reset requests)


    We'll take a quick peek at how we can use Sequencer to examine the session cookies which Juice Shop issues.



    SEO Friendly Progressive Web Applications withThe Overcoat by Chill Desk on Dribbble Angular Universal by Maxime Bourgeois on Dribbble













    Burp Suite reference documentation for Sequencer: Link



    #1 Switch over to the HTTP history sub-tab of Proxy.



    #2 We're going to dig for a response which issues a cookie. Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header.



    #3 Once you've found a request response that issues a cookie, right-click on the request and select 'Send to Sequencer'.


    #4 Change over Sequencer and select 'Start live capture'



    #5 Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit 'Pause' and then 'Analyze now'



    #6 Parse through the results. What is the effective estimated entropy measured in?


    Ans :- bits



    #7 In order to find the usable bits of entropy we often have to make some adjustmens to have a normalized dataset. What item is converted in this process?

    Ans :- token












    [Task 11] Decoder and Comparer



    Decoder and Comparer, while lesser tools within Burp Suite, are still essential to understand and leverage as part of being a proficient web app tester.






    As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding. We chain these transforms together and Decoder will automatically spawn an additional tier each time we select a decoder, encoder, or hash. This tool ultimately functions very similarly to CyberChef, albeit slightly less powerful.





    Similarly, Comparer, as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.


    Per the Burp documentation, some common uses for Comparer are as follows:


    - When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in responses. This is also sometimes useful for when enumerating password recovery forms or another similar recovery/account access mechanism.


    - When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.


    - When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behavior. This may reveal possible access control issues in the application wherein lower privileged users can access pages they really shouldn't be able to.


    - When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.


    *These examples are taken nearly in their entirety from the Burp docs simply to provide a broader set of examples to consider when using Comparer.



    JavaScript Arrays in Depth by Maxime Bourgeois on Dribbble


    Burp Suite reference documentation for Decoder and Comparer



    #1 Let's first take a look at decoder by revisiting an old friend. Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request:







    #2 Copy the first line of that request and paste it into Decoder. Next, select 'Decode as ...' URL





    #3 What character does the %20 in the request we copied into Decoder decode as?


    Ans :- space




    #4 Similar to CyberChef, Decoder also has a 'Magic' mode where it will automatically attempt to decode the input it is provided. What is this mode called?


    Ans :- Smart Decode



    #5 What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues.





    Ans :- site maps




    #6 Comparer can perform a diff against two different metrics, which one allows us to examine the data loaded in as-is rather than breaking it down into bytes?


    Ans :- words




    [Task 12] Installing some Mods [Extender]



    Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more! Here are some of the most popular extensions I suggest checking out (not all of these are free but I suggest looking into them all the same):



     Logger++ - Adds enhanced logging to all requests and responses from all Burp Suite tools, enable this one before you need it ;)

    Request Smuggler - A relatively new extension, this allows you to attempt to smuggle requests to backend servers. See this talk by James Kettle for more details: Link

    Autorize - Useful for authentication testing in web app tests. These tests typically revolve around navigating to restricted pages or issuing restricted GET requests with the session cookies of low-privileged users

    Burp Teams Server - Allows for collaboration on a Burp project amongst team members. Project details are shared in a chatroom-like format

    Retire.js - Adds scanner checks for outdated JavaScript libraries that contain vulnerabilities, this is a premium extension

    J2EEScan - Adds scanner test coverage for J2EE (java platform for web development) applications, this is a premium extension

    Request Timer - Captures response times for requests made by all Burp tools, useful for discovering timing attack vectors










    A prerequisite for many of the extensions offered for Burp, we'll walk through the installation of Jython, the Java implementation of Python.


    Burp Suite reference documentation for Extender: Link


    Article on some of the top extensions for Burp Suite: Link



    #1 To start, let's go ahead and switch over to the Options sub-tab of the Extender tab.



    #2 Scroll down until you reach the 'Python Environment' section. Note, Burp requires the standalone edition of Jython.



    #3 Download the standalone version of Jython from here: Link - I suggest saving this or moving it to your Documents folder



    #4 Return back to Burp and hit 'Select file' under the Python Environment subsection for Jython standalone. Navigate to where you just downloaded this file and select it.



    #5 Burp is now set to go for installing extensions. Switch to the BApp Store sub-tab of Extender and look through the various extensions offered.



    #6 Which extension allows us too bookmark various requests?


    Ans :- Bookmarks





    [Task 13] But wait, there's more!



    Before we conclude, let's take a quick look into the features that Burp Suite Professional offers: The Burp Suite Scanner and Collaborator Client!





    File Download :- Click Here 










    Arguably the most powerful feature in Burp Suite, the Burp Suite Scanner allows us to passively and actively scan and spider the website we are testing for vulnerabilities. In Burp 2.0's task-based model, we can launch these scans (Scanner and Spider) from the dashboard and let them run in the background while we continue to examine the web app. In this case, I've run an unauthenticated scan against Juice Shop and have attached it to this task. These reports can provide a starting place for further enumeration and exploitation via the other tools in Burp Suite.









    A Preview of the Report Attached to this Task Created with Burp Professional


    Commonly used in manual tests, Burp Collaborator Client allows us to gain insight into issues that may otherwise seem to produce no output. Often during testing, we may come across items which, either due to timing/slowness of the web app or a lack of any reaction, are likely vulnerable but don't produce any sure-fire indicators. With Burp Collaborator, however, we can produce out-of-band alerts via generating payloads that reach back to Burp Suite's servers for us.






    Burp Suite reference documentation for Scanner and Collaborator Client



    #1 Download the report attached to this task. What is the only critical issue?

    Ans :- Cross-origin resource sharing : arbitary origin trusted



    #2 How many 'Certain' low issues did Burp find?

    Ans :-  12





    [Task 14] Extra Credit



    Want to learn more? You're in luck! Port Swigger, the makers of Burp Suite, have a (mostly) free online Web Security Academy! This online training is excellent for learning more about web exploitation techniques and putting your newly minted Burp skills to the test! Pretty much all of this training is free with the only exceptions being a few labs that require the professional version of Burp Suite.


    You can find the Port Swigger Web Security Academy training here: https://portswigger.net/web-security









    In addition to Port Swigger's training, SANS offers excellent web application pentesting courses. A few of these include SANS SEC 542 and SEC 642. Note, these training courses are paid and can be fairly pricy. That being said, they are of incredibly high quality and are worth checking out.






    Disclaimer



    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)





  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.