HOW TO USE BURP SUITE – WEB PENETRATION TESTING (PART 2)

Author: Royce Davis Posted In Web Applications On: 2014/11/14 Comments: 4
In our last Burp Suite Tutorial we introduced some of the useful features that Burp Suite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will continue to explore how to use Burp Suite, including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Let's get right to it!
HOW TO USE BURP SUITE – VALIDATING SCANNER RESULTS

It's always a good idea to thoroughly validate the results of any automated scanning tool. Burp Suite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.

The “Advisory” tab contains information about the vulnerability including a high-level detail, description and proposed recommendation. The “Request” & “Response” tabs will display exactly what Burp Suite sent to the target application in order to check for the vulnerability as well as what was returned by the application. Take a look at the example below.

Figure #1 – Validating Scanner Results
The request tab shows us which page generated the alert.

https://www.pentestgeek.com/wp-content/cache/minify/000000/NYtBDoAgDMA-JFsML5oEYShDYSbwez3goUl7qMV0P76OxU4xmUMl9ZBZlhVdpVHEtCFK3UQO8fxQXzE13Enc2EqfK_wNLKxwkTte.js

Just by requesting this page in a browser, or viewing the “Response” tab, we are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue to be validated and move on.
Figure #2 – Validating Scanner Results

#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks. Pentesters are hired specifically to identify and remove these false positives.

HOW TO USE BURP SUITE – EXPORTING SCANNER REPORTS

Once you have validated the scanner results you might want to generate some type of a report. There are two report options available from the “Scanner/Results” tab, HTML and XML. To generate a report right-click on a target from the left-hand display pane and select “Report selected issues”. This will present you with the following Dialog box.

Figure #3 – Exporting Scanner Reports
Click through the Wizard and select which items you want in your report and which format. The HTML report can be opened up in a browser and then exported to a PDF format which can be useful to help communicate findings to your client. The XML report allows you to parse out specific sections of a report for more granular detail. If you generate an XML report, make sure you uncheck the Base64 encoder option to see full HTTP Request/Responses.

HOW TO USE BURP SUITE – PARSING XML RESULTS

I’ve written a simple Ruby script to parse out data from the XML output generated from an automated Scan. The script utilizes the Nokogiri gem and outputs the results into a column-delimited CSV file which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suit your specific needs.

Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place. You can copy / paste the code below!

    require 'nokogiri'

    # Turn one <issue> node from Burp's XML export into an array of cells,
    # one per spreadsheet column.
    def clean_finding(finding)
      output = []
      output << 'Web Application Findings'
      output << ''
      output << finding.css('severity').text
      output << 'Open'
      output << finding.css('host').text
      output << finding.css('path').text
      output << finding.css('issueDetail').text
      output << finding.css('name').text
      output << finding.css('issueBackground').text
      output << finding.css('remediationBackground').text
      # Pull the Server header out of the captured response, if present.
      # This only works when the Base64 encoder option was unchecked, so the
      # response is stored as plain text. The regex tolerates a missing space
      # after the colon and strips the trailing carriage return of HTTP headers.
      response = finding.css('response').text
      server = response[/^Server:[ \t]*(.*?)[ \t]*\r?$/i, 1]
      output << server if server
      output
    end

$43.69 $29.45
You can see that simply calling the .css method and passing (‘[VALUE YOU WANT]’).text as a parameter will allow you to scoop out whatever specific items you would like from the XML soup. Run the script with no arguments and you’ll see it takes an XML file and spits output to the screen.

[ # ] $ ./parse-burp.rb
Parse Burp Suite XML output into Tab delimited results
Example: ./parse-brup.rb > output.csv

[#]$

You can cat out the results into a file.csv if you like. The CSV file can then be
imported into an Excel spreadsheet which looks like this.

Figure #4 – Parsing XML Results
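The parsing step above and the manual validation step from the first section, carried through as one complete script. This is an added example, not the article's parse-burp.rb and not Burp's own code: it uses Ruby's standard-library REXML parser with path lookups in place of Nokogiri's .css so it runs without installing a gem, decodes request/response bodies when Burp's Base64 encoder option was left on, and re-checks an “email address disclosed” finding against the captured response the way the article does by hand. The embedded XML is constructed to mirror the layout of Burp's scanner export; the element names, the 203.0.113.10 address, the paths and the header values are assumptions, not taken from a real export.

```ruby
#!/usr/bin/env ruby
# Added example (not the article's parse-burp.rb): Burp XML -> tab-delimited
# rows using only the Ruby standard library. Element names are an assumption
# modelled on Burp's scanner export; verify them against a real file.
require 'rexml/document'

# Constructed sample export. Burp base64-encodes request/response bodies
# unless the Base64 encoder option is unchecked, so one issue carries an
# encoded response and the other a plain one. Host, IP and paths are made up.
SAMPLE_XML = <<~XML
  <issues burpVersion="1.6" exportTime="Fri Nov 14 2014">
    <issue>
      <name>Email addresses disclosed</name>
      <host ip="203.0.113.10">https://www.pentestgeek.com</host>
      <path>/wp-content/cache/minify/000000/example.js</path>
      <severity>Information</severity>
      <issueBackground>Addresses found in responses can be harvested.</issueBackground>
      <remediationBackground>Remove addresses that do not need to be public.</remediationBackground>
      <issueDetail>The following email address was disclosed: user@example.com</issueDetail>
      <requestresponse>
        <request method="GET" base64="true">#{["GET /wp-content/cache/minify/000000/example.js HTTP/1.1\r\nHost: www.pentestgeek.com\r\n\r\n"].pack('m0')}</request>
        <response base64="true">#{["HTTP/1.1 200 OK\r\nServer: nginx/1.4.6\r\nContent-Type: application/javascript\r\n\r\nvar contact = 'user@example.com';"].pack('m0')}</response>
      </requestresponse>
    </issue>
    <issue>
      <name>Cross-site scripting (reflected)</name>
      <host ip="203.0.113.10">https://www.pentestgeek.com</host>
      <path>/search</path>
      <severity>High</severity>
      <issueBackground>Reflected input reaches the page unencoded.</issueBackground>
      <remediationBackground>Encode output for its HTML context.</remediationBackground>
      <issueDetail>The value of the q parameter is copied into the response.</issueDetail>
      <requestresponse>
        <request method="GET" base64="false">GET /search?q=test HTTP/1.1</request>
        <response base64="false">#{"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7\r\nContent-Type: text/html\r\n\r\nresult for: test"}</response>
      </requestresponse>
    </issue>
  </issues>
XML

# Text of a child element, or '' when it is missing or empty.
def field(issue, name)
  element = issue.elements[name]
  element ? element.text.to_s.strip : ''
end

# Decoded body of a <request> or <response> element, honouring the
# base64="true" attribute Burp sets when the encoder option is left on.
def decoded_text(element)
  return '' if element.nil?
  raw = element.text.to_s
  element.attributes['base64'] == 'true' ? raw.unpack1('m') : raw
end

# Value of the Server header, searched only in the header block so that a
# "Server:" string inside the body cannot masquerade as the header; nil if absent.
def server_header(response)
  headers = response.split(/\r?\n\r?\n/, 2).first.to_s
  match = headers.match(/^Server:[ \t]*(.*?)[ \t]*\r?$/i)
  match && match[1]
end

EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/

# Automates the manual check from the validation section: every address the
# scanner names in issueDetail must actually be present in the captured
# response. Returns nil for findings that are not email disclosures.
def email_disclosure_validated?(issue)
  return nil unless field(issue, 'name') =~ /email address/i
  claimed = field(issue, 'issueDetail').scan(EMAIL_RE)
  body = decoded_text(issue.elements['requestresponse/response'])
  !claimed.empty? && claimed.all? { |address| body.include?(address) }
end

# Same column order as the article's clean_finding.
def clean_finding(issue)
  [
    'Web Application Findings',
    '',
    field(issue, 'severity'),
    'Open',
    field(issue, 'host'),
    field(issue, 'path'),
    field(issue, 'issueDetail'),
    field(issue, 'name'),
    field(issue, 'issueBackground'),
    field(issue, 'remediationBackground'),
    server_header(decoded_text(issue.elements['requestresponse/response'])).to_s
  ]
end

def load_issues(xml)
  REXML::Document.new(xml).elements.to_a('issues/issue')
end

def parse_burp_xml(xml)
  load_issues(xml).map { |issue| clean_finding(issue) }
end

# Tabs or newlines inside a cell would shift columns in the spreadsheet.
def to_tsv(rows)
  rows.map { |row| row.map { |cell| cell.gsub(/[\t\r\n]+/, ' ') }.join("\t") }.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  warn 'No file given, parsing the built-in sample (usage: parse.rb export.xml > out.tsv)' if ARGV.empty?
  xml = ARGV.empty? ? SAMPLE_XML : File.read(ARGV[0])
  print to_tsv(parse_burp_xml(xml))
end
```

Redirect the output to a .tsv file and open it in Excel as in the article; findings whose email_disclosure_validated? check returns false are the ones to look at by hand before they go into a report.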

HOW TO USE BURP SUITE – SAVING A BURP SESSION

In some cases it might be necessary to pause an assessment and come back later. You also might find yourself wanting to share your Burp Suite session with another consultant. Two eyes are often better than one after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This will create a flat file which you or another consultant can import into Burp Suite and see all of the captured traffic and test cases. This is an extremely useful feature.

If you have tried to do this in the past and noticed the size of the resulting file to be unnecessarily large (hundreds of MBs), it is possible you forgot to check the “Save in-scope items only” check-box.

Figure #5 – Saving a Burp session

If you set up your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive state file. The next page of the Wizard asks you which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much if at all but feel free to play with these options and make up your own mind.

Figure #6 – Saving a Burp session

To restore a previously saved Burp state simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the Wizard. Depending on the size of the state file it may take a moment to import everything but once finished you can continue your assessment, or someone else’s for that matter, as if you had never paused in the first place. It's pretty cool!

HOW TO USE BURP SUITE – BURP EXTENSIONS

Burp extensions are after-market additions written by other pentesters that can be easily installed and configured to add enhanced or additional features to Burp Suite. To demonstrate this process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS Github page. Browse to the following URL https://github.com/AccuvantLABS/burp-shellshock and click the “Download here!” link.

Figure #7 – Click the Download here! link

Next click on the “Extender” tab within Burp Suite and click the “Add” button at the top-left corner. When the dialog box pops up select the Shell Shock .jar file you just downloaded and click Next.

Figure #8 – Select the .jar file

If everything went well you should see a message stating “The extension loaded successfully” with no error messages or output. Now the Extensions tab shows our “Shellshock Scanner” extension is loaded. We can see from the Details section that a new Scanner check has been added.

Figure #9 – Burp Extension loaded successfully

HOW TO USE BURP SUITE – END OF PART 2

I hope this tutorial was useful to you. After reading both articles in this series you should be familiar with many of the critical features offered within the Burp Suite. Please take advantage of the comment section below to provide feedback/questions. Thanks for reading!

Posted In: Web Applications

Tags: Burp, Burp Suite, Burp Suite Tutorial, penetration testing, Tutorial, Web App, Web Application

4 COMMENTS

PINKY
2016/06/14 at 2:08 PM

the article was great and it helped me a lot

ROHIT
2016/01/08 at 1:24 PM

Great article, Royce!

SIMPLE GUY
2015/12/19 at 4:19 PM

waiting for part 3 =)

TRAVIS FRITZ
2014/11/21 at 5:24 PM

Too Too good…

I actually added some of these steps to my guide at work. Good stuff….

Now what about part three? proxy Nikto, W3AF, etc… through burp to
collect all the traffic in Burp?

Maybe also discussing the steps taken to restore states and why one is
better than the other?

Many! Many! Thanks Royce!

If I get any of that done before you I’ll be happy to share!

Cheers!
@w0rm53r
