Footnote says:
> ^ Although we observe these scripts query the Facebook API and save the user’s Facebook ID, we could not verify that it is sent to their server due to obfuscation of their code and some limitations of our measurement methods.
If you are sending the comms through Burp, you can find out fairly easily without having to wrestle with de-obfuscating code.
I'd start with OWASP, especially the Top 10: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Then look at Burp Suite https://portswigger.net/burp as a good proxy tool. Then you can leverage https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten to get a handle on web vulnerabilities.
tcpdump
It's a command-line/console package; log in as root via SSH and use it.
http://www.tcpdump.org/tcpdump_man.html
Or you can try using the Burp Suite proxy: you'll need to start the proxy on your computer, then point your phone at it in the Wi-Fi settings.
Each has its pros and cons.
tcpdump is low-level and captures EVERYTHING.
Burp sits in the middle and can sniff out HTTPS, but apps/sites that double check certificates will be able to detect this.
Burp will let you set up rules to intercept certain packets, but it's all done live, whereas tcpdump will let you capture/save the packets so you can go back and look through them all.
I usually use tcpdump first, then I'll turn on Burp and set up rules to intercept only the packets I want.
Wireshark is a good one but you’d have to make sure that your network card supports monitoring and it may be hard to find the particular request you need depending on your familiarity with the program.
Burp suite I think is a better option for this if you’re able to configure a proxy in your network settings.
Burp Collaborator provides this in an easy to use form, full write-up available.
It also supports HTTP/S and SMTP, should you wish to explore other vectors for exfiltration.
You could check and see how they're sending the data.
Download the community edition of this tool, which is used, among other things, to inspect web traffic between the browser and server: https://portswigger.net/burp/communitydownload
There's a little set up you would have to do. Navigate to your bank's page normally, then go to Burp and turn intercept off so traffic can flow freely. Configure your browser's proxy settings to use Burp and install the Burp certificate in your browser (Burp provides instructions for both of these). Then, just log in to the site, and you should be able to see how the login information is sent.
On a free plan you can set up a proxy for your browser and catch every request to and from your browser. That’s how I use it at least. Check it out: https://portswigger.net/burp/
You can use it to see all requests to the api with the interceptor feature
Burp is something you should know about, in my opinion. Have a look at it; our developers' jaws usually drop.
You can modify data after the browser has sent it. That way you bypass all the filters and security mechanisms in the browser.
With it you can brute-force cookies, smuggle in code, etc. You should know it if you are a security expert.
A lot of people have already explained well how HTTP proxies work. There seems to have been a misunderstanding though. HTTP proxies are by no means obsolete and are still in use.
An example of this is IT security, and mainly penetration testing (also known as "ethical hacking"; for more information, see: https://en.wikipedia.org/wiki/Penetration_test).
An example: say you want to know if a specific app or (IoT) device sends data to somebody without your knowledge. You will need to set up an HTTP proxy to be able to detect it. Tools like OWASP's "ZAP" or PortSwigger's "Burp Suite" can help you with that, and they are free to use. They allow you to use their GUI to start an HTTP proxy and let you run all network traffic from your home network through it, giving you full knowledge/control over all HTTP/S connection attempts.
Then you can look up the IP addresses of the servers it tries to connect to and see who they are. By doing so, security researchers found out that the Chinese smartphone manufacturer Xiaomi sent users' private web searches to servers in China and Russia (https://cybersecuritynews.com/xiaomi-spying-millions-of-people/)
For more information on how to use Burp Suite, see: https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/browser
You might want to check out https://portswigger.net/burp. Unfortunately, the community edition lacks the "automated" tools, but you can request a one-month trial of the professional edition.
Burp Suite lets you look at web traffic between your browser and your favorite web apps! There's a professional version that definitely has a lot of cool extra features like a comprehensive vulnerability scanner, but the free version is great for starting out. https://portswigger.net/burp/documentation/desktop/getting-started/installing-burp
If you visit a website, your browser downloads the HTML, CSS, JavaScript, images, etc. It's on your computer, so you can do anything with it you want. With inspect element, you can change your version of the HTML. If you submit a form with the edited HTML, the server can't verify if you changed anything, because it all happened client side. You could also make your own HTML page with a custom form that sends a request to another page (although some sites block requests from other referrers).
It is easier to intercept the data with a proxy like Burp or ZAP (Zed Attack Proxy). There are also some browser extensions that allow you to view and modify HTTP requests.
This is why you should never trust any client side input.
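The point made above, as an added example that is not code from the thread: a checkout handler that trusts the values the client's HTML form "constrained" (a hidden price field, a quantity select limited to 1..10), next to one that re-derives everything server side. The catalog, form field names and handler names are assumptions made up for this illustration; the request bodies are constructed to look like what Burp shows after the form is edited.

```python
"""
Added example: why server-side code must not trust client-side restrictions.
All names (CATALOG, sku-*, checkout_*) are illustrative assumptions.
"""
from decimal import Decimal, InvalidOperation

# Assumed server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "sku-100": {"name": "Widget", "price": Decimal("19.99")},
    "sku-200": {"name": "Gadget", "price": Decimal("149.00")},
}
MAX_QTY = 10


def checkout_vulnerable(form: dict) -> Decimal:
    """Trusts a hidden <input name="price"> and a <select name="qty"> that only
    offered 1..10. Those limits existed only in the user's browser: anyone with
    inspect element or Burp Repeater can send price=0.01 and qty=999."""
    price = Decimal(form["price"])
    qty = int(form["qty"])
    return price * qty


class InvalidOrder(ValueError):
    """Raised when a submitted order fails server-side validation."""


def checkout_hardened(form: dict) -> Decimal:
    """Ignores any price the client sends; looks it up by SKU and re-checks qty."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise InvalidOrder("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except (TypeError, ValueError, InvalidOperation):
        raise InvalidOrder("qty is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise InvalidOrder("qty out of range")
    return CATALOG[sku]["price"] * qty


def order_is_rejected(form: dict) -> bool:
    """True if the hardened handler refuses the order (used by the demo below)."""
    try:
        checkout_hardened(form)
    except InvalidOrder:
        return True
    return False


# Constructed request bodies, as an intercepting proxy would display them.
HONEST_FORM = {"sku": "sku-200", "price": "149.00", "qty": "1"}
TAMPERED_FORM = {"sku": "sku-200", "price": "0.01", "qty": "999"}

if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED_FORM))   # 9.99
    print("hardened, tampered rejected:", order_is_rejected(TAMPERED_FORM))  # True
```

The hardened handler never reads `price` at all; the only client-supplied values it uses are a key into a server-side table and an integer it range-checks itself.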
To brute force web forms I prefer to use Burp Suite's Intruder (https://portswigger.net/burp/help/intruder.html). Compared to Hydra and other similar tools, it gives you much more control on what's going on with the attack. It is also able to handle Basic Auth, with some minor tweaks.
Burp is a proxy/fuzzer suite, https://portswigger.net/burp/ you could use it to interact with the device once you're in the middle.
In order for Wireshark to see the packets you need to be in the middle of the connection, or on a shared-media network. If these devices are on Wi-Fi you need to do a monitor-mode capture, which is an OS/driver/Wi-Fi-device-specific procedure. Your Wi-Fi chipset must have monitor mode available as well.
Just basic randomness tests with Burp Sequencer https://portswigger.net/burp/help/sequencer_tests.html
I should really test it with something much better, like TestU01, which I've read good things about
> how do you script getting an user’s profile information?
Good question.
I proxied Ingress through Burpsuite Proxy. This let me capture each Ingress player lookup query and modify it to my needs. The script I wrote automated this. I just fed my script a flat text file of in-game names (IGNs) I wanted to monitor for bot activity.
Example:
I just automated this process to look up dozens of suspected bot accounts on an hourly basis.
> Did you use a modded version of the client app
No.
> was there a different mechanism to script that data?
See above.
> How were you not flagged for using unauthorized software?
I used authorized software. I just proxied it.
You said you have a degree in Computer Science so I didn't know if they covered that in your courses.
Let me temper your expectations. You aren't going to be able to go after Facebook & YouTube right off the bat. These kinds of skills take years to develop, and even then the chances of "hacking" Facebook are a combination of luck and expert-level skill. So with those expectations in mind I can give you a little guidance.
First thing is you need to learn about the HTTP protocol, this is an essential skill in web hacking. This tutorial should help get you up to speed. Then grab a copy of Burp Suite and start playing around with different sites using it. DO NOT start with Facebook or Youtube, they are very complex and you will quickly be overwhelmed. Look for smaller simpler sites to get your feet wet.
Spidering a website does not involve any file name guessing, it just follows all the links on the site recursively. To guess filenames using wordlists use the Content Discovery feature.
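The distinction drawn above, as an added example that is not code from the thread or from Burp: a toy site held in memory, a spider that only follows `<a href>` links it has already seen, and a content-discovery routine that requests every name in a wordlist regardless of whether anything links to it. The site paths, page bodies and wordlist are all constructed for this illustration.

```python
"""
Added example: spidering (follow links) versus content discovery (guess names).
The target site, its paths and the wordlist are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "http://target.test"

# Constructed target: only "/" and "/about" are linked from somewhere;
# "/admin/" and "/backup.zip" exist but nothing links to them.
SITE = {
    "/": '<a href="/about">About</a> <a href="https://example.org/">external</a>',
    "/about": '<a href="/">Home</a>',
    "/admin/": "<h1>admin panel</h1>",
    "/backup.zip": "PK\x03\x04...",
}


def fetch(url):
    """Stand-in for an HTTP client: returns (status, body) from the fake site."""
    path = urlparse(url).path or "/"
    body = SITE.get(path)
    return (200, body) if body is not None else (404, "")


class LinkExtractor(HTMLParser):
    """Collects href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def spider(start):
    """Recursively follows same-host links. It never guesses a name, so
    unlinked files are invisible to it."""
    host = urlparse(start).netloc
    seen, found, queue = set(), [], [start]
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        found.append(urlparse(url).path)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            absolute = urljoin(url, href)
            if urlparse(absolute).netloc == host:
                queue.append(absolute)
    return sorted(found)


def content_discovery(base, wordlist):
    """Requests base + each wordlist entry; keeps the ones that exist."""
    found = []
    for name in wordlist:
        url = urljoin(base + "/", name)
        status, _ = fetch(url)
        if status == 200:
            found.append(urlparse(url).path)
    return sorted(found)


WORDLIST = ["admin/", "backup.zip", "old/", "config.php"]

if __name__ == "__main__":
    print("spider found:", spider(BASE + "/"))                    # ['/', '/about']
    print("wordlist found:", content_discovery(BASE, WORDLIST))   # ['/admin/', '/backup.zip']
```

Against a real target the `fetch` stub would be an HTTP client routed through the proxy; the two strategies are complementary, which is why Burp exposes them as separate features.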
I'm not sure how to do it in python, but check out Burp Suite
BurpSuite is a lesser known tool that’s a bit more advanced than Charles (last I checked). You can actually perform a SSL MitM and replace the SSL certs. I’ve found it to be a lifesaver in certain applications.
Burp Suite Pro version has a "Collaborator" tool that uses randomly generated dns hostnames in requests to tie blind injections back to a specific request. If you're serious about finding web app vulnerabilities then $350 is a really low price to pay for the features you get in the Pro version. https://portswigger.net/burp/help/collaborator.html
You can try some free software yourself, which is basically what most of the "cheap" pen testing companies use anyway.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Main
It's not the best, but it'll at least give you some feedback if your site is really bad or good.
There's a feature under 'Engagement Tools' named 'Content Discovery'. That does exactly what you're asking, but it is only available in the Pro version.
https://portswigger.net/burp/help/suite_functions_contentdiscovery.html
And, BurpSuite's scanning is much more powerful and thorough than Nikto, in fact.
The easiest way (IMO) is going to involve a man in the middle hack.
Basically I would try and do something like this:
Phone requests webpage
Pass the request through a Linux server set up as a VPN (don't set up VPNs on your college's network; they will probably notice)
Have program on server doing sniffing (burp suite)
if url == something we're looking for swap it out before sending it back to phone
I'm sure someone here or over on /r/AskNetsec can come up with a more elegant solution though.
You should check out burp proxy as well. Great tool and makes a lot of that sort of thing very easy, like matching hosts and including or excluding certain traffic. You can export the cert and have this sign certs on the fly to MITM https requests. You can have it pause the traffic and let you modify the request before it goes out. It's a really great tool.
It can be helpful with reverse engineering for sure. I've used it to MITM my android traffic and figure out what an app was sending out and getting back. The appuse VM includes it and makes it easy to RE android malware and that sort of thing. It's great for reverse engineering some privately used REST API.
You can buy Burp suite (https://portswigger.net/burp/), 285€/y/user. Not cheap, but the semi-automated scanner is very good for that price. There's also the free version that has no scanner, which is very good for manual pentesting, but there you must know what you're doing (so it's not the best for casual security testing).
Hi, is there any error when you add the generic CI/CD driver? Share the debug log to investigate this further. Check this document about integrating Burp Suite Enterprise Edition with other CI/CD platforms. In addition, try setting up a self-hosted agent and check it again.
=====================================
You should be able to create a .bat script that runs the generic CI/CD driver - this can then be run as a Batch script task in Azure Pipelines:
Example command:
java -jar path/to/ci-driver.jar https://your-enterprise-server:8080 --api-key=secret --site-id=7 --min-severity=high --min-confidence=certain --report-file=scan-report.html --report-type=summary
=====================================
The above is the instructions I received from portswigger about integration and I’ve been trying to follow this.
127.0.0.1:8080 is the burp-enterprise-server.
You can try setting a proxy with the http_proxy and https_proxy environment variables. Not all applications respect this though. You can also try Invisible Proxying if the script interacts with a specific host -
https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible
Ultimately, pen testing is just looking for ways of breaking your application through things like exploiting unpatched software or common vulnerabilities like SQL injection.
There are a variety of ways, and with custom software, you often will need to review your code to look for spots to test. For example, maybe you require login to your main application, but your main application makes calls to an AJAX controller, and that AJAX controller isn't secured.
There are a variety of commercial tools out there, but if you're just learning, you might want to start with something free just to get the hang of it before you look at anything commercial and more fully-featured.
I'd recommend starting with Burp community edition:
https://portswigger.net/burp/communitydownload
Basically, Burp implements a proxy that captures you going through all the steps of your application (logging in, hitting every single page, using every feature you have, etc). Once you've gone through all the scenarios, you tell Burp to go ahead and run its test. It will take the information it's captured about each step and basically start pounding those URLs with different, common attacks to see if any of your pages are vulnerable to them (it's usually best to set up a virtual machine with a full COPY of the site, where you do your testing, just in case a successful attack ends up destroying any data by accident).
Yes, the binary is pretty much impossible to work with. As of 2021.8 Burp provides two different text views - there's full documentation here: https://portswigger.net/burp/documentation/desktop/http2
Prior to that, we were basically downgrading and upgrading.
This tool, Burpsuite is one of the industry standards. Check out their documentation on “content discovery” here
As for banning IPs, in today’s age that doesn’t matter too much. I’d consider IPs to be somewhat ephemeral when talking about potentially bad actors. For example, you likely wouldn’t just have a laptop running your attack scripts, but you’d probably spin up tons of virtual servers to execute the code and then get torn down after they’re done. In fact, even that can be automated so each command could come from a different IP.
Easiest way is to isolate device connections to WLAN by removing the SIM-card. Then run burpsuite, add proxy settings to device and see where it connects.
I have no idea what cargo collective is, but it sounds like you need to fix your HTML temporarily on the client-side in order to use the UI and fix it permanently on the server side.
So maybe use a proxy tool to intercept the HTTP response and fix the broken script tag, and then fix it in the UI.
You can probably do this with just developer tools, but if not then you can certainly do it with a proxy tool such as burp which you can get for free: https://portswigger.net/burp/communitydownload
You may be able to do this by configuring the DNS or changing the Host file on the guest machine to redirect hosts that you know the application uses to the Burp proxy. See Burp's write up on invisible proxying https://portswigger.net/burp/documentation/desktop/tools/proxy/options/invisible.
https://portswigger.net/burp/pro/video-tutorials
Here are video tutorials for Burp suite straight from the creators.
I'm assuming you're new to this area. Not to be a dick, but try to Google your problem. Read all the information you can find on a subject/tool, if you're still stuck then I'd recommend asking for help.
Welcome to the community though! Hope you enjoy and learn a lot!
(I'm by no means any type of expert or even knowledgeable. I've used burp suite and semi know my way around. I'm always still learning as well. This field is a never ending classroom with many things to learn!)
I've done something like this with Burp Suite (free version here). It runs a proxy which you route your traffic through. I was using a web app, so I configured my browser to use the proxy, but there's probably some way to have your OS use the proxy system-wide so you can use it with your desktop application.
All these answers are wrong. All you need to do is download the security certificate from PortSwigger into Firefox and install the FoxyProxy extension. All your problems will go away after that. All you need to do then is configure FoxyProxy to point to localhost + the Burp Suite port. Then it's only a matter of clicking between normal and Burp internet in FoxyProxy.
https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate/firefox
Looking at your image it's port 443 so that looks like DoH. Considering it's just HTTPS you might be able to proxy it with something like burp proxy and trusting the burp certificate on the machine. You will probably need to do invisible proxy to force the traffic through your burp VM.
Why not use Google's jobs searching function or any other job posting website instead? They're prebuilt tools made by teams dedicated to this stuff so they're almost certainly better than anything you would make yourself. It would save a lot of time and frustration. That said, if you want the experience, and if you want to use Python, you should probably be looking at Beautiful Soup and requests-html. If you want experience with infosec tools I believe Burp Suite may be able to do this but I think you need the pro version to do searches on crawls.
Did you import Burp's root certificate so that it's trusted as a CA? Essentially, for Burp to work with TLS, it needs to man-in-the-middle your browser traffic, and for this to work properly your browser needs to trust Burp's certificate as a CA cert. https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate <-- has more details and instructions.
I'd love to take a look at it but I wont be able to before the 30th of June since I have exams coming up. It might also be interesting to use something like burp to see what kind of information the site expects.
So the guy runs a scan against the NP2 using a very common scanning tool, then chirps about the findings on Twitter? What a lame-o.
The problem with a guy like Zoom flexing his "security researcher" chops, is that you can't really trust anything he says- especially if he is posting it to Twitter for attention. He could be telling the truth 100%... or (more likely) he is inferring half of the information from scan results to sound more impressive. The fact that he is lying about working on the site in the first place (according to Dick), is a red flag right out of the gate.
Either way, quibbling with him about the findings is not a good idea, because it could be used to confirm information that he isn't really sure of.
> You run jquery version X, you're so insecure!
> What are you talking about? I run version Y of jquery.
> Version Y, you say? Interesting...
Lastly, if this guy does "security research" for a living, he is the last person I would hire. Clients don't like it when the people they hire have a history of chirping about their security findings on Twitter for internet points.
TLS(https) sites are going to throw a fit when trying to intercept their communications. You need to install the BurpSuite cert in the browser.
https://portswigger.net/burp/documentation/desktop/tools/proxy/options/installing-ca-certificate
Chrome->Developer Tools->Network
Also check out ZAP(https://owasp.org/www-project-zap/), or BurpSuite(https://portswigger.net/burp) as both of those projects allow you to not only intercept and monitor the communications, but manipulate them in transit as well.
Disclaimer: this is an extremely watered-down explanation.
There are these free tools to sniff traffic:
These act as a network proxy that you can set on your device to route through. This means that all network traffic will be routed through these proxies which would intercept, sniff then continue sending the packets.
Many apps and websites use SSL (links that use https://, such as most apps and websites) to encrypt your connection.
This means tools such as Wireshark cannot intercept and read the packets.
However, to create an SSL connection, the app or web browser does an SSL handshake by requesting the public key (asymmetric encryption, used for encryption only) of the website to negotiate a new symmetric key (used for both encryption and decryption).
The public key is stored in a X.509 Certificate which is then trusted by a Root Certificate.
A Root Certificate is trusted by virtually every consumer device that accesses the internet.
Using these 2 (or more) certificates, we can create a Chain of Trust to therefore infer that the server's certificate is trusted as it's signed by the Root Certificate that we already trust.
We can exploit this handshake by intercepting it and crafting our own packets to negotiate a symmetric key that we know.
We can then generate our own Public Key so that we can decrypt the rest of the handshake.
However, that means we need to generate our own Root Certificate to sign the forged certificate with the server's Public Key.
This also means we need to tell our phone to trust this Root Certificate. This prevents malicious Man-in-the-Middle attacks from occurring.
After that, we can sniff all traffic between that server and app/web browser.
I might be off on this, but I'm thinking of the way burp intercepting proxy does it. Why can't the router do similar? It generates a private key and stores the certificate in a place where you can download it and install it as a trusted root on the devices that need it. Yes, the place to download the certificate is via http so you fall back to trust-on-first-use.
I've heard this through my work actually, since I think there was plans there, to make sure that malware won't slip through secure connections. I think the hardware wasn't cheap either. However, I managed to find more sources about how the intercepting could be done too, with software. Here's one, about Burp (which isn't cheap either): https://portswigger.net/burp/documentation/desktop/tools/proxy/using
Is it for personal use like a single client or is it for a whole office or similar?
If it's the former then something like Burp Suite is handy. It's included in Kali Linux among other similar tools:
Or if it's for the masses, is it a forward proxy (known clients towards unknown servers) or a reverse proxy (unknown clients towards known servers) whose content you want to alter?
Because one thing to consider, if it's the forward approach, is that you will also need to deal with SSL termination, and some services have their certs pinned in order to avoid exactly that (trying to forward-proxy and modify the flows for, let's say, Gmail, whose certs are pinned in the browser, will fail).
For free, easy to understand, but slightly slow, HackerOne was my first steps with it. One of the guys at their booth at DC26 talked me into checking it out, and it wasn't terrible. Everything else I learned about it has been stack overflow type stuff combined with the documentation and experimenting against sites I set up to hack on my own network
Indeed, it allows for easy plugin integration, you can quickly script something in python for that. Not sure now if the support for python is the pro version only though: https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension
> Sometimes a vulnerability can also be something really innocuous, like checking the result of strpos() with == instead of ===, leading to unexpected behaviour because it can return non-Boolean values that evaluate to false.
Yeah, 100%!
You won't believe the number of things I've found over the last few months just looking for unprivileged ajax hooks that are exploitable. What I think happens is developers put the normal ajax hook in, then it doesn't work as expected, so they hook the function to the unprivileged one as well, and it slips their mind to do all the usual WP privilege checking that they're bypassing by using that hook.
If you're interested in vulnerability research in WordPress plugins/themes, there's tons of low-hanging fruit out there exactly like that (I must've reported at least 5 or 6 in the past month and I've spent very little time looking for them!).
Another fairly common thing I've seen is folks checking non-specific nonces as a form of access control, but then not actually checking the current user's capabilities... so for example if there's an endpoint that's supposed to be admin only, but the only thing it checks is a non-specific nonce, it's fairly easy to subscribe to a site, grab the nonce for changing your user settings, and send that nonce along with the request to the endpoint.
If you're a plugin developer, you need to do one of two things (possibly both) - either point curl at every endpoint and try different combinations and see what's triggered, or download and install Burp Suite (or any other intercepting proxy), and run through some tutorials for it before pointing it at your plugin. It'll really open your eyes - everything that comes from the visitor needs to be checked for sanity and distrusted!
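The nonce-versus-capability mistake described above, as an added example that is not code from the thread or from WordPress: a Python sketch of an admin-only action that checks only a nonce any logged-in user can generate from their own profile page, next to the same action with a proper action-specific nonce and a capability check. The nonce scheme, secret, role names and handler names are simplified assumptions made for this illustration.

```python
"""
Added example: a nonce is a CSRF defence, not an authorization check.
SECRET, the role model and the handler names are illustrative assumptions;
this is not WordPress's nonce implementation.
"""
import hashlib
import hmac

SECRET = b"assumed-site-secret"  # stands in for a site's nonce salt


class User:
    def __init__(self, name, role):
        self.name, self.role = name, role

    def can(self, capability):
        """Toy capability model: only administrators may manage options."""
        return capability == "manage_options" and self.role == "administrator"


def create_nonce(user, action):
    """Like wp_create_nonce(): bound to the user and an action string.
    Nothing about it says what the user is *allowed* to do."""
    msg = f"{user.name}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(user, nonce, action):
    return hmac.compare_digest(create_nonce(user, action), nonce)


def delete_all_posts_vulnerable(user, request):
    """Accepts the generic "profile-update" nonce that every subscriber can
    read out of their own profile page, then performs an admin-only action."""
    if not verify_nonce(user, request.get("_wpnonce", ""), "profile-update"):
        return 403
    return 200  # posts deleted


def delete_all_posts_hardened(user, request):
    """Action-specific nonce AND a capability check on the current user."""
    if not verify_nonce(user, request.get("_wpnonce", ""), "delete-all-posts"):
        return 403
    if not user.can("manage_options"):
        return 403
    return 200


# Constructed actors: a subscriber who signed up for the site, and an admin.
SUBSCRIBER = User("bob", "subscriber")
ADMIN = User("alice", "administrator")

if __name__ == "__main__":
    stolen = {"_wpnonce": create_nonce(SUBSCRIBER, "profile-update")}
    print("vulnerable:", delete_all_posts_vulnerable(SUBSCRIBER, stolen))  # 200
    print("hardened:", delete_all_posts_hardened(SUBSCRIBER, stolen))      # 403
```

Replaying the subscriber's profile nonce against the endpoint is exactly the kind of request you would build in Burp Repeater; the hardened handler fails it on the capability check even if the nonce were valid for that action.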
No, you do not require internet to access http://ipaddress/comodore64/index.php
You may need to turn intercept off in Burp Suite or manually forward the packet. With intercept on, the packet is being held by Burp Suite for you to manually verify or edit before sending it, so the session is hanging. That's probably why you're seeing a spinning wheel.
Most likely you mean Burp. Specifically the "replay" tab. You can use Burp as an HTTP proxy and if you want to play with a particular request you can do "rightclick->Send to repeater" and then play with it.
I've answered similar questions in the thread, but for me personally, I was lucky enough to start my career in information security consulting and had some awesome mentors to walk me through the basics and beyond ;). That said, everyone's path is different! If you're passionate and want to learn, Google is your friend, but it helps to know what to search for and where to begin. Information security is a huge field with tons of various focus areas, so I'd recommend starting really broadly with your research then dive deeper on any areas that seem interesting to you. For application security in particular, I'd recommend https://google-gruyere.appspot.com/ as a good starting point for learning the basics. You can also check out https://portswigger.net/burp/download.html or any other web proxy, become familiar with how HTTP requests/responses work, etc.
In general, yes, you'll want both network scanner and web scanner. Nexpose is free for 32 IPs if you have a small net you're concerned about.
Yes, post login scanning is possible, but more difficult. First of all, you need to be careful about what you're scanning: for instance if you scan a "delete users" function without thinking carefully about what it's doing you might have a bad time. ;-)
With burp you can use the built in session handling which is a bit complicated, or manually log in and have the tools set up to use the cookie jar. Most other tools have similar functionality, and the $$$ tools like Appscan and webinspect have easier to use wizards. Acunetix is somewhere in the middle of the cost/ease of use spectrum, and is a pretty good value.
See https://portswigger.net/burp/help/options_sessions.html for some info on this, but there are a lot of quirks to deal with in various applications, and this is part of where Pro or more expensive tools show their value.
You can practice on test targets like DVWA which have a login to see how it goes in general..
If you're interested in web security, (which is not the only field in cyber-security, but it's the one with which I'm familiar) go download the free version of Burp, and hit up hackthissite.org. The challenges there are a fun way to learn some of the basics of web penetration testing. For a more high-level overview of what kinds of things you'd be finding in a web pen test, a quick read through of the OWASP Top 10 (PDF download) might be worth your time.
Best of luck!
https://portswigger.net/burp/download.html
I loaded 20000 random 72-bit tokens and it estimated 70 bits.
I used the option to base64 decode tokens before analyzing, of course.
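The Sequencer measurements mentioned in the two posts above (the randomness tests, and the 72-bit base64 tokens estimated at 70 bits), as an added example that is not code from the thread and not Sequencer's own statistics: a simplified per-bit entropy estimate that base64-decodes each token, tallies how often every bit position is set across the sample, and sums the Shannon entropy of each position. Sequencer runs a much richer battery of tests; this reproduces only the headline "estimated bits of entropy" idea. Both token generators are constructed here, and the deterministic `random.Random` seed stands in for a real CSPRNG so the numbers are reproducible.

```python
"""
Added example: a bit-level entropy estimate over base64 tokens.
Not Burp Sequencer's algorithm; the generators and seeds are assumptions.
"""
import base64
import math
import random

TOKEN_BITS = 72
TOKEN_BYTES = TOKEN_BITS // 8


def per_bit_entropy(tokens_b64):
    """Sum over bit positions of H(p_i), where p_i is the fraction of tokens
    with bit i set. A position that is always 0 or always 1 contributes 0."""
    raw = [base64.b64decode(t) for t in tokens_b64]
    nbits = len(raw[0]) * 8
    ones = [0] * nbits
    for blob in raw:
        value = int.from_bytes(blob, "big")
        for i in range(nbits):
            if (value >> i) & 1:
                ones[i] += 1
    n = len(raw)
    total = 0.0
    for count in ones:
        p = count / n
        if 0.0 < p < 1.0:
            total -= p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p)
    return total


def _encode(value):
    return base64.b64encode(value.to_bytes(TOKEN_BYTES, "big")).decode()


def strong_tokens(n, seed=1):
    """72 bits drawn from a PRNG seeded for reproducibility (a real token
    generator would use secrets.token_bytes)."""
    rng = random.Random(seed)
    return [_encode(rng.getrandbits(TOKEN_BITS)) for _ in range(n)]


def weak_tokens(n, seed=1):
    """Same 72-bit layout, but only the low 32 bits vary: the top 40 bits are
    a constant (think server id + build number), as a weak generator might do."""
    rng = random.Random(seed)
    prefix = 0x1234567890 << 32  # 40 fixed bits
    return [_encode(prefix | rng.getrandbits(32)) for _ in range(n)]


if __name__ == "__main__":
    print("strong:", round(per_bit_entropy(strong_tokens(20000)), 2))  # about 72
    print("weak:  ", round(per_bit_entropy(weak_tokens(20000)), 2))    # about 32
```

With 20000 samples the estimate sits within a few hundredths of a bit of the true value for the strong generator, which is why a result a couple of bits below the token length, as in the post above, is worth a second look rather than alarm; a structurally weak generator shows up as a large gap.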
I don't know what kind of info your db holds, but if he gave you back anything more than usernames and hashed passwords or you store anything more than that, you need to hire a professional.
That being said, I would take a shot at it with BurpSuite. If you know what you're doing and what to look for, you'll more than likely find a lot of vulnerabilities just using that.
Metasploit, SQLMap, Acunetix and the like are all good things to try turning on your site as well.