CYB 205
Software Foundations for Cybersecurity
Burp Suite Lab
The focus of this lab is to gain introductory knowledge and experience with Burp Suite. Burp Suite is a
suite of robust web application pentesting tools from the company PortSwigger
(https://portswigger.net/). Burp Suite is the industry-standard tool used by cybersecurity professionals
for identifying and analyzing vulnerabilities in web applications (PentestGeek, 2018).
This lab is the successor to the Kali Linux and Metasploitable2 Lab. It is vital for the success of this lab
that the prior lab has been completed. Also, both the Kali Linux and Metasploitable2 virtual machines
(VMs) must be configured properly and operational.
The Metasploitable2 VM is plagued with vulnerabilities; it is NOT advisable to allow this VM access to
the internet. Refer to the Kali Linux and Metasploitable2 Lab if unsure of the VM’s network
configuration.
1. From the Metasploitable2 webpage, select DVWA (Damn Vulnerable Web Application).
2. At the login screen of DVWA input the default username of “admin” all lowercase and the
default password of “password” also all lowercase.
3. Upon successful login, the DVWA homepage is presented.
4. Next, set the DVWA security level. Select the “DVWA Security” button on the right-hand side of
the page. Set the security level to “low” using the dropdown selection and “submit.”
5. The Firefox web browser must be configured to interact with Burp Suite. To do this, the browser
must be configured to use a “manual proxy.” To set a “manual proxy,” click the three small
horizontal lines (sometimes referred to as “the hamburger”) in the upper right-hand corner of
the Firefox browser.
6. When the hamburger is selected, a fly-out menu appears. From the fly-out menu, select
“Preferences.”
7. Next, select the “Advanced” option on the left-hand side. Then select the “Settings” button.
8. When the “Settings” menu opens, configure the “Manual proxy configuration.” “HTTP Proxy”
address must be “ XXXXXXXXXX” and “Port” set to “8080.” Ensure the “No Proxy for” box is
completely empty; delete any information in this box. Click “Ok” to continue.
9. Close the “Preferences” tab and return to DVWA.
10. Start “Burp Suite” by selecting the icon from the left-hand side Kali Linux menu. Also, “Burp
Suite” can be started by accessing the “Applications” menu from the top left-hand side. Select
“Burp Suite” from the favorites menu.
11. When Burp Suite launches, leave the defaults and click “Next.”
12. Start Burp Suite with default settings.
13. When the full Burp Suite application opens, select the “Proxy” tab and then the “Intercept” tab.
If “Intercept is on,” click the button and ensure “Intercept is off.” For this exercise, “Intercept is
off” so that traffic passing through Burp Suite does not have to be manually forwarded. Burp Suite
still sees and records all browser traffic because of the proxy setup done earlier.
14. Check the “Proxy Listeners” in Burp Suite to ensure the settings match those of the Firefox browser.
Click the “Options” tab and ensure the “Interface” is set to the loopback IP of XXXXXXXXXX with
port 8080 and “Running” is checked. When the IP address and the port are shown together, it is
known as a socket. XXXXXXXXXX:8080 should be directly under the “Interface” column; if not,
select “Edit” from the left-hand side and make corrections. Keep this window open.
15. With Firefox and Burp Suite properly configured, it is time to start a brute force attack on a web
application login page. At the DVWA homepage, select the “Brute Force” option on the left.
Also, ensure the security level is set to low as shown in the lower left corner.
16. Enter any username and password in the form and click “Login” (use your imagination and
pretend you don’t know the credentials). Now go to Burp Suite and check the “HTTP history”
tab. Look for a “200” response in the “Status” column with a “username” in the “URL” field. This
indicates a successful response from a server (for more info concerning server response codes:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status).
17. Look at the information presented. The line with the “200” server response code is highlighted,
and the information pertaining to the host and URL is shown in the “Raw” tab below. The “GET”
request shows what credentials were entered in the DVWA web form. The user entered “user”
for the username and “qwerty” for the password. The response from the web form shows an
incorrect response for these credentials.
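What the web server sees while step 17 happens: because the DVWA form sends the credentials as GET query parameters, every attempt is written to the server’s access log. The following is an added example for this lab, not part of the handout or of DVWA/Burp Suite. It parses constructed Apache combined-format log lines (the login path and client addresses are assumed for the example), flags a client that makes a burst of login attempts with varying credentials, and masks the password parameter before the record is shared.

```python
"""Detecting a login brute force in web server access logs.

Added example for this lab (not part of the original handout or of Burp
Suite/DVWA). Assumptions, all constructed for illustration: the login page
lives at /dvwa/vulnerabilities/brute/ and takes the credentials as GET query
parameters, so each attempt appears in an Apache "combined" format log line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client sweeps username x password combinations against
# the login page within two seconds; a second client logs in once and moves on.
SAMPLE_LOG = """\
10.0.2.15 - - [20/Jan/2018:10:00:01 -0500] "GET /dvwa/vulnerabilities/brute/?username=user&password=qwerty&Login=Login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Jan/2018:10:00:02 -0500] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Jan/2018:10:00:02 -0500] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Jan/2018:10:00:03 -0500] "GET /dvwa/vulnerabilities/brute/?username=user&password=password&Login=Login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Jan/2018:10:00:03 -0500] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
10.0.2.7 - - [20/Jan/2018:10:05:00 -0500] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
10.0.2.7 - - [20/Jan/2018:10:05:01 -0500] "GET /dvwa/index.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(m.group("status")),
        "size": int(m.group("size")) if m.group("size").isdigit() else 0,
    }


def login_attempts(log_text, login_path="/dvwa/vulnerabilities/brute/"):
    """Keep only requests to the login page that carry a username parameter."""
    attempts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"] == login_path and "username" in rec["query"]:
            attempts.append(rec)
    return attempts


def find_bursts(attempts, window=timedelta(seconds=60), threshold=4):
    """Flag each client that makes >= threshold login attempts inside any sliding
    window of the given length. Returns {ip: summary} for flagged clients only."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "usernames": sorted({r["query"]["username"] for r in recs}),
                "distinct_passwords": len({r["query"].get("password", "") for r in recs}),
            }
    return flagged


def redact(rec):
    """Credentials sent by GET land in the access log itself; mask the password
    before the log is shared or forwarded to a SIEM."""
    q = dict(rec["query"])
    if "password" in q:
        q["password"] = "<redacted>"
    return q


if __name__ == "__main__":
    attempts = login_attempts(SAMPLE_LOG)
    for ip, info in find_bursts(attempts).items():
        print(f"possible brute force from {ip}: {info}")
    print("redacted record:", redact(attempts[0]))
```

The threshold and window are deliberately small so the constructed sample trips the rule; on a real server they are tuned to the application, and a lockout or rate limit on the login handler is what actually stops the sweep that this lab performs.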
18. To simplify the brute force attack, create two text files. One text file with a list of possible
usernames (screenshot on the left) and another with possible passwords (screenshot on the
right). Since this is the free version of Burp Suite, keep the list small and simple as speed is
greatly reduced with this version. These text files will serve as payloads for the attack.
19. In the Burp Suite “Raw” tab, right-click within the area. When the pop-up menu appears, select
“Send to Intruder.”
20. When the information is sent to the “Intruder” the “Intruder” tab will highlight orange. Select
the tab.
21. Once in the “Intruder” tab, select the “Positions” sub-tab and examine the orange highlighted
areas. These are the brute force attack areas. The username is “position one” and the password
is “position two” and so on. This attack is only concerned with brute forcing positions one and
two (username and password).
22. Change the attack type from “Sniper” to “Cluster bomb” via the dropdown option. This will allow
use of multiple text files for multiple positions. Highlight the text in the window below the
“Attack type” and click the “Clear” button on the right. This will remove the “S”-shaped marker
characters (§) from all brute force positions.
23. Double click the entered username, in this case “user,” and click the “Add” button to put the “S”-
shaped characters around the username. Repeat this process for the entered password, in this case
“admin.” Putting the “S”-shaped characters around the username and password fields ensures
Burp Suite will only brute force these two positions.
24. Set the payloads in the “Payloads” tab.
a. In the “Payload Sets” section, ensure “Payload Set” is “1,” which corresponds to the
username field to brute force. For the “Payload type” select “Runtime file” from the
dropdown. In the “Payload Options [Runtime file]” section, navigate to the text file
containing the list of possible usernames, highlight the file and click “Open.”
b. Repeat this process with “Payload Set” position “2.” Use the dropdown to make this
change. This time, the runtime file will be the text document with possible user
passwords.
25. Click the “Options” tab and scroll down to the “Grep – Match” section. Clear any text contained
in the field by clicking “Clear” on the left. Confirm when the dialog box appears. Next, type the
word “Incorrect” in the “Add” field and click the “Add” button. This will create a column to show
failed brute-forced credentials during the attack.
26. Scroll up and start the brute force attack by clicking the “Start attack” button and click “OK”
when the warning dialog box appears.
27. After the attack has completed (should not take too long), analyze the results. Look at the
“Incorrect” column created using the “Grep – Match” option earlier. Highlight a row
that does not have an “Incorrect” checkmark in the “Results” area. Below the results area,
select the “Response” tab and the “Render” sub-tab. Look for a response that may be the
correct username and password credentials.
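Steps 21 through 27 describe how Intruder's attack types expand the two payload files into requests and how the “Grep – Match” column separates failed attempts from candidates. The following added example models that offline; it is not Burp Suite's own code and sends no requests. The payload lists, the lockout rule and the server replies are constructed for the example (the two reply texts follow the DVWA messages quoted in this handout), and the match is treated as case-insensitive, which is an assumption. It also shows the caveat a practitioner wants at step 27: a row without “Incorrect” is only a candidate, because a lockout or error page lacks that word too, so the success text itself should be checked.

```python
"""Intruder attack types and "Grep - Match", modelled offline.

Added example for this lab, not Burp Suite's own code: it sends no requests.
It shows (1) how many requests Sniper and Cluster bomb generate for the two
marked positions, and (2) why a row with no "Incorrect" match is only a
candidate. Payload lists, the lockout rule and the replies are constructed.
"""
from itertools import product

USERNAMES = ["admin", "user", "guest"]                   # constructed runtime file 1
PASSWORDS = ["123456", "letmein", "password", "qwerty"]  # constructed runtime file 2
BASE_REQUEST = ("user", "admin")  # original values in positions 1 and 2 (step 23)
LOCKOUT_AFTER = 10                # constructed defence: the target locks after 10 tries


def sniper(base, payloads):
    """Sniper: one payload list, inserted into each marked position in turn while
    the other positions keep their original value -> len(base) * len(payloads)."""
    for i in range(len(base)):
        for p in payloads:
            req = list(base)
            req[i] = p
            yield tuple(req)


def cluster_bomb(payload_sets):
    """Cluster bomb: one list per position, every combination -> product of sizes.
    Position 1 cycles fastest here; the order is a modelling choice."""
    for combo in product(*reversed(payload_sets)):
        yield tuple(reversed(combo))


def request_count(attack_type, base=BASE_REQUEST, payload_sets=(USERNAMES, PASSWORDS)):
    """Requests the attack will send; the free edition throttles them, which is
    why the handout says to keep the lists small."""
    if attack_type == "sniper":
        return sum(1 for _ in sniper(base, payload_sets[1]))
    if attack_type == "cluster bomb":
        return sum(1 for _ in cluster_bomb(payload_sets))
    raise ValueError(attack_type)


def simulated_response(username, password, attempt_no):
    """Constructed stand-in for the DVWA login page: returns (status, body)."""
    if attempt_no > LOCKOUT_AFTER:
        return 429, "Too many login attempts. Try again later."
    if (username, password) == ("admin", "password"):
        return 200, "Welcome to the password protected area admin"
    return 200, "Username and/or password incorrect."


def run_attack(requests, grep_term="Incorrect"):
    """Build Intruder-style result rows: payloads, status, length, grep-match flag.
    The match is case-insensitive here (an assumption of this example)."""
    rows = []
    for n, (u, p) in enumerate(requests, start=1):
        status, body = simulated_response(u, p, n)
        rows.append({"payloads": (u, p), "status": status, "length": len(body),
                     "body": body, "matched": grep_term.lower() in body.lower()})
    return rows


def candidates(rows):
    """Step 27's rule: rows without the failure marker."""
    return [r["payloads"] for r in rows if not r["matched"]]


def confirmed(rows, success_marker="Welcome to the password protected area"):
    """Stricter check: require a 200 and the success text, so lockout or error
    pages (which also lack the word "incorrect") are not mistaken for a hit."""
    return [r["payloads"] for r in rows
            if r["status"] == 200 and success_marker in r["body"]]


if __name__ == "__main__":
    print("sniper:", request_count("sniper"), "cluster bomb:", request_count("cluster bomb"))
    rows = run_attack(cluster_bomb((USERNAMES, PASSWORDS)))
    print("candidates (no 'Incorrect'):", candidates(rows))
    print("confirmed (success text):", confirmed(rows))
```

With these lists, Sniper over the password file alone yields 8 requests and Cluster bomb 12; once the constructed lockout engages, the grep rule reports three candidate rows but only one carries the success text, which is why the handout has you render the response rather than trust the checkmark column alone.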
28. Try the credentials indicated by Burp Suite on the DVWA webpage and see if Burp Suite was
successful in brute forcing the username and password.
29. If the login credentials entered were successful, the “Welcome to the password protected area
admin” confirmation should appear as seen below. This completes the Burp Suite lab.
References:
What Is Burpsuite - Tool Description XXXXXXXXXX Pentest Geek. Retrieved 20 January 2018, from
https://www.pentestgeek.com/what-is-burpsuite
Guidelines for Writing a Lab Report
Group work: each group will meet prior to beginning lab work. There are three members per
group. Each group member rotates the role as outlined below:
Manager. The manager delegates the work (including her/his own). At the conclusion of the lab,
the manager includes a paragraph indicating who was responsible for each section. The manager
of the lab report is ultimately responsible for quality control, which includes formatting.
Time keeper. The time keeper creates a timeline for project completion. At the conclusion of the
lab, the time keeper includes the timeline, which is a list of the tasks delegated by the manager.
The time keeper determines if the tasks were completed per the time line, and if not, when the
tasks were completed. Did each person complete their assigned tasks on time? If not, why?
Note taker. The note taker maintains a directory (folder) of lab results, findings, and
screenshots. The note taker is also responsible for archiving the communications between group
members. This allows the professor to review group communication to ensure all group members
participated. This folder will be zipped and submitted as part of the lab report.
General Guidelines: Lab reports should be written in a clear and concise manner in the 3rd
person. For the purposes of this class there should never be any reference to I, he, she, we, etc.
For instance, instead of writing “As instructed, I opened all files except for the unallocated space
text file.” write “As instructed, all files were opened except the unallocated space text file.”
Another example: instead of writing “When attempting to open this file, we receive an error
stating that the file was either damaged or is not a supported file type.” Consider