Burp Macro Auto Authentication

Captions
Hey everyone, welcome back to CyberSecurityTV. This week we're gonna talk about Burp macro auto authentication. Many times we face challenges while using Burp, or especially the Burp scanner: we have a large site to scan, and let's say it has an idle session timeout, or for some reason Burp is trying to make some requests which forcefully lock out the application. This is not an enterprise-level scanner which would retry to authenticate itself, but there is a way in Burp where you can manage your session, so if Burp detects a logout or an invalid session, it's gonna retry the authentication by itself. We're gonna do that using the macro feature which Burp has built in. I'm gonna demo this; it's a very important lesson because I had struggled a lot of the time while scanning a large application with a session timeout. I had to sit in front of the scanner and see whether my requests had started getting 403 or 404 or a session timeout or logout or anything, and then I had to re-run the scan, and that's just whole chaos. This is the best solution I have found so far, so if you guys are facing the same issue you can use that as well.

Let me jump on to Burp first and we'll see how you can configure that. First, of course, we're gonna use the simple Burp; you can do this with the free or the pro version, doesn't matter, but just make sure your proxy is configured on the right port. If you want you can also intercept the response; this is actually not required for this particular exercise. Next, I'm gonna use demo.testfire for our testing purposes. How simply the authentication works is: in any application you click on Sign In, and just make sure you have this configured. As you can see the request has been intercepted. Now here you do not need to observe every request, so I'm gonna turn the intercept off, but we'll take a look at the HTTP history. I have intercept off; let's go back. I have saved the credentials, so I'm just gonna fill those in and click Login, and congratulations, we are logged in.

Now let's go to the HTTP history, and we see the first request that Burp sent out was login.jsp; then we have our username and password which were sent out, then the submit button was clicked, and this was the main page of the bank. Now let's make one more request. Here when we made this request, we showed the account list, this is our account number, and in the response we got all our 10 recent transactions and whatever. We are less concerned with this, but what we are concerned with is: for example, likewise you have multiple links here, you have multiple operations in your application, and you want to scan all of them, so you would simply do an active scan. Now during the scan there is a possibility that the session might log out; there is a possibility that Burp itself would kill the session, and that would deny any further scanning. You want to avoid that scenario.

Now how do we do that? You go to Project options, and you go to Sessions. If you go to Sessions, one thing you would notice there is a cookie jar. If you open up the cookie jar you will see the list of active cookies that is maintained by Burp Suite. These are the cookies which Burp will use; of course right now it's set for the proxy, so based on the proxy transactions it's gonna update these cookie values. For example, let me take a screenshot of this and then we can compare how the values change. These are the values; let's close this. Let me log out. This is very important to understand, so that's why I'm kind of going through step by step. Let's sign in again, admin / admin, Login. Everything is going through; I'm sure it's going to the HTTP history, so I'm not much worried about that. Let's open the cookie jar again. Now you see we only have two cookies instead of three, and you actually would see that the value of this JSESSIONID is still the same, because of course these are vulnerable applications, not changing the session value on every login, but you also saw that this AltoroAccounts cookie is now not in there.

So what happens is Burp maintains this cookie jar, and every time we send a request from the Repeater or from the scanner, Burp uses this cookie jar to send the cookie value along with it. Now what happens if you log out is this cookie value becomes ineffective or invalidated, and hence Burp is not able to authenticate. So we need to find an automated way to update this cookie value, or make it the current value. We are going to use Session handling rules, and it says: you can define session handling rules to make Burp perform specific actions when making HTTP requests; each rule has a defined scope for particular tools, URLs or parameters, and can perform actions such as adding session cookies (which we want to do), logging in to the application (yes), checking session validity (yes); each request is issued, applying in sequence each of the rules that are in scope for the request. So first, what we're gonna do is check the session validity: every time our scanner or Repeater tries to make a request, first we're gonna check whether the session is valid or not; if not, then we'll make Burp log in to the application and then update the cookie jar.

Let's start with that. I'm gonna add a rule; I'll call it "do login". Rule actions: let's add "Check session is valid". We'll do that for the current request; it doesn't matter where the request is coming from. I'll actually show you where you can define the scope of the request, but for now let's just keep "issue current request". Next thing we have to do is inspect the response to determine session validity. Now how does Burp know whether the session is valid or not? It's based on the expression. This is the default. Any time you log out of the application, any request might give you a 302 redirect and say go to the login page, or you're unauthorized, so you can add anything here; you can add "unauthorized". For this one let's go back to the Proxy; I'm gonna send it to the Repeater. Right now am I logged into the application? Yes I am. So let's sign off, and let's send the request. What did we get? We got 302 because we are logged out, and as you can see, there it is. We need to find one unique expression that we're gonna get if the session is not valid, so here it is: login.jsp. Even if you just keep "login" it should work. Let's go back to Project options, Sessions, do login, Check session is valid. This is good: whenever Burp encounters "login", it's gonna run the macro, which defines the behavior we have defined on session validity. Now you can also say whether it should be case sensitive or not; I'm just gonna keep it insensitive. You can also select sensitive; in our case it's actually this, but anyway, that doesn't matter. "Match indicates invalid session", so yeah, when this matches, that means Burp has encountered an invalid session.

Now we want Burp to automatically reauthenticate itself, so we're gonna say "If session is invalid, perform the action below: run a macro". In the macro I'm gonna choose the request; this is the main part, you're gonna choose the requests which help you to authenticate to the server. First I'm gonna pick GET login, because it's gonna give me the login page, and then I'm gonna choose the doLogin, which is submitting the username and password, and it gives me the cookie with the authenticated cookie value. I'm gonna click OK. Now you can re-record the macro, re-analyze the macro, you can test the macro. I know this macro works, I'm just gonna attach the macro; I'm not gonna re-analyze anything. As you can see this is 200, this is 302; you can also see in the response we got the valid cookie, so this is gonna work. Hit OK, hit OK. Now look at this part: "update current request with parameters matched from the final macro response". Of course this is just for the login, so we don't want to change any parameters; we're just going to use the same username and password, but anyway you can keep this. Then the second most important is "update current request with cookies from the session handling cookie jar": this is actually going to update the cookie value which we have in the cookie jar, so subsequent requests will use the new cookie value, which is authenticated, and this will be completely transparent to you.

Let's hit OK, and when I say OK I see a warning: "the rule is not in scope for any URL, do you want to proceed?" No, because you want to make sure this is applicable to all of our scope. Here I have chosen by default Target, Scanner, Repeater, Intruder, Sequencer; you can also choose Extender and Proxy. Then the URL scope: most of the time I determine what the scope is going to be for the testing, so I only add, for example, demo.testfire.net, and that way we'll only be storing history for this domain, and this will also only be applicable to this. But right now you can also see "include all URLs", doesn't matter, or you can say "use suite scope", which is defined in the Target tab, so it's gonna copy whatever we have there. Let's just do "include all URLs" and hit OK, and make sure this is checked.

Now let's go back to the Repeater. Let's see, are we logged in? No, let me refresh and just make sure. Oh, we are logged in, so sign off. OK, I'm gonna go back here and send the request. Now since we are signed off, we still got the authenticated response, and the best way to check is you can see we found the account history for this particular account, which should not have been there because we were not logged in. Now let me refresh here: you can see we are signed off, and if I actually replace it with this URL we will be able to see the authenticated page. Now let's sign off again, go to Project options and uncheck this; now our session handling rule is disabled. So now if I send this request, since I'm logged off I should not be able to get the authenticated response, which I am not; now I'm getting a location redirect, and if I follow the redirection I'm getting the login page. As you can see it's asking for the username and password; OK, so rendering works, so right now we are getting back to the login page. Now instead let's go back, enable "do login" here, go to the Repeater, send, and as you can see we are logged in and we are getting the authenticated response.

So this is not just applicable to the Repeater; as I said, you can apply this to the scanner, you just need to define the scope in here, and you can apply it in the Scanner, Sequencer, Intruder. This is a lifesaver for me at least: you don't have to worry every time about whether you're logged in or logged off, you can just continue your testing irrespective of whether the session has timed out, and Burp will manage its own session rules and give you authenticated results. So I guess that's about it; I just want to keep it short, but I hope this demo will help you guys in the future for any testing that you may do. If you have found any other ways to manage session handling with Burp, let me know, I will be more than happy to know about that as well and hopefully help our community. If there are any other questions let me know in the comment section. If you enjoyed this video please hit the thumbs up button and subscribe for more videos, and follow me on Facebook, we post the updates on there. That's it I guess, and I'll see you guys next week. Bye.
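The flow configured in the video (check each response against an "invalid session" expression, run the login macro when it matches, refresh the cookie jar from the macro responses, then re-issue the original request) is straightforward to model in plain Python. The block below is an added example, not code from the video or from PortSwigger; the tiny in-memory "bank" it drives is constructed to mimic an Altoro Mutual-style site, and all paths, cookie names, parameter names and credentials in it are assumptions for the demo.

```python
"""Model of a Burp session-handling rule: 'check session is valid' with an
invalid-session expression, 'run a macro' on failure, shared cookie jar.

Added example, not the video's or PortSwigger's code. FakeBankApp is a
constructed stand-in for demo.testfire.net; its paths (/login.jsp, /doLogin,
/logout.jsp), cookie (JSESSIONID) and form fields (uid, passw) are assumed.
"""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class FakeBankApp:
    """Constructed target: a session id is authenticated only after a valid
    POST /doLogin, and logging out invalidates it server-side."""

    def __init__(self, username="admin", password="admin"):
        self.creds = (username, password)
        self.authenticated = set()

    def handle(self, method, path, cookies, data=None):
        data = data or {}
        sid = cookies.get("JSESSIONID")
        if path == "/login.jsp":
            # Login page hands out a session cookie (first request of the macro).
            return Response(200, {"Set-Cookie": {"JSESSIONID": secrets.token_hex(8)}},
                            "<form action='/doLogin'>")
        if path == "/doLogin" and method == "POST":
            if sid and (data.get("uid"), data.get("passw")) == self.creds:
                self.authenticated.add(sid)
                return Response(302, {"Location": "/bank/main.jsp"})
            return Response(302, {"Location": "/login.jsp?error=1"})
        if path == "/logout.jsp":
            self.authenticated.discard(sid)
            return Response(200, {}, "You have been signed off")
        if sid in self.authenticated:
            return Response(200, {}, f"Account history for {path}")
        # Unauthenticated: redirect to the login page, as the Repeater showed after sign-off.
        return Response(302, {"Location": "/login.jsp"})


class SessionHandlingRule:
    """Mirrors the rule built in the video. The expression is matched
    case-insensitively against the whole response (status, headers, body)."""

    def __init__(self, app, invalid_pattern=r"login\.jsp", macro=(), enabled=True):
        self.app = app
        self.invalid_re = re.compile(invalid_pattern, re.IGNORECASE)
        self.macro = list(macro)      # sequence of (method, path, data)
        self.enabled = enabled
        self.cookie_jar = {}          # shared by every tool, like Burp's jar
        self.macro_runs = 0

    def _send(self, method, path, data=None):
        resp = self.app.handle(method, path, dict(self.cookie_jar), data)
        # Update the jar from Set-Cookie so later requests carry the new value.
        self.cookie_jar.update(resp.headers.get("Set-Cookie", {}))
        return resp

    def _is_invalid(self, resp):
        hdrs = "\n".join(f"{k}: {v}" for k, v in resp.headers.items() if k != "Set-Cookie")
        return bool(self.invalid_re.search(f"HTTP/1.1 {resp.status}\n{hdrs}\n{resp.body}"))

    def run_macro(self):
        self.macro_runs += 1
        for method, path, data in self.macro:
            self._send(method, path, data)   # each step refreshes the jar

    def request(self, method, path, data=None):
        resp = self._send(method, path, data)
        if self.enabled and self._is_invalid(resp):
            self.run_macro()
            resp = self._send(method, path, data)  # re-issue with the refreshed cookies
        return resp


# The two recorded requests chosen for the macro: GET login page, then POST credentials.
LOGIN_MACRO = [
    ("GET", "/login.jsp", None),
    ("POST", "/doLogin", {"uid": "admin", "passw": "admin", "btnSubmit": "Login"}),
]


def demo(enabled=True):
    """Returns (first status, status after sign-off, Location after sign-off, macro runs)."""
    app = FakeBankApp()
    rule = SessionHandlingRule(app, macro=LOGIN_MACRO, enabled=enabled)
    rule.run_macro()                                # the browser login seen in HTTP history
    first = rule.request("GET", "/bank/showAccount")
    rule._send("GET", "/logout.jsp")                # sign off: the jar's JSESSIONID is now dead
    second = rule.request("GET", "/bank/showAccount")
    return first.status, second.status, second.headers.get("Location"), rule.macro_runs


if __name__ == "__main__":
    print("rule enabled :", demo(enabled=True))    # re-authenticates transparently
    print("rule disabled:", demo(enabled=False))   # 302 to /login.jsp, as in the video
```

With the rule enabled the second request comes back 200 after one extra macro run; with it disabled the same request is a 302 to the login page. The invalid-session expression is the part worth getting right: if it also matches a legitimately authenticated response (for example a page that merely links to login.jsp), every request will trigger a fresh login, which is noisy and can itself lock the account.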
Info
Channel: CyberSecurityTV
Views: 4,956
Keywords: Burp, Intercept, MiTM, Proxy, OWASP ZAP, ZAP, Active Scan, burp scan, burpsuit, burp suit tutorial, burp suit pro, web app security, owasp top 10, owasp, XSS, SQLi, burp 2.0 scan, burp 2.0, Burp Scanner, burp session handling, web app pentest, application pentest, app pentest, burp session management, burp macro, what is burp suite, burp proxy
Id: Ba2EzXP4swE
Length: 14min 45sec (885 seconds)
Published: Mon Aug 03 2020