Most Popular Burp Extensions Explained: Request Smuggler, Logger++ and others #burpsuite #hacking

Captions
Hello ethical hackers. Today we're going to learn the most popular Burp Suite extensions for Burp Suite Community Edition, and we're going to test each one of them on OWASP Juice Shop, which is a vulnerable web application made for testing purposes.

So here we are on the BApp Store, which you can find under the Extender tab and BApp Store, and you can sort by popularity. We're going to choose a reverse order; this way we have the most popular Burp extensions that we can test. We have some extensions which require Burp Suite Professional. I will be doing another video, upon your request, which tests those as well using Burp Professional, but for now let's just stick with the Community Edition.

The first one is really straightforward: it does what it says. JSON Beautifier does nothing but beautify JSON for you. This was the go-to extension before Burp released recent versions which included this feature built in. Now if I go to the web application, I can proxy my requests through Burp. If you don't know how to use this extension or what FoxyProxy is, I talk about this in detail in the OWASP Top 10 playlist, which you can find on this channel. Now if I go, for example, to Customer Feedback, I should have some requests going through Burp. For example, this request calls the user whoami REST API and returns the data. So let's play with it to give you an idea of what it does. We'll send this to the Repeater, and let's just get rid of this header, which will force the cache to be disabled, and then send the data. So right away you can see that we have a JSON object which is already pre-formatted, and that's because of the recent versions of Burp Suite. So you can see here we have a Pretty button, but if we choose Raw you can see that the JSON now becomes inline. This was not a feature in older versions, so that's why we have this extension. If you install it, you should see that there is a new tab that appears called JSON Beautifier, and what it does is just the same thing as the Pretty button, except that now we have JSON beautified inside the whole response, not just the JSON payload itself. I would say that this extension is not really as useful anymore as it used to be.

Now Active Scan++ we can skip, because it requires Burp Professional, but it just adds some checks for the Burp scanner, which is not included in Burp Community Edition.

Now here we come to HTTP Request Smuggler. This extension helps you detect and exploit request smuggling vulnerabilities, which is a vulnerability that has been discovered by James Kettle. You can see all the links that point to this vulnerability. I won't go into the details of HTTP request smuggling, but in general it consists of exploiting inconsistencies between a proxy and the back-end server, and James Kettle found a way to smuggle requests that can be leveraged to exfiltrate sensitive data. So if we go here, you can see all the details about the paper and a video where James explains the vulnerability in detail, and he provided an extension that can be used to check for this vulnerability. So let's install it and see how it works. For this extension to work we need Turbo Intruder, which is another extension already available. So now whenever you have a request like this one, you can right-click and you can see here that you have a new menu called Launch smuggle probe. But let's actually test that on a website which is actually vulnerable to that, and luckily PortSwigger provides an application for that. I've already talked about PortSwigger Academy before in the Hack for Fun and Profit podcast, which you can find in a dedicated YouTube playlist on this channel. So here we have a bunch of vulnerabilities, and one of them is request smuggling, and again here are all the details related to this vulnerability. Throughout the explanations you have a lab that you can apply your knowledge on. So here, for example, we want to detect a Content-Length and Transfer-Encoding inconsistency, and it tells you that you can use the HTTP Request Smuggler Burp extension to help you, and the idea here is to smuggle a request to the back-end server so that the next request processed by the back-end server appears to use the method GPOST. So let's access this lab. It seems that it's a blog; if we view a post, we can see that there is a comment section. So let's send our test and let's capture the request using FoxyProxy. So here we have the POST request. So let's right-click on it and choose Launch smuggle probe, and here we are presented with a huge menu. Let's just hit Enter, and if there is a vulnerability we would see it in the Dashboard under the issues. But you do see that we have only some dummy results here, which don't reflect the reality, and to be able to see the results of Request Smuggler we need to have the Pro version.

Let's see what Logger++ does. Apparently it allows you to increase the logging features that you already have in Burp. It logs requests and responses like Burp does, but it also allows advanced filters. It logs all the tools that are sending requests and receiving responses, the ability to log from a specific tool, save the results into CSV format, grep through logs, and so on and so forth. So let's install it. Sometimes when you want to experiment with an extension you'll also have the source, so you can go to the GitHub repository, for example, and you might get additional information including screenshots or tutorials on how to use them. You can see that we are using the extension to filter logs based on a criterion, we can highlight certain requests, we can grep through the logs. You also have how to use it, so you can either use a standalone JAR or use the BApp from the Extender tab like we did. So here we have the Logger++ tab, and as you can see it records requests as they are coming, much like we see in the Proxy tab, but notice many requests which we are not initiating. If you recall, these are the requests sent by the HTTP Request Smuggler extension, so this allows you to effectively know what kind of tests the extension is doing. So here we are sending a comment and using a Transfer-Encoding equal to chunked, with a bit of capital-case play to fool the proxy, and we are using a Content-Length of 113, which I guess includes all this content in the POST data. We couldn't see such requests if we didn't have Logger++.

And here we can use filters. So let's say we want to filter only the requests that are sent to Juice Shop; we can base our filter on this header, so that would be request.host equals https and then the value of our host, and right away you can see that we have only the requests that have been sent to Juice Shop. You can also filter on the response. For example, if we want to see all the requests that resulted in a success, we can filter the response body to see if we have a "success" keyword, so we will use the contains operator in this case and then the keyword success, and here we have all the requests which generated a success response. We can also define our own filter expressions and store them here: you can hit Add snippet and give your filter a name, "success response", and here you can define which filter you want. You can also define multiple filters and use them simultaneously. I want to only target Juice Shop, and to do that I need to filter on the request; in this case I would use this host right here with https. All right, so now I might use this as a log filter, and then it automatically brings me to the View Logs tab with the results. We can also color those requests, so I will tag those requests with an orange color. So now if I go to View Logs, I can see that this request which returns success is highlighted with orange. We can also use regular expressions to filter our requests, which gives us all the requests or responses which have the keyword success, for example. So if we choose Juice Shop and right-click, we can view that in the logs and it will go straight into the request. You can also define your scope and then check this checkbox to only search through your scope. So if you go to Target, Scope and then Add, and maybe just use "juice", now if we go to Logger++ we want only the in-scope items, and then when we search we get back just the in-scope items. You can tweak all the features of Logger++ using the Options tab. For example, we can log requests from all the tools, which is the default, and this allowed us to inspect the requests that were sent using HTTP Request Smuggler, or we can uncheck that and use only the tools that we are interested in. Another neat feature of Logger++ is the ability to import Burp proxy history. You can even import from OWASP ZAP, and you can also export a CSV. It will open a dialog to choose which attributes you want exported; for example, if we are interested in just the Host header, we can check this line here and hit OK, and this will automatically create a CSV file for us, and when we open it you can see all the Host headers have been exported successfully. So obviously this is a huge extension which we can address in a separate video, but if you want to dig deeper you have the About tab, which gives you information on how to reach the authors of Logger++, and you also have the Help, which is kind of a documentation for all the features that are offered by Logger++. For example, you can see that we can use the body attribute that we used before; you also have an explanation of the filters and how to use them, how to use regular expressions, and so on and so forth.

So hopefully this video allowed you to experiment with, or at least discover, the two or three most popular Burp Suite extensions. Next time we will discover some others. If you found this content helpful, make sure to like, comment and subscribe to this channel so that you get updates whenever I publish a new video on ethical hacking and bug bounty hunting. If you're new to hacking and want to learn the basics, check out the free OWASP Top 10 theory and hands-on training on thehackerish.com and apply your knowledge on the lab which supports it. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 YouTube playlist; however, I encourage you to first try to solve the lab exercises so that you don't spoil them. Don't forget that there are supporting blog posts for most of the videos you watch on this YouTube channel. I also encourage you to subscribe to the Friday newsletter on thehackerish.com to gain some new hacking knowledge at the end of the week. If you enjoy listening while doing other things at the same time, check out the Hack for Fun and Profit podcast, link in the description box. Until next time: stay curious, keep learning, and go find some bugs.
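The Content-Length versus Transfer-Encoding inconsistency that the smuggle probe looks for, and that Logger++ made visible in the captured requests, is something a front-end proxy can refuse before it reaches the back end. This is an added example, not code from the video, from the HTTP Request Smuggler extension or from Logger++; the two raw requests are constructed, and the checks are the ones a defender applies when deciding whether a request is safe to forward.

```python
import re

# Constructed sample requests for this example (not captures from the video's lab).
CLEAN_REQUEST = (
    b"POST /rest/user/login HTTP/1.1\r\n"
    b"Host: localhost:3000\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
AMBIGUOUS_REQUEST = (
    b"POST /post/comment HTTP/1.1\r\n"
    b"Host: localhost:3000\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: cHunked\r\n\r\n"  # case play meant to slip past a naive front end
    b"0\r\n\r\nX"
)

def parse_headers(raw: bytes) -> list:
    """(name, value) pairs kept unnormalised so odd casing and stray whitespace stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1"), value.decode("latin-1")))
    return pairs

def smuggling_findings(raw: bytes) -> list:
    """Reasons a front-end proxy should refuse to forward this request.
    RFC 7230 s.3.3.3: a message with both Content-Length and Transfer-Encoding
    may be a smuggling attempt and ought to be treated as an error."""
    headers = parse_headers(raw)
    findings = []
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE / TE.CL ambiguity)")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values: " + ", ".join(cl))
    for name, _ in headers:
        if name != name.strip():  # e.g. " Transfer-Encoding", parsed differently by different servers
            findings.append(f"header name padded with whitespace: {name!r}")
    for value in te:
        if value.strip() != "chunked" and re.fullmatch(r"\s*chunked\s*", value, re.IGNORECASE):
            findings.append(f"obfuscated Transfer-Encoding value: {value!r}")
        elif value.strip().lower() != "chunked":
            findings.append(f"non-canonical Transfer-Encoding value: {value!r}")
    return findings

def should_forward(raw: bytes) -> bool:
    """Strict front-end policy: reject rather than guess the body length."""
    return not smuggling_findings(raw)
```

Run over the constructed requests, the clean one yields no findings while the ambiguous one is flagged twice (both headers present, and the case-mangled `chunked` value), which is the same pair of properties the probe requests seen in Logger++ rely on.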
Info
Channel: thehackerish
Views: 16,348
Keywords: infosec, bug bounty, hacking, cybersecurity, bug bounties, bug bounty hunting, podcast, bug bounty resources, computer hacking, hackerone, bugcrowd, bug bounty methodology, subdomain enumeration, oscp, pentest, penetration testing, red team, red teaming, javascript, burpsuite, burpsuite extensions
Id: BZTvfqn2NMQ
Length: 14min 35sec (875 seconds)
Published: Thu Oct 22 2020