Intro
Environment
Ubuntu 14.04, PHP7.0, Apache
Objective
Manually do penetration test on web app using Burb Suite
Components
NOWASP Mutillidae
NOWASP Mutiliadae is a purposely vulnerable web application containing more than 40 vulnerabilities. It includes all of the OWASP top 10 vulnerabilities. NOWASP will be used as target for penetration test.
Burp Suite
This is an interception proxy tool that interacts between the client (a browser application, e.g., Firefox or Chrome) and the website or server. It will be running on my local machine and it will intercept inbound and outbound traffic between the browser and the target host. BURP Suite available in free and premium edition.
Preparation
Download & Install NOWASP
Download & Install BURP Suite
Set BURP Suite as Network Proxy
To enable BURP to intercept our web request, set your network proxy to
http://127.0.0.1:8080.
Intercept with Burb
Forward or Drop
Go to
Proxy > Intercept tab. Make sure Intercept is on (on button). Once request get intercepted, you may click Forward or Drop the request by clicking the corresponding button.Examine Request / Response Parameters
Examine the parameters for both request and response.
Edit Request Parameters
Change GET request to POST request
Reference
- http://resources.infosecinstitute.com/manual-web-application-penetration-testing-introduction/
No comments:
Post a Comment