搜索
查看: 586|回复: 0

利用burp把前面的结果作为下一次请求的变量

[复制链接]

432

主题

573

帖子

2543

积分

核心成员

Rank: 8Rank: 8

积分
2543
发表于 2016-11-1 15:08:03 | 显示全部楼层 |阅读模式
需求:能够从前面的请求的返回结果中取值,放到后面请求中来执行。

https://blog.securenet.de/2013/0 ... te-anti-csrf-token/

Automated scanning with Burp despite Anti-CSRF token
Veröffentlicht am 7. Juni 2013 von Sven
The usage of security tokens in Web Applications is increasing rapidly, especially as more and more frameworks support this technique to prevent CSRF attacks. These anti-CSRF tokens are typically used when state-changing actions are executed, like adding a user or confirming your purchasing order.
There are web applications that use anti-CSRF tokens in the whole application. This makes the web application very robust against CSRF attacks, but makes the life of a penetration tester much harder because automated scanning becomes a nuisance.
This tutorial explains how to circumvent the anti-CSRF tokens used in requests, to execute tools like the Burp Intruder, Burp Active Scan and sqlmap.
Intruder ScanIf you want to fuzz a certain parameter in a request that is protected by anti-CSRF tokens there is an easy solution already implemented within Burp.
Click on „Add“ to define a new grep item

Just send the request you would like to analyze to the Intruder. Clear all payload positions and only select the value of the anti-CSRF token parameter and the value of the parameter you would like to be analyzed by the Intruder. Also set the attack type to Pitchfork.
In the options tab of the Intruder , the number of threads must be set to „1“, as the attack has to be executed as sequential processing. Otherwise the intruder will mix up valid and used anti-CSRF tokens.
Select anti-CSRF token in response

To circumvent an anti-CSRF token in the Intruder, it is sufficient to go to the options tab, click on „Add“ in the Grep-Extract menu and choose the value of the anti-CSRF-token in the „Define extract grep item“ menu. The start and end point will be filled out by Burp automatically after selecting the token and we can click OK.
Select payload for parameter to be tested

In the Payloads tab, we now need to select the payload type „Recursive grep“ for the identified anti-CSRF token parameter in the position tab. It is important that you also insert the token that was sent in the last valid response to be used as initial token value for the first request. The second payload can be set to whatever we want to test for.
[size=15.5556px]
Select payload type and insert value of valid CSRF token

If we start the Intruder now, the parameter can be tested and the initial token is used to create a valid request. The token in the responses to that is extracted by the grep-rule and inserted into the subsequent request.
In case of an error it is likely that the initial token was wrong or was already used. Then, in our browser, we again navigate to the function we would like to test, execute all of the above steps and use the token of the last response of the application in the initial payload field.
There is also an extension available for Burp Intruder to circumvent this kind of anti-CSRF token:
(1)    Burp Extension available to extend Intruder:
http://blog.spiderlabs.com/2012/09/adding-anti-csrf-support-to-burp-suite-intruder.html
Active ScanSometimes during testing we encounter applications that already use anti-CSRF tokens during login and for every subsequent request in the application. To automatically scan a certain request in such an application, we have to:
(1)    Get the Login-Page,
(2)    Login to the application,
(3)    Navigate to the function that should be scanned and
(4)    Get the anti-CSRF token that can be used for an automated scan.
Add a new session handling rule

Steps 2, 3 and 4 always need the valid token of the last response, otherwise the requests will be invalid. To use tools that execute automatic scans like the Active Scan in Burp or sqlmap, we need to create a session handling rule and a macro to automate the steps (1) to (4) within Burp.
Select „Run a macro“

We give the Session Handling rule a unique name and select „Run a macro“ in the rule actions section.
To create a new macro we click on „Add“ under „Select macro:“ in the next menu. The macro recorder will start, where we can select the appropriate requests. We must start with a request that does not need a valid token when sent to the application and select all requests until we get to the request we would like to test.
Record the „request-chain“

In our case we needed to start at the login, as all other requests needed a token when sent to the application. The first request gets the login page where no token is  required. The second request is a login request with valid user credentials, and the third request directs to the page we wanted to test. To get a valid request chain, the second and third request needs the hidden token of the response before.
Configure macro items

We can achieve this by selecting the second request and clicking on „Configure item“. There, we set the parameter that contains the token to be „Derive from prior response“. Usually this setting does not work by itself, we also need to „Add“ a custom parameter. We just select the location of the token value and use the parameter name as name for the custom parameter. This must be done for all subsequent requests.
In the „Session handling action editor“ the anti-CSRF token parameter that needs to be updated should be added explicitly.
Update parameter with anti-CSRF token

The scope of the session handling rule should be set to „scanner“. To limit the macro to certain requests we can either use „Use suite scope“ or „Use custom scope“. It is not recommended to set „include all URLs“, as every request in the scanner would then trigger the macro.
Set scope for Active Scanner

After the Session Handling rule is created we just need to enable it. As the macro navigates to the page we want to test and gets a valid token for the scanner, you can execute an active scan of this page now. For another page we would need to create a separate macro.
Note:
Every single scanner request will also trigger all the requests we defined in the macro additionally. In the case described above 100 requests of the active scanner would produce 400 requests in total, as every request requires the three requests in the macro. Therefore, the scan will take longer but will also produce more load on the server as many logins will be simulated. So, we should be careful to not overload the server during testing.
sqlmapThe exact same steps as for the Burp Active Scan can also be executed for sqlmap.
Set scope for sqlmap

There is just one difference: The scope of the session handling rule should be set to „proxy“. But use this setting with caution, as every request in the proxy will trigger the full macro and thus all requests in it. To limit the macro to certain requests here, it is even more important to set „Use suite scope“ or „Use custom scope“, as described above.
When the Session Handling Rule is activated we can start sqlmap. If we have a POST-request saved to a file we can use:
./sqlmap.py -r request.txt –proxy=http://127.0.0.1:8080
If we have a GET-request we can use:
./sqlmap.py –u „www.target.com/vuln.php?id=1“ –proxy=http://127.0.0.1:8080
Referenceshttp://blog.portswigger.net/2011/03/burp-v14-preview-session-handling_25.html
http://labs.asteriskinfosec.com.au/fuzzing-and-sqlmap-inside-csrf-protected-locations-part-1/
http://labs.asteriskinfosec.com.au/fuzzing-and-sqlmap-inside-csrf-protected-locations-part-2/








https://nvisium.com/blog/2014/02 ... ruder-to-test-csrf/
Using Burp Intruder to Test CSRF Protected Applications

Published on February 14, 2014 by John Poulin

[size=1.2em]Web applications often implement some form of Cross-site Request Forgery (CSRF) protection, such as a viewstate parameter that is passed through requests, or a per-session nonce (if they don’t, well, that’s a finding worth documenting!) These parameters are used to verify that the request received was sent from the intended user, and was not an attacker-forged request.
[size=1.2em]These parameters, which are intended to stop attackers from being able to coerce users into making forged requests, tend to be annoying to application security consultants during assessments. Typically scanners and other automated tools fail at correctly handling these parameters, and as such, are not effective.
[size=1.2em]This post will highlight a method for handling these CSRF prevention tokens using Burp Intruder’s Recursive Grep payload.

A scenario
[size=1.2em]To work through the example, we will be using an example app that we have developed. This application is a very basic search form with a CSRF prevention token.
[size=1.2em]Our goal is to test the application for a cross-site scripting vulnerability within the search functionality.
[size=1.2em]When we first load the page, we view the page source to see that there’s a hidden field named csrf_token. This token changes every time the page is reloaded.
[size=1.2em]
[size=1.2em]In order to automatically test this functionality, we need some method of submitting a correct csrf_token with each request. Submitting anything that does not match the expected value may cause errors or show up in server logs.
Recursive Grep
[size=1.2em]Burp intruder offers a payload type called Recursive Grep that “lets you extract each payload from the response to the previous request in the attack” [1]. We can use this functionality to extract the CSRF token from the HTML source, and replay in the next request, allowing us to launch automated fuzzing attempts.
[size=1.2em]We recently released a Burp intruder extender we call xssValidator that is used for automatically testing for xss vulnerabilities.
[size=1.2em]We can use Burp’s Recursive Grep payload to extract the csrf_token value, in tandem with the xssValidator payloads to automate detection of XSS in applications with CSRF prevention mechanisms.
Let us demonstrate
[size=1.2em]Begin by sending a request to intruder, as you would normally. Define the insertion points that you want to fuzz. After you have defined all the insertion points you need to find the location of the CSRF token within the HTTP request and define this as a payload, too. Be sure to take a note of which number position this payload is, because that will be important for the next step.
[size=1.2em]
[size=1.2em]After defining the payload positions we need to set the attack type. For this example we’ll be using the Pitchfork attack type.
[size=1.2em]We want to start by configuring the payload for the csrf_token parameter within the cookie header. In this case, it’s position one. Define the payload type as Recursive grep as seen in the screenshot below.
[size=1.2em]
[size=1.2em]Next, we need to define the location of the payload to be extracted within the HTTP response body. To do so, navigate to the Options tab and browse down to the Grep – Extract panel.
[size=1.2em]
[size=1.2em]Click the add button and a panel will popup allowing you to define the extract grep item. There are a few options: we can define a start and end, or use a regex to pick out the term. In this example we’ll be defining a start and end position.
[size=1.2em]To define the locations, simply highlight the specific area of interest within the HTTP response. The information can be within the header or the body.
[size=1.2em]After highlighting the desired region, you will see that the start and end positions are defined automatically. Click OK and you should now see an entry in the Grep – Extract panel.
[size=1.2em]
[size=1.2em]
[size=1.2em]Note: by default Burp limits the capture length to 100 characters. In many instances this will be too small, so don’t forget to adjust!
[size=1.2em]The Recursive Grep payload requires that the intruder attack consist of only one thread. This is necessary to ensure that the payload values are replayed as intended. Navigate to the Request Engine panel, and set the number of threads to one.
[size=1.2em]
[size=1.2em]At this point, we need to finish configuring the payload. Browse back to the payloads tab, and navigate to the recursive grep payload set. Under payload options you should now see an option to select the extract grep item from the list. Ensure that it’s selected. [Payload options Recursive grep] You will see that for this example we have provided an initial payload value. Quite often when testing CSRF protected applications you will need to obtain a valid token for the first request. This will ensure that we’re not triggering any anti-csrf functionality by not sending a legitimate token.
[size=1.2em]At this point we are done defining the recursive grep payload and can continue defining our other payloads.
[size=1.2em]In the example application we have two more: Search and csrf_token. The search parameter is the parameter we’re trying to inject. The csrf_tokenparameter is another position that is expecting the CSRF token.
[size=1.2em]We’re looking to test the application for XSS, and as such, we leverage the xssValidator extender to test payload position number 2. This extender leverages an external phantomJS server to accurately detect XSS vulnerabilities through Burp intruder. For more information, check out our blog post: Accurate XSS Detection with BurpSuite and PhantomJS
[size=1.2em]Now, in position 3 we need to provide the csrf_token again. Since we’re already retrieving the token in position 1, using Burp’s recursive grep payload, we can now use Burp’s copy other payload payload to copy the value of a previously defined payload. In our example we want payload positions 1 and 3 to have the same value.
[size=1.2em]
Launching the attack
[size=1.2em]Now that we’ve defined all the payloads, we’re ready to launch the attack. Go ahead and launch the attack. As it’s executing you will see that Burp is automatically parsing the csrf_token from the previous request, and using it as the payload value for the next request. You will also notice in our example that Payload1 and Payload3 both have the same value. This is due to the fact that we’re leveraging Burp’s copy other payload feature to pass the csrf_tokenin multiple locations.
[size=1.2em]
[size=1.2em]In this case, you will see a column labeled fy7sdu… This column is used within the xssValidator extender, and when checked, signifies a positive XSS finding.
Conclusion
[size=1.2em]As we have demonstrated, just because an application has CSRF prevention tokens, viewstate objects, or anything similar, doesn’t mean we still can’t automate the testing. Burp’s recursive grep payload is a great function for anyone that’s testing web apps.
[size=1.2em]If you’re testing a page that follows a redirect, the define extract grep item panel does not currently provide the option to follow the redirect, despite setting the redirect option to always. If you define the value manually, intruder will follow the redirect when processing the payload, as expected. PortSwigger is aware of the issue and will be rolling out a fix.
[size=1.2em]Last but not least, if you’re interested in using the example application you can access the source code on github: https://github.com/mccabe615/sinny. If you’re not interested in code, but just want something to test, feel free to use the version which we’ve deployed: http://sleepy-tor-8086.herokuapp.com/



您可以更新记录, 让好友们知道您在做什么...
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表