Burp Efficiency Tips

I spend a lot of time in Burp and had to consciously fix time wasting habits so I could be more efficient at my job.  In case it helps, here are some time savers.  I tried to note where it applies to Burp Pro.

  1. Import the Burp HTTPS Certificate.  If you haven’t done it, import the Burp certificate into your browser so that you don’t have to click past HTTPS warnings when testing a site served using HTTPS.  Follow these instructions.
  2. Avoid proxying sites you are not investigating.  I hate it when Burp proxy intercepts traffic to URLs like safebrowsing.googleapis.com and detectportal.firefox.com.  The option “Never intercept requests to this domain” is labor intensive.  I always forget to save these settings anyway.  A better place to handle this is in the browser’s “No Proxy for:” field.   Here is a suggested list of domains for that value:   .mozilla.org,  .google.com, detectportal.firefox.com, .firefox.com, .tiles.services.mozilla.com, .tiles-cloudfront.cdn.mozilla.net, safebrowsing.googleapis.com, .googleapis.com, snippets-stats.moz.works, stats.g.doubleclick.net, google-analytics.com
  3. Avoid logging traffic for out-of-scope sites.  I get overwhelmed by the giant stack of traffic in the Target tab and can’t find the sites I’m interested in quickly.  To limit what gets logged there and in the Proxy HTTP history, you can set this in the User options tab.  Burp then shows a notice confirming that logging of out-of-scope traffic is disabled.
  4. Remember to use Repeater.  If you find yourself repeatedly turning off the intercept, going back to the browser, changing some small thing, turning the intercept back on, and making something happen in the browser, Repeater will change your life.  Just right click in the intercept window or in the Target tab and select “Send To Repeater”.  Once there, make your changes and click “Go”.
  5. Save settings and give them reasonable names.  Burp allows very granular saving of settings.  However, if you don’t give them good names, you will not know what you are looking for when you want to use them again.  Saving and loading settings is done through a gear icon next to the setting.  For example, I added a match and replace rule in the Proxy options and clicked the gear icon to save my changes.  Next time I want to use that rule, I’ll just “Load options” and find my excellently named file.
  6. Save and load Intruder settings.  I hate having to recreate the steps to set up an Intruder attack that is very similar to one already performed.  You can save your attack and open it later.  These settings are not saved through a gear icon like most other settings; instead, there is an Intruder menu where all of this is possible!
  7. Turn off Some Scanning Tests.  Make scanning more efficient by turning off checks that you are not interested in.  Are you just looking for Cross-site Scripting?  Turn off all other types.  Scan will go faster and cause less noise and possible disruption to the web application.  Burp Scanner is only available in Burp Suite Pro.
  8. Use a browser extension to turn the proxy on and off.  Configuring Firefox to use the Burp proxy takes 7 clicks (hamburger icon –> Options –> Advanced –> Network –> Connection Settings –> Manual –> OK).  Reduce this to two clicks with a proxy switcher extension for the browser.  For Firefox, I’ve enjoyed Proxy Switcher.  It is very simple and works with the latest Firefox.  The “No proxy for” domain list that I mentioned in item 2 is also available through this interface.
  9. Streamline the handling of issues you discover.  I used to find myself going back into Burp to retest results I’ve already confirmed just to find the URL and parameter again so I can report it.  Huge waste of time!  Instead, have a vulnerability management database such as DefectDojo or Threadfix that can digest exported Burp XML files.  Once you find and confirm a security flaw with Burp, you want to never have to find it again.  So, export the results to XML so that you can import it to your vulnerability tracker.  Threadfix provides a Burp extension that makes this a one-click exercise.  Read more about Burp integration with Threadfix.  That link explains how to export entire scans into Threadfix.  What if you find some flaw with Repeater or Intruder and want to send that to Threadfix or DefectDojo?  For now, such a task would be done by hand.
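As an added example (not part of the original post), here is a small Python script that reads a Burp issue export, pulls out the fields you need for a report (issue name, host, path, severity and the request line) and collapses duplicate reports of the same finding, so a confirmed flaw never has to be hunted down in Burp again.  The XML layout of the constructed sample is an assumption about Burp’s export format, and the host, path and issues are made up.

```python
import base64
import xml.etree.ElementTree as ET

def _issue(name, host, path, severity, request):
    # One <issue> in the assumed layout of a Burp export; request base64-encoded as Burp does
    encoded = base64.b64encode(request.encode("latin-1")).decode("ascii")
    return ('<issue><name>{n}</name><host ip="192.0.2.10">{h}</host><path>{p}</path>'
            '<severity>{s}</severity><requestresponse><request method="GET" '
            'base64="true">{r}</request></requestresponse></issue>'
            ).format(n=name, h=host, p=path, s=severity, r=encoded)

# Constructed sample export: one reflected XSS reported twice (scan, then
# retest from Repeater) plus one unrelated low-severity issue.
SAMPLE_XML = '<issues burpVersion="1.7.x">' + "".join([
    _issue("Cross-site scripting (reflected)", "https://app.example.test", "/search", "High",
           "GET /search?q=test HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
    _issue("Cross-site scripting (reflected)", "https://app.example.test", "/search", "High",
           "GET /search?q=retest HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
    _issue("Cookie without HttpOnly flag set", "https://app.example.test", "/login", "Low",
           "GET /login HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
]) + "</issues>"

def parse_burp_issues(xml_text):
    """One dict per <issue>: name, host, path, severity and the decoded request line."""
    findings = []
    for issue in ET.fromstring(xml_text).iter("issue"):
        req = issue.find("requestresponse/request")
        request_line = ""
        if req is not None and req.text:
            raw = req.text.strip()
            if req.get("base64") == "true":
                raw = base64.b64decode(raw).decode("latin-1")
            request_line = raw.splitlines()[0]
        findings.append({"name": issue.findtext("name", "").strip(),
                         "host": issue.findtext("host", "").strip(),
                         "path": issue.findtext("path", "").strip(),
                         "severity": issue.findtext("severity", "").strip(),
                         "request_line": request_line})
    return findings

def dedupe(findings):
    """Collapse repeats of the same (name, host, path), keeping the first record."""
    unique = {}
    for f in findings:
        unique.setdefault((f["name"], f["host"], f["path"]), f)
    return list(unique.values())

if __name__ == "__main__":
    for f in dedupe(parse_burp_issues(SAMPLE_XML)):
        print("{severity:<4} {name}: {host}{path}  [{request_line}]".format(**f))
```

Point it at a real export by replacing SAMPLE_XML with the file contents; the dedupe key is deliberately coarse so a retest from Repeater lands on the same record as the scanner’s report.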

Dollar Words in Python

This post is intended to demonstrate the beauty of codereview.stackexchange.com.

I’m reading Because of Mr. Terupt out loud to kids.  Mr. Terupt tells his students to find dollar words. Dollar words are words for which the values of the letters add up to 100.  The letter “a” has a value of 1 and “z” has a value of 26.

I realized that this was a great introductory Python challenge:  Find all the dollar words in a given list of English words.  Working with my 13-year-old student of Python, we came up with the following:

import string

# Python 2: string.lowercase is "abcdefghijklmnopqrstuvwxyz".
# Map each letter to its value: a = 1 ... z = 26
valMap = {}
for index, item in enumerate(string.lowercase):
    valMap[item] = index + 1

def isDollarWord(word):
    lowercase = word.lower().strip()
    total = 0
    for letter in lowercase:
        if letter in valMap:  # skip newlines, punctuation and anything else
            total += valMap[letter]
    return total == 100

# Raw string: without the r prefix, "\a" in this path is a bell character
words = open(r"C:\Users\astroboy\Downloads\UKACD17.TXT")

for line in words:
    if isDollarWord(line):
        print(line)

I realized that this program couldn’t calculate accurate values for words with accents like café and divorcée, so we used the unicodedata Python module to remove diacritical marks, converting, for example, é to e and á to a:

import string
import unicodedata

# Python 2: string.lowercase is "abcdefghijklmnopqrstuvwxyz".
valMap = {}
for index, item in enumerate(string.lowercase):
    valMap[item] = index + 1


def remove_marks(word):
    # The word list is cp1252-encoded; NFKD splits "é" into "e" plus a
    # combining accent, and encoding to ASCII with 'ignore' drops the accent.
    unicode_word = word.decode('cp1252')
    return unicodedata.normalize('NFKD', unicode_word).encode('ascii', 'ignore')

def isDollarWord(word):
    lowercase = word.lower().strip()
    normalized = remove_marks(lowercase)

    total = 0
    for n in normalized:
        if n in valMap:
            total += valMap[n]

    return total == 100

# Raw string: without the r prefix, "\a" in this path is a bell character
words = open(r"C:\Users\astroboy\Downloads\UKACD17.TXT")

for line in words:
    if isDollarWord(line):
        print(remove_marks(line))

I then posted this to codereview and ==WOW== what an education.

  1. If we use a defaultdict instead of a regular dict, we would not have to test for n in valMap.
  2. We should use a generator or list comprehension instead of loops.  This opens up the possibility of using the sum function instead of total +=.
  3. I’ve got a file descriptor leak because I didn’t explicitly close the file.  Using Python’s with statement ensures that the resource is closed.
  4. I should make my code more compatible with Python 3.
  5. Better to identify the proper codec when opening the file so every line does not have to be decoded.

Final product:


import string
import unicodedata
import codecs
from collections import defaultdict

# constants should be ALL CAPS; the defaultdict returns 0 for anything that
# is not a lowercase ASCII letter, so no membership test is needed
LETTER_VALUES = defaultdict(int,
    ((letter, index + 1) for index, letter in enumerate(string.ascii_lowercase)))

def word_value(normalized):
    return sum(LETTER_VALUES[n] for n in normalized)

def remove_marks(word):
    # NFKD splits "é" into "e" plus a combining accent; encoding to ASCII with
    # 'ignore' drops the accent.  Decoding back to text makes iteration yield
    # characters rather than integers on Python 3 as well.
    return unicodedata.normalize('NFKD', word).encode('ascii', 'ignore').decode('ascii')

# codecs.open decodes each line from cp1252 and the with statement closes the file.
# Raw string: without the r prefix, "\b" in this path is a backspace character
with codecs.open(r"C:\Users\bast\Downloads\UKACD17.TXT", "rb", 'cp1252') as words:
    for line in words:
        if word_value(remove_marks(line.lower())) == 100:
            print(remove_marks(line.strip()))