Day 029 #FromZeroToHacker – Burp Suite Other Modules

Along with Repeater and Intruder, Burp Suite has several slightly less well-known modules built-in.

Let’s learn all of them in the daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Burp Suite

Specifically, we will be looking at Decoder (to work with encoded text), Comparer (to compare two sets of text), and Sequencer (to analyse the randomness of captured tokens). Used efficiently, these tools can save a lot of time.

Decoder

The Burp Suite Decoder lets us manipulate data: we can decode information captured during an attack and also encode our own data. Decoder also allows us to generate hashes of data, and it provides a Smart Decode feature that attempts to decode the provided data recursively until it is back to plain text.

Let’s see it:

Decoder interface

This interface offers us a lot of options:

  1. The box on the left is where we paste the text to be encoded or decoded. Of course, we can also send data here from other tools by right-clicking and selecting Send to Decoder.
  2. We can choose to treat the input as text or as hexadecimal byte values.
  3. Dropdown menus to Decode, Encode, or Hash the input.
  4. Smart Decode attempts to decode the input automatically.

Decoder: Encoding and Decoding

Let’s have a look at the manual encoding and decoding options:

Decoding and Encoding
  • Plain: Plaintext. Your average text, like the one you are reading right now.
  • URL: URL encoding is used to make data safe to transfer in the URL of a web request. It involves exchanging characters for their ASCII character code in hexadecimal format, preceded by a percentage symbol (%). It is extremely useful to know for any kind of web application testing.
Encoding URL
  • HTML: Encoding text as HTML entities involves replacing special characters with an ampersand (&) followed by either a number or a named reference for the character being escaped, then a semicolon (;).


Encoding HTML
  • Base64: Base64 is used to encode any data in an ASCII-compatible format. It is designed to take binary data (images, media, programs…) and encode it in a form suitable for transfer over virtually any medium.
  • ASCII Hex: This option converts data between its ASCII representation and its hexadecimal representation. For example, the text ASCII can be converted into the hexadecimal number 4153434949: the letter A has the decimal character code 65 in ASCII, which is 41 in hexadecimal; the letter S becomes 53, and so on.
ASCII Table
  • Hex, Octal and Binary: These encoding methods only apply to numeric inputs.
  • Gzip: Gzip provides a way to compress data. Widely used to reduce the size of files and pages before they are sent to your browser.
Encoding Gzip

Of course, we can chain encodings:

Chaining encoding
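The transformations in the list above, and the chaining just mentioned, are easy to reproduce outside Burp. The following is an added example written for this post (it is not Burp's code, and the sample payload is constructed); it implements each Decoder option with the Python standard library and stacks them the way Decoder stacks transformations, so you can check what a chained encoding should look like before pasting it anywhere:

```python
import base64
import binascii
import gzip
import html
from urllib.parse import quote, unquote

# Constructed sample payload (not from the original post): a query string
# with characters that every encoder below has to deal with.
SAMPLE = "user=admin&next=/home?x=<b>1</b>"


def url_encode(text: str) -> str:
    # safe="" also encodes "/", "&" and "=" so the whole value survives inside a URL parameter.
    return quote(text, safe="")


def url_decode(text: str) -> str:
    return unquote(text)


def html_encode(text: str) -> str:
    # Replaces <, >, &, " and ' with HTML entities (named where one exists).
    return html.escape(text, quote=True)


def html_decode(text: str) -> str:
    return html.unescape(text)


def base64_encode(text: str) -> str:
    return base64.b64encode(text.encode()).decode("ascii")


def base64_decode(text: str) -> str:
    return base64.b64decode(text).decode()


def ascii_hex_encode(text: str) -> str:
    # Each byte becomes two hex digits: "ASCII" -> "4153434949".
    return binascii.hexlify(text.encode()).decode("ascii")


def ascii_hex_decode(text: str) -> str:
    return binascii.unhexlify(text).decode()


def gzip_encode(text: str) -> bytes:
    return gzip.compress(text.encode())


def gzip_decode(data: bytes) -> str:
    return gzip.decompress(data).decode()


def chain(value, steps):
    """Apply encoders (or decoders) in order, the way Decoder stacks transformations."""
    for step in steps:
        value = step(value)
    return value


if __name__ == "__main__":
    encoded = chain(SAMPLE, [base64_encode, url_encode])
    print(encoded)
    # Decoding reverses the chain: URL-decode first, then Base64-decode.
    print(chain(encoded, [url_decode, base64_decode]))
```

Note that a chain is undone in reverse order: Base64 then URL on the way in means URL then Base64 on the way out. Gzip is the only option here that produces bytes rather than text, which is why Decoder shows it in hex view.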

Hex format

Sometimes we need to edit our input byte-by-byte. For this, we can use Hex View:

Hex format

This allows us to view and edit our text in hexadecimal byte format.

Smart decode

This feature of Decoder attempts to automatically decode encoded text:

Smart Decode

Decoder: Hashing

Theory

Hashing is a one-way process used to transform data into a unique signature. A hashed output must be impossible to reverse, and a good hash algorithm must ensure that every piece of data entered produces a completely unique hash. For example, the MD5 algorithm returns 4ae1a02de5bd02a5515f583f4fca5e8c for the text MD5sum.

Hashes are also used to store passwords, so that the passwords stay (relatively) secure even if the database is leaked. When a user creates a password, it is hashed and stored by the application. When the user tries to log in, the application hashes the password they submit and checks it against the stored hash. If it matches, the password is correct.
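The two uses just described look the same in Decoder (a digest of some input) but are not the same in an application. The added example below, written for this post rather than taken from Burp or from any project, shows both: a plain digest like the one the Hash dropdown produces, and the store-then-verify flow for passwords, which needs a per-user salt and a slow key-derivation function (PBKDF2 here) rather than a bare MD5, so that a leaked table cannot be attacked with precomputed hashes. The storage format is my own assumption, not a standard.

```python
import hashlib
import hmac
import os


def digest(text: str, algorithm: str = "md5") -> str:
    """Hex digest of text, the operation behind Decoder's Hash dropdown."""
    return hashlib.new(algorithm, text.encode()).hexdigest()


# Assumed storage format (my choice, not a standard): algorithm$iterations$salt$hash, salt and hash in hex.
def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a wrong guess does not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5(MD5sum) =", digest("MD5sum"))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
```

Two things worth noticing when you run it: hashing the same password twice gives two different records (the salt differs), and verification still succeeds because the salt is stored alongside the hash rather than kept secret.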

Hashing in decoder

As with the encoding/decoding features, Burp Suite lets us generate hashes for data directly. Specifically, we click the Hash dropdown menu and then select an algorithm from the list:

Hashing
Hashing test

Comparer

Comparer, unsurprisingly, allows us to compare two pieces of data:

Comparer

We can see three main parts:

  1. On the left, we have two boxes for the datasets.
  2. On the upper right, we have options for pasting, loading, removing or clearing datasets.
  3. On the lower right, we have buttons to select that we want to compare either words or bytes.

As always, we can send data to Comparer by right-clicking it and selecting Send to Comparer.

Comparing texts

This is pretty intuitive:

  1. The compared data, in text or hex format.
  2. This shows the colours that denote modified, deleted, or added text between the two datasets.
  3. A Sync views checkbox which, when selected, keeps both sets of data in the same format.
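The word and byte comparison modes map directly onto a sequence diff. As an added example (not Burp's Comparer code; the two HTTP responses are constructed, not captured from a real target), the script below diffs two responses either by whitespace-separated words or by raw bytes and labels each differing region with the same three categories Comparer colours: modified, deleted and added. A typical use is exactly the one shown: spotting what changes between a failed and a successful login so you know which part of the response to watch in Intruder.

```python
import difflib

# Constructed pair of HTTP responses (not captured from a real target): the same login
# endpoint answering a failed and a successful attempt.
RESPONSE_A = "HTTP/1.1 200 OK\nContent-Length: 32\n\n<p>Invalid username or password</p>"
RESPONSE_B = "HTTP/1.1 302 Found\nContent-Length: 0\nLocation: /dashboard\n\n"

# difflib opcode -> the colour category Comparer uses
LABELS = {"replace": "modified", "delete": "deleted", "insert": "added"}


def tokenize(data: str, mode: str):
    if mode == "words":
        return data.split()
    if mode == "bytes":
        return list(data.encode())
    raise ValueError("mode must be 'words' or 'bytes'")


def compare(a: str, b: str, mode: str = "words"):
    """Return (label, left_slice, right_slice) for every differing region, in order."""
    left, right = tokenize(a, mode), tokenize(b, mode)
    matcher = difflib.SequenceMatcher(a=left, b=right, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((LABELS[tag], left[i1:i2], right[j1:j2]))
    return changes


def summarize(a: str, b: str, mode: str = "words") -> dict:
    """Count differing regions per category, like the totals Comparer shows under the colours."""
    counts = {"modified": 0, "deleted": 0, "added": 0}
    for label, _, _ in compare(a, b, mode):
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for label, old, new in compare(RESPONSE_A, RESPONSE_B):
        print(f"{label:8} {old!r} -> {new!r}")
    print(summarize(RESPONSE_A, RESPONSE_B))
    print(summarize(RESPONSE_A, RESPONSE_B, mode="bytes"))
```

Word mode is the one to read first because it gives you a handful of meaningful regions; byte mode is for cases where the difference hides inside a token (a single changed character in a cookie, say) and word splitting would swallow it into one "modified" block.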

Sequencer

While Sequencer is not used much in CTFs and other lab environments, it is an essential part of a real-world web app penetration test.

Sequencer allows us to measure the entropy (or randomness) of tokens (strings used to identify something, that should be generated in a cryptographically secure manner). For example, we may want to analyse the randomness of a session cookie or a Cross-Site Request Forgery (CSRF) token from a form.

If these tokens are not generated securely, we could predict the values of upcoming tokens…

Sequencer

We have two main methods:

  1. Live capture is the more common of the two methods and the default in Sequencer. It allows us to pass Sequencer a request whose response contains the token we want to analyse. From that request, we can tell Sequencer to start a live capture: it makes the same request thousands of times automatically, storing the generated token samples. When we stop the capture, Sequencer analyses the captured tokens.
  2. Manual load allows us to load a list of pre-generated tokens into Sequencer for analysis.

Example of live capture:

Live capture

Sequencer: Analysis

When we have a report for entropy, we can (and should) analyse it. The report is pretty huge, so we are going to focus on the generated summary.

Sequencer summary

The summary gives us an overall result: Effective entropy, an analysis of the reliability of the results, and a summary of the sample token.

These will often be enough to determine if the token is generated safely or not. But sometimes, we may need to have a look at the tests directly, in the Character-level analysis and Bit-level analysis.

We are not going to go deep into the math behind it (I can barely multiply by myself), but here we can see that with a 1% estimate of being incorrect (Significance level: 1%), Burp has calculated that the effective entropy of our token should be around 117 bits. This is a good level of entropy for a secure token.
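The live-capture loop and the character-level analysis above can be modelled in a few dozen lines. The following is an added example written for this post, not Burp's Sequencer (whose report runs a battery of statistical tests this code does not attempt): it "captures" tokens by calling a token-issuing function repeatedly, then estimates effective entropy as the per-position Shannon entropy summed over the token, and flags positions that never change. Both token sources are constructed: a session id that is just a counter, and one drawn from the OS random generator. The 64-bit threshold in assess() is my own assumption, chosen as a rough floor well below the 117 bits the report above calls good.

```python
import math
import secrets
from collections import Counter


def capture(fetch_token, count: int):
    """Live-capture model: call the token-issuing function repeatedly and keep the samples."""
    return [fetch_token() for _ in range(count)]


def char_level_entropy(tokens):
    """Per-position Shannon entropy in bits, summed over the token length.

    With n samples a position can show at most log2(n) bits, so the estimate is a lower
    bound that only approaches the true value with thousands of samples (as Burp collects).
    """
    length = min(len(t) for t in tokens)
    n = len(tokens)
    per_position = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        per_position.append(h)
    return sum(per_position), per_position


def assess(tokens, minimum_bits: float = 64.0):
    """Summarise a sample the way the Sequencer summary does: effective bits plus a verdict."""
    total, per_position = char_level_entropy(tokens)
    fixed = [i for i, h in enumerate(per_position) if h == 0]  # characters that never vary
    verdict = "acceptable" if total >= minimum_bits else "weak"
    return {"effective_bits": round(total, 2), "fixed_positions": fixed, "verdict": verdict}


# Constructed token sources (not from any real application):
def make_counter_source(start: int = 1000):
    # A session id that is just an incrementing counter printed as 8 hex digits.
    state = {"n": start}

    def fetch():
        state["n"] += 1
        return f"{state['n']:08x}"

    return fetch


def make_random_source(nbytes: int = 16):
    # A token from the OS CSPRNG, 32 hex digits.
    return lambda: secrets.token_hex(nbytes)


if __name__ == "__main__":
    for name, source in (("counter", make_counter_source()), ("random", make_random_source())):
        samples = capture(source, 2000)
        print(name, assess(samples))
```

Running it shows the two failure signatures you also look for in Burp's character-level analysis: the counter token has five leading positions with zero entropy and only a few bits in total, while the random token scores close to four bits per hex digit. The estimate is deliberately crude; treat it as a sanity check on a manually loaded token list, not as a replacement for the full report.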

Summary

Time for a recap. We have learned about:

  • Decoder: How to encode and decode strings of data
  • Comparer: How to compare two datasets
  • Sequencer: How to capture and analyse tokens

Stats

From 134,081st to 132,059th. Still in the top 7% on TryHackMe!

Here is also the Skill Matrix:

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Burp Suite Other Modules

Other resources

Repeater
Intruder
ASCII Table
Cross-Site Request Forgery