
Showing posts with label intrusion. Show all posts

Monday, September 28, 2015

Burp Suite : Integrated platform for Web Application Security

1.   Burp Suite is an easy-to-use integrated platform for web application security. It bundles several tools, tightly integrated with one another, for testing every component and aspect of a modern web application. Whether you need to verify the robustness of an authentication mechanism, the predictability of session tokens, or the input validation performed by an application, Burp offers such a range of features that practitioners often compare it to a Swiss-army knife. It supports in-depth manual assessment and also combines automated techniques to enumerate and analyse web application resources. Burp is developed by PortSwigger Ltd. and is available in two editions:

- Burp Free
- Burp Professional

In fact, the free version is a good starting point for beginners, as it contains all the basic tools needed to find a first few vulnerabilities. In its simplest form, Burp is a local web proxy that intercepts, inspects, and modifies HTTP/S requests and responses between the user's browser and the target website (for HTTPS, the browser must be configured to trust Burp's CA certificate, otherwise every TLS connection through the proxy fails certificate validation). While the user navigates the web application, the tool records every visited page, script, parameter, and other component. The traffic between browser and server can then be visualised, analysed, modified, and replayed as many times as needed. The different tools in Burp Suite are found under the upper tabs:

- Proxy: Intercepts and modifies all web traffic passing between the browser and the target.
- Target: Aggregates all web application resources into a site map, guiding the user through the security test.
- Scanner: A complete web application vulnerability scanner, available in the Professional edition only.
- Intruder: Customises and automates web requests, for example to fuzz parameters or brute-force values.
- Spider: An automatic crawler used to discover new pages and parameters.
- Sequencer: Assesses the randomness and predictability of security tokens, cookies, and similar values.
- Decoder: Encodes and decodes data using multiple encoding schemes (URL, HTML, Base64, hex, and others).
- Comparer: A visual diff tool used to detect changes between two requests or responses.
- Repeater: A simple yet powerful tool for manually modifying and re-issuing individual web requests.
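As an added illustration of what the Proxy and Repeater tabs do (this is example code written for this page, not part of the original post and not Burp's own code), the following minimal Python forward proxy listens on 127.0.0.1:8080, logs every request it sees, applies rewrite rules (the query-parameter overrides and the header-drop list are assumptions for the example) and forwards the request upstream. It handles plain HTTP only; intercepting HTTPS the way Burp does requires a CA certificate the browser trusts and is out of scope here.

```python
"""
Minimal intercepting HTTP proxy (plain HTTP only).
Added example of the "sit between browser and server, inspect and rewrite
each request, then forward it" idea behind Burp's Proxy tab. Not Burp's code.
Assumes the browser's HTTP proxy is set to 127.0.0.1:8080.
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import http.client
from urllib.parse import urlsplit, parse_qsl, urlencode


def rewrite_query(url, overrides):
    """Return url with query parameters replaced/added from overrides
    (what you would do by hand in Burp's intercept window, e.g. role=admin)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(overrides)
    return parts._replace(query=urlencode(params)).geturl()


def rewrite_headers(headers, drop=(), add=None):
    """Case-insensitive header rewrite: remove the names in drop, then add/overwrite."""
    lowered = {d.lower() for d in drop}
    out = {k: v for k, v in headers.items() if k.lower() not in lowered}
    out.update(add or {})
    return out


# Intercept rules applied to every proxied request (assumed defaults; edit to taste).
INTERCEPT_QUERY = {}                             # e.g. {"debug": "1"}
INTERCEPT_DROP_HEADERS = ("Accept-Encoding",)    # keep responses uncompressed, readable


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._forward()

    def do_POST(self):
        self._forward()

    def _forward(self):
        # A forward-proxy request line carries an absolute URL in self.path.
        url = rewrite_query(self.path, INTERCEPT_QUERY)
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            self.send_error(501, "only plain http is proxied")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = rewrite_headers(dict(self.headers), drop=INTERCEPT_DROP_HEADERS)
        # Log the outgoing request, as Burp's HTTP history does.
        print(f"[proxy] {self.command} {url} body={body!r}")
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
        try:
            conn.request(self.command, path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError as exc:
            self.send_error(502, f"upstream failure: {exc}")
            return
        finally:
            conn.close()
        # Relay the response; we read it fully, so re-frame it with Content-Length.
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "content-length", "connection"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Point a browser's HTTP proxy setting at 127.0.0.1:8080 and every request appears on the console before it leaves; set `INTERCEPT_QUERY` to something like `{"debug": "1"}` to see a parameter tampered with on every request, which is the manual Proxy/Repeater workflow reduced to a rule.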

How to go about installation?

- A minimum of 200 MB of free disk space is required.
- At least 1 GB of memory is required.
- Burp Suite works on Windows, Mac OS X, and Linux.
- Software components: Burp Suite ships as a Java archive (JAR), so an up-to-date Oracle Java Runtime Environment is required to run it.

Where to download Burp Suite from?

Burp Suite is downloaded as a single JAR file. In the folder where the download typically lands, create a burpsuite folder and move the JAR file into it before executing it.

Launching Burp Suite in Linux

At the terminal, with the burpsuite folder you created above as the working directory, type the following (replace the version number in the filename with that of the JAR you downloaded; -Xmx2g gives the JVM a 2 GB heap, so lower it on a machine with less memory):

java -Xmx2g -jar burpsuite_v1.4.01.jar



Tuesday, August 26, 2014

WEBSHAG : Scan a Web server@Kali Linux

1.    The name of this tool might send a layman's thoughts in another direction :-). Webshag is in fact a multi-threaded, multi-platform web server audit tool written in Python. It gathers the common functionality needed for web server auditing, such as website crawling, URL scanning and file fuzzing, and can scan a web server over HTTP or HTTPS, through a proxy, and using HTTP authentication. In addition, it offers IDS evasion functionality aimed at making correlation between requests harder, the ability to retrieve the list of domain names hosted on a target machine, and file fuzzing using dynamically generated filenames in addition to the usual list-based fuzzing. This post walks through screenshots showing how to use it in Kali Linux to audit a website.
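To make the "dynamically generated filenames" idea concrete, here is an added Python example written for this page (it is not Webshag's code and the suffix and prefix lists are assumptions, not Webshag's): from URLs found by crawling, it derives backup and temporary-file variants of each file (index.php becomes index.php.bak, index.bak, .index.php, and so on), combines them with classic list-based candidates, and can probe them over HTTP through a proxy and with HTTP Basic authentication, as the paragraph describes. The hostname target.example in the demo is a placeholder.

```python
"""
Dynamic file-fuzzing example (added illustration, not Webshag's code).
Candidate generation is pure and offline; probe() does the network work.
SUFFIXES/PREFIXES are assumed lists of leftovers editors, deploy scripts
and administrators commonly leave next to a live file.
"""
import base64
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import quote, urlsplit, urlunsplit

SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".txt", ".zip", ".tar.gz")
PREFIXES = (".", "#", "_")


def dynamic_candidates(url):
    """Derive candidate URLs from the last path component of a crawled URL.
    Returns [] for directory URLs; the query string and fragment are dropped."""
    parts = urlsplit(url)
    path = parts.path
    if not path or path.endswith("/"):
        return []
    directory, _, name = path.rpartition("/")
    stem = name.rsplit(".", 1)[0] if "." in name else name
    names = set()
    for suffix in SUFFIXES:
        names.add(name + suffix)          # index.php.bak
        if stem != name:
            names.add(stem + suffix)      # index.bak
    for prefix in PREFIXES:
        names.add(prefix + name)          # .index.php (hidden/editor copies)
    return sorted(
        urlunsplit(parts._replace(path=f"{directory}/{quote(n)}", query="", fragment=""))
        for n in names
    )


def list_candidates(url, wordlist):
    """Classic list-based fuzzing: every wordlist entry under the URL's directory."""
    parts = urlsplit(url)
    directory = parts.path.rpartition("/")[0]
    return [urlunsplit(parts._replace(path=f"{directory}/{quote(w)}", query="", fragment=""))
            for w in wordlist]


def probe(url, proxy=None, auth=None, timeout=5):
    """HEAD one candidate. Returns the HTTP status code, or None if the connection failed.
    proxy is an "http://host:port" string; auth is a (user, password) tuple for Basic auth."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "fuzz-example"})
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code                   # 401/403/404 are answers too; keep them
    except URLError:
        return None


def fuzz(crawled_urls, wordlist=(), interesting=(200, 401, 403), **probe_kw):
    """Probe dynamic and list-based candidates; return (url, status) hits worth a look."""
    seen, hits = set(), []
    for url in crawled_urls:
        for cand in dynamic_candidates(url) + list_candidates(url, wordlist):
            if cand in seen:
                continue
            seen.add(cand)
            status = probe(cand, **probe_kw)
            if status in interesting:
                hits.append((cand, status))
    return hits


if __name__ == "__main__":
    # Offline demo: list what would be requested for one crawled URL (placeholder host).
    for c in dynamic_candidates("http://target.example/app/index.php?id=1"):
        print(c)
```

Against a real target you would feed `fuzz()` the URLs your crawler found, e.g. `fuzz(urls, wordlist=["admin/", "backup.zip"], proxy="http://127.0.0.1:8080", auth=("user", "pass"))`, and review the hits by hand: a 200 on index.php.bak usually means the server hands out source code rather than executing it.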

The screenshots in this post are from Webshag version 1.10, the latest at the time of writing. Like the other tools covered here, Webshag is open source and offers a great deal of functionality.
