Automating Web App testing with Burp
So I started to do Hack the Box as a way to increase my familiarity with hacking. I didn’t want to start with any of the boxes in their virtual infrastructure for several reasons, so I started with their web challenges. I ran across one challenge that was relatively easy, but it required some repetitive tasks so after I submitted the flag I went back with Burp Suite and tried to figure out how it would be automated. I found a list of email addresses and a web form to send emails to those addresses. I copied the addresses into a text doc on my laptop and started exploring. Here are the email addresses and the submission form.
The first thing I did was capture the HTTP request to the server from the submission form.
We can see at the bottom of the request there are three fields submitted that I entered in the web form. I noticed the intruder tab in Burp and investigated. I started to input the target information and realized that Burp would make things easier than me hand jamming the required information into the Burp Intruder. I went back to the HTTP request in the Proxy History tab, right clicked on it, and there it was, Send to Intruder.
So I, of course, sent it to Intruder. The first tab was Target and it was pre-populated.
The next tab was the Positions tab which had the HTTP request in there with suggested Positions already setup. I removed the two that I wasn’t interested in and left only the
name1 position since it is the address field.
On to the next tab, which is the Payload tab, is where Burp knows what to put in the Position fields identified in the previous tab. Remember that text file I saved with the addresses? Well, I uploaded it for use.
At that point, Burp Intruder was ready to go and I started the attack.
Once the attack was finished, all we had to do was see what response looked different and in this case it the give away was the size of the response. That was way easier then how I did it although I got lucky and didn’t have to go through the whole list by hand.