Thursday, November 6, 2008

[MoBP] Automated HTML rewriting

Here are a bunch of handy new functions in Burp Proxy that you can use to achieve various tasks by automatically rewriting the HTML in application responses (all are off by default):

Unhiding hidden fields enables you to edit their values directly in the browser, rather than by intercepting subsequent requests. Similarly with enabling disabled fields, and removing length limitations. Here is what the Google Blogger application looks like with hidden fields unhidden:

On the web hacking course which me and Marcus deliver at Black Hat, we have around a dozen labs illustrating various cases of unsafe reliance on client-side controls. The first few examples involve easy scenarios like hidden and disabled fields, length limits and client-side input validation. Well, those labs will get even easier with the new version of Burp, because solving the lab will be a simple matter of checking the relevant box in Burp's configuration!

No comments: