Friday, November 27, 2009

[V13P] Target analyser

For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

To access this feature, you select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this:

And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.

A couple of caveats should be noted. Firstly, this function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. Secondly, URLs are deemed to be "static" if they do not take any parameters in the URL or message body; however, the responses from these URLs may still be dynamically generated by the application.
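To make the static/dynamic distinction concrete, here is a small stand-alone analyser written for this post as an added example; it is not Burp's own code and does not use the Burp API. It takes a constructed list of captured requests (method, URL, form body), groups them by scheme, host and path, pools the parameter names seen across every captured request to that path, and then counts URLs as "static" when no parameter was ever observed in the query string or body. The sample site and its paths are invented for illustration; note that `/account/orders` comes out as "static" even though any real application would generate that page dynamically, which is exactly the second caveat above.

```python
"""Attack-surface summary in the spirit of Burp's target analyser (added example)."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of requests "captured in the site map": (method, url, body).
# The host and paths are hypothetical.
SAMPLE_REQUESTS = [
    ("GET", "https://shop.example/", ""),
    ("GET", "https://shop.example/css/site.css", ""),
    ("GET", "https://shop.example/search?q=shoes&page=2", ""),
    ("GET", "https://shop.example/search?q=boots", ""),
    ("POST", "https://shop.example/login", "user=alice&pass=secret&remember=1"),
    ("GET", "https://shop.example/account/orders", ""),   # dynamic content, no params
    ("POST", "https://shop.example/cart/add", "sku=123&qty=1"),
    ("GET", "https://shop.example/cart/add?sku=123", ""),  # same path, param via query
]


def request_parameters(url, body):
    """Parameter names carried by one request: query string plus form-encoded body.

    keep_blank_values=True so a bare name like '?debug' still counts as a parameter.
    Cookies and headers are deliberately ignored, matching the post's definition
    (parameters in the URL or message body).
    """
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    if body:
        names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return names


def analyse(requests):
    """Group captured requests by scheme://host/path and classify each URL.

    A URL is 'static' if no captured request to it carried any parameter;
    otherwise it is 'dynamic' and the union of observed parameter names is reported.
    """
    params_by_url = defaultdict(set)
    for _method, url, body in requests:
        parts = urlsplit(url)
        key = f"{parts.scheme}://{parts.netloc}{parts.path}"
        params_by_url[key] |= request_parameters(url, body)

    static = sorted(u for u, p in params_by_url.items() if not p)
    dynamic = {u: sorted(p) for u, p in params_by_url.items() if p}
    return {
        "static_urls": static,
        "dynamic_urls": dynamic,
        "static_count": len(static),
        "dynamic_count": len(dynamic),
        "total_parameters": sum(len(p) for p in dynamic.values()),
    }


def print_summary(report):
    """Human-readable version of the same numbers, drill-down per dynamic URL."""
    print(f"Static URLs:  {report['static_count']}")
    print(f"Dynamic URLs: {report['dynamic_count']}")
    print(f"Parameters:   {report['total_parameters']}")
    for url, params in sorted(report["dynamic_urls"].items()):
        print(f"  {url}  ({len(params)} params: {', '.join(params)})")


if __name__ == "__main__":
    print_summary(analyse(SAMPLE_REQUESTS))
```

Because the counts are only as good as the captured traffic, the example deliberately merges the GET and POST observations of `/cart/add` into one URL with two parameters; a site map that only ever saw one of those requests would under-report the attack surface, which is the first caveat in practice.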


Rob V said...

Most of the clients I've worked with don't even know for themselves. And when they do venture to guess, the numbers tend to be way off. This is an invaluable feature in helping to determine the T&M for a given project.

Anonymous said...

Recently I downloaded a copy of Burp Suite and thereupon began to explore Burp Intruder. After several weeks of this, I thought you might appreciate my evaluation.

First, let me say that this criticism is not, in any way, intended to discourage your effort. You have obviously gotten into this technology in depth and the software clearly reflects that. At the very least, it is a teaching tool for how the web works.

My target was Yahoo Mail. This is because I have several yahoo boxes and am much more familiar with the characteristics of their server than any other server. These are the issues that arose in conjunction with using Burp Intruder on Yahoo Mail:

1. After about 30 or 40 posts, the Yahoo server will begin to send captchas. I'm not sure whether the captchas have any significance (see below), because I used the same initial log-in form in Intruder which did NOT mandate a captcha. Yet, I am wondering if you have any idea how widely captchas are deployed in the industry now? And if you have any solution for them?

2. After about 70 or 75 posts, Yahoo responds with a '999' error and refuses all traffic coming from my network. If I change my IP through the gateway and DHCP, this can be overcome, but it's really a lot of work and I doubt any serious hacker will do this. A bot net would probably be more effective.

Note that in my configuration, I used a "cluster bomb" attack in Intruder, with the payloads being a set of email addresses as well as a set of common passwords. Thus, each post contained a different email, as previous experience had shown that Yahoo will also disable based upon repeated user names after about 20 or 25 posts.

Anyway, in conclusion, I do not see the value of your software against a serious professional target. Perhaps I am missing something here? Also, I have read your book.