Burp Suite : Integrated platform for Web Application Security

1.   Burp Suite is an excellent easy-to-use integrated platform for web application security that includes multiple tools seamlessly integrated to test every component and aspect of modern web applications. Whether you need to verify the robustness of your authentication mechanism, the predictability of your session tokens, or the input validation checkpoints present in your application, Burp is often compared to Swiss-army knife for security practitioners since it offers a horde of features . Not only does it allow in-depth manual assessments, but it also combines automated techniques to enumerate and analyze web application resources.Burp has been developed by PortSwigger Ltd. and is available in two editions:

- Burp Free

- Burp Professional

In-fact,the free version is perfect to start for beginners as it contains all the basic tools to find at least few first vulnerabilities.In its simplest way to explain, Burp is a local web proxy that allows to intercept, inspect, and modify HTTP/S requests and responses between the user's browser and the target website. While the user navigates through the web application, the tool acquires details on all visited pages, scripts,parameters, and other components. The traffic between the browser and the server can be eventually visualized, analyzed, modified, and repeated multiple times. The different tools included in Burp Suite can be easily distinguished by the upper tabs:

- Proxy: It allows to intercept and modify all web traffic.

- Target: This tool allows to aggregate all web application resources, thus guiding the user throughout the security test.

- Scanner: A complete web application security scanner, available in the Professional version only.

- Intruder: Burp Intruder allows to customize and automate web requests. 

- Spider: Automatic crawler that can be used to discover new pages and parameters.

- Sequencer: Used for verifying the randomness and predictability of security tokens, cookies, and more.

- Decoder: It allows to encode and decode data using multiple encoding schemes 

- Comparer: A visual diff tool that can be used to detect changes between web pages.

- Repeater: A simple yet powerful tool that can be used to manually modify and re-issue web requests.

How to go about Installation ?

- A minimum disk space of at least 200 MB is required.

- Required memory is at least 1 GB

- Burp Suite works on Windows, Mac OS X, and Linux

- Software components: An updated Oracle Java Runtime Environment is required to run Burp Suite. 

Downloading Burp Suite from ?

Download link at http://www.portswigger.net/burp/download.html

In the download folder where typically this file gets downloaded,create a burpsuite folder and mov this file to this folder for executing.

Launching Burp Suite in Linux

At the terminal type the following inside the pwd as the new burpsuite folder u created above :

java -Xmx2g -jar burpsuite_v1.4.01.jar

Configuring Burp suite with Iceweasel

1.   Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility. There are two versions available including a free version and also Burp Suite Professional.It is a Java application that can be used to secure or penetrate web applications.The suite consists of different tools, such as a proxy server, a web spider, intruder and repeater.BurpSuite allow us to forward all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. This post will configure burp suite with Iceweasel in Kali Linux .

2.   Open Internet - Iceweasel Web Browser

3.   Click on Edit then Preferences

4.   Preference Window will be open Now go to Advance → Network → Setting

5.   Select Manual Proxy then set 127.0.0.1 in HTTP Proxy area and port should be 8080. Use this proxy server for all protocols by checking the box. Clear the No Proxy field then Finally Click OK.

6.   Now open burp suite Application → Kali Linux → Top 10 Security Tools → Burpsuite

7.   You get to see the following screen

8.    After Burp Suit is opened,Click on Proxy Tab then Click on Option Subtab and watch carefully local host interface running box should be check in Proxy Listeners.

9.    Scroll down in the same tab (Proxy Tab → Option subtab) 

Intercept Client Requests

    → Select URL Match type and keep Clicking UP button till URL Match type reach at the top.

    → Check Box 'Intercept requests based on the following rules.

Now select 'File Extension' and click on Edit.Edit Window will be open. Here we will add 'jpeg' file extension. You can add or remove file extension as per your need. So, Write code and click on OK.

10.  We will Add file extension match type according to below details:
      Boolean Operator : And
      Match type : File Extension
      Match relationship : Does not match
      Match condition: (^gif$|^jpg$|^png$|^css$|^js$|^ico$|^jpeg$)

11.  Select 'File extension'  and keep Clicking UP button till 'File extension' reach at the 2nd top.

12.   Now Open Iceweasel and type www.google.com in the web address area....and u r ON if all set right

Source of help : http://knoxd3.blogspot.in/2014/05/how-to-configure-burp-suite-with.html

VEGA SCANNER : Powerful Open Source Web Application Vulnerability Scanner

1.   Vega is one free and open source scanner and testing platform to test the security of web applications by Subgraph, an open source security software company. Vega can help find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. 

Main Features:

    Automated Crawler and Vulnerability Scanner
    Consistent UI
    Website Crawler
    Intercepting Proxy
    SSL MITM
    Content Analysis
    Customizable alerts
    Database and Shared Data Model

2.   So to launch Vega in Kali Linux...go to Web Applications then to Web Vulnerability Scanners and select Vega. 

 Vega will flash an introduction banner and display a GUI

Vega has Scanner and Proxy tabs as u play with the interface as seen below. To use Vega as a Scanner,click on the Scanner tab , click on Scan on the top-left corner and select to start new scan

 You will see an input field asking for the target. The screen shot tested below is targeting www.thesecurityblogger.com. Choose target and click on Next:

3.   It takes time to scan but gives pretty exhaustive results and presents a summary too.

HIDEMYASS saves its own!!!

1.  The month of September 2011 went so full of embarassment for HMA(Hidemyass) that it would probably like October  to  follow  August  ( September  may just  vanish in the smoke....) All  its  claims  of  telling  being anonymous  and safe, maintaining privacy,being completely hidden etc etc hit a serious setback....the story goes like this...

 2.   The case pertains to Lulz Security aka LulzSec,a computer hacker group that claims responsibility for several high profile attacks including SONY,CIA etc.So in the month of September this year an alleged Lulzsec member who had carried out attacks on various organizations including Sony and the UK’s Serious Organised Crime Agency, had used this ‘anonymous’ VPN service supplied by HideMyAss.But his plan failed in the biggest way imaginable. HideMyAss (HMA) keeps all yourlogs and as a UK company when given a court order to cough up information, they did so. After matching timestamps to IP addresses, in the blink of an eye Luzlsec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI got their man.....so whats the use.....!!!!

3.   But I feel that anything to do with some serious crime should always be contained....like this way...but what about you and me....our surfing habits will always be known....our info will always be under cloud....:-(

4.   This is what HMA had to say :

“Our VPN service and VPN services in general are not designed to be used to commit illegal activity,” said Hide My Ass. “It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.”

5.  Thanks vpn-reviews.net and  Torrentfreak

PROXY SERVER : ARE THEY LEGAL TO BE USED IN INDIA?

1.   Few days back I was surfing  few sites via proxy server at HIDEMYASS. Just like a that,a thought came to mind that if the Indian Government on one hand is trying all ways out to monitor nefarious activities on net...and in the name of this monitoring they are monitoring u and me as well....what would they be able to do for those actual ones who use proxy servers?.....

2.   Though it is understood that not all proxy server sites are as safe as they claim...most of them have actually a life of not more then 4-5 days...they actually are born to steal and vanish...we call that 9 2 11....But sites like those have been existing for more than 4-5 years like hidemyass,proxy.org etc are actually doing the work they are supposed to do ie PRIVACY!!!

3.   If any of the readers have some idea or can guide to some link w.r.t legality issues of using proxy servers in India...i would be grateful....and lastly if anyone has some disagreements on the comment earlier that INDIAN GOVERMENT IS MONITORING YOU...just check the ANONYMITY CHECKER at https://xerobank.com/.

CAN WE EVER BE SAFE ONLINE?

1.    It is indeed difficult to surf anonymously if u r a normal user....u put on a monkey cap "DISCONNECT" or wear a long coat or do anything u cant remain hidden....the spy ,if he is after you, will come to know who u r?where r u from?....what r u doing ?etc etc....

2.   Recently came across this https://xerobank.com/......and just clicked to know more of what it had to offer....it gave me a sneak preview of what others may know...my IP ADDRESS...MY LOCATION(ok that normal)...but then also told me that "DATA INTERCEPTION DETECTED"....BY THE INDIAN GOVERNMENT...now this was only a sneak peak....to know more visit the site at https://xerobank.com/