Vulnerability Analysis in Web Application using Burp Scanner

Hello friends! Today we are going to use Burp Suite Scanner which is used for website security testing to identify certain vulnerability inside it. It is the first phase for web penetration testing for every security tester.

Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Let’s Start with burp proxy in order to intercept request between browser and website. From the screenshot, you can perceive that we have forwarded the intercepted data for “an active scan”.

 Note: Always configure your browser proxy while making use of burp suite to intercept the request.

Through a window alert it will ask to confirm your action for the active scan; press YES to begin the active scan on targeted website.

Issue Activity

The issue activity tab contains a sequential record of the Scanner’s activity in finding new issues and updating existing issues. This is useful for various purposes:

  • An index number for the item, reflecting the order in which items were added.
  • The time that the activity occurred.
  • The action that was performed.
  • The issue type.
  • The host and URL path for the issue.
  • The insertion point for the issue, where applicable.
  • The severity and confidence of the issue.

From the screenshot you can observe that it highlighted 8 types of issues found inside website from scanning result as following:

  1. Cross-site scripting (reflected)
  2. Flash cross-domain policy
  3. SQL injection
  4. Unencrypted communications
  5. Cross-domain Referer leakage
  6. Email addresses disclosed
  7. Frameable response (potential Clickjacking)
  8. Path-relative style sheet import

Active Scan Queue

Active scanning typically involves sending large numbers of requests to the server for each base request that is scanned, and this can be a time-consuming process. When you send requests for active scanning, these are added to the active scan queue, in which they are processed in turn.

  • An index number for the item, reflecting the order in which items were added.
  • The destination protocol, host and URL.
  • The current status of the item, including percentage complete.
  • The number of scan issues identified for the item.
  • The number of requests made while scanning the item.
  • The number of network errors
  • The number of insertion points created for the item.
  • The start and end times of the item’s scanning.

One by one we are going to demonstrate these vulnerabilities in details using request and response.

Advisory on Cross-site scripting (reflected)

It gave your brief detail of vulnerability and idea to exploit it.

Issue:   Cross-site scripting (reflected)
Severity:   High
Confidence:   Certain
Path:   /listproducts.php

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload was submitted in the cat parameter. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response.

Inside the request tab, we will get Inject payload with intercepted data in order to receive the certain response of generated request. In the given image you can observe that it has injected JavaScript inside URL with Cat parameter

As response, we can see the injected payload get submitted inside the database. Now it will generate an alert prompt on the screen when get executed on the website.

Let’s verify it manually on the running website.

Execute following script inside URL with cat parameter, As a result, you will receive prompt 1 as an alert window.

Advisory on SQL injection

Similarly test for other vulnerability

Issue:   SQL injection
Severity:   High
Confidence:   Firm
Path:   /listproducts.php

The cat parameter appears to be vulnerable to SQL injection attacks. The payload was submitted in the cat parameter, and a database error message was returned. You should review the contents of the error message, and the application’s handling of other input, to confirm whether the vulnerability is present.

The database appears to be MySQL.

Under request tab single code () will pass with the cat parameter to break the SQL statement in order to receive database error as a response.

Under the response tab you can read the highlighted text which clearly points towards SQL vulnerability inside the database.

Advisory on Flash cross-domain policy

Issue:   Flash cross-domain policy
Severity:   High
Confidence:   Certain
Path:   /crossdomain.xml

The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Similarly, as above it has generated the request through GET method using crossdomain.xml

It has received a successful response over its GET request, inside highlighted text you can read it has allowed accessing this site from any domain with any port number and security is set as False.

In this way, we can see how the burp suite scanner tests the security loopholes in a website.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

2 Comments Vulnerability Analysis in Web Application using Burp Scanner

Leave a Reply

Your email address will not be published. Required fields are marked *