Creating Macros for Burp Suite

There are many tools available for automated testing of web applications. One of the best known is probably sqlmap. Sqlmap allows you to identify and exploit SQL injection vulnerabilities with ease from the command line. However, controls such as CSRF tokens or simple anti-automation techniques such as including a unique hidden value within the form can prevent automated tools from working correctly. Macros in Burp Suite are a great way to bypass these measures in order to carry out automated testing, although they can be complicated to implement.


Testing .NET MVC for JSON Request XSS - POST2JSON Burp Extension

During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to an MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application.

'Invisible Intercept' Function of Burp

The little-used 'invisible intercept' function in Burp can be useful when testing basic client applications that do not support proxy settings, or in the case of the test I was on this week, to intercept Flash applications (that do not honour proxy settings in Chrome). Unfortunately there is little information on how to actually force your [locally generated] traffic through the proxy using iptables.