Sunday, September 6, 2009

Burp Suite Tip of the Day (BToD) Sequencer & Entropy Analysis

Back with another tip. As pointed out by @rybolov's comment on twitter, Burp Suite may be somewhat difficult for folks new to the Suite of tools. One thing that I find interesting is how folks that use the tool (like myself) can learn something new everyday. Sequencer is one of the tools included in Burp Suite that I think requies a bit of an introduction. Once understood, this tool along with Intruder can be a powerful session attack combination.

You will notice I define Burp Suite as a suite of tools and this is for good reason. It is truly my belief that this tool is fast becoming a one-stop shop for dynamic analysis of an application. The free version of the suite is excellent but for those who test professionally, tools such sequencer and intruder must be threaded otherwise valuable functionality might be lost. I say this because when breaking a session token sequence to hijack a session....... timing is critical. With that in mind, show @portswigger and yourself some love by purchasing the product at portswigger.net.

On with the tutorial. In our example, we have registered for access to the site. We have also identified a login submission form. After successful authentication with a limited access user account we are provided a cookie 'set-cookie'. The idea is here is since we can log into the site and are provided only one session value (the cookie) we might be able to submit another user's cookie value and access the site with their account. In other words, session hijacking!

For example, I'm given session value abcd1112 and using sequencer I've noticed that only the last four digits change. The response would be abcd1113 abcd1114 up to abcd1212. So I've evaluated this session value and noticed it has extremely weak entropy.

My next step would be to request a resource just beyond the login form such as welcome.php and do this in a threaded fashion manipulating my cookie value using Intruder. The responses might vary in byte length. For instance I've noticed a large byte return in one instance indicating more functionality returned so this might be an administrative account.

So the first thing we would do is send the request that triggered a cookie value to be set to sequencer like so:


At the Sequencer > live capture tab we want to select the cookie to evaluate which would be the value immediately following 'set-cookie: badentropy='.  The selection drop down is highlighted in red.

.
After we've clicked 'start capture' in the lower right hand corner in the Intruder > live capture tab we've a screen will pop-up like so:
By default, 100 session values will be evaulated and only after this is completed can you analyse the entropy. Burp Suite analyzes this for you btw ;-). So after the 100 session token values have been generated we've clicked the 'analyse now' button at this screen and determined that the site only increments the last four digits by 1 and sequentially by viewing the summary tab in this screen. So this is extremely weak entropy. Lets try to exploit it!

Send the request for http://www.example.com/welcome.php to intruder like so:


Now because the last value provided at the sequencer BY the application was badentropy=abcd1212 we will start at abcd1213 when positioning our payload.

I've already provided a tutorial on my blog how to use Intruder > numbers so the rest of this can be referenced at intruder/numbers paylod.

The thing to remember here is that you are looking for items of interest like varying byte length and response code. Obviously if you are given a 302 response when incorrect credentials are given and you've observed this in some of the responses and not others this might be a sign that the cookie submitted is not a valid. If the 200 response received in the other cookie values are all approximately the same size in byte length except for one or two those might indicate privileged accounts.

Hope this tutorial helps someone and as always, happy hacking.

No comments: