Friday, December 11, 2009

BToD Testing an Intranet site / 'do WWW Authentication'

I'm sure most folks have already used this feature but for those that haven't, I came across a situation recently where I was asked to test an Intranet application and found the 'do WWW Authentication' piece of functionality made life much easier for me.

So as you may know from my earlier post regarding extracting HTML comments using DirChex, Burp Suite and a Burp Suite Plugin this process is very quick and very simple.

DirChex is basically a dumb application. It is fed a list of URIs like so:

http://www.example.com/index.html
http://www.example.com/protected/shouldn't_be_available.html
http://www.example.com/hidden/mydatabasedump.txt
http://www.example.com/protected/TheMetsSuck.html

(That last line was for you Jack)

and it blindly requests each URI thru the proxy of your choice. The whole idea is to view the request/response as an unauthenticated user. I provide no options for setting a cookie/sessionID/login creds.

Here is the problem I ran into. I'm testing an Intranet application, the application uses NTLM which is tied to your Windows Domain account to receive access to the main page of the application. Only after you've first authenticated via your domain account will you have access to the actual application (which has a login form, technically your half authenticated?). So to test the "unauthenticated" portion you technically have to be authenticated :-)

This is where you can save your self some time. If you utilize the 'do WWW Authentication' option every request that is sent via Burp will automatically have the NTLM/Basic/Digest credentials included.

Navigate to the 'Comms' tab ('Options' tab in later version) and fill in the following:



Hope this helps someone.

Happy Hacking!

No comments: