Burp Suite: A Comprehensive Web Pen Testing – JoshinGeneral – CarolinaCon9

I plan on showing some of the features of Burp Suite and how it can be used to run pen tests against devices that have web authentication. I will walk through setup and use of the Target window to store proxied requests, and then combine that with Repeater, Intruder and Sequencer to attack the site. My talk will explain how we can use each view to analyze responses as we modify requests on the fly. I plan to show how Burp helps you bypass a site's XSS and SQL injection input checks, perform directory traversal, defeat client-side login checks, and find non-random session keys.
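The session-key part of the talk rests on the same idea as Burp's Sequencer: capture a sample of tokens and look for structure that should not be there. The script below is an added example, not code from the talk or from Burp, that performs the basic checks Sequencer reports on a list of tokens: fixed length, character positions that never change, low per-position entropy, and values that simply count upwards. Both token lists are constructed for the example (the "strong" set comes from a seeded PRNG so the run is repeatable); in practice the input would be tokens exported from Sequencer or collected from repeated login responses. The `max_step` threshold for the counter check is an assumption to tune per application.

```python
"""Session-token randomness check in the spirit of Burp Sequencer.

Added example, not code from the talk or from Burp. It reads a list of
captured session tokens and reports the signs of a predictable generator
that Sequencer would also surface: variable length, characters that never
change at a given position, low per-position entropy, and hex values that
count upwards in capture order.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy (bits) of the empirical distribution of `symbols`."""
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def analyze_tokens(tokens, max_step=2 ** 16):
    """Return a dict of predictability indicators for a token sample.

    max_step: largest increase between consecutive hex values that still
    counts as 'counting upwards' (an assumption; tune it to the target).
    """
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        raise ValueError("need at least two tokens")
    lengths = sorted({len(t) for t in tokens})
    min_len = lengths[0]

    # Per-position entropy over the sample. A position with entropy 0
    # never changes, so it adds nothing to the effective key space.
    per_position = [
        shannon_entropy_bits([t[i] for t in tokens]) for i in range(min_len)
    ]
    static_positions = [i for i, e in enumerate(per_position) if e == 0.0]

    # Sequential check: only if every token parses as hex. Compare
    # consecutive values in capture order.
    monotonic = False
    try:
        values = [int(t, 16) for t in tokens]
        diffs = [b - a for a, b in zip(values, values[1:])]
        monotonic = all(0 < d <= max_step for d in diffs)
    except ValueError:
        pass  # non-hex token (e.g. base64); skip the sequential check

    findings = []
    if len(lengths) > 1:
        findings.append(f"variable length {lengths}")
    if static_positions:
        findings.append(f"{len(static_positions)} static positions {static_positions}")
    if monotonic:
        findings.append("values increase monotonically (counter or timestamp?)")

    return {
        "sample_size": len(tokens),
        "static_positions": static_positions,
        "estimated_bits": round(sum(per_position), 1),
        "monotonic": monotonic,
        "findings": findings,
    }


# Constructed sample 1: a weak generator, fixed prefix plus a counter.
WEAK_TOKENS = [f"{0x5e3a0000 + 7 * i:08x}" for i in range(40)]

# Constructed sample 2: 128-bit values from a seeded PRNG, standing in for
# a well-behaved generator (seeded only so the example is repeatable).
_rng = random.Random(1234)
STRONG_TOKENS = [f"{_rng.getrandbits(128):032x}" for _ in range(40)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, analyze_tokens(sample))
```

With 40 tokens the per-position entropy can never exceed log2(40), about 5.3 bits, so `estimated_bits` is a lower bound that rises with sample size; Sequencer asks for several hundred tokens for the same reason. The counter check only fires on hex tokens, so a base64 or opaque-string token should be decoded before analysis.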
In the last part of the demo I will show how I used this to bypass the web authentication on an Iomega network storage drive (NAS) and, without knowing the details of the CVE, upload a backdoor to the NAS and gain root, so that it can serve as a pivot point for mounting further attacks into the victim's network, all using Burp. All of this will be presented live; however, instructions and a PowerPoint deck will be provided so anyone can repeat the demo on their own.