Topic - In this Article we will learn Burp Suite's Target Tab. You will see how Target Tab is most important part of burp suite.
Requirement:
A. Mutillidae
B. Firefox or iceweasel
C. Burp Suite (We are using Free Version)
1. Each time whenever you need to perform Mutillidae in your system, you have to run mysql and apache server.
Open Terminal
a. Type service mysql start and Press Enter
b. Type service apache2 start and Press Enter
Both servers have been started. Now, you can open mutillidae without any issue.
Before opening Mutillidae Lets start Burp Suite. In Terminal type burpsuite.jar and Press Enter.
(Click image for large view)
2. Your burp suite has been started. First of all turn off intercept. We will discuss about it later because in this article we will discuss only about Target Tab.
3. Open your Internet Browser and browse your Mutillidae as per your setup. If you have installed and configured Mutillidae according to my article then type 127.0.0.1/mutillidae in the browser web address and search it. Soon you will get your Mutillidae screen.
4. Target tab contains detailed information about your target applications, and lets you drive the process of testing for vulnerabilities.
Site Map Sub-tab
A. The site map contains all of the URLs you have visited in your browser, and also all of the content that Burp has inferred from responses to your requests. Items that have been requested are shown in black, and other items are shown in gray. You can expand branches in the tree, select individual items, and view the full requests and responses. The tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests. You can expand interesting branches to see further detail. If you select one or more parts of the tree, all the selected items and items in child branches are shown in the table view.
B. The table view shows key details about each item (URL, HTTP status code, page title, etc.).
C. Request and Response Pane
5. If you select an item in the table, the request and response for that item are shown in the request/response pane.
Request Tab
Raw – You can see host, user agent, server and cookies etc.
6. Request Tab
Params – As you can see it shows cookies.
7. Request Tab
Headers – Its look like raw details but in well organized. This shows headers details.
8. Request Tab
Hex – It shows details like host user etc in hex code.
9. Response Tab
Raw – This is what server responding, Raw sub-tab shows server details etc. If you will scroll down you will notice HTML codes are there but leave it for now because there are HTML sub-tab has given separately.
10. Response Tab
Headers – Organized details of respond server.
11. Response Tab
Hex – Details in Hex.
12. Response Tab
HTML – In this section we can see respond html codes.
13. Response Tab
Render – Render shows the actually view of the site how it looks like exactly.
14. Scope Sub-tab - The scope configuration tells Burp the items that you are currently interested in and willing to attack. The scope definition uses two lists of URL-matching rules - an "include" list and an "exclude" list. When Burp evaluates a URL to decide if it is within the target scope, it will be deemed to be in scope if the URL matches at least one "include" rule and does not match any "exclude" rules. This enables you to define specific hosts and directories as being generally within scope, and yet exclude from that scope specific subdirectories or files (such as logout or administrative functions). You can add or edit rules on the "include" and "exclude" lists using the URL-matching rule editor.
Each URL-matching rule can specify various features of the URLs that will be matched. For a URL to match the rule, it must match all of the features that are specified by the rule. The following items can be configured:
Protocol - This specifies the protocol(s) that the rule will match. Available options are: HTTP, HTTPS, or any.
Host or IP range - This specifies the host(s) that the rule will match. You can enter a regular expression to match the hostname, or an IP range in various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. If the host field is left blank, then the rule can match URLs containing any host.
Port - This specifies the port(s) that the rule will match. You can enter a regular expression to match one or more port numbers. If the port field is left blank, then the rule can match URLs containing any port.
File - This specifies the file portion of the URL that the rule will match (ignoring any query string). You can enter a regular expression to match the required range of URL files. If the file field is left blank, then the rule can match URLs containing any file.
However, in most cases, by far the easiest way to define your target scope is via the site map. As you map out the target application via Burp Proxy, the application's content will appear in the site map. You can then select one or more hosts and folders, and use the context menu to include or exclude these from the scope. This process is extremely easy and in most situations will let you quickly define all of the rules necessary for your testing.
15. Context Menu - Displaying all of the information gathered about your target, the site map enables you to control and initiate specific attacks against the target, using the context menus that appear everywhere. The exact options that are available depend on the location where the context menu was invoked, and the type of item selected. The complete list of context menu actions is as follows:
Add to / remove from scope - These options create new target scope rules which add or remove the selected item from scope. The rule generated will apply to the selected item and all child branches in the tree. A common technique when testing an application that includes some sensitive URLs is to add the whole application path (domain or directory) to the target scope, and then select the sensitive items and exclude them from scope.
Spider this host- You can select a host or folder within the tree view, and perform actions on the entire branch of the tree, such as spidering.
Actively scan this host- [Pro version] Actively scan takes an individual request to the application, called the "base request", and modifies it in various ways designed to trigger behavior that indicates the presence of various vulnerabilities. These modified requests are sent to the application, and the resulting responses are analyzed. In many cases, further requests will be sent, based on the results of the initial probes. You should use this scanning mode with caution, only with the explicit permission of the application owner, and having warned them of the possible effects that automated scanning may have on the application and its data.
Passively scan this host- [Pro version] Passively scanning doesn't send any new requests to the application - it merely analyzes the contents of existing requests and responses, and deduces vulnerabilities from those. This mode of operation can be used safely and legally in any situation in which you are authorized to access the application.
Engagement tools- [Pro version] This submenu contains various useful functions for carrying out engagement-related tasks:
Search - [Pro version] You can use the Search function to search the selected branches of the site map for items matching a specific expression.
Find comments / scripts - [Pro version] You can use the Find comments / scripts functions to search the selected branches of the site map for comments and scripts.
Find references - [Pro version] You can use the Find references function to search all of Burp's tools for HTTP responses that link to the selected item.
Analyze target - [Pro version] You can use the Target Analyzer function to analyze the selected branches of the site map and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes.
Discover content - [Pro version] You can use the Discover content function to discover content and functionality that is not linked from visible content which you can browse to or spider.
Schedule task - [Pro version] You can use the Schedule task function to create tasks that will run automatically at defined times and intervals.
Simulate manual testing - [Pro version] The Manual testing simulator can be used to generate HTTP traffic that is similar to that caused by manual penetration testin
Compare site maps- You can use the Compare site maps function to identify differences between two site maps. This is a powerful feature that can be used for various purposes, in particular testing for access control vulnerabilities.
Expand / collapse branch / requested items - You can use these functions in the tree view to quickly expand whole branches of the tree, and collapse them after you have reviewed them.
Delete host- This function removes the selected item permanently. Since by default the site map displays all content that Burp has identified based on HTTP responses, the map will often include a large amount of third-party content that is linked to from the application you are interested in. You can deal with this either by configuring a suitable target scope and a display filter, or by manually removing irrelevant branches of the tree.
Copy URLs in the host- This function copies the URLs of the selected item to the clipboard.
Copy links in the host- This function parses the selected item for links, and copies these to the clipboard.
Save selected items- This function lets you specify a file to save the details of selected item in XML format, including full requests and responses, and all relevant metadata such as response length, HTTP status code and MIME type.
16. Display filter - The site map has a display filter that can be used to hide some of its content from view, to make it easier to analyze and work on the content you are interested in.
Request type- You can show only in-scope items, only requested items, only requests with parameters, or you can hide not-found items.
MIME type - You can configure whether to show or hide responses containing various different MIME types, such as HTML, CSS, or images.
Status code- You can configure whether to show or hide responses with various HTTP status codes.
Folders - You can optionally hide empty folders in the tree view. This is useful to remove folders whose child items have all been hidden by other display filter attributes.
Search term- [Pro version] You can filter on whether or not responses contain a specified search term. You can configure whether the search term is a literal string or a regular expression, and whether it is case sensitive. If you select the "Negative search" option, then only items not matching the search term will be shown.
File extension- You can configure whether to show or hide items with specified file extensions.
Annotation - You can configure whether to show only items with user-supplied comments or highlights.
Note: - If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter.