Monday, January 13, 2014

Re-launch - A focus on Web Application Pen Testing, Burp Extensions, etc

It has been quite a while since my last blog post here. Not that I have ever really blogged much, but in 2010, I officially switched from a world filled with enterprise firewalls and intrusion detection systems, to one filled with Web Applications (and other types of applications).

On one hand, for someone who likes to learn, Web Application Penenetration Testing is perfect: There are so many languages, frameworks, best practices, and common mistakes to understand, that as a tester, you will never run out of things to learn. Of course, that also means that you will never come close to being able to learning it all. Left unmanaged, this can be a source of frustration and despair.

The main point of this blog re-launch, is that it has been far too long since I have written any code. I'd like to document the mistakes I make, and the lessons I am bound to learn, as I jump back into things. 

I mainly test applications from a Windows OS, so those thousands of hours of BASH scripting experience from my past are just sitting in my brain as memories. I was just starting to become functional in Python also, when I essentially abandoned that as well. I have found a few things to automate over the last few years, but to be honest, most times I think of something related to application testing that I can automate in Python, I realize that Portswigger's Burp Suite already does that. I can't tell you how many times this has happened.

Of course, the problem with relying on a tool to do something for you is that if you need it to do something slightly differently, you are stuck. This is where the Burp Extension API comes into play.

Recently, I have done a number of assessments on custom applications (Mostly thick clients written in Java, C#, etc), that use web services to communicate with the server. While these applications use HTTP(s), and can be intercepted with Burp, their implementations are unique and it becomes difficult to analyze the requests with the default Burp functionality.

This is of course, the perfect opportunity for me to extend Burp Suite to make it do things that only I need it to do, while at the same time, an opportunity for me to dust off my scripting/programming skills.

The next few posts at least, will contain Burp Extension related info.  They will hopefully show me improving from noob to moderatly functional.  We'll see...

No comments: