DerbyCon 2017 Stable Talk about finding Struts (and other vulnerabilities) with Burp extensions. Full talk available on YouTube: https://www.youtube.com/watch?v=DSJW8_VzElI
Burp better - Finding Struts and XXE Vulns with Burp Extensions
1. Burp Better
Extending Burp to Find Struts and XXE Vulnerabilities
Or
Build Cool Things and GIVE THEM AWAY!
2. Chris Elgee
Nerd Guy
• Technical Engineer with Counter
Hack Challenges
• SANS Community Instructor
• Until recently: Penetration
Tester for Sage Data Security
• GSEC-Gold, GCIH, GWAPT, GPEN,
CISSP, OSCP
Army National Guard Guy
• Major in the Massachusetts
ARNG G-6
• Red teamer
• 26B, 12A, 25A, 02G
3. What am I missing? (False Negative Anxiety)
• Default credentials
• admin:SooperSecretPassword1234
• https://www.<CLIENTDOMAIN>.com/passwords.txt
• Negative quantities in shopping carts
• XXE in a POST body
• Struts vulnerabilities
10. Coding Additional Checks
• But I don’t want to code in Java!
• Use Python
• I don’t know the first thing about coding a Burp extension!
• Start with something similar
• How will I make it go?
• Existing python scripts
Highlight 1st three (included in tool)
2017-9805 in HH17
2017-5638 in EquiFax
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
1st three tend only to work if pointed at the right URL - not just the root of the server.
Burp makes things a little easier because you’re typically looking at a much more complete set of URLs
https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code
https://dev.northpolechristmastown.com/orders.xhtml
A very good place to start!
783 lines (BCE)
https://github.com/albinowax/ActiveScanPlusPlus
A very good place to start!
783 lines (BCE)
https://github.com/albinowax/ActiveScanPlusPlus
Test in your lab! Jeff McJunkin can show you how:
https://www.sans.org/webcasts/building-super-duper-home-lab-105640
https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5ityWYRqb5PoNHwvWSZaOr_E/edit