
Security testing of eBudget (PROJECT FOR SUMMER TRAINING)

Submitted by Ashish Sharma, B.Tech (I.T.), Guru Gobind Singh Indraprastha University
Under the guidance of Mr. Kapil Kr. Sharma

National Informatics Centre

Page | 1

ACKNOWLEDGEMENT

We take this opportunity to acknowledge the guidance, cooperation and inspiration of all those who in one way or another helped us in our endeavour to complete this research and prepare a meaningful report on eBudget security testing. Our project is unique in that we were fortunate enough to be associated with a prestigious professional institute. Among the many people who have been enormously helpful, both mentally and physically, in the preparation of this project, it becomes very difficult to categorize who was of greatest support. We would like to thank Mr. Kapil Kr. Sharma, our industry guide, for providing us the inspiration for undertaking this project and for his continuous support, encouragement and guidance at all stages.


DECLARATION

I, ASHISH SHARMA, student of 3rd year B.Tech - IT, Amity School of Engineering and Technology, Guru Gobind Singh Indraprastha University, have completed the project on Security Testing of E-Budget for the academic year 2010-2011 at National Informatics Centre (Ministry of Finance), New Delhi.

The training was imparted for a period of 6 weeks, which helped me understand the working of a high-end organization such as National Informatics Centre. The information given in this project is true to the best of

Ashish Sharma 0911043108 B.Tech (Information Technology) Amity School of Engineering and Technology

Submitted by Ashish Sharma


ABSTRACT
This report describes the various types of flaws or bugs present in eBudget, an application developed by NIC. This application was developed for the management of various budgets in ministries and to implement a green approach in our government offices by removing the current file systems, in which a lot of paper is wasted. This application also gives an easier tracking system for various types of budgets. The application was tested with tools such as Burpsuite and Firebug for security risks such as injection, cross site scripting and URL access, with the security objectives of authorization, authentication, integrity and confidentiality. The application was also tested for vulnerabilities and threats such as checking of the constraints given in the white list and brute force attacks. This report also provides the measures that can be taken to fix the various flaws that were discovered during the testing phase.


Contents
Introduction about NIC
Application security
Difference between vulnerabilities, threats and risks
Top 10 Application Security Risk
Security objectives
Vulnerabilities
Threats
Web applications
End To End deployment scenario
Roles and key scenarios
Technologies
Vulnerabilities found in eBudget
1. Insecure cryptographic storage
2. Broken authentication and session management
3. Cross site scripting
4. Cross site request forgery
5. Injection flaws
6. Same sessionid for two users
7. Server information displayed to the user

Glossary
Cookie
Browser cache
SSL
Get and Post method
Web server
Salted MD5 hashing scheme
Application to encrypt password
Burp suite
Cryptography

Introduction about National Informatics Centre (NIC)


We live in the age of the Information Technology (IT) revolution. The universal acceptance of the power of IT to transform and accelerate the development process, especially in developing economies, is indisputable. The rapid advance of communication technologies, especially the Internet, has enabled governments all over the world to reach out to their most remote constituencies to improve the lives of their most underprivileged citizens. NIC, under the Department of Information Technology of the Government of India, is a premier Science and Technology organization, at the forefront of the active promotion and implementation of Information and Communication Technology (ICT) solutions in the government. NIC has spearheaded the e-Governance drive in the country for the last three decades, building a strong foundation for better and more transparent governance and assisting the government's endeavour to reach the unreached.

Background

The mid-1970s, in India, were watershed years, heralding a revolutionary transformation in governance. In the year 1975, the Government of India envisioned that the strategic use of Information Technology (IT) in government would lead to more transparent and efficacious governance which could give a fillip to all-round development. In 1976, in the wake of this recognition of the potency of IT, the Government visualized a project of enduring importance, viz. the "National Informatics Centre (NIC)". Subsequently, with the financial assistance of the United Nations Development Program (UNDP) amounting to US $4.4 million, NIC was set up.

Milestones

Central Government Informatics Development Programme: a strategic decision to overcome the Digital Divide in Central Government Departments during the Fifth Plan Period (i.e. 1972-77);

NICNET - A first of its kind in developing countries, using state-of-the-art VSAT technology. Gateway for Internet/Intranet Access and Resources Sharing in Central Government Ministries and Departments during 1980s and 1990s;

IT in Social Applications and Public Administration;

State Government Informatics Development Programme: a strategic decision to overcome the Digital Divide in Central and State Governments/UT Administrations, during the Seventh Plan Period (i.e. 1985-1990);

DISNIC: a NICNET-based District Government Informatics Programme, a strategic decision in 1985 to overcome the Digital Divide in the District Administrations;

Reaching out into India during 1985-90, even before the arrival of Internet Technology, to all the districts of the country, which is a land of diversity and different types of terrain, various Agro-climatic conditions, different levels of socio-economic conditions, and varied levels of regional development etc.

Video-Conferencing operations first commenced in the early 90s and now connect 490 locations

National Informatics Centre Services Inc. (NICSI) was set up in 1995, as a section 25 Company under National Informatics Centre. NICSI is preferred by government departments for outsourcing the entire range of IT solutions and services.

India Image Portal is a gateway to Indian government information with a mission to extend comprehensive WWW services to Government Ministries and Departments. Under this project, over 5000 Government of India websites are being hosted.

A significant outcome of India Image Portal, which came about in the early years of the millennium, is the GOI Directory, a first of its kind comprehensive directory providing information about websites of the Indian government at all levels.


Also, in late 2005, all the services and websites in India Image Portal were brought under one interface to provide single- window access to citizens. This is the National Portal accessible at http://india.gov.in.

Integrated Network Operations Centre (I-NOC) was established in 2002 for round the clock monitoring of all the WAN links across the country.

NIC Data Centre, established in 2002, hosts over 5000 websites & portals. Data Centres which have been established at State capitals for their local storage needs, have storage capacity from 2-10 Tera Bytes.

NIC has been licensed to function as Certifying Authority (CA) in the G2G domain and CA services commenced in 2002.

NIC set up the Right to Information Portal in order to provide support to the Government for speedy and effective implementation of the Right to Information Act 2005.

Over the years NIC has extended the satellite based Wide Area Network to more than 3000 nodes and well over 60,000 nodes of Local Area Networks in all the Central Government offices and State Government Secretariats.

As a major step in ushering in e-Governance, NIC implements the following minimum agenda as announced by the Central Government:

Internet/Intranet Infrastructure (PCs, Office Productivity Tools, Portals on Business of Allocation and Office Procedures)

IT empowerment of officers/officials through Training

IT enabled Services including G2G, G2B, G2C, G2E portals

IT Plans for Sectoral Development

Business Process Re-engineering

NIC provides a rich and varied range of ICT services delineated below.


Profile of Current Services:


Digital Archiving and Management
Digital Library
E-Commerce
E-Governance
Geographical Information System
IT Training for Government Employees
Network Services (Internet, Intranet)
Video Conferencing
Web Services
General Informatics Services
Medical Informatics
Bibliographic Services
Intellectual Property and Know-How Informatics Services
Setting up of Data Centres
Building Gigabit Backbone
IT Consultancy Services
Turnkey IT Solutions

Thus, NIC, a small program started by the external stimulus of a UNDP project in the early 1970s, became fully functional in 1977 and has since grown with tremendous momentum to become one of India's major S&T organizations promoting informatics-led development. This has helped to usher in the required transformation in government to ably meet the challenges of the new millennium.


Application security:
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize the likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.

Actions taken to ensure application security are sometimes called countermeasures. The most basic software countermeasure is an application firewall that limits the execution of files or the handling of data by specific installed programs. The most common hardware countermeasure is a router that can prevent the IP address of an individual computer from being directly visible on the Internet. Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs, and biometric authentication systems.

Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does (or will do) with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats, and documenting adverse events and the actions taken in each case. This process is known as threat modelling. In this context, a threat is any potential or actual adverse event that can compromise the assets of an enterprise, including both malicious events, such as a denial-of-service (DoS) attack, and unplanned events, such as the failure of a storage device.

DIFFERENCE BETWEEN THREATS, VULNERABILITY AND RISK


Asset: What we are trying to protect.

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we are trying to protect against.

Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.

Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.

Top 10 Application Security Risk:

A1-Injection - Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2-Cross site scripting- XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3-Broken Authentication and Session Management- Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

A4-Insecure Direct Object References- A direct object reference occurs when a developer
exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Cross site request forgery- A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6- Security Misconfiguration- Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7- Insecure Cryptographic Storage- Many web applications do not properly protect
sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A8-Failure To Restrict URL Access- Many web applications check URL access rights
before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.


A9- Insufficient Transport Layer Protection- Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10-Unvalidated Redirects And Forwards- Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Security objectives:
When you create and carry out a security policy, you must have clear objectives. Security objectives fall into one or more of the following five categories:

Authorization: Assurance that the person or computer at the other end of the session has permission to carry out the request.

Authentication: Assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be.

Integrity: Assurance that arriving information is the same as that sent.

Non-repudiation: Assurance (accountability) that any transaction that takes place can subsequently be proven to have taken place. Both the sender and the receiver agree that the exchange took place.

Confidentiality: Assurance that sensitive information remains private and is not visible to an eavesdropper, usually achieved by using encryption.


Vulnerabilities:
The application vulnerabilities are:

Missing or weak input validation at the server.

No check of the constraints given in the white list (e.g. size, type) before the photograph is uploaded.

Failure to protect the database from SQL injection.

Failure to encode output, leading to potential cross-site scripting issues.

Exposing an administration function through the Web (CSRF).

Threats:
The following threats could affect the application:

Brute force attacks occur for certain fields if size and type constraints are not put on them.

Network eavesdropping occurs between the browser and Web server to capture client credentials.

SQL injection occurs, enabling an attacker to exploit an input validation vulnerability to execute commands in the database and thereby access and/or modify data.

Cross-site scripting occurs when an attacker succeeds in injecting script code.

Cookie replay or capture occurs, allowing an attacker to spoof identity and access the application as another user.


Web Applications:

A web application is any application that uses a web browser as a client. The application can be as simple as a message board or a guest sign-in book on a website, or as complex as a word processor or a spreadsheet.

What are the Benefits of a Web Application?


A web application relieves the developer of the responsibility of building a client for a specific type of computer or a specific operating system. Since the client runs in a web browser, the user could be using an IBM-compatible PC or a Mac. They can be running Windows XP or Windows Vista. They can even be using Internet Explorer or Firefox, though some applications require a specific web browser. Web applications commonly use a combination of server-side script (ASP, PHP, etc.) and client-side script (HTML, JavaScript, etc.) to develop the application. The client-side script deals with the presentation of the information, while the server-side script deals with all the hard work such as storing and retrieving the information.


End-to-End Deployment Scenario

[Deployment diagram: browser (HTML over HTTP); web server running Apache and Tomcat, hosting the web application with form authentication and identity via LDAP; database server holding the employee database, accessed over TCP/IP via HQL]

Roles:
Application roles are:

Users (normal employees)

Administrator

Key Scenarios
Important application scenarios are:

An Employee/Administrator enters his credentials to log into his account.

An Employee/Administrator is authenticated through LDAP.

After authentication, the admin can update ministries, manager module details and the financial year, and an employee can upload different doc files to different financial years.

An Employee submits the filled form.

The Administrator can make changes.

An Employee/Administrator must log out of his account after signing in.

Technologies
The application is developed and deployed using following technologies:

Web Server: Apache
Application Server: Tomcat 1.6
Presentation logic: JavaScript and HTML
Business logic: Java
Data access logic: HQL
Database Server: Postgres database
Framework: Wicket, Spring, Hibernate


VULNERABILITIES FOUND IN eBUDGET:

1. INSECURE CRYPTOGRAPHIC STORAGE:


Screenshots of eBudget application

Step 1: The user accesses the link http://164.100.28.86:7070/eBudget and gets a login page, as shown below.


Step 2: The user enters his user name and password and presses the login button. When we check through the testing tool Burpsuite, all the login details including the password are visible and not encrypted. Hence the password may easily be stolen by attackers, making the application insecure.


Recommendations:
1. Clear the text area once the user selects the login button, or send the credentials in encrypted format.
2. Use the salted MD5 hashing scheme to encrypt the password.

2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT:


Step 1: Login from the admin account


Step 2: Login from another user's account, in our case username so and password so.


Step 3: Using Burpsuite, we copied the session id of user so's session.


Step 4: Logout of so's account.


Step 5: Passed it to the sessionid parameter of the admin's account, and we logged into the account of user so.


3. CROSS SITE SCRIPTING (XSS):


Step 1: We enter into the account of admin.
Step 2: Click on the ministry master tab and add a new ministry.
Step 3: In the ministry description field we add a script and click the submit button; the script is then added to the ministry description field.



Recommendations:
1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them.
2. Positive or whitelist input validation is also recommended, as it helps protect against XSS.
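The contextual escaping of recommendation 1 and the whitelist check of recommendation 2, as an added Python example; this is not code from the report or from eBudget (a Java/Wicket application). The table markup, the field rule DESCRIPTION_RE and the sample description value are constructed for the illustration; the only real names used are Python's html, re and urllib modules.

```python
import html
import re
from urllib.parse import quote

# Constructed sample: the kind of value the report describes being entered
# into the ministry description field (a harmless marker, not a real payload).
SAMPLE_DESCRIPTION = "Ministry of <script>alert('x')</script>"


def escape_html_body(value: str) -> str:
    """Escape for HTML element content: & < > " ' become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Escape for a quoted HTML attribute value. html.escape neutralises both
    quote characters; the caller must still wrap the result in quotes."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Escape for a JavaScript string literal inside a <script> block.

    Every UTF-16 code unit that is not an ASCII letter or digit becomes a
    \\uXXXX escape, so no quote, backslash, newline or '</script>' sequence
    can end the literal or the script element."""
    out = []
    units = value.encode("utf-16-be")
    for i in range(0, len(units), 2):
        cu = int.from_bytes(units[i:i + 2], "big")
        if 0x30 <= cu <= 0x39 or 0x41 <= cu <= 0x5A or 0x61 <= cu <= 0x7A:
            out.append(chr(cu))
        else:
            out.append("\\u%04x" % cu)
    return "".join(out)


def escape_url_param(value: str) -> str:
    """Percent-encode a value placed into a URL query parameter."""
    return quote(value, safe="")


# Hypothetical positive (whitelist) rule for a ministry description:
# letters, digits, spaces and a few punctuation marks, 1 to 200 characters.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 ,.&()/-]{1,200}$")


def validate_description(value: str) -> bool:
    """Whitelist validation, the report's second recommendation."""
    return DESCRIPTION_RE.fullmatch(value) is not None


def render_ministry_row(description: str) -> str:
    """Render one table row that places the same untrusted value into four
    contexts (body, attribute, URL, JavaScript), escaping for each.
    The markup is a constructed illustration, not eBudget's page."""
    return (
        "<tr>"
        f'<td title="{escape_html_attr(description)}">'
        f"{escape_html_body(description)}</td>"
        f'<td><a href="/ministry?desc={escape_url_param(description)}">edit</a></td>'
        f'<td><script>showNote("{escape_js_string(description)}");</script></td>'
        "</tr>"
    )
```

The point of four separate functions is that one escaper does not fit all contexts: entity-encoding is right for body and attribute text, but inside a script block the browser decodes nothing, so the JavaScript literal needs its own escape, and a URL parameter needs percent-encoding. Validation is applied on input, escaping on output; the report is right to recommend both.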


4. CROSS SITE REQUEST FORGERY (CSRF)


Step 1: Copying the URL of a page which is logged in using any of the user accounts.


Step 2: Logout of the account

Step 3: Pasting that URL in the address bar after logging out.


The user is able to log in directly by just copying the URL, as shown below.


5. INJECTION FLAWS
Step 1: Logged in to the admin account.
Step 2: Clicked on the account master tab and clicked on the add button.
Step 3: Added SQL injection in the account head description and clicked save; the SQL query is saved.


Recommendations:
1. The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
2. If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter.
3. Positive or "whitelist" input validation with appropriate canonicalization also helps protect against injection, but is not a complete defense, as many applications require special characters in their input.
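The three recommendations side by side, as an added Python example on an in-memory SQLite table. It is not eBudget code (the application reaches its database through HQL and Hibernate); the account_head table, the sample values and the whitelist rule are constructed. It shows why concatenation lets the interpreter read field text as SQL, how a bound parameter stores the same text verbatim, and why whitelist validation on its own is not enough for a field that legitimately needs quotes and brackets.

```python
import re
import sqlite3

# Constructed samples: a legitimate account head containing a quote, and a
# marker string that shows the interpreter reading data as SQL syntax.
LEGIT_DESCRIPTION = "Members' Salaries"
MARKER_DESCRIPTION = "x'), ('extra row"


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the account master table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account_head (id INTEGER PRIMARY KEY, description TEXT NOT NULL)"
    )
    return conn


def insert_unsafe(conn: sqlite3.Connection, description: str) -> None:
    """String concatenation: the database parses user text as part of the statement."""
    conn.execute(
        "INSERT INTO account_head (description) VALUES ('" + description + "')"
    )


def insert_parameterized(conn: sqlite3.Connection, description: str) -> None:
    """Recommendation 1: a bound parameter; the value is never parsed as SQL."""
    conn.execute("INSERT INTO account_head (description) VALUES (?)", (description,))


def escape_sql_literal(value: str) -> str:
    """Recommendation 2, fallback only: inside a single-quoted SQL string
    literal the escape for ' is ''. Valid for SQLite and PostgreSQL string
    literals; useless for values placed anywhere else in a statement."""
    return value.replace("'", "''")


def insert_escaped(conn: sqlite3.Connection, description: str) -> None:
    conn.execute(
        "INSERT INTO account_head (description) VALUES ('"
        + escape_sql_literal(description)
        + "')"
    )


# Hypothetical whitelist for an account head: the field legitimately needs
# quotes, brackets and commas, which is exactly why recommendation 3 calls
# validation an incomplete defense on its own.
ACCOUNT_HEAD_RE = re.compile(r"^[A-Za-z0-9 ,.&()'/-]{1,100}$")


def validate_account_head(value: str) -> bool:
    return ACCOUNT_HEAD_RE.fullmatch(value) is not None


def compare_paths(description: str) -> dict:
    """Run one input through each insert path on a fresh table and report the
    resulting row count, or "error" when the statement failed to parse."""
    outcome = {}
    for name, insert in (
        ("unsafe", insert_unsafe),
        ("parameterized", insert_parameterized),
        ("escaped", insert_escaped),
    ):
        conn = new_db()
        try:
            insert(conn, description)
            outcome[name] = conn.execute("SELECT COUNT(*) FROM account_head").fetchone()[0]
        except sqlite3.OperationalError:
            outcome[name] = "error"
        conn.close()
    return outcome


def stored_text(description: str) -> str:
    """Insert with a bound parameter and read back the stored description."""
    conn = new_db()
    insert_parameterized(conn, description)
    text = conn.execute("SELECT description FROM account_head").fetchone()[0]
    conn.close()
    return text
```

With the legitimate value the concatenated statement simply fails to parse on the apostrophe, which is the same defect the report found in a different form: the field's content is being read as syntax. With the marker value the unsafe path produces two rows from one form submission, while the parameterized and escaped paths each store exactly one row holding the text as typed. Both sample values pass the whitelist, so on its own the whitelist would not have prevented either outcome.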

6. Same session id for two different users:


Step 1: Login from the admin account.
Step 2: Login from any other account.

Step 3: Using Burpsuite, we intercepted the requests and noticed that the session ids for the two different sessions are the same.
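Findings 2, 4 and 6 share one root cause: a session id that the server keeps honouring after logout, or that it hands to more than one login. The following is an added Python example of a server-side session store that avoids both; it is constructed for illustration and is not eBudget's or Tomcat's session handling. The SessionStore class, its idle timeout and the scenario function are assumptions; admin and so are the accounts the report used.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session table: the only authority on which ids are live.

    Constructed for illustration; not eBudget's Tomcat/Wicket session handling."""

    def __init__(self, idle_timeout_s: float = 900.0) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}  # id -> (user, last seen)
        self.idle_timeout_s = idle_timeout_s

    def login(self, username: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable id for every successful login.

        Never reuse an id and never accept one chosen by the client, so two
        users (or two logins) can never share a session id (finding 6)."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = (username, time.time() if now is None else now)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented id to its user, or None if unknown or idle too long.

        An id copied out of a URL or a proxy log is worthless once the server
        has forgotten it; findings 2 and 4 exist because it was not forgotten."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        now = time.time() if now is None else now
        if now - last_seen > self.idle_timeout_s:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (username, now)  # slide the idle window
        return username

    def logout(self, sid: str) -> None:
        """Invalidate on the server. Clearing the browser's cookie alone
        changes nothing here, and here is where the id must stop working."""
        self._sessions.pop(sid, None)


def replay_after_logout() -> dict:
    """The report's steps against this store: admin and so log in, so's id is
    copied, so logs out, and the copied id is presented again."""
    store = SessionStore()
    admin_sid = store.login("admin", now=0.0)
    so_sid = store.login("so", now=0.0)
    copied = so_sid  # what the proxy showed the tester
    before = store.resolve(copied, now=1.0)
    store.logout(so_sid)
    after = store.resolve(copied, now=2.0)
    return {
        "ids_distinct": admin_sid != so_sid,
        "before_logout": before,
        "after_logout": after,
        "other_user_unaffected": store.resolve(admin_sid, now=2.0),
    }
```

The explicit now parameter exists only so the idle timeout can be exercised deterministically; in a deployment the wall clock is used. The same store also gives the detection hook the report lacks: a request carrying an id that does not resolve is worth logging, because that is exactly what steps 4 and 5 of finding 2 would look like on the server.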


7. Server information displayed to the user end:


Step 1: Logging in to any account.


Step 2: Copying the URL.


Step 3: Opening this URL in another browser.


Server details and exceptions are displayed to the user.


Glossary

Cookie:
A message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser, which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it. The name cookie derives from Unix objects called magic cookies. These are tokens that are attached to a user or program and change depending on the areas entered by the user or program.

Browser cache:

Your browser (Netscape, Internet Explorer, etc., whatever application you use to surf the web) has a folder in which certain items that have been downloaded are stored for future access. Graphic images (such as buttons, banners, icons, advertising, graphs, and color bars), photographs, and even entire web pages are examples of cache items. When going to a page on a website, your computer will check its cache folder first to see if it already has those images and, if so, it won't take the time to download them again. This makes for faster loading of the page.


Secure Socket Layer(SSL):


The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of digital certificates.

GET AND POST METHOD:

The get method: When you specify method="get" in your <form> tag, the information you enter into your form will be tacked on to the end of the action= address. For example, go to Yahoo! and type computers in the search area. After you click the Search button, look at the Location area near the top of your browser window. It shows: http://search.yahoo.com/bin/search?p=computers

The first part, http://search.yahoo.com/bin/search, is the action address. The second part, p=computers, includes the word you typed. The neat part of the get method is that you don't even have to use a form to send the data.

Post method:

In computing, POST is one of many request methods supported by the HTTP protocol used by the World Wide Web. The POST request method is used when the client needs to send data to the server as part of the request, such as when uploading a file or submitting a completed form. In contrast to the GET request method, where only a URL and headers are sent to the server, POST requests also include a message body. This allows data of arbitrary length and of any type to be sent to the server.

WEB SERVER:
A web server is a computer program that delivers (serves) content, such as web pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web. The term web server can also refer to the computer or virtual machine running the program. In large commercial deployments, a server computer running a web server can be rack-mounted with other servers to operate a web farm.

The following are the various tasks performed by the Web server:

Virtual hosting to serve many Web sites using one IP address.

Large file support to be able to serve files whose size is greater than 2 GB on a 32-bit OS.

Bandwidth throttling to limit the speed of responses in order to not saturate the network and to be able to serve more clients.

Server-side scripting to generate dynamic Web pages, while still keeping Web server and Web site implementations separate from each other.


SALTED MD5 HASHING SCHEME:


HASH: Hash algorithms map binary values of an arbitrary length to small binary values of a fixed length, known as hash values. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plaintext and change even one letter of the paragraph, a subsequent hash will produce a different value. It is computationally improbable to find two distinct inputs that hash to the same value. A hash value is also known as a message digest. SHA1, MD5 etc. are hash algorithms.

MD5: The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest. This feature can be useful both for comparing files and for their integrity control.

[Figure: the message or input "abc", passed through the MD5 algorithm, gives the message digest (hash value) 900150983cd24fb0d6963f7d28e17f72]

Application of MD5 to encrypt passwords:


Web applications suffer from the vulnerability that credentials travelling in clear text can be sniffed from the network. The credentials can also be detected with the help of memory editing tools on shared systems which are used to access the authentication web pages. For the issue of the password travelling in clear text, the solution is to implement the salted MD5 technique. If only the MD5 of the password were submitted, tests in the lab have shown that it is possible to replay the hashed password (i.e. once a hash of the submitted password is generated, this can be copied and pasted repeatedly). Hence a salted MD5 hash of the password can be submitted. In this case the submitted value will not be the same every time, since the salt (which is a random number) changes every time, so the salted hashed password also changes every time.

The pre-requisite to this is that the backend database stores an MD5 hash of the password. When a client requests the login page, the server generates a random number, the salt, and sends it to the client along with the page. JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password, these two hashes should match. The server compares the two and, if they match, the user is authenticated.

MD5 is not collision resistant, and so is not suitable for applications like SSL certificates or digital signatures that rely on that property. An MD5 hash is typically expressed as a 32-digit hexadecimal number.

MD5 Hash Properties

The MD5 hash consists of a small amount of binary data, typically no more than 128 bits. All hash values share the following properties:

1. Hash length: The length of the hash value is determined by the type of algorithm used, and its length does not depend on the size of the file. The most common hash value lengths are either 128 or 160 bits.
2. Non-discoverability: Every pair of non-identical files will translate into completely different hash values, even if the two files differ only by a single bit.
3. Repeatability: Each time a particular file is hashed using the same algorithm, the exact same hash value will be produced.
4. Irreversibility: All hashing algorithms are one-way. Given a checksum value, it is infeasible to discover the password.
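The salted MD5 exchange described above, which is also the scheme recommended under finding 1 (Insecure Cryptographic Storage), as an added Python example; this is not the report's or eBudget's code. Both sides of the exchange sit in one file for clarity; md5_hex, server_issue_salt, client_response, server_verify and the _OUTSTANDING_SALTS set are names chosen here, and the USER_DB record is constructed (so is the account the report tested with; its password value is assumed). The example also makes explicit a check the description above leaves implicit: the server must accept only a salt it issued, and only once, otherwise the captured salt and response pair could simply be sent again.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    """MD5 digest as the 32-digit hexadecimal string the report describes."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# Server-side credential store. The report's prerequisite is that the
# database holds MD5(password). "so" is the account the report tested with;
# its password here is a constructed value.
USER_DB = {"so": md5_hex("so")}

# Salts the server has issued and not yet seen used (constructed state;
# a real deployment would bind each salt to its login attempt or session).
_OUTSTANDING_SALTS = set()


def server_issue_salt() -> str:
    """Generated when the login page is requested; fresh for every request."""
    salt = secrets.token_hex(16)
    _OUTSTANDING_SALTS.add(salt)
    return salt


def client_response(password: str, salt: str) -> str:
    """What the page's JavaScript computes: MD5(MD5(password) || salt)."""
    return md5_hex(md5_hex(password) + salt)


def server_verify(username: str, salt: str, response: str) -> bool:
    """Recompute MD5(stored_hash || salt) and compare in constant time.

    The salt must be one this server issued, and it is consumed on first use;
    otherwise a captured (salt, response) pair could simply be sent again."""
    if salt not in _OUTSTANDING_SALTS:
        return False
    _OUTSTANDING_SALTS.discard(salt)
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = md5_hex(stored + salt)
    return hmac.compare_digest(expected, response)


def login_exchange(username: str, password: str) -> bool:
    """One complete round trip: salt out with the page, response back, verdict."""
    salt = server_issue_salt()
    return server_verify(username, salt, client_response(password, salt))


def replay_is_rejected() -> bool:
    """The failure mode the report describes for unsalted MD5: a response
    captured from one login is presented again, both with the salt it was
    computed for and with the salt of the next login page."""
    salt1 = server_issue_salt()
    captured = client_response("so", salt1)
    genuine = server_verify("so", salt1, captured)  # consumes salt1
    replay_same_salt = server_verify("so", salt1, captured)
    salt2 = server_issue_salt()
    replay_new_salt = server_verify("so", salt2, captured)
    return genuine and not replay_same_salt and not replay_new_salt
```

What this protects and what it does not: the per-request salt stops a passive observer from replaying what crossed the wire, but under this scheme the stored MD5(password) is itself password-equivalent, since client_response can be computed from it, and MD5 is fast enough that such a hash is also cheap to brute-force. The stored hash therefore has to be guarded as carefully as the password, which is the substance of the report's Insecure Cryptographic Storage finding, and transport protection such as SSL remains the primary defense for credentials in transit.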

Cryptography
Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network. Cryptography uses two main styles or forms of encrypting data: symmetrical and asymmetrical.

Symmetric encryptions, or algorithms, use the same key for encryption as they do for decryption. Other names for this type of encryption are secret-key, shared-key, and private-key. The encryption key can be loosely related to the decryption key; it does not necessarily need to be an exact copy. Symmetric cryptography is susceptible to plaintext attacks and linear cryptanalysis, meaning that they are hackable and at times simple to decode. With careful planning of the coding and functions of the cryptographic process these threats can be greatly reduced.

Asymmetric cryptography uses different keys for encryption and decryption. In this case an end user on a network, public or private, has a pair of keys: one for encryption and one for decryption. These keys are known as a public and a private key; the private key cannot be derived from the public key. The asymmetrical cryptography method has been proven to be secure against computationally limited intruders. The security is a mathematical definition based upon the application of said encryption. Essentially, asymmetric encryption is as good as its applied use; this is defined by the method in which the data is encrypted and for what use. The most common form of asymmetrical encryption is in the application of sending messages, where the sender encodes and the receiving party decodes the message by using a random key generated by the public key of the sender.

Burp Suite:

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Burp Suite contains the following key components:

An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.

An application-aware spider, for crawling content and functionality.

An advanced web application scanner, for automating the detection of numerous types of vulnerability.

An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.

A repeater tool, for manipulating and resending individual requests.

A sequencer tool, for testing the randomness of session tokens.

The ability to save your work and resume working later.

Extensibility, allowing you to easily write your own plug-ins, to perform complex and highly customized tasks within Burp.


Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.


