Burp Suite from Portswigger.net is a fantastic web app testing tool that we use regularly at Secure Ideas. Though Burp is very popular in the security industry, there are a lot of features that often get overlooked. One of these features is the “Compare Site Maps” feature. This wizard-based function compares two different site maps of a site, displaying variations in an easy to review manner.
The most common use for this feature is to compare what a site looks like to an authenticated user versus a non-authenticated visitor. Often this can show us pages that are not correctly checking authentication. Another use-case is for sites that provide different information to different users. By reviewing how the site uses different tokens to access user-specific data, we may be able to determine vulnerabilities that allow us to access across those authorization boundaries.
|Our target, Joomla! is a very popular content management system.|
In this post I’ll show you how to use the Compare Site Map feature to assess whether each of the critical pages on a site actually check for authorization. Basically we’ll map the site as an administrator and then Burp will re-request each page as a regular user. We can then look for administrative pages that a non-administrator might be able to access. For the demonstration I’ll use the popular content management system Joomla.
The first step is to get Burp up and running. The easiest way to do this is to download the SamuraiWTF live CD or virtual machine image from www.samurai-wtf.org. The username/password to the system is samurai/samurai which will log you into an easy to use Linux system. If you’re not already familiar with SamuraiWTF, spend some time poking around.
When you’re ready to continue, click the blue K button on the bottom left to open the application launcher. Select Applications at the bottom and then in the list of applications click through to Samurai>Mapping>Interception Proxies>Burp Suite Free. This will launch the free version of Burp 1.4 which is installed and configured on the SamuraiWTF system.
The goal of this post isn’t to teach the basics of Burp, so if you’re completely new to the program, you should probably check out our recent Video Introduction to Burp, or maybe some of the tutorials on the Burp site.
|First map out the site in Burp as an administrator.|
The next step is to map out the site with the context of an administrative user. In this example, I logged into Joomla as the admin user and browsed some pages that should only be accessible to admins. In particular, I added a news posting. Once finished, I logged out so the session cookie would be removed in my browser.
Now that I’ve finished mapping the site as an administrator, I want to see whether any of those pages are accessible to a non-logged in site visitor. Obviously this would represent a significant issue with the site’s authorization if any visitor could access protected pages.
|Delete the session cookie in Burp’s cookie jar.|
But first I need to delete the session token cookie from Burp’s cookie jar. You can read more about the cookie jar in the official documentation, but the short version is that it stores the cookie values the site sent to your browser so that Burp can reuse those cookies. To delete the session cookie from Burp’s cookie jar, select the “options” tab on the top right, and then the “sessions” tab under that. About halfway down the page you’ll find the “view cookie jar” button. Use that to view the cookies in the cookie jar and remove the session cookie. In the screenshot to the right I only have one cookie to choose from.
Now we’re ready to compare our site maps. Go back to the “target” tab on the top left, and then the “site map” tab under that. Select the site you’re testing and then right-click that site to get the context-sensitive menu. On that menu, click “compare site maps” to launch the wizard that will walk us through the process.
|Burp’s Compare Site Maps Wizard|
The first page of the wizard allows you to choose from the current site map in Burp or to load from a previously saved Burp state file. However, this option is disabled on the free version, so click Next. On the second page we’re going to check the box that says “include in-scope items only”, as we don’t want to re-request other pages that may be outside the scope of this test.
The third wizard page again allows us to choose the source, and again we only have one option, to request the original site map in a new context. The next three pages give us a number of options to refine our test, but for this demo we’re just going to hit Next on each page and use the defaults.
Finally we finish the wizard and the site comparison begins. You can see the results in the image below. We have the two different site maps stacked vertically so we can compare the pages. Each page with differences is highlighted in orange. And if you scroll through the raw response, the changes, additions, or deletions are also highlighted for easy comparison.
|Comparing Site Maps: The same page loaded under two different user contexts.|
In the screenshot above, I’ve selected the page “index.php?option=com_content&task=edit” that allows us to edit postings on the site. As you can see in the top, when logged in as an administrator, we have access to the page. But on the bottom context, we can easily see that the authorization check prevents us from viewing the page. At this point it becomes very easy to scroll through the pages and look for irregularities and inconsistencies.
|Remove the logout page so that it doesn’t get re-requested.|
One more thing to note. If we re-request all of the pages we’ve visited already, that will include the logout page. In this particular example that doesn’t matter because our second context wasn’t logged in. However, this feature could also be used to compare the results of two different logged-in users. Perhaps you want to confirm whether a manager can access administrative pages. In that case, you would want to make sure to NOT re-request the logout page. One easy way is to select the page in the site map before you begin, right-click on it, and select “delete item.” Another option is, on the second page of the wizard, to choose “use only selected branches” instead of the default “use all items with responses.”
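As an added illustration (not part of the original post and not Burp’s own code), the script below reproduces the comparison logic in Python against a constructed in-memory stand-in for the site: every page from the privileged site map is re-requested in a second context, the logout page is skipped as described above, and pages whose response did not change are listed for review. The paths, cookie value and response bodies are constructed examples, and `public_paths` is an assumed allowlist for pages the tester already knows are public.

```python
import difflib

# Constructed stand-in for a real site: (path, session cookie or None) -> (status, body).
# The edit page checks authorization correctly; the user list page does not.
ADMIN_COOKIE = "admin-session-constructed"
_FAKE_SITE = {
    ("index.php?option=com_content&task=edit", ADMIN_COOKIE): (200, "<h1>Edit article</h1>\n<form>...</form>"),
    ("index.php?option=com_content&task=edit", None): (403, "<h1>Login</h1>\n<p>Not authorised.</p>"),
    ("index.php?option=com_users&task=list", ADMIN_COOKIE): (200, "<h1>Users</h1>\n<ul><li>admin</li></ul>"),
    ("index.php?option=com_users&task=list", None): (200, "<h1>Users</h1>\n<ul><li>admin</li></ul>"),
    ("index.php?option=com_login&task=logout", ADMIN_COOKIE): (303, ""),
    ("index.php", ADMIN_COOKIE): (200, "<h1>Home</h1>"),
    ("index.php", None): (200, "<h1>Home</h1>"),
}

def fake_fetch(path, cookie):
    """Stand-in for an HTTP request in a given session context (constructed data)."""
    return _FAKE_SITE.get((path, cookie), (404, "Not found"))

LOGOUT_MARKERS = ("logout",)

def compare_contexts(paths, fetch, privileged_cookie, other_cookie=None):
    """Re-request each page of the privileged site map in a second context and
    record status codes plus a unified diff of the bodies (the equivalent of
    Burp's orange highlighting). Logout pages are never re-requested because
    they would end the second session mid-comparison."""
    findings = []
    for path in paths:
        if any(marker in path.lower() for marker in LOGOUT_MARKERS):
            continue
        status_a, body_a = fetch(path, privileged_cookie)
        status_b, body_b = fetch(path, other_cookie)
        diff = list(difflib.unified_diff(body_a.splitlines(), body_b.splitlines(),
                                         fromfile="privileged", tofile="other", lineterm="", n=0))
        findings.append({
            "path": path,
            "status": (status_a, status_b),
            "identical": status_a == status_b and not diff,
            "diff": diff,
        })
    return findings

def suspicious(findings, public_paths=()):
    """Pages that came back identical in both contexts and are not known-public:
    these are the candidates for a missing authorization check."""
    return [f["path"] for f in findings if f["identical"] and f["path"] not in public_paths]
```

Identical responses are only a lead, not proof: a page may legitimately be public, so the list from `suspicious` still needs the manual review the post describes.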
Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.