Comments on: Using the Burp Suite to bypass (weird) access controls

By: Grant Stone

Grant Stone — Mon, 15 Aug 2011 18:27:41 +0000

Kiki’s probably trying to access sites before loading the targets in the “target >> scope” tab. You can’t just visit any site in your browser while the proxy is set, only what Burp allows – and it only allows what you’ve previously established as your target. Sorry to post on such an old topic, but I’m willing to bet that was the problem.

By: Wesley McGrew

Wesley McGrew — Sat, 06 Nov 2010 15:33:54 +0000

It’s hard to say what might be wrong. You may have some personal firewall software blocking Burp, or you may not have configured the browser to point to the proxy correctly.

By: Kiki

Kiki — Sat, 06 Nov 2010 12:54:51 +0000

I configured the browser, now I cannot access any sites. The proxy in Burp Suite was found to be running at port no 8080. Can you please help me in case I’ve gone wrong somewhere .

By: Az

Az — Thu, 17 Dec 2009 15:32:52 +0000

how can i use basic things in burp suit

By: Wesley McGrew

Wesley McGrew — Mon, 21 Sep 2009 18:59:20 +0000

Hi Eric! Yes, that’s one way of fixing it. This was in a student term project, and I’ve never seen the same mistake made in a production application (although it seems like an easy enough mistake to make that it wouldn’t surprise me to see it again).

The original intent of the post was to use it as a unique situation to have a short Burp Suite tutorial, for the students of the class and the readers. Judging from the google referrals I get for this post I’d say it’s working out .

Thanks for commenting!

By: Eric

Eric — Mon, 21 Sep 2009 17:29:11 +0000

Well the if statement should also have an else, and what the admin is supposed to see should be inside of there. If this was done you wouldn’t have the ability to perform this bypass. Pretty poor coding to just have that one check at the top before loading the whole page anyway.

A good find nonetheless!

By: admin

admin — Sat, 14 Mar 2009 03:30:04 +0000

Hi Fred!

Sorry you don’t like the theme. If you’d like to read it in a form that’s pleasant to you, I’d recommend loading the feed up in the RSS reader of your choice.

I honestly don’t use the Intruder funcitonality that much. When I get to that point, I’m just more comfortable writing/extending my own scripts. I realize I’m probably reinventing wheels by doing this, but it’s what I’ve done for a long time, so it’s a comfort-zone thing. Intruder is very nice and powerful, as you said. I’d say it’s probably well worth the $170 if you plan on using it regularly. That’s a pretty small chunk of what you’d make off of one assessment/pen-test/whatever, then it’s yours to keep.

I don’t really see any problem with Portswigger trying to make a buck off of it. He wrote a very nice tool, and I think he deserves it. As you said, if you know what you’re doing, you can roll your own functionality. It’s a time/money trade-off like anything else.

Thanks for the comment, Fred. Gave me something to consider.

By: Fred

Fred — Sat, 14 Mar 2009 01:53:45 +0000

Hi,
I didn’t read the entire page because your fonts are ugly and white on black is not a pleasant facade in which for me to read. But Burp Suite is severely limited. The most powerful functionality is Intruder and the attacks are time-throttled. Portswigger wants about $170 for the real thing. But if you but the book, there is Java source which provides much of the intruder functionality.
What do you think?

By: admin

admin — Sat, 07 Feb 2009 22:36:07 +0000

This depends on what the server is doing to measure the time since you last voted. If it’s doing something like storing the time-of-last-vote in a cookie somewhere, then you’ll need to modify that cookie value. If it’s storing it server-side associated with a session ID in a cookie, then you need to get another session ID (generate one, come in as a different user, etc). If it’s storing it server side with your IP address, you need to come in from a different IP address (which Burp isn’t going to help you with).

By: Neil John

Neil John — Sat, 07 Feb 2009 16:39:36 +0000

how do you trick your time in your host with this burp?
example:

in a site where in a member can only vote for 12 hrs interval. how would you trick that site that you can still vote a lot without waiting for 12 hrs?

pls help.. nid this to learn.. i can’t figure it out!