The Basics
- Features
  - Proxy
    - interception and modification of requests and responses while interacting
  - Repeater
    - capturing, modifying and resending the same request multiple times
    - useful for crafting payloads
  - Intruder
    - spraying endpoints with requests
    - brute force attacks or fuzzing endpoints
  - Decoder
    - decode captured information or encode payloads before sending them
  - Comparer
    - enables comparison of two pieces of data
    - at word or byte level
  - Sequencer
    - assessing randomness of tokens
    - can expose lack of secure randomness
Proxy
- intercepting requests
  - requests will be intercepted and HELD BACK
  - can be edited, dropped or sent in this state
- taking control
  - complete control over web traffic
- capture and logging
  - capture and log requests made through proxy
  - even when interception is turned off
- websocket support
  - capture and log websocket communication
- logs and history
  - retrospective analysis and sending the requests to other modules as needed
Site Map and Issue Definitions
- site map
  - map out web applications in a tree structure
  - auto generates site maps through usage of app
  - or auto crawl pages
- issue definitions
  - list of web vulnerabilities
- scope settings
  - include or exclude IPs or domains
  - focus on target
Repeater
- Record a request using the proxy module
- Action -> Send to Repeater
- Edit values
- ???
- Profit
Intruder
Attack Types
Sniper
- effective for single position attacks
- password brute force
- fuzzing api endpoints
- provide set of payloads, e.g. wordlist, range of numbers or letters
- rotates given payloads
Battering Ram
- inserts same payload into every position simultaneously
- useful when testing against multiple positions, without need for sequential substitution
Pitchfork
- one payload set per position
- multiple snipers at once
- all tested simultaneously
Cluster Bomb
- one payload set per position
- iterates through each set individually
- ensures every possible combination is tested
Last modified 2023.10.16