
I want to create (and update ongoing) a list of input vectors for my site, including forms (GET and POST etc).

I am new to pen tesing, and have been pointed at Burp (free). I have Spidered my site, and see a comprehensive sitemap.

What is the best way to filter that list (or otherwise) so I can get an idea around what points to look at protecting for XSS and CSRF?

square_eyes
    Shouldn't your whole site be protected against XSS and CSRF? I'm really not sure what you're asking for. – schroeder Jun 30 '15 at 22:29
  • You might be looking for web vulnerability scanners. See an extensive and ongoing comparison of them (including Burp pro) here: sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html – Orny Jun 30 '15 at 23:47
  • @schroeder I am looking at setting up a test to create a list of input locations on the website. I could make the list manually (forms, fields, searches, Ajax etc.), but the point is to be able to pick up any future URLs that get added to the site, which aren't documented. I'm not even sure if my current list is 100% up to date. Hence the exercise. – square_eyes Jul 01 '15 at 00:08
  • Yeah, what you want is (AFAIK) not available in the free version of Burp but is available in the paid-for version (engagement tools --> analyse site), which comes up with a list of GET/POST requests and the parameters they take. Whilst I don't know that it explicitly handles this case, if you want a free alternative I'd start with a look at OWASP ZAP if I were you. – Rory McCune Jul 01 '15 at 13:24
  • @Orny Looks like that link is down. The google cache still has the contents though. – J Kimball Jul 01 '15 at 17:45

2 Answers

You can filter or view parameterised requests (either GET or POST). These are shown in the site map. They will show you where input could possibly lead to an XSS or CSRF vulnerability.

However, be aware that XSS attacks can also happen via HTTP headers or cookies, or any other external source of data to the application.

SilverlightFox

Are you saying that you want a list of request parameters? If so, I don't think it's possible, though you can filter requests containing parameters and requests that don't.

What is the best way to filter that list (or otherwise) so I can get an idea around what points to look at protecting for XSS and CSRF?

The best way to look for XSS issues is to check whether the input parameters are reflected as-is in the corresponding responses. There's already a plug-in written to detect whether the input parameters are reflected back in the response, called Reflected Parameters, but I doubt it's only for the pro version. To look for CSRF issues, you can check whether the request contains a token, and filter requests containing that keyword (for example, Facebook uses fb_dtsg as an anti-CSRF token).

With these in place, you may proceed with real testing.

And, as far as I remember, the free version of Burp Suite doesn't allow you to filter requests :(
FYI, OWASP ZAP Proxy is an alternative to Burp Suite, and is free.

1lastBr3ath
  • Not parameters, but URLs leading to potential input. e.g. the action URL of any forms. Thanks for the additional info about tokens. These are used, so I will include this in my search. However, ongoing, this check will actually be designed to identify any future input vectors that may not have had tokening implemented. i.e. identifying potential CSRF weaknesses. – square_eyes Jul 01 '15 at 21:34
  • I'm testing Zap now and it looks good. I have found a hidden tab listing the parameterised vectors. So could be a go for future use. – square_eyes Jul 01 '15 at 23:16
  • Not parameters, but URLs leading to potential input

    I don't know what exactly you're trying to say, but inputs are generally sent as parameters. In some cases inputs may also be sent along in cookies or HTTP headers. If you take into account cookies as inputs, all URLs may contain cookies. HTTP headers are typically used when the input doesn't change for a long period of time (OAuth Token, for example).

    And I'm not aware of any techniques that will identify future input vectors, it should be limited to what you've programmed to, and future is unpredictable anyway.

    – 1lastBr3ath Jul 03 '15 at 02:46
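The two checks described in the answer above (parameter values reflected verbatim in the response, and state-changing requests that carry no anti-CSRF token) can be scripted over exported proxy traffic. This is an added example, not code from either answerer or from Burp/ZAP; the captured request/response pairs are constructed inline, and the token names list is a hypothetical set that would need to match the site's own token name.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of proxied traffic (not real captures).
# Each entry: (method, URL, POST body, response body).
CAPTURED = [
    ("GET", "https://example.test/search?q=hello", "", "<p>Results for hello</p>"),
    ("POST", "https://example.test/profile", "name=alice&fb_dtsg=abc123", "<p>Saved</p>"),
    ("POST", "https://example.test/comment", "text=nice+post", "<div>nice post</div>"),
    ("GET", "https://example.test/about", "", "<h1>About</h1>"),
]

# Hypothetical anti-CSRF parameter names; adapt to the application under review.
CSRF_TOKEN_NAMES = {"fb_dtsg", "csrf_token", "_token"}


def extract_params(method, url, body):
    """Collect query-string parameters and, for POST, form-body parameters."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if method == "POST":
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def analyse(captured):
    """Return one finding per parameterised request: which values are
    reflected unchanged in the response (XSS candidates) and whether a
    POST lacks any known anti-CSRF token (CSRF candidates)."""
    findings = []
    for method, url, body, response in captured:
        params = extract_params(method, url, body)
        if not params:
            continue  # no input vector on this request
        reflected = [k for k, v in params.items() if v and v in response]
        has_token = any(k in CSRF_TOKEN_NAMES for k in params)
        findings.append({
            "method": method,
            "path": urlparse(url).path,
            "params": sorted(params),
            "reflected": reflected,
            "csrf_token_missing": method == "POST" and not has_token,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(CAPTURED):
        print(f)
```

Run this against fresh exports on each spider run and diff the findings to spot newly added input vectors that have no token or that reflect input.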