Friday, September 11, 2009

BToD Ajax & 'Find References' (Pro version only)

Apologies in advance, this post is only helpful if you have the professional version of Burp Suite which can be purchased Here.

This post (specifically) is meant to help folks who test sites utilizing AJAX but the 'find references' function of Burp Suite Pro can be utilized for other reasons as well (of course right?).

When testing an application in which you've found a vulnerable AJAX function, it is beneficial to the customer and your report to note everywhere this function is used within the application.

To use this function it is quite simple. Once you have COMPLETELY finished testing (or at least this is how I do it) and its reporting time, you locate the vulnerable function in your target listing, right click, and click 'find references'. It looks like this..........

Then a results table will pop up with everywhere this function was referenced (my shows none because this was not a real test).

Ensure you check the responses section of where this function was referenced. This is where JS is laid out so it makes sense this is where you will find the function.

Okay, so that is it. Not much to it but something certainly, IMO, worth noting.

Happy Hacking!

No comments: