Monday, September 7, 2009

BToD > Intruder & Dates

Tonight's Burp Suite tip is super basic. You have a parameter that is clearly a date. So you want to re-submit the same request iterating thru various dates ONLY.

For example, lets say a company is going to offer a special (kind of like that pizza company a few months back) but haven't released it yet. Well you may want to submit various dates, FUTURE dates, to see if a response with a coupon pops-up.

In the example below, I found a date parameter which did not fit into Burp Suite's preset list of date formats. In this case, its very easy to create your own custom date format.

Firstly, send the request containing the date parameter to fuzz over to the Intruder tab. Catch the request in the proxy (or use the proxy history), right click, and 'send to intruder'.

You now need to select your target or where your payload is to be set. Navigate to Intruder >  Positions and select your target. Add the variable symbol on either side of the target (the date) by clicking the 'add' button. Should look like this:

At the Intruder > Payloads tab you will notice the 'payload set'. Use the drop down menu that says "preset list" by default and select 'dates'.

Okay, here is where we want to do some customization. So to keep it short, I will only fuzz 3 different days. You can get the gist from the picture but the portion I want to touch on is 'format'. Click the radio button format where it does NOT have a drop down. This is where you can enter your date. So our parameter was 2009_9_7 which we can safely assume is year, month and date. So I will enter yyyy_M_d. If I was to enter yyyy_M_dd then the day would switch to 07 vice 7 which would be incorrect according to the format. So all in all it should look like this:

You are done! Now go to the very top, choose the drop down for Intruder and click start. 
Note: This is very customizable so ensure you play around a bit modifying the 'step' field from 1 day to 1 month, etc etc. A lot of functionality to toy with here so try it out.
Happy Hacking!

No comments: