CNIT 129S Proj 8: Defeating Client-Side Validation with Burp (15 pts.)

What You Need

A web browser configured to use the Burp proxy, which you set up in a previous project.

Purpose

To practice defeating several different types of client-side validation.

Configuring a Proxy

Using Firefox, at the top right, click the icon with three horizontal bars.

Click Preferences, Advanced, Network, Settings.

Configure your browser to use 127.0.0.1 on port 8080 as a proxy, as shown below.

Start BurpSuite

In Burp, on the Proxy tab, on the Intercept sub-tab, click the "Intercept is on" button so it changes to say "Intercept is off".

In Burp, on the Proxy tab, on the Options sub-tab, ensure that Burp is listening on address 127.0.0.1, port 8080, as shown below.

Opening an Insecure Site

In Firefox, go to

http://ad.samsclass.info

The page loads in Firefox, and Burp shows the requests on the Proxy tab, on the "HTTP history" sub-tab, as shown below.

Opening a Secure Page

In Firefox, go to

https://attack.samsclass.info

A message appears, saying "Your connection is not secure", as shown below.

This message appears because Burp is intercepting the HTTPS traffic and your browser does not trust the certificate Burp presents. To allow that, you must import the certificate into your browser's store of trusted certificates.

Importing the SSL Certificate

In Firefox, click the Advanced button.

Click the "Add Exception..." button.

Click the "Confirm Security Exception" button.

The secure page loads, and Burp shows the requests used to load it, as shown below.

Viewing the Client-Side Challenges

In Firefox, scroll down and click "Client-side Controls Demonstrations".

The challenges appear, as shown below.

Refer to Chapter 5

This project just follows the first half of chapter 5. The techniques are shown in the textbook, my lecture slides, and the lecture video.

Solving the Challenges

Each challenge has a Goal at the bottom. The first challenge is to "buy an iPhone for $50".

Use Burp to solve the challenges. After each one, capture a whole-desktop image showing that you have succeeded, as shown below.
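The first challenge above succeeds only because the server trusts a price the browser sends. The following is an added example (not code from the course page or the demonstration site) showing a checkout handler that trusts the client's price beside one that does not; the catalog, item names, prices, field names and request bodies are constructed.

```python
# Added example: why client-side price validation must be repeated server-side.
# CATALOG, the field names and the request bodies are constructed, not the site's.
from urllib.parse import parse_qs

# Server-side catalog: the only source of truth for prices.
CATALOG = {"iphone": 699, "case": 25}


def parse_form(body: str) -> dict:
    """Parse a URL-encoded POST body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_total(body: str) -> int:
    """Trusts the hidden 'price' field as the browser sent it.

    The page's JavaScript and hidden <input> set this field, but anything
    the browser sends can be changed in the proxy before the server sees it.
    """
    form = parse_form(body)
    return int(form["price"]) * int(form["quantity"])


def hardened_total(body: str) -> int:
    """Ignores any client-supplied price; looks it up and validates quantity."""
    form = parse_form(body)
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= quantity <= 10:
        raise ValueError("quantity out of range")
    return CATALOG[item] * quantity


def price_mismatch(body: str) -> bool:
    """Detection hook: True when the client-sent price disagrees with the catalog."""
    form = parse_form(body)
    item = form.get("item", "")
    return item in CATALOG and form.get("price") not in (None, str(CATALOG[item]))


if __name__ == "__main__":
    # Constructed bodies: one as the form sends it, one with the price changed.
    honest = "item=iphone&quantity=1&price=699"
    tampered = "item=iphone&quantity=1&price=50"
    print(vulnerable_total(tampered))  # 50: the server accepted the browser's price
    print(hardened_total(tampered))    # 699: the price came from the catalog
    print(price_mismatch(honest), price_mismatch(tampered))  # False True
```

The mismatch check is worth logging in a real application: a client-sent price that disagrees with the catalog is a reliable signal that a request was modified in transit.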

Turning in Your Project

Email the images to cnit.129S@gmail.com with a subject of "Proj 8 from YOUR NAME".

Posted 9-26-16
Image fixed 2-20-18
Updated to stop using Bing 4-7-18

Sam Bowne