CNIT 129S Proj 8: Defeating Client-Side Validation with Burp (15 pts.)
What You Need
A web browser (Firefox in this project) configured
to use the Burp proxy, which you set up in a
previous project.
Purpose
To practice defeating several different types
of client-side validation.
Configuring a Proxy
Using Firefox, at the top right, click the
icon with three horizontal bars.
Click Preferences, Advanced,
Network, Settings. (In current Firefox
versions the same dialog is under
Settings, General, Network Settings.)
Configure your browser to use 127.0.0.1 on
port 8080 as a proxy for all protocols,
as shown below.
Start BurpSuite
In Burp, on the Proxy tab,
on the Intercept sub-tab,
click the "Intercept is on"
button so it changes to say
"Intercept is off".
In Burp, on the Proxy tab,
on the Options sub-tab,
ensure that Burp is listening on
address 127.0.0.1, port 8080,
as shown below. If Firefox later reports
"The proxy server is refusing connections",
Burp is not listening on that address
and port.
Opening an Insecure Site
In Firefox, go to
http://ad.samsclass.info
The page loads in Firefox, and
Burp shows the requests
on the Proxy tab,
on the "HTTP history" sub-tab,
as shown below.
Opening a Secure Page
In Firefox, go to
https://attack.samsclass.info
A message appears, saying
"Your connection is not secure",
as shown below.
This message appears because Burp terminates
the TLS connection and presents its own
certificate for attack.samsclass.info, signed
by Burp's CA, which Firefox does not trust.
To proceed, you must either add a security
exception for this site (shown below) or
import Burp's CA certificate into your
browser's store of trusted certificates.
Importing the SSL Certificate
In Firefox, click the Advanced
button.
Click the "Add Exception..."
button.
Click the "Confirm Security Exception"
button.
This adds an exception for one site only.
To trust every HTTPS site Burp proxies,
browse to http://burp through the proxy,
click "CA Certificate" to download Burp's
CA, and import it in Firefox under
Preferences, Advanced, Certificates,
View Certificates, Authorities, Import,
trusting it to identify websites. Do this
only in a browser profile used for testing:
whoever holds that CA's private key can
impersonate any HTTPS site to that browser.
The secure page loads, and Burp shows
the requests used to load it,
as shown below.
Viewing the Client-Side Challenges
In Firefox, scroll down and click
"Client-side Controls Demonstrations".
The challenges appear,
as shown below.
Refer to Chapter 5
This project just follows the first half
of chapter 5. The techniques are shown
in the textbook, my lecture slides,
and the lecture video.
Solving the Challenges
Each challenge has a Goal at the
bottom. The first challenge is to
"buy an iPhone for $50".
Use Burp to solve the challenges:
turn Intercept on, submit the form,
edit the request before forwarding it
(Burp recalculates Content-Length for you),
and confirm that the server accepted the
modified value.
After each one, capture a whole-desktop
image showing that you have succeeded,
as shown below.
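The following Python script is an added example, not code from the project page or from ad.samsclass.info. It shows, without a browser, what editing a request in Burp's Intercept tab does: a hidden price field, a JavaScript price check, or any other client-side control is just a suggestion, because the attacker rewrites the request after it leaves the browser. The captured request, the "shop.example" host, the catalog, and the two checkout handlers are all constructed for this illustration; the vulnerable handler trusts the submitted price, the hardened one looks the price up server-side and flags a mismatch.

```python
# Added example (not from the original project page). Constructed request,
# catalog and handlers; nothing here is taken from ad.samsclass.info.
from urllib.parse import parse_qs, urlencode

# Constructed request, shaped like one Burp shows on the Intercept tab:
# the page's JavaScript filled in a hidden "price" field for us.
CAPTURED_REQUEST = (
    b"POST /buy HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"product=iPhone&price=649"
)

# Server-side price list (constructed).
CATALOG = {"iPhone": 649, "Charger": 29}


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def tamper_form_param(raw: bytes, name: str, value: str) -> bytes:
    """Rewrite one urlencoded form field and fix Content-Length.

    This is the edit you make by hand in Burp's Intercept tab; Burp updates
    Content-Length for you, a script has to do it itself or the server will
    read a truncated or over-long body.
    """
    request_line, headers, body = split_request(raw)
    form = parse_qs(body.decode(), keep_blank_values=True)
    form[name] = [value]
    new_body = urlencode(form, doseq=True).encode()
    new_headers = []
    for h in headers:
        if h.lower().startswith(b"content-length:"):
            h = b"Content-Length: %d" % len(new_body)
        new_headers.append(h)
    return b"\r\n".join([request_line, *new_headers]) + b"\r\n\r\n" + new_body


def _form_fields(raw: bytes) -> dict:
    _, _, body = split_request(raw)
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}


def vulnerable_checkout(raw: bytes) -> dict:
    """Trusts the price the browser sent: the client-side control is the only check."""
    form = _form_fields(raw)
    return {"product": form["product"], "charged": int(form["price"])}


def hardened_checkout(raw: bytes) -> dict:
    """Ignores the client-supplied price; the catalog is the only source of truth.

    A submitted price that disagrees with the catalog is reported as tampering
    so it can be logged, which is the detection side of the same weakness.
    """
    form = _form_fields(raw)
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    claimed = form.get("price")
    tampered = claimed is not None and claimed != str(CATALOG[product])
    return {"product": product, "charged": CATALOG[product], "tampered": tampered}


def demo() -> dict:
    """Run the tampered request through both handlers."""
    tampered = tamper_form_param(CAPTURED_REQUEST, "price", "50")
    return {
        "original_vs_vulnerable": vulnerable_checkout(CAPTURED_REQUEST),
        "tampered_vs_vulnerable": vulnerable_checkout(tampered),
        "tampered_vs_hardened": hardened_checkout(tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same `tamper_form_param` edit covers the other client-side controls in this chapter: a field the HTML marked `disabled` or `readonly`, a `maxlength` limit, or a value a script validated before submit all arrive at the server as ordinary form bytes, and only a server-side check like `hardened_checkout` can enforce them.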
Turning in Your Project
Email the images to cnit.129S@gmail.com
with a subject of
"Proj 8 from YOUR NAME".
Posted 9-26-16
Image fixed 2-20-18
Updated to stop using Bing 4-7-18
Sam Bowne