burp | burp - backup and restore program | Continuous Backup library
burp - backup and restore program
Community Discussions
Trending Discussions on burp
QUESTION
I'm relatively new to Spring Boot. Currently, I'm making a Spring Boot application with a user registration system, but I've run into an issue. Some of the fields in a form are registering as 'null' on the back end, despite the request being posted correctly.
I have an HTML/Thymeleaf form which submits 8 fields to create a 'User' object. This is the form:
...ANSWER
Answered 2022-Feb-15 at 13:57
You have th:object="${user}" in your Thymeleaf template, so I have to assume that your @GetMapping method in your controller has added an instance of User to the Model using addAttribute.
In your @PostMapping, you should also use @ModelAttribute:
QUESTION
I'm trying to learn the basics of SQL by setting up a simple database in SQLite.
I created two tables, "people" and "departments"
The people table has three columns: ID(primary key), Name and Age;
The departments table has two columns: ID(primary key) and DeptName;
A single person can work in more than one department, so I created a third table "P2D" with two columns, "PpID" and "DpID" constrained to the ID columns of the other two tables. Maybe there's a better way to do this, but that's what I figured out (is it?)
Now, I need to make a query to display people name, age and departments. I made this:
...ANSWER
Answered 2022-Jan-25 at 21:05
You could use COALESCE(), since GROUP_CONCAT() output is NULL for 0 results:
QUESTION
I have a security concern raised by a security consultant with regards to a website of one of my clients:
Using Burp Suite Community Edition, running a POST request with the following parameter string:
search=Search&city=Johannesburg&city=Madrid
PHP populates the POST array to this:
...ANSWER
Answered 2022-Jan-21 at 12:28
The problem you have described goes by the name parameter pollution. It is a bit of a bug and a bit of a feature of web servers. It may have security implications if, for example, your filter layer checks access rights on the first occurrence of the userid attribute, but the business logic takes the last occurrence of the attribute. You will get an inconsistency that may be exploited.
If you are vulnerable to this type of attack, for me it is strong evidence that you are doing something wrong inside the code, like taking the message body and extracting the attributes manually from the POST requests, and doing it in a different way in two different parts of your code.
If you don't do anything really stupid, this kind of attack will not hurt the system and does not need any kind of mitigation code.
Unless you really must fix stuff like this, in which case I would say - take a WAF to clear the request before it even reaches the web server.
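The first-versus-last mismatch described in this answer, as an added example that is not part of the original answer. It is a Python sketch run over the parameter string from the question; the function names and the `multi_valued` allow-list are illustrative assumptions, not code from the site in question.

```python
from urllib.parse import parse_qsl

# Constructed request body, copied from the parameter string in the question.
BODY = "search=Search&city=Johannesburg&city=Madrid"

def pairs(body):
    """Decode a form body into ordered (name, value) pairs, keeping duplicates."""
    return parse_qsl(body, keep_blank_values=True)

def first_wins(body):
    """View of a component that keeps the first occurrence of each name."""
    out = {}
    for name, value in pairs(body):
        out.setdefault(name, value)
    return out

def last_wins(body):
    """View of a component that keeps the last occurrence of each name."""
    return dict(pairs(body))

def conflicting_params(body):
    """Names on which a first-wins and a last-wins reader would disagree."""
    first, last = first_wins(body), last_wins(body)
    return sorted(n for n in first if first[n] != last[n])

def parse_once(body, multi_valued=()):
    """One parse shared by every layer; rejects unexpected repeated names.

    multi_valued (hypothetical allow-list) names the fields that may repeat.
    """
    out = {}
    for name, value in pairs(body):
        if name in multi_valued:
            out.setdefault(name, []).append(value)
        elif name in out:
            raise ValueError(f"duplicate parameter: {name}")
        else:
            out[name] = value
    return out
```

Feeding the result of `parse_once` to both the access check and the business logic removes the inconsistency, because neither layer re-reads the raw body.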
QUESTION
Peeping at the 'Working with HTTP/2 in Burp Suite' to find out why the option to strip the connection header exists, I found the reason to be 'This is because many HTTP/2 servers will reject requests containing this header.'.
Is there a specific reason for that?
...ANSWER
Answered 2021-Dec-18 at 14:42
Yes, the HTTP/2 specification states, in section 8.1.2.2:
HTTP/2 does not use the Connection header field to indicate connection-specific header fields; in this protocol, connection-specific metadata is conveyed by other means. An endpoint MUST NOT generate an HTTP/2 message containing connection-specific header fields; any message containing connection-specific header fields MUST be treated as malformed
Having said that, many servers are more lenient and tolerate Connection headers to be present, although they are ignored.
The reason for this restriction is that the Connection header makes sense in an HTTP/1.1 request, where one request at a time was sent over a TCP connection.
In a multiplexed protocol like HTTP/2, it does not make sense for a request (a HTTP/2 stream) to carry connection headers, because there may be multiple requests on the same TCP connection.
As an extreme example, if you have an HTTP/2 stream with Connection: close and another, concurrent, HTTP/2 stream with Connection: keep-alive (although keep-alive is deprecated even in HTTP/1.1), what should an HTTP/2 implementation do? Close the connection as the first stream suggests, or keep it open as the second stream suggests?
Clearly this is not applicable to multiplexed protocols like HTTP/2, and that's why implementations reject such requests.
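The section 8.1.2.2 rule quoted in this answer, written as a check plus the stripping step a translating proxy performs (added example, not part of the original answer and not Burp's code). The header list is constructed, and the function names are illustrative assumptions.

```python
# Connection-specific fields named in RFC 7540 section 8.1.2.2.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}

# Constructed HTTP/1.1-style header list, as a client might hand to a proxy.
SAMPLE = [("Connection", "keep-alive, X-Hop"), ("Keep-Alive", "timeout=5"),
          ("X-Hop", "1"), ("Accept", "*/*"), ("TE", "trailers")]

def te_ok(value):
    """TE is the one exception: allowed only with the value 'trailers'."""
    return value.strip().lower() == "trailers"

def malformed_reasons(headers):
    """Reasons a strict HTTP/2 endpoint would treat this header list as malformed."""
    reasons = []
    for name, value in headers:
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC:
            reasons.append(f"connection-specific field: {lname}")
        elif lname == "te" and not te_ok(value):
            reasons.append("te carries a value other than 'trailers'")
    return reasons

def strip_for_h2(headers):
    """Drop Connection, every field it nominates, and other per-connection fields."""
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(",") if t.strip())
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC or lname in nominated:
            continue
        if lname == "te" and not te_ok(value):
            continue
        out.append((lname, value))  # HTTP/2 field names are lowercase
    return out
```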
QUESTION
My application is accessible only on VPN (I use Cisco VPN client) and I need to have a proxy enabled in my Chrome browser using Foxy Proxy.
Only after I connect to the VPN and enable Foxy Proxy am I able to access my application.
How can I monitor the traffic of my app via Burp?
What should I use - Burp's built-in browser or an external browser?
Can you please point me in the right direction? Currently I have no clue about where/how to start.
Thanks!
ANSWER
Answered 2021-Dec-02 at 08:34
This is what I eventually did:
- So I set up the browser with Foxy Proxy to point to Burp (127.0.0.1:8080)
- Set in my Proxy Settings of Windows OS to use proxy pointing to my VPN IP
- Set in Burp, in the User Options tab under Upstream Proxy Servers, the IP of my VPN as well
- Needed to configure a self-signed certificate with Burp (their docs are a great resource)
So this way all my browser traffic goes through the local Burp, which then goes through my VPN, and I can successfully open my app page and intercept the traffic.
Also there is a hint just to filter/track traffic from specific site:
- Target tab > define the Target Scope to be the URL of your app
- Proxy tab > Options tab > in Intercept Client Requests check the one with the "And URL In target scope"
QUESTION
In my Android app we are using a Retrofit web service for communication with the server. Some hacker intercepts the request and modifies it using a tool, Burp Suite.
Please help me understand how I can stop this intercept attack.
...ANSWER
Answered 2021-Dec-01 at 09:04
What Burp Suite does - it basically performs a man-in-the-middle attack. It generates an HTTPS certificate and pretends to be a browser.
The thing is, if your server and your client are protected from this MITM attack - those tools won't work. At least in the mobile apps - the browser will show a security error but still will pass the data through.
The solution you can use is including your specific SSL certificate in the app and making the app consider it to be the only trusted one. It will be more or less secure - depending on the implementation. It is also free because you can attach a self-signed certificate you created yourself, since you control the verification. Naturally, the backend should also use the same SSL certificate. While using this technique, Burp Suite generated certificates won't work because the app knows only one trusted certificate.
The technique itself is called SSL pinning or certificate pinning, and you can find plenty of info online about how to implement it both on the client and server.
I will give you several links though:
Here is the nice article about how to do it with retrofit(okhttp).
Here is the official documentation for OkHttp CertificatePinner
Here is the small implementation of retrofit SSL pinning.
Here is one more article.
It is not enough but the issue is complex and one StackOverflow answer won't suffice. But I think it is a good start to do the actual implementation.
Also as a small recommendation - use encryption to store your SSL certificate key instead of plain string storage - it still won't be secure from memory spoofing but it will be much harder for the hacker to use it.
QUESTION
I want to make a bot that detects the word "burp" in every sentence, after it sees one, it'll send a message with "weight kg"
...ANSWER
Answered 2021-Dec-01 at 00:46
if "burp" in ctx.content:
    # do something
    pass
QUESTION
I have a MySQL stored procedure (shown below) that's supposed to build a list of IDs from a table of hierarchically related records. I'm having to re-engineer an older stored procedure to switch from using a simple CONCAT function to GROUP_CONCAT because the former couldn't handle the sizes of the lists being generated (i.e., the lists are going well over the 1024 character limit of the CONCAT function).
...ANSWER
Answered 2021-Nov-21 at 05:39
You can't use GROUP_CONCAT() as a scalar function; it must be used in the context of a set of rows. Similarly, you can't use any other aggregate function without a table reference:
QUESTION
I want to pen test rest apis, the use case I have is a client(desktop app with username and password) connecting to a server. So I am confused from where to start and how to configure burp. Usually I use burp to pen test websites, which is quite easier to configure, you only set the proxy and intercept in the browser, but now the use case is different. Furthermore, I did some search on google I noticed postman is mentioned many times, I know it's a tool for building apis, but is it also used in the pentesting with the burp?
...ANSWER
Answered 2021-Oct-10 at 09:26
As you know, Burp intercepts HTTP/S protocol traffic and it isn't a tool for intercepting network traffic. So to achieve your goal, you can use Wireshark or something else for finding the software's REST API endpoint.
After that, you can start your penetration testing using Burp as you did before.
So how can you find the REST API endpoint in Wireshark? You can filter network results using this pattern:
QUESTION
I've added some args to a script with argparse which function fine. Now I'm trying to format the --help output. I've added metavar='' to each one which has produced a much cleaner output, however there are spaces after the single flags making the text rag oddly.
Flag will display as -m , --model instead of -m, --model
Flags with type=bool with const and nargs display as -x [], --xip [], having the extra space and [] added.
Not finding much info on how to clean this up. Did find discussions on python.org that the extra space is a known problem and using metavar='' is not ideal.
example code:
...ANSWER
Answered 2021-Nov-18 at 17:59
Well, I managed to figure it out after finding some old posts on SO.
The code from This Post sets up an add_argument_group. You then add your args and hide the help text by setting help=argparse.SUPPRESS.
The actual text that is displayed in --help is the title and description of the group. This makes it very easy because you're just concatenating strings at that point and can add in your colorama styling easily with + where needed.
The code from the post:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install burp
Debian/Ubuntu:
    apt-get install make pkg-config check g++ librsync-dev libz-dev libssl-dev uthash-dev
RHEL or CentOS 7:
    yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    yum install make gcc gcc-c++ bzip2 pkgconfig librsync-devel libzip-devel openssl-devel uthash-devel libacl-devel ncurses-devel openssl-perl libcap-devel
RHEL or CentOS 8:
    dnf install epel-release
    dnf --enablerepo=PowerTools list uthash-devel
    dnf install make gcc librsync-devel openssl-devel libacl-devel ncurses-devel zlib-devel