Hello guys. This is going to be an interesting blog post, as we are going to see a practical demonstration of two awesome tools in the penetration testing industry.
One is Burpsuite. If you are here, we assume you already know what Burpsuite is and how it works; this post will give you some better insights into it. You can also enrol yourself in a course on Udemy, ‘Web Application Penetration Testing Using Burp Suite’, a full-fledged course that takes you from zero to one in web application penetration testing using Burp Suite.
The other is Knoxss. If you don’t know it, just know that Brute Logic develops it, and if you know XSS, we guess you must have used the Brute Logic website at least once.
Burpsuite is a hacker’s toolbox, as it contains tools for every purpose, whereas Knoxss is only for finding XSS vulnerabilities. So here we will only try to find XSS bugs in the application and compare the results of both.
We will be comparing the Burpsuite Pro version against the Knoxss Pro version and give our conclusions, so you will know more about both and how they can be useful.
The first thing that you need to do is get Webgoat up and running.
Webgoat is an intentionally vulnerable web application that is used for training new security researchers. You can see the steps involved in getting it running here.
If all is good, then upon opening the URL http://localhost:8080/WebGoat/, it will look like this:
Scanning with Burpsuite Active Scanner
Let’s start with Burpsuite first and then check the same challenges again with Knoxss.
One thing you will need to do is change your Burpsuite proxy listener to any port other than 8080, because Webgoat is running on that port. We have changed it to 8000 in our case to avoid conflicts. See the screenshot below.
Similarly, you need to change the browser’s proxy to port 8000 as well, so that Burpsuite can act as the proxy.
See the screenshot.
If you are facing problems with this setting, watch this video on setting up Burpsuite.
So, all set and done, let’s start finding XSS with Burpsuite.
So go to the Cross Site Scripting -> Stored XSS challenge in Webgoat and write anything in the input boxes. Make sure Intercept is on in Burpsuite. Capture the request and run an active scan on it. Remember, Active Scan is only available in the Pro version. Active Scan sends multiple modified requests to see if a vulnerability is present; in this case, we will look out for XSS vulnerabilities.
This is what we got by running an active scan in Burpsuite Pro on this request.
Though it was able to find some other vulnerabilities, it couldn’t detect that the input fields on this page are vulnerable to XSS. Burpsuite results can also sometimes be false positives.
Let’s look at the Reflected XSS challenge now.
You can see that it worked in this case correctly.
It correctly found the Reflected XSS vulnerability on that page, for certain. So Burpsuite passes in this case.
Testing with Knoxss Pro Extension for Firefox
Let’s get back to Knoxss for these two cases.
As of this moment, we are using Firefox Quantum, and the Knoxss extension does not work with this latest version of Firefox. The timeline for a fix is still unknown, so it is wise to use Firefox ESR rather than an outdated Firefox version and install the extension there. We will make sure to update this post as soon as we get the new extension that supports Firefox Quantum.
To use the extension, go to the page where you want to check for XSS and press the ‘K’ button, which should be present if you installed the extension correctly. The extension will then turn ‘ON’ and you can see whether it found any XSS on the page.
So let’s check for Stored XSS first. Go to the stored XSS challenge page and start the extension.
See the screenshot below.
If you look in the top-right corner, it says Knoxss wasn’t able to find any vulnerability in the form, the same as with Burpsuite. But we know that the page is vulnerable to stored XSS, so neither of them could find it.
Turn the extension off by clicking the button, then visit this page, start the extension once again and stay there for 10-30 seconds.
Knoxss wasn’t able to find the XSS vulnerability in this case either.
Please don’t get us wrong. While you will see many posts on tools working successfully, this post was meant to show that even such popular scanners can fail. The lesson is that you can’t always rely on the findings of an automated tool. Sometimes the results are false positives, but many times they won’t even catch the vulnerability. We knew that both cases were vulnerable, but the scanners couldn’t detect them. Had we inserted a simple payload manually to check for XSS, it might have worked.
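The post does not say why both scanners missed the stored XSS challenge while Burpsuite caught the reflected one. One common reason, offered here as an illustration rather than as a diagnosis of Webgoat itself, is that a stored payload never appears in the response to the request that carried it; it is only rendered when a different page is loaded later. The following added example (our own constructed Python model, not Webgoat, Burpsuite or Knoxss code) shows a toy comment board with a reflected `search` sink and a stored `submit`/`view` pair, a scanner model that inspects only the immediate response, a scanner model that re-fetches the pages where stored data may land, and the hardened variant in which output encoding with `html.escape` makes the probe harmless. All class and function names are hypothetical.

```python
import html
import uuid


class ToyBoard:
    """Constructed stand-in for a Webgoat-style challenge (not Webgoat code).

    search() echoes its parameter in the same response (reflected pattern).
    submit() stores a comment and returns only an acknowledgement page.
    view() renders the stored comments on a separate page (stored pattern).
    """

    def __init__(self, escape_output=False):
        self.comments = []
        self.escape_output = escape_output  # True = hardened variant

    def _out(self, s):
        # Hardened variant: contextual output encoding for HTML text content.
        return html.escape(s, quote=True) if self.escape_output else s

    def search(self, q):
        return f"<p>Results for {self._out(q)}</p>"

    def submit(self, author, text):
        self.comments.append((author, text))
        # Note: the submitted text is NOT part of this response.
        return "<p>Thanks, your comment was saved.</p>"

    def view(self):
        items = "".join(
            f"<li><b>{self._out(a)}</b>: {self._out(t)}</li>" for a, t in self.comments
        )
        return f"<ul>{items}</ul>"


def make_probe():
    """Unique, harmless marker wrapped in angle brackets. If it reaches the
    HTML unencoded, the sink is not escaping its input."""
    return f"<xchk{uuid.uuid4().hex[:8]}>"


def probe_immediate(send):
    """Scanner model A: inject into one request, inspect only that response."""
    probe = make_probe()
    return probe in send(probe)


def probe_with_recrawl(send, pages):
    """Scanner model B: inject, then re-fetch the pages where the data may land."""
    probe = make_probe()
    send(probe)
    return any(probe in fetch() for fetch in pages)


def run_comparison():
    """Return which (scanner model, sink) pairs flag an unescaped sink."""
    results = {}
    weak = ToyBoard()
    # Reflected sink: the echo is in the direct response, so model A sees it.
    results["reflected/immediate"] = probe_immediate(weak.search)
    # Stored sink: the direct response is only an acknowledgement, model A misses it.
    results["stored/immediate"] = probe_immediate(lambda p: weak.submit("tester", p))
    # Same stored sink, but model B re-fetches the view page and finds the marker.
    results["stored/recrawl"] = probe_with_recrawl(
        lambda p: weak.submit("tester", p), [weak.view]
    )
    # Hardened board: output encoding turns "<" into "&lt;", so nothing is flagged.
    hardened = ToyBoard(escape_output=True)
    results["hardened stored/recrawl"] = probe_with_recrawl(
        lambda p: hardened.submit("tester", p), [hardened.view]
    )
    results["hardened reflected/immediate"] = probe_immediate(hardened.search)
    return results


if __name__ == "__main__":
    for name, flagged in run_comparison().items():
        print(f"{name:30} {'FLAGGED' if flagged else 'not flagged'}")
```

The point of the model is that a scanner which only correlates its payload with the response to the same request (model A) is structurally blind to stored injection, whatever its payload list looks like, while re-crawling the pages that display user data (model B) finds it with a harmless marker. The hardened variant shows the fix on the application side: encoding output for the HTML context, so neither model flags anything.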
We would like to mention that both of these tools have worked magnificently for many other users in live testing. This post was just for demonstration purposes. Where a Burpsuite Pro license costs $349 per year, a one-year license for Knoxss Pro is $107. So, try out the free versions, and if you think you should buy the Pro version, go for it. As for us, we are trying both of them now and will update this post again if we find something interesting to share with you all. So stay tuned for that.
Until then, keep trying, and if you get stuck, please comment and someone from ENCIPHERS will surely help you out.