Burp, OAuth2.0 and tons of coding: a testimony of my internship in the penetration testing team at NVISO!

Hi, my name is Turpal and I did my internship at NVISO from the 24th of February until the 29th of May 2020. In this blog post, I want to provide a few more details about what exactly I did during this time, and what my experience felt like!

The internship was part of my Bachelor paper as I had to write about the results of my tasks including a research topic.

NVISO’s headquarters are located in Brussels, which is 6 hours of travelling (to and from) from where I live. Since the college I study at didn’t allow for remote working during the internship, it meant I had to travel each weekday. The travelling wasn’t really a problem for me; I had more than enough motivation to get up early every day. Ever since I took part in the Cyber Security Challenge 2019 and got destroyed, I knew I wanted to be the very best, and that meant I had to do my absolute best every single day.

The tasks for my internship were a nice challenge for me. They consisted of three parts:

  • Making an extension for Burp Suite to facilitate the collection and extraction of evidence during a pentest.
  • Creating guidelines for penetration testers to discover advanced web attacks (e.g. HTTP desync).
  • Researching OAuth2.0 and investigating whether it’s possible to automatically detect the vulnerabilities an OAuth2.0 application is vulnerable to, or alternatively creating a cheat sheet of possible vulnerabilities.

During web application penetration tests, Burp Suite is actively used by colleagues at NVISO. After a pentest, a report of the found vulnerabilities has to be delivered to the customer, and since that report consists of the requests and responses (evidence) to and from the web app, pentesters have to manually copy-paste this evidence from Burp Suite to the filesystem. This is not an efficient process and can take quite some time if many vulnerabilities are found in the web application.

Burp Suite is an awesome tool, as it allows you to extend its features by adding a custom extension. So the first task was to write such an extension, which gives pentesters a clear overview of the findings (found vulnerabilities) and evidence (requests and responses related to a finding) and a way to easily export them to the filesystem. NVISO’s pentesters use a particular folder structure, which the extension had to produce.

Sneak peek into the Burp evidence collector plugin, which was part of my internship and which will be released soon publicly on the BApp Store.

I chose to create the extension in Python instead of Java or Ruby because in Python it’s easier (in my opinion) to write small to medium-sized scripts. The start was quite the challenge, since I had zero experience with Burp extensions and the documentation was quite abstract. I used other Python extensions to understand the flow. Once I understood this, the progress came rapidly.
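As an added illustration of the export step such an extension needs (my own sketch, not the Evidence Collector code), the function below takes request/response bytes in the form a Burp extension receives them from IHttpRequestResponse.getRequest()/getResponse() and writes them into a per-finding folder tree. The folder layout and the sample finding are assumptions, since the post does not give NVISO’s actual structure; finding titles are sanitised so a crafted title cannot write outside the export root.

```python
import os
import re
import tempfile

# Constructed sample: one finding with one request/response pair, as a Burp
# extension gets them (already converted from Java byte[] to Python bytes).
SAMPLE_FINDINGS = {
    "Reflected XSS in search": [
        (b"GET /search?q=test HTTP/1.1\r\nHost: example.test\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>test</p>"),
    ],
}

def safe_name(title, maxlen=60):
    """Folder name for a finding title; runs outside [A-Za-z0-9._-] become '_' so '../../etc' -> 'etc'."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", title).strip("._")
    return cleaned[:maxlen] or "unnamed_finding"

def export_findings(root, findings):
    """Write every finding's evidence below root and return the paths written.
    Assumed layout (the post does not give NVISO's real one):
      <root>/<finding>/evidence_NN/{request,response}.txt
    Existing evidence folders are kept; numbering continues after them.
    os.path only, so this also runs under Burp's Jython 2.7.
    """
    root = os.path.realpath(root)
    written = []
    for title, pairs in findings.items():
        folder = os.path.join(root, safe_name(title))
        if os.path.dirname(folder) != root:  # belt-and-braces traversal check
            raise ValueError("refusing to write outside export root: " + folder)
        if not os.path.isdir(folder):
            os.makedirs(folder)
        existing = len([n for n in os.listdir(folder) if n.startswith("evidence_")])
        for n, (request, response) in enumerate(pairs, start=existing + 1):
            ev_dir = os.path.join(folder, "evidence_%02d" % n)
            os.mkdir(ev_dir)
            for name, data in (("request.txt", request), ("response.txt", response)):
                path = os.path.join(ev_dir, name)
                with open(path, "wb") as fh:
                    fh.write(data or b"")  # Burp may hand back no response (None)
                written.append(path)
    return written

def demo():
    """Export the sample twice into a fresh temp dir to show numbering continues."""
    root = tempfile.mkdtemp(prefix="evidence_")
    return export_findings(root, SAMPLE_FINDINGS), export_findings(root, SAMPLE_FINDINGS)
```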

During the development of the extension I got some great feedback from my coaches and colleagues at NVISO. Their feedback and support really elevated the extension to the next-level. It’s quite a success, a lot of pentesters really liked it. It’s also soon to be released to the BApp Store under the name “Evidence Collector”. Another blog post will follow once it’s been published, so keep an eye out for that!

For the second task of my internship I had to research and understand advanced web attacks including HTTP desync, web cache poisoning, race conditions, … For that I read some great papers written by James Kettle on PortSwigger. James has an excellent writing style, which made it really fun and interesting to read those articles. In combination with those papers and other articles written by Egor Homakov, Josip Franjkovic and Aaron Hnatiw, I had quite a solid understanding of these attack techniques and was able to write general guidelines for discovering them.

For my research, I was quite disappointed not to find any automatic scanners which can detect vulnerabilities in OAuth2.0 applications. OAuth2.0 has existed since 2012 and I thought there would exist something, but as my research continued I realized why: it’s quite difficult to make a program which can detect such vulnerabilities because there are many possible attack vectors. OAuth2.0 should be implemented very carefully because some measures have to be taken to protect users. I concluded my research and created a cheat sheet which pentesters can use to determine if an OAuth2.0 application is vulnerable.

The support I received during my internship helped me a lot to improve my results so I want to thank Vincent De Schutter (my coach at NVISO) and Sam Agten (my coach at PXL) for providing valuable feedback during my internship!

Thank you to Timo Vergauwen (pentester at NVISO) for submitting excellent feature requests for the Burp Suite extension!

Thanks to all my colleagues at NVISO for the awesome time!
