What Moving To the Bay Area Taught Me About Loving My Pentesting Tools

jamie-street-512689-unsplash

Let’s talk for a moment about love, relationships and commitment…

Most application security engineers I’ve met have already settled down and found their special one. They stick with that one, stay committed and never have a second thought about another.  I’m talking about Burp and Fiddler

To be honest, I was one of those guys. I had found Fiddler and we were exclusive for 5 years. It was a beautiful relationship.  A perfect match it seemed. Every time my co-workers tried to introduce me to Burp it went in one ear and out of the other. I only had eyes for Fiddler. I was sure that Fiddler was the best choice for me.  We were soulmates you might say. Burp, as I saw it was just cumbersome software for people who like to spend money.

The Move That Opened My Mind

 Photo by Lili Popper

More than a year ago I moved to California to start a new adventure in Silicon Valley and immediately realized two interesting things:

  1. Open minded Californians helped me understand not every relationship must be exclusive and there are many ways to love.
  2. I realized that using Windows alone in the Valley made me stick out. Sitting in Starbucks with my Dell laptop made me feel like an alien who had just landed on Earth.

Motivated by these revelations I gave in, moved to Mac and decided it was time to give Burp a chance. I’m hoping to use my experiences to help others and now, I’ll try to convince you why you should use both Burp & Fiddler.

 

Fiddler – The Beauty

I’ve loved Fiddler for years. My connection was quick and clear. I know some of you might think that Fiddler is a tool just for web developers and no good for security engineers. I disagree. Let me share my philosophy about pentesting and why Fiddler is a perfect fit.

After a pentest, there are two types of reports you can present:

  1. The “banal” type – Findings are straightforward and most of the vulnerabilities uncovered could likely be found by automatic scanners. Nothing too exciting.
  2. The “holy cow how did you do it” type – Findings are unique and exciting. The exploitation is out of the box, and the report usually leaves the client speechless. This is the stuff that gets me out of bed in the morning.

In order to fulfill the dynamic and flexible nature of the second type, you need the right “partner” – Fiddler. In my mind, every good pentest starts with the “evaluation” phase.

The Evaluation Phase

The app is used as a regular user checking the main functions to get to know the business logic. After getting a baseline of what the app does, you can drill in and focus on a specific area in the app. During the “drill in” process you should be continuously sniffing the app traffic with a web proxy.

Personally, this is my favorite part of the test – I try to feel more comfortable with the app by looking at the HTTP calls and asking myself questions, like:

  • What is the structure of the APIs?
  • Are there multiple versions?
  • Are all of the APIs running on the same server?
  • How did the developers choose to pass input – REST or SOAP?
  • How do they prefer to index objects – GUID or sequence numbers?

Hundreds of different ideas and assumptions start to fill my head during the evaluation phase. Some of them might be silly like an attempt to exploit an SSRF with gopher://. While some lead to really impressive exploitations. All these ideas and assumptions need to be validated or disproved as quickly and smoothly as possible to be efficient. You don’t want to waste time moving between tabs or views – things that can distract your mind and slow down your process. You don’t want your tool getting in the way here.

Why Fiddler Is Best In The Evaluation Phase

Fiddler is the best tool for the evaluation phase. It has a great UI and a set of shortcuts that makes the process super easy and efficient. Here’s why:

  • Most UI components are under the same view
  • The history of the HTTP requests and the manipulated requests are in the same view
  • Filtering of HTTP the requests / responses can be done in a few clicks
  • Repeating and intercepting one or more HTTP requests can be done in one click (just mark them and click ‘R’)
  • Presenting different data formats is built in for JSON, XML and even viewstates for those of us who test systems from the last millennium.

Without this level of convenience the evaluation phase is much slower and exhausting with tools like Burp.

 

Burp Suite Professional – The Overlooked

At first glance Burp is a more cumbersome tool especially when compared to Fiddler. As I’ve dug in I’ve found that it has a great framework and many features that can make life easier during a pentest. You can say that I’ve learned to love Burp too.

Comparing Burp To Fiddler

Comparing the two, the main advantages of Burp over Fiddler are:

  • Project management and stability – The Burp environment is super rich and allows you to manage a pentest using features for logging, mapping and filtering data, like:
  1. Detailed logs that can be filtered using multiple parameters.
  2. A “sitemap” feature that shows all the URLs accessed in a convenient tree view.
  3. Filtering of common domains / URLs like “google analytics” with the ability to reuse these filters in further launches of the app (unlike Fiddler)

On top of these advantages Burp can handle a large number of steps, large responses and it even has an automatic backup mechanism.

  • Support – Burp has great support for a wide variety of use cases making it really flexible with capabilities like:
    • Support for multiple operating systems
    • Better WebSocket support
    • Frequent updates
    • More export options – you can export specific user/project configuration and specific HTTP calls.
  • Automation – The Intruder feature makes a pentester’s life easier with the ability to automate certain actions, like IDOR exploitation (identifiers enumeration) and information gathering.

One More Thing On Burp

One last thing to mention not necessarily related to the comparison, but Burp is also a great automatic scanner with a “live audit” approach, differentiating it from many other scanners. This helps solve problems like expired tokens and insufficient crawlers’ discovery.

 

Why Not Enjoy The Best Of Both Worlds?

After a few weeks using Burp I was left wondering which tool to use. Fiddler, my first love, or Burp the one that I had previously overlooked. I found the perfect solution to use both – use Burp as a proxy to Fiddler! Here’s how I do it:

(firefox is the best by the way)

Open Fiddler and go to “Tools” → “Options” → “Gateway”


I’ve been using this set up for more than a year, it works really great and I’m not compromising on the convenience of Fiddler or the rich features of Burp.

This combination let’s me use Fiddler as a whiteboard to quickly validate or disprove my ideas, and Burp to manage my findings and automate specific actions.

Burp + Fiddler – My Setup

Here’s my screenshot from a pentest of “OWASP Juice Shop”. During the evaluation process I was testing the “add to basket” and this is how I used my setup:

  1. I saw an API call to and endpoint with a numeric ID – “rest/basket/4
  2. I suspected it might be vulnerable to an IDOR, so I just marked the API call and used the “E” keyboard shortcut
  3. Fiddler created a copy of the same request, and I just changed the ID from 4 to an ID of 2 – a basket I shouldn’t have access to
  4. The server returned details of another user
  5. I found the request in Burp’s “HTTP history” tab and sent it to the repeater
  6. There I tried a few other IDs and set a name for this tab (“IDOR – basket”).

In the same view you can see a few other vulnerabilities I found and documented. I also have the option to send this call to the “Intruder” tool, automate the exploitation and get all the details of the baskets.

Closing Thoughts

Even though it might take some time to get used to this setup, I find the combination very efficient and it makes many of the things that I do smoother and faster.

I hope this post has opened your mind a bit and made you consider the benefits of both of these tools. I’d love to hear your thoughts on Burp or Fiddler in the comments below and if after reading this let me know if you’re considering using them together like I do.

Share this post