Burp v1.4 preview – Comparing site maps
Somewhat later than planned, as is customary, Burp v1.4 is nearly ready, and it’s time to share with you the highlights of what is coming. This release focuses on a small number of frequently requested features which, though you may not use them every day, can in some situations really make your life easier. Over the next few days, I’ll be blogging about different features, to whet your appetite. Then I’ll release a beta version for Pro users to play with. Everyone with a current license will receive an automatic upgrade to the new version.
The first broad area of new functionality in Burp v1.4 is various features to help test access controls. Fully automated tools generally do a terrible job of finding access control vulnerabilities, because they do not understand the meaning or context of the functionality that is being tested. For example, an application might contain two search functions – one that returns extracts from recent news articles, and another that returns sensitive details about registered users. These functions might be syntactically identical – what matters when evaluating them is the purpose of each function and the nature of the information involved. These factors are way beyond the wit of today’s automated tools.
Burp does not try to identify any access control bugs by itself. Instead, it provides ways of automating much of the laborious work involved in access control testing, and presents all of the collected information in a clear form, allowing you to apply your human understanding to the question of whether any actual vulnerabilities exist.
One exciting new feature to help with access control testing is the facility to compare two site maps and highlight differences. This feature can be used in various ways to help find different types of access control vulnerabilities, and identify which areas of a large application warrant close manual inspection. Some typical use-cases for this functionality are as follows:
- You can map the application using accounts with different privilege levels, and compare the results to identify functionality that is visible to one user but not the other.
- You can map the application using a high-privileged account, and then re-request the entire site map using a low-privileged account, to identify whether access to privileged functions is properly controlled.
- You can map the application using two different accounts of the same type, to identify cases where user-specific identifiers are used to access sensitive resources, and determine whether per-user data is properly segregated.
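To make the first two use-cases concrete, here is a small Python model of what the comparison does, added as an illustration and not Burp's own code: site-map items are matched by method and path and bucketed into one-side-only, identical and differing, then a privileged map that was re-requested in a low-privileged session is checked for items that came back unchanged. The `Item` type and all three sample site maps are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    """One site-map entry: a request and the response it received (constructed model)."""
    method: str
    path: str
    status: int
    body: str

def compare_site_maps(left, right):
    """Match items by (method, path) and bucket them the way a site-map comparison does:
    present on one side only, present on both with identical responses, or differing."""
    l = {(i.method, i.path): i for i in left}
    r = {(i.method, i.path): i for i in right}
    result = {"only_left": sorted(set(l) - set(r)),
              "only_right": sorted(set(r) - set(l)),
              "same": [], "differ": []}
    for key in sorted(set(l) & set(r)):
        a, b = l[key], r[key]
        if (a.status, a.body) == (b.status, b.body):
            result["same"].append(key)
        else:
            result["differ"].append((key, a.status, b.status))
    return result

def access_control_candidates(privileged_map, low_priv_map, rerequested_as_low_priv):
    """Use-case 1 tells us which functions only the privileged user can see; use-case 2
    tells us which of those still returned their normal response when re-requested in the
    low-privileged session. The intersection is what a human should inspect first."""
    privileged_only = set(compare_site_maps(privileged_map, low_priv_map)["only_left"])
    unchanged = compare_site_maps(privileged_map, rerequested_as_low_priv)["same"]
    return sorted(k for k in unchanged if k in privileged_only)

# Constructed sample data: an admin's map, an ordinary user's map, and the admin map
# re-requested with the ordinary user's session cookie.
ADMIN = [Item("GET", "/home", 200, "welcome"),
         Item("GET", "/admin/users", 200, "<table>alice,bob</table>"),
         Item("GET", "/admin/export", 200, "id,name\n1,alice"),
         Item("POST", "/admin/delete", 200, "deleted")]
USER = [Item("GET", "/home", 200, "welcome"),
        Item("GET", "/profile", 200, "profile of carol")]
REREQUESTED = [Item("GET", "/home", 200, "welcome"),
               Item("GET", "/admin/users", 403, "Forbidden"),       # control enforced
               Item("GET", "/admin/export", 200, "id,name\n1,alice"),  # unchanged: inspect
               Item("POST", "/admin/delete", 302, "")]              # redirected to login

if __name__ == "__main__":
    print(access_control_candidates(ADMIN, USER, REREQUESTED))
```

Only `/admin/export` is flagged: it is invisible to the ordinary user's own crawl yet served unchanged to that user's session, which is exactly the kind of item the comparison exists to surface for manual review.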
You can access the new feature using the context menu on the main site map:
This opens a wizard that lets you configure the details of the site maps you want to compare, and how the comparison should be done. When selecting the site maps you want to compare, the following options are available:
- The current site map that appears in Burp’s target tab.
- A site map loaded from a Burp state file that you saved earlier.
- Either of the above, re-requested in a different session context.