Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps:

First, configure the upstream proxy that will sit between Burpsuite and the web application to listen on a different port, since both tools bind TCP 8080 by default. Here I've configured ZAP to listen on port 8082:

Screenshot: ZAP proxy port configuration

Then, edit Burpsuite’s configuration to point to the upstream proxy. Here, I set a wildcard destination host using ‘*’ and set the proxy host to ‘localhost’ and proxy port to ‘8082’:

Screenshot: Configuring Burpsuite's upstream proxy


Shifty Lander V1

Here is a small side project that I had wanted to do for a while, but hadn't made the effort until I got some downtime in a hotel.

The idea: create a unique URL/address/lander/etc. that you can find easily, but that is hard for an outside party to locate even if they have full packet capture (albeit they are not likely analyzing it in real time).

Not reinventing the wheel here, but I hadn't made it myself, so why not learn. This same sort of tactic is used by people who hard-code malware to beacon out to a generated list of domains that shifts according to time (a domain generation algorithm). My personal idea for this one is that you have a command and control login page you don't want people brute forcing, or maybe you are just storing data scraped from cookies on a server and you don't want it to be static. This lets you very easily have a resource whose name changes in a way you can work out from any computer that has access to sha1sum, or, because you can go to an online sha1sum tool, every device with a NIC....

Obviously, if you use this, anyone on the defense side worth a darn will write a rule to block or alert on any callouts to

If you use this generator to make subdomains, the same tactics apply. That being said, what if you use this code with an SMTP library to send email out to an address that changes every 24 hours? A bit more difficult to detect.

This is V1, I hope it will grow in capabilities.

On the server with your landing page, run this script:
python "secret code" path/to/file filename.php
Set it and forget it.

Then, wherever you are, when you want to log in, check hash dumps that are being posted, etc.,
type this into your *nix prompt: echo -n "YEAR-MONTH-DAY:secret code" | sha1sum
Take that sha1sum output, slap a .php on the end, and go to your URL. Log in and rejoice that Google isn't indexing it.

This is what it looks like when you run it initially on the server:
Screenshot from 2015-02-24 19:10:57

This is how you find your landing page wherever you are (or through an online sha1sum creator):
Screenshot from 2015-02-24 19:09:45

NOTE: I used system calls for hashing, etc. This will not run on a non-*nix server, so if you are running this on Windows it is most likely going to have to use Python libs and be compiled by the likes of pyexec. If you've gone that far, you might as well duplicate this functionality in PowerShell and then post it here 🙂

#!/usr/bin/env python
# Shifty Lander V1: renames the landing page once a day to sha1("YEAR-MONTH-DAY:CODE") + ".php"
from datetime import date
import os
import sys
import time
try:
    from shlex import quote      # Python 3
except ImportError:
    from pipes import quote      # Python 2

print(r'''
 __ _     _  __ _           __                 _                    _ 
/ _\ |__ (_)/ _| |_ _   _  / /  __ _ _ __   __| | ___ _ __  /\   /\/ |
\ \| '_ \| | |_| __| | | |/ /  / _` | '_ \ / _` |/ _ \ '__| \ \ / /| |
_\ \ | | | |  _| |_| |_| / /__| (_| | | | | (_| |  __/ |     \ V / | |
\__/_| |_|_|_|  \__|\__, \____/\__,_|_| |_|\__,_|\___|_|      \_/  |_|
''')

if len(sys.argv) != 4:
    print("Oops!  Proper format (3 args) is as follows....")
    print("python %s \"secret code\" /absolute/path/ filename.php" % sys.argv[0])
    sys.exit(1)

code = sys.argv[1]
path = sys.argv[2]
page = sys.argv[3]
print("------------------------------------------------keyzer[at]")
print("This version changes the landing page every day. You can edit it as you see fit, I wouldn't go under hourly for sure")
print("The point of this method is that packet monitoring won't give up the landing page unless the analysis is near realtime")
print("This same method can be used to create subdomains, or exfill to a unique rotating email account (HINT HINT:")
print("---------------------------------------------------use legally -----------------------------------------------------")
print("Your secret code is: %s" % code)
print("The page that will act shifty is: %s/%s" % (path, page))
print("To find your lander from a remote computer type: echo -n \"YEAR-MONTH-DATE:CODE\" | sha1sum")
print("Remember to use the timestamp of the server hosting your website..... Or edit this to be GMT")


def codecruncher():
    # Current format is YEAR-MONTH-DATE (ISO date) ...... remember this is according to the server time
    currentdatewithcode = str(date.today())
    # Current format is YEAR-MONTH-DATE:CODE
    currentdatewithcode += ":" + code
    # Hash with the system sha1sum (see the NOTE above); quoted so spaces or shell
    # metacharacters in the secret code reach sha1sum unchanged
    formatstring = "echo -n %s | sha1sum" % quote(currentdatewithcode)
    hashcode = os.popen(formatstring).read()
    # sha1sum prints "<40 hex chars>  -\n": keep only the digest
    hashcode = hashcode.split()[0]
    return hashcode + ".php"


def shift(oldname, newname):
    # Rename within the same directory, the equivalent of: mv path/oldname path/newname
    os.rename(os.path.join(path, oldname), os.path.join(path, newname))


# Get the ball rolling before the loop: move the original page to today's name
hashcodeold = codecruncher()
shift(page, hashcodeold)
print("%s is now: %s" % (page, hashcodeold))

while True:
    # Test once a minute whether the date (and therefore the hash) has changed
    time.sleep(60)
    hashcodenew = codecruncher()
    if hashcodenew != hashcodeold:
        shift(hashcodeold, hashcodenew)
        print("filename is: %s" % hashcodenew)
        hashcodeold = hashcodenew
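
As an added example (not the post's script or the author's code), here is a portable hashlib version of the name computation, producing the same value as the echo | sha1sum command above, together with the access-log check a defender would write against it. The secret, the day and the log lines are constructed samples.

```python
#!/usr/bin/env python3
# Added example (not the original post's script): a portable hashlib version of the
# lander-name computation, plus the access-log check a defender can run against it.
import hashlib
import re
from datetime import date

DEMO_SECRET = "secret code"     # constructed sample secret, not a real one
DEMO_DAY = date(2015, 2, 24)    # fixed day so the results are reproducible


def lander_name(secret, day=None):
    """Same value as: echo -n "YEAR-MONTH-DAY:secret" | sha1sum   (plus ".php").

    `day` defaults to today's date on the local clock, like the script above;
    pass an explicit date to compute the name for another day.
    """
    day = day or date.today()
    material = "%s:%s" % (day.isoformat(), secret)   # e.g. "2015-02-24:secret code"
    return hashlib.sha1(material.encode("utf-8")).hexdigest() + ".php"


DEMO_NAME = lander_name(DEMO_SECRET, DEMO_DAY)

# Defender's view: rotating the name hides *which* file is live, not its shape. Every
# lander is exactly 40 lowercase hex characters plus ".php", so one regex over the
# access log flags requests to it without knowing the secret or the date.
LANDER_RE = re.compile(r'"(?:GET|POST) /(?:[^ "]*/)?[0-9a-f]{40}\.php(?:\?[^ "]*)? HTTP/')

# Constructed Apache-style access-log lines (not real traffic); two hit the lander.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2015:19:10:57 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.7 - - [24/Feb/2015:19:11:03 +0000] "GET /%(n)s HTTP/1.1" 200 1024
10.0.0.9 - - [24/Feb/2015:19:12:40 +0000] "POST /admin/%(n)s?user=a HTTP/1.1" 302 0
10.0.0.5 - - [24/Feb/2015:19:13:01 +0000] "GET /about.php HTTP/1.1" 200 300
""" % {"n": DEMO_NAME}


def flag_shifty_requests(log_text):
    """Return the access-log lines whose request path looks like a rotating lander."""
    return [line for line in log_text.splitlines() if LANDER_RE.search(line)]


if __name__ == "__main__":
    print("lander for %s: %s" % (DEMO_DAY, DEMO_NAME))
    for hit in flag_shifty_requests(SAMPLE_LOG):
        print("FLAG:", hit)
```

The regex keys on the fixed shape of the name rather than its value, which is why the rotation alone buys little against a log-based rule; the hourly schedule the script's banner suggests changes nothing about that.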

Education: Injection, PHP, and MySQL

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.

According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, JavaScript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack. There are several – many, rather – excellent tutorials on injection attacks available on the web. Here's a brief selection of SQL injection attacks for reference:

I will describe the background of the technologies that came together to make SQL injection attacks so prevalent on the web, since I believe context is important. I will focus primarily on PHP and its connectivity to MySQL as a database back-end, given how much of the current web this technology stack drives.
