A good security professional has a list of tools that they know they can always rely on and a list of strategies they know they can always follow. A good security professional also knows the common things to look for when tasked with ensuring that a computer or web app is secure. They can either spend years compiling data and common mistakes from trial-and-error experiences, or they can use a premade list, like DISA STIG.

The DISA STIG viewer (Defense Information Systems Agency Security Technical Implementation Guide) is a list of security vulnerabilities created by the US government agency DISA to help combat security threats. You can download the viewer here and the correct STIGs for your operating system here. You can use it to follow along with me, or just look at my screenshots.

First off, open the viewer.
Empty DISA STIG Viewer

Not much to see right now. First, we have to load the STIG by clicking File and then Import STIG.
Import DISA STIG

Now your viewer will look something like this:
Full DISA STIG Viewer

This page isn’t actually all that useful to us, so go ahead and click Checklist and then Create Checklist – Selected STIG.
DISA STIG Checklist

This may look a little daunting, but it’s actually really simple. Down the middle is the full list of every common vulnerability for the operating system you chose. They can be filtered by severity by clicking the CAT I, CAT II and CAT III tabs: CAT I is the most dangerous, CAT III the least. All you have to do is select an item, click the Check Content tab on the right side, and follow the instructions. If it turns out to be a “finding” (also known as a vulnerability), click the “Open” radio button on the right side, next to Status, and write down some information in the Finding Details and Comments sections if you want. Now just go through each one (or download a program to do it for you), and start tackling each “Open” finding one by one.

And that’s about it: click around to find some more administrative/bureaucratic stuff, and when you’re finished with the list, save or export it.
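Once a checklist is saved, the exported .ckl file is plain XML, so the “Open” findings can be pulled out and sorted by CAT without reopening the viewer. This is an added Python example, not code from the post or from DISA; the element names it reads (VULN, STIG_DATA, STATUS, FINDING_DETAILS) are an assumption about the exported format, and the V-numbers and rule titles in the sample are placeholders I constructed, not real STIG entries.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the .ckl layout the viewer exports (element names assumed); IDs are placeholders.
VULN_TMPL = (
    "<VULN>"
    "<STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{vid}</ATTRIBUTE_DATA></STIG_DATA>"
    "<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{sev}</ATTRIBUTE_DATA></STIG_DATA>"
    "<STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{title}</ATTRIBUTE_DATA></STIG_DATA>"
    "<STATUS>{status}</STATUS><FINDING_DETAILS>{details}</FINDING_DETAILS><COMMENTS></COMMENTS>"
    "</VULN>"
)
SAMPLE_ROWS = [  # (Vuln_Num, Severity, Rule_Title, STATUS, FINDING_DETAILS), all made up
    ("V-00001", "high", "Placeholder CAT I rule", "Open", "Seen during manual check"),
    ("V-00002", "medium", "Placeholder CAT II rule", "NotAFinding", ""),
    ("V-00003", "low", "Placeholder CAT III rule", "Open", ""),
    ("V-00004", "medium", "Another CAT II rule", "Not_Reviewed", ""),
]
SAMPLE_CKL = "<CHECKLIST><STIGS><iSTIG>" + "".join(
    VULN_TMPL.format(vid=v, sev=s, title=t, status=st, details=d)
    for v, s, t, st, d in SAMPLE_ROWS) + "</iSTIG></STIGS></CHECKLIST>"

# The viewer's CAT tabs correspond to the Severity attribute like this.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2}

def parse_checklist(xml_text):
    """Return one dict per VULN element: id, cat, title, status, details."""
    findings = []
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA") or ""
                 for sd in vuln.findall("STIG_DATA")}
        findings.append({
            "id": attrs.get("Vuln_Num", "?"),
            "cat": SEVERITY_TO_CAT.get(attrs.get("Severity", "").lower(), "unknown"),
            "title": attrs.get("Rule_Title", ""),
            "status": (vuln.findtext("STATUS") or "").strip(),
            "details": (vuln.findtext("FINDING_DETAILS") or "").strip(),
        })
    return findings

def summarize(findings):
    """Count (cat, status) pairs and list the Open findings, CAT I first."""
    counts = Counter((f["cat"], f["status"]) for f in findings)
    open_items = sorted((f for f in findings if f["status"] == "Open"),
                        key=lambda f: CAT_ORDER.get(f["cat"], 9))
    return counts, open_items

if __name__ == "__main__":
    for f in summarize(parse_checklist(SAMPLE_CKL))[1]:
        print("OPEN", f["cat"], f["id"], f["title"], "--", f["details"] or "no details")
```

To use it on a real export, replace SAMPLE_CKL with the contents of your saved .ckl file.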

Before we can get into the real nitty-gritty of what Burp Suite is and what it does, we’ll have to take baby steps getting into it. And the first step is configuring Burp Suite to work with our browsers. This Burp Suite setup guide will show you how. First, let’s open it up. I should mention that to run the Burp .jar file you need version 1.6 or later of Java. If you’re not sure what version you have, you can just type “java -version” into Command Prompt and it’ll tell you. Unless your computer has a virus made specifically to stop Burp Suite from running, you should see a splash screen, and then this:
New Project

I’m going to assume you didn’t already buy the premium version of Burp, so just click Next with ‘Temporary Project’ selected, then select ‘Use Burp Defaults’ and click Start Burp on the screen after that. Now we’re here:
Burp Home

I remember the reaction I had the first time I came upon this page, which was “Woah”; that top bar has more tabs than I have immediate family members. Don’t you worry dear reader, I’ll go over each tab one by one, and you’ll be a pro at this in no time. For now, we can ignore most of these and focus on what we’re trying to do right now, which is set up Burp with a browser of your choice. Let’s go to the second tab, ‘Proxy’, and then the ‘Options’ subtab under it. I’ll show what we’re looking for specifically:
Proxy Listener

Check to make sure that in the Proxy Listeners table there is an entry that has the values I underlined here. If there isn’t, press the gear to the left of the table and then ‘Restore Defaults’.

The next thing we’re going to do is set up your browser to use Burp as an HTTP proxy server. It’s different for every browser, so I’ll just put them all and you can skip ahead to the browser you’re working with.

Internet Explorer:
Press the gear at the top right corner and then ‘Internet Options’. This will take you to this window:
IE Internet Options

Go to the Connections tab at the top and press ‘LAN Settings’. Uncheck the ‘Automatically detect settings’ and ‘Use automatic configuration script’ boxes. Check the ‘Use a proxy server for your LAN’ box and enter the Burp proxy listener address and port from the Proxy Listeners table (port 8080 by default). Uncheck the ‘Bypass proxy server for local addresses’ box if it’s checked. Click ‘Advanced’ and check the ‘Use the same proxy server for all protocols’ box, and make sure there are no entries in the ‘Exceptions’ field.

Chrome:
Chrome uses the same proxy settings as your computer, so you can just follow the instructions for Internet Explorer and Chrome will pick up on it as well.

Firefox:
Press the three lines in the top right corner, click on ‘Options’ and then ‘Advanced’ on the left. Click the ‘Network’ tab and click on the ‘Settings’ button under ‘Connection’. Now you’re here:
Firefox Connections Options

Select ‘Manual proxy configuration’ and enter your Burp proxy listener address in the HTTP Proxy field and 8080 for the port. Check the ‘Use this proxy server for all protocols’ box and make sure the ‘No Proxy for’ field is empty (unlike in the picture example).
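A quick way to confirm the Firefox settings above without clicking through the dialog again: this added Python script (not from the original post) reads the user_pref lines in the profile’s prefs.js and compares them with what the steps ask for. The pref names are Firefox’s own; the 127.0.0.1 listener address and the prefs.js excerpt are assumptions I constructed for the demo.

```python
import re

# What the Firefox dialog should have written to prefs.js.
# The 127.0.0.1 address is an assumption for the default Burp listener.
EXPECTED = {
    "network.proxy.type": 1,                     # 1 = Manual proxy configuration
    "network.proxy.http": "127.0.0.1",           # HTTP Proxy field (assumed address)
    "network.proxy.http_port": 8080,             # Port field
    "network.proxy.share_proxy_settings": True,  # "Use this proxy server for all protocols"
    "network.proxy.no_proxies_on": "",           # "No Proxy for" must be empty
}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    """Turn user_pref(...) lines from prefs.js into a dict of Python values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw  # leave anything unusual as the raw text
    return prefs

def check_proxy(prefs, expected=EXPECTED):
    """Return (pref, wanted, found) triples that differ. found is None when the
    pref is absent from prefs.js, i.e. Firefox's built-in default applies."""
    return [(k, v, prefs.get(k)) for k, v in expected.items() if prefs.get(k) != v]

# Constructed prefs.js excerpt: everything is right except 'No Proxy for',
# which still holds the entries seen in the post's screenshot.
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

if __name__ == "__main__":
    for name, want, got in check_proxy(parse_prefs(SAMPLE_PREFS)):
        print(f"{name}: expected {want!r}, found {got!r}")
```

A pref reported as None is simply not in prefs.js, so Firefox is using its built-in default for it; confirm that one in the dialog by hand.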

After Setting Up Browser
I just made this subtitle so you wouldn’t get confused about where the Firefox heading ends. Anyway, try out what you have so far by going to any HTTP website (not HTTPS yet, I’ll get to that). The site shouldn’t load completely, and that’s what’s supposed to happen. Open up Burp again and go to the ‘Proxy’ tab and then the ‘Intercept’ tab under it. Your HTTP request should be there. This just means that Burp intercepted your HTTP request for tinkering. Click on the ‘Intercept is on’ button so it changes to ‘Intercept is off’, and that will allow the website to load. If you tried to load an HTTPS URL though, you would get a warning from your browser. To allow you to work with HTTPS URLs, you need to download and install Burp’s CA certificate, and the process is different for each browser.

Internet Explorer
With Burp running, go to http://burp/ and click on CA Certificate at the top. Download the file and open it. Click ‘Install Certificate’, then ‘Next’, then ‘Place all certificates in the following store’ and ‘Browse’. Here it should give you a small window with a bunch of different folders. Select ‘Trusted Root Certification Authorities’ and then just click ‘Next’, ‘Finish’, and ‘Yes’ to complete the installation process. Restart IE and you should be able to go to any HTTPS website.

Chrome
Just as before, Chrome uses the same settings as IE does, so just follow the instructions for that.

Firefox
With Burp running, go to http://burp/ and click on CA Certificate at the top. Download the file, but you don’t have to open it. Press the three little lines at the top right and then ‘Options’. Click on the ‘Advanced’ tab, and then the ‘Certificates’ subtab. Click on ‘View Certificates’. Select the ‘Authorities’ tab, and ‘Import’. Find the file you downloaded just now and click ‘Open’. A dialog box should pop up; check ‘Trust this CA to identify web sites’ and click ‘OK’. Close everything and after restarting Firefox you should be able to go to any HTTPS website.

In The End
If everything is running smoothly, you should be able to intercept HTTP and HTTPS websites without a hitch. In a couple of days I’ll start posting about the different bits and pieces of Burp, and what makes it such a powerful tool.

  • Least Privilege: “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” — Jerome Saltzer
  • Least Privilege Benefits:
    • Code stability
    • Controlled data access
    • System security
    • Vulnerabilities are limited and localized
    • Easier to test actions and interactions
  • Simple Is More Secure
    • Use clearly named functions and variables
    • Write code comments
    • Break up long sections of code into small, more manageable functions
    • Don’t repeat yourself
    • Legacy code is a security concern
    • Try to use built-in functions whenever possible
    • Disable all unused features when possible
  • Never Trust Your Users
    • People are prone to mistakes
    • Don’t trust even admins
    • Identity can be stolen
    • Use caution with contractors
    • Establish a process that allows you to revoke user access instantaneously
    • Remember that hacks happen offline as well (phone, printouts…)
  • Defense In Depth
    • You should have a number of layers of defense
    • Over time attacks lose momentum
    • Redundant Security
      • People (security policy, best practices implementation …)
      • Technology (IDS, SIEM, system administration, encryption, access controls…)
      • Operations (periodic security reviews, data handling procedures, threat handling…)
  • Security Through Obscurity
    • More info benefits hackers
    • Limit exposed information
    • Limit feedback
    • Obscurity doesn’t mean misdirection
  • Whitelisting Is Much More Secure Than Blacklisting
    • Whitelisting means restricting by default, which is a much more secure approach
  • Map Exposure Points
    • Incoming Exposure Points
      • URLs
      • Forms
      • Cookies
      • Sessions
      • Database reads
      • Public APIs
    • Outgoing Exposure Points
      • HTML
      • JavaScript/JSON/XML/RSS
      • Cookies
      • Sessions
      • Database writes
      • Third-party APIs
  • Map Data Passageways
    • What paths does data take?
    • Know your site topography and your environment architectural landscape
    • Ideally you should have a graphical representation of all of your access points
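The “Whitelisting Is Much More Secure Than Blacklisting” and “Never Trust Your Users” points above, shown side by side on the same inputs. This is an added Python example, not code from the list’s author: the denied-fragment list, the username rule and the sample inputs are all constructed for the demonstration.

```python
import re

# Blocklist: reject only inputs that contain a known-bad fragment. Constructed and
# deliberately short, which is the point: a blocklist is only as good as its last update.
DENIED_FRAGMENTS = ("<script", "javascript:", "../", "';")

def blocklist_ok(value):
    """Accept unless a denied fragment appears (case-insensitive)."""
    lowered = value.lower()
    return not any(frag in lowered for frag in DENIED_FRAGMENTS)

# Allowlist: accept only what a username is allowed to look like, nothing else.
# fullmatch is used on purpose: re.match with a trailing '$' still accepts "alice\n".
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def allowlist_ok(value):
    """Accept 3-16 chars: a lowercase letter, then letters, digits or underscores."""
    return USERNAME_RE.fullmatch(value) is not None

def slipped_past_blocklist(samples):
    """Return inputs the blocklist accepts but the allowlist refuses."""
    return [s for s in samples if blocklist_ok(s) and not allowlist_ok(s)]

SAMPLE_INPUTS = [            # constructed inputs, not taken from the page
    "alice",                 # fine under both policies
    "bob_42",                # fine under both policies
    "<SCRIPT>x</SCRIPT>",    # caught by the blocklist (case-insensitive)
    "<b>alice</b>",          # markup the blocklist never listed
    "..\\secret.txt",        # backslash variant of the "../" fragment
    "alice\n",               # trailing newline, the classic '$' pitfall
    "alice\x00",             # embedded NUL byte
    "alice@example",         # simply not a username
]

if __name__ == "__main__":
    for s in slipped_past_blocklist(SAMPLE_INPUTS):
        print("blocklist accepted, allowlist refused:", repr(s))
```

Every input the allowlist refuses is refused because it is not a username, so the rule never needs updating when a new trick appears; the blocklist needs a new entry each time.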