MIS 5211 Intro to Ethical Hacking

Wayne Wilson

MIS 5211 Intro to Ethical Hacking

Fall 2016

Burp Suite Analysis

Philadelphia Gas Works (PGW)

I used Burp Suite intercepting proxy on Philadelphia Gas Works (PGW) website. PGW is the residential gas company for Philadelphia residents and is the largest municipally owned gas utility in the country, Providing service to over 500,000 customers. My test environment consisted of a Kali Linux virtual machine running Firefox web browser and the Burp Suite application. Burp Suiteacted as the Proxy server intercepting packets from PGW. PGW public facing web page uses the http proxy. PGW homepage has links to Facebook, twitter and YouTube. While reviewing the initial data Burp Suite provided I was able toquickly determine PGW’s usernames for Facebook, Twitter and YouTube.

Something that stood out to me while reviewing the analysis from Burpe Suite was a line in the sitemap that pointed to after additional investigating I determined that kit.mit-license.org points to a license used for software developed at MIT for Unix based systems. So, I believe PGW website must be built on a system using a form of Unix. Burp Suite also showed the homepage contained JavaScript and that a Content Delivery Network (CDN) is being used.CDN’s are used to retrieve scripts instead of the local web servers to improve performance. PGW is using Microsoft Ajax Content Delivery Network(MAXCDN), which lets me know that API.Net framework must be in play somewhere. As I navigated further along on PGW website I found a page with forms. Burp Suite showed that the .asp extension was being used indicating that the server hosting the forms are on a Microsoft Windows server running Microsoft IIS. The forms reside at www2.pgworks.com which is a subdomain to websites with www2 are mirror sites used for load balancing.

PGW has a customer login link which grants customer access to their account with PGW. This link points to a website that uses the HTTPS protocol, which requires username and password for authentication. Burp Suite revealed this webpage is linked to a server running Apache Tomcat with the Coyote connector. I attempted the login process by entering a username and password at which time Burp Suite was able to capture the username and password in plaintext before passing information along. All throughout the process Burp Suite also captured information regarding cookies, such as CSRF token creation, validation and expiration.

PGW website is well thought out and hasdecent security features in place where needed. I examined other websites which required username and password and noticed the same problem with text being passed in plain text. I would recommend duo factor authentication in which the authorization code is random for each login and sent by text or email to user for authentication.