Proxy IIS Express Traffic with Burp in Linux Guest VM (VirtualBox)

Adam Wilson
2 min read · Aug 4, 2022

As a Web app penetration tester, you’ll sometimes need to assess the security posture of .NET Framework web apps. In a crystal-box assessment, you may have the opportunity to run the application locally in IIS Express.

Of course, .NET Framework apps won’t run on your Linux guest. While it’s arguably more straightforward to run Burp Suite from the Windows host, there may be scenarios where it’s more advantageous to use it from a Linux guest virtual machine.

Why Use Burp from the Guest Rather than the Host?

  • You have sqlmap installed and running on the guest, and want to push requests through Burp proxy to view and analyze injection traffic.
  • You want to push nikto requests through Burp to analyze general vulnerability scan requests and responses.
  • You typically use your Linux guest VM as your main pen testing toolkit, so Burp configs and a host of other tools and data are already at your disposal on that machine.

Allow External Requests to the Web App Running on the Host’s IIS Express

  1. Open C:\...\.vs\YourWebApp\config\applicationhost.config
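  2. Then, find the site you wish to access from the guest VM (it is listed under the actual name of your Web app), and add a wildcard binding similar to the following: <binding protocol="http" bindingInformation="*:18321:*" /> The bindingInformation format is IP:port:hostname, so this binding accepts requests on port 18321 for any address and hostname on the host; remove it when the assessment is done.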

See the following discussions for more details and additional steps you may need for your environment:

Test the Connection from the Guest Virtual Machine to IIS Express on the Host

  1. In Oracle VM VirtualBox Manager, select an existing guest Linux VM on the left panel
  2. Next, click “Settings”
  3. Under “Network”, make sure NAT is selected
  4. Start/run the VM
  5. Open a terminal/shell inside the VM
  6. Finally, run a Web client HTTP GET command such as wget -q --server-response 10.0.2.2:18321 (In NAT mode, 10.0.2.2 is the address VirtualBox uses as the default gateway for guest VMs, and it reaches the host. See this discussion: https://superuser.com/questions/310697/connect-to-the-host-machine-from-a-virtualbox-guest-os)

If you receive an HTTP/1.1 200 OK response, you’re able to run requests from the guest to the host. This means you’re all set to proxy HTTP traffic through an instance of Burp Suite running on the guest virtual machine, even though the local Web server is listening on the host. This can be tremendously useful if your primary pen testing toolkit exists on the guest, rather than the host itself.
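The check above can be scripted so it also confirms the path through Burp. This is an added example, not part of the original post; it assumes port 18321 from the binding above and Burp's proxy listener on its default 127.0.0.1:8080, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Run inside the Linux guest.
# Assumed values: port 18321 from the binding above; Burp's proxy listener on
# 127.0.0.1:8080 (Burp's default). Override with PORT= and BURP= as needed.
PORT="${PORT:-18321}"
BURP="${BURP:-http://127.0.0.1:8080}"

# Read `ip route` output on stdin; print the default gateway (10.0.2.2 under NAT).
gateway_from_routes() {
  awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Read `wget --server-response` output on stdin; print the last status code seen
# (wget prints one status line per redirect hop). Fails if there was no response.
status_from_wget() {
  awk '$1 ~ /^HTTP\// { code = $2 } END { if (code == "") exit 1; print code }'
}

# Turn a status code (or empty string) into a hint about what to check next.
# A 400 from IIS Express commonly means no binding matched the requested hostname.
diagnose() {
  case "$1" in
    200) echo "ok" ;;
    400) echo "check binding: IIS Express rejected the hostname" ;;
    "")  echo "no response: check firewall, port, or that the listener is up" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Fetch URL $1, optionally through proxy $2 (empty = direct), print the diagnosis.
probe() {
  code=$(http_proxy="$2" wget -q --server-response --tries=1 --timeout=5 \
           -O /dev/null "$1" 2>&1 | status_from_wget) || code=""
  diagnose "$code"
}

main() {
  gw=$(ip route | gateway_from_routes)
  echo "host (default gateway): ${gw:-not found}"
  echo "direct:   $(probe "http://$gw:$PORT/" "")"
  echo "via Burp: $(probe "http://$gw:$PORT/" "$BURP")"
}

# Only touch the network when asked to: sh check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If "direct" reports ok but "via Burp" does not, the problem is on the guest (Burp not running or listening on a different port) rather than in the IIS Express binding.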
