Burp for Beginners: A practical intro to help you find your first bug

Captions
Hi everyone, and welcome to this Burp introduction for people who really are beginners, just starting to learn. The motivation behind this is really that a lot of videos go really in depth on Burp, and Burp, which is a great tool, has a lot of functionality; however, that's so overwhelming for people who really are just asking "how do I find my first bug?" So I'm going to go through Burp tab by tab and talk about the practical uses and the kind of tabs you want to be using the most as you start out.

So first off we have the dashboard. Now the dashboard has these split windows here. This half we can safely ignore because it's mainly Pro features, and this is just the Community Edition, so we don't really have access to that. We have the tasks, which once again are not really that useful unless you have the Pro version, so we can ignore that. And finally we have the event log. Now the event log is the most important one in this array of windows because it tells us when our proxy isn't working: if it's being weird, if it's not quite capturing data properly, if it's missing things. You can see here I've got a lot of errors in here. If you find that's interrupting your ability to test a website, you can go in here and start diagnosing problems, so that's useful. So that's the dashboard.

Let's go on to Target. So I have spent a few minutes going onto yahoo.com and just browsing around, and as you can see the target kind of fills up as you explore a website. We've got everything from Mozilla, because I'm testing on Firefox, to ad sites like Google Ads, and also the ones I'm actually interested in, which is Yahoo. So what we need to do is really hide the less important things, which is where this tab, Scope, comes in. So here we can define our scope. Now we can do regex listing in the scope, but I always find the easiest is going in here and going "add to scope", and then yes. So we've got mail.yahoo. So if I go back here and I go in here and click on this thing up here, we can go "show only in-scope items". Now don't be tempted to click the buttons, because the buttons are very tempting. And if we click off, you'll see that we've now narrowed it down to just mail.yahoo.com. And we can go into the scope and go to the advanced scope control, and we can go in here and say we want to get, you know, mail.yahoo.com, we want to add, I don't know, login.yahoo.com. We get back into the site map, let's see, login is there as well. And what this really does is it organizes the requests you make by folder. Now these aren't necessarily actual folders, because they might just be routes, so they might just be, you know, telling the website a way to organize websites. But there is some stuff here that's organized by URL and then by folder, so we can kind of think of that as being proxy traffic organized by functionality, although that's not necessarily the case. So the primary use of this tab is really to go in here and be like, okay, I've got "account", there's a "challenge", okay, it's logging my password somehow, what was it sending, what was coming back? Now the good thing about Burp is that when we get a response or we get a request, what we can do is send it to the other tools: we've got "send to Intruder" and "send to Repeater". These are the ones you're going to be using most often to find your first bugs, because they're the ones where you can actually find the interesting stuff. So I'll go over those in a second, but where I want to start is just going through the proxy stuff.

So the next tab is the Proxy. Now the primary use of the Proxy is to turn off Intercept. Intercept basically stops your request, the request you're making to the website, before it gets sent and before the website has a chance to respond, so you can fuzz it, you can interact with it and change some of the values. Now for most basic testing you probably don't want to intercept something until you get to that point where you're like, wow, I really need to intercept that. So we can ignore that and just turn it off. Now the other really useful thing here is the HTTP history. If we look at the site map as being organized by functionality, this is organized by time. So you can go up here to the filter, show only in-scope items, and here we've got a kind of timeline of when we did stuff. We can organize by request number, which is the one you want to organize by, because then it's just straight up: you do something, you can check the history, and equally you can also see the request and the response. I prefer the HTTP history over the site map because I think the HTTP history, organized by time, makes sense for me as I'm testing the features, because I want to be like, I clicked the button, okay, what is that doing on the other side, rather than trying to figure out where the button I clicked was. Okay, so you also have Options. Now the only one that's worth mentioning in here is down here, the SSL pass-through. If you're testing on mobile, sometimes you won't be able to connect to iCloud or Google Play because of their own security functionalities like certificate pinning. If you do find that you just cannot access a website and it's getting all these errors, you can try adding "SSL negotiation failure" here, which will, if Burp can't make the SSL connection, just send it as if it was a regular request, so it won't show up in Burp but it will make the request.

Okay, so then there's Intruder and Repeater, which are the two big ones I want to talk about. I'm going to start with Repeater and then go on to Intruder. So Repeater allows you to repeat a request. If we go back into Target and we go into one of the requests we've made here, we've made a login request and it's doing something in here, so we go here, we can right click, "send to Repeater", and the request appears here. So what you can do is try and fuzz some of these values, we can edit them, we can delete them, like do we need that y value? I don't know. What happens if we delete it? Nothing. So that y value does something we're not sure about. Now for something like this login page, which has just a ton of stuff, it's not that useful. But when we start to look at login forms, where we're sending something like a username or a password, or if we're doing something where we're interacting with an API where we have a kind of product, can we do things like, okay, what if I log in to another account, can I do something on the second account which is actually a request I made from the first account, by just changing the cookies? So that's called finding IDORs. So all you need to find an IDOR is really the Repeater; you can do it all manually. You can go in here, you can find the cookie, which is here, and you can physically edit that cookie here, you can just remove it. What does it do? Nothing interesting. But yeah, that's the primary use of this, to find IDORs. The other use of it is to find interesting endpoints, and really what you want to do when you're testing is try to take in all of the data. You know, we have so many requests in our thing here, which of these are actually important? Like what does "create" do, is it doing anything interesting? Probably not. Like "login", that sounds interesting, and there's just something called "D" there which could be interesting, it could be just deprecated endpoints. So this is really useful for finding those IDORs, where you're able to access something you shouldn't have access to because you're logged in to the wrong account and you're using the cookie from one account but you're making changes on the first account. It's useful for finding business logic errors: if you've got something where you can set a quantity of something, what happens if you set it to two instead of one, or minus one? You know, you can add a coupon code: are you sending the actual coupon, like the amount it's discounted by? And using something like Repeater you can sit there and you can edit these requests and then fuzz that. So that is the first major use of Burp.

Now a second one is Intruder, and what Intruder does is brute forcing. Now, brute forcing, I think a lot of people have the idea, like, oh yeah, we're going to brute force passwords. We're not. So if we go on to something like PayloadsAllTheThings, we'll see, okay, SQL injection here: there's so many different types of SQL injection, how on earth are we supposed to test all of this? We can't do that manually. So what we're going to do is we're going to go in from Intruder here, and you'll see that depending on what database we're using, we've got blind SQL injection for different databases, and FuzzDB here is very similar, and we have things like discovery, things like predictable file paths, so we can test if any of these exist quite easily using Intruder. So how do we do it? Okay, so we go back to either Target or Proxy or even Repeater, you can do this straight from a Repeater request, and "send to Intruder". I'm going here, we're going to Proxy, and we'll go, okay, did we send anything there? Yeah, let's go for that one. So we've got a username and a password and verify password here, so we'll send that to Intruder. And one of the good things that we can do is called a blind SQL injection. So if we're doing an SQL injection, opening sqlmap takes time, so let's do our own kind of test to see if it's SQL injectable. So you'll see here the little section signs, the paragraph separators: it has decided what it wants us to fuzz and to change, but we're just going to clear those because we want to check these ones here. I want to check the name, the password, the context, whatever that is, and the password. So we can go here and we can add a section sign, and we can go here and add a section sign, and we can go here and add a section sign, and here another section sign. So, whoops, make sure I cover that whole value with the section signs. Okay, so what I'm really doing here is I'm saying that within this, this is what we want to replace with whatever our text files are.

So let's do a blind SQL injection. So we've set this up, so we think the SQL-injectable ones are going to be the display name, the username, password context and the password itself. So we're going to Payloads now; this is where we load in all of our payloads. So we can go here, PayloadsAllTheThings, and let's try a generic time-based SQL injection. Now a generic time-based SQL injection is super useful because it can tell us whether or not something's SQL injectable by just looking at the time difference. So what we say when we do a time-based SQL injection is we let the database wait, and that's all we're doing; we're not trying to access the database, we're just saying, hey, wait. If it's SQL injectable, that page will wait for us. So we're going to paste this list in here, so we've got some sleeps and we've got some maths going on, cool. So we do that, and that's all we need to do, we just press "start attack", and then it's doing the Intruder attack. So what you'll see is, oh, we don't have a list of the times, and we can look and we can see, but there's "response received" and "response completed"; you just need to enable them. So what we're looking for is if something takes far too long, like we're looking for essentially anomalies here. If we go up to "response received", we might be able to see those took some time. Could that mean that they're SQL injectable? Might be, might not be, might just be the web server is taking longer. But really what we're doing here is we're looking for those endpoints that seem suspicious, right? We're not looking for bugs, we're looking for something that could be a bug. So looking at these, you know, we're looking and that one is the display name, and that one might also be display name, and that one might be display name. So what we're doing there is saying, hey, well maybe the display name is SQL injectable. We can then load that up into sqlmap and test it that way. So that's one of the use cases for finding SQL injections using Intruder.

It's also super useful for using something like FuzzDB, where you can use the discovery file, and really there's a ton of stuff here that's all about finding things, just finding folders that no one really wanted us to find. We have different web servers, different languages, they all have these kinds of potential files in there, so that's always a really good one to test with Intruder, just because you're looking at, okay, does this file exist, does that file exist, finding interesting API endpoints by looking at what the common ones are. You know, we can predict "login", but if we have something like "products" and "ads" and stuff like that, we can discover that using Intruder. So the primary use of Intruder is to either do kind of like this: send payloads, see what comes out, do you get different lengths, a different response? You're looking for things outside the ordinary here; this is like a little signpost that says, hey, that looks weird. Then we have the use case of discovering things that we were never supposed to find, from discovering API endpoints to discovering files, and each of those can lead to a bug.

So I'm just going to stop this, and I'm going to go over one final feature, or two final features. One is the Decoder, which just allows you to URL encode things. You know, if you're sending something like this to a webpage, you can encode it as URL so you don't have to be messing about with it, and you can also decode things. If you mouse over things it will attempt to decode them anyway, so you don't need to worry; like if I mouse over this one here, it will tell me what it's pointing to. So finally I want to talk about Extender. Now Extender just allows you to install extensions to Burp. So we go to these, the extensions: I have JSON Beautifier turned on so I can see JSON looking very nice. There's also a BApp Store, and there are so many of these. Some of them require the premium version, but some of them can be really useful, like sqlmap integration, which doesn't require premium, but you can send responses from Burp directly to sqlmap and tell it what the parameters are and make sure the cookies get sent properly and stuff like that. So that can be really useful for kind of integrating everything into one area. And there are some really useful ones here about finding IDORs; there's a great video that STÖK put out about finding IDORs. And I think that covers about everything. This, I promise, is all you need to find your first bug: just Intruder, Repeater, Proxy, Target, that's it. You don't need to pay, you don't need to find amazing bugs for your first try, you can just look at the low-hanging fruit. It's not going to be necessarily easy to find, but it will be easy, especially once you start to get used to the powerfulness that Intruder has and the ability to work out what looks weird. That's what you want to develop: your sense of, like, that request looks a little bit weird, that response looks a little bit weird. Finding those is what finds your first bug. So thank you for listening to my talk on Burp, and I hope you guys find some nice bugs. Thank you, have a good day.
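The Repeater section of the talk describes two classes of bug found by editing a single request by hand: an IDOR, where a cookie from one account is used to act on another account's object, and business logic flaws such as a negative quantity or a client-supplied discount amount. The following Python is an added example written for this page, not code from the video or from Burp; the order store, the session cookies `sess-alice`/`sess-bob`, the coupon table and the function names are all constructed. It puts the vulnerable server-side handler next to the fixed one so you can see exactly which missing check each Repeater edit exploits, and what the fix looks like from the defender's side.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    quantity: int
    unit_price_cents: int


# Constructed data: two users, one order each, fake session cookie values.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ORDERS = {
    1001: Order(1001, "alice", 1, 2500),
    1002: Order(1002, "bob", 2, 1000),
}
COUPONS = {"WELCOME10": 10}  # percent off, known only to the server


def current_user(cookie):
    """Resolve the session cookie to a username, or refuse unauthenticated callers."""
    try:
        return SESSIONS[cookie]
    except KeyError:
        raise PermissionError("not logged in")


def get_order_vulnerable(cookie, order_id):
    """The IDOR from the talk: the handler checks that *someone* is logged in,
    but never that the order belongs to that someone. Swap the id in Repeater
    and Bob reads Alice's order."""
    current_user(cookie)
    return ORDERS[order_id]


def get_order_fixed(cookie, order_id):
    """Ownership is checked on every object access, and a missing order and a
    foreign order get the same answer so the id space cannot be enumerated."""
    user = current_user(cookie)
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise PermissionError("order not found for this user")
    return order


def set_quantity_vulnerable(cookie, order_id, quantity):
    """Business logic flaw: the quantity comes straight from the request body,
    so -1 or 0 is accepted and the total goes negative."""
    order = get_order_fixed(cookie, order_id)
    order.quantity = quantity
    return order.quantity * order.unit_price_cents


def set_quantity_fixed(cookie, order_id, quantity):
    """Validate type and range server-side; the client is never trusted for it."""
    order = get_order_fixed(cookie, order_id)
    if type(quantity) is not int or quantity < 1 or quantity > 99:
        raise ValueError("quantity must be an integer between 1 and 99")
    order.quantity = quantity
    return order.quantity * order.unit_price_cents


def checkout_total_vulnerable(cookie, order_id, discount_cents):
    """The 'are you sending the actual discount amount?' case: the request
    carries the discount itself, so any value the user types is honoured."""
    order = get_order_fixed(cookie, order_id)
    return max(0, order.quantity * order.unit_price_cents - discount_cents)


def checkout_total_fixed(cookie, order_id, coupon_code):
    """Only the coupon code travels in the request; the server looks the
    discount up itself. Unknown codes simply give no discount."""
    order = get_order_fixed(cookie, order_id)
    percent = COUPONS.get(coupon_code, 0)
    subtotal = order.quantity * order.unit_price_cents
    return subtotal - subtotal * percent // 100


def raises(exc, fn, *args):
    """Tiny helper so the behaviour can be checked without a test framework."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # Bob's cookie, Alice's order id: the vulnerable handler hands it over.
    print("vulnerable:", get_order_vulnerable("sess-bob", 1001))
    print("fixed refuses:", raises(PermissionError, get_order_fixed, "sess-bob", 1001))
    print("negative total:", set_quantity_vulnerable("sess-alice", 1001, -1))
    print("fixed rejects -1:", raises(ValueError, set_quantity_fixed, "sess-alice", 1001, -1))
    print("client-chosen discount:", checkout_total_vulnerable("sess-bob", 1002, 999999))
    print("server-side coupon:", checkout_total_fixed("sess-bob", 1002, "WELCOME10"))
```

The fixed handlers share one design decision: every value that affects money or access (the owner, the quantity bounds, the discount) is decided by the server from its own records, and the request only carries identifiers. That is what makes the Repeater edits the talk describes, changing a cookie, an id, a quantity or a discount field, produce either a refusal or no effect.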
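The Intruder section ends with the step the speaker does by eye: scanning the results table for responses that took far too long, came back with a different status, or changed length, and then noticing which insertion point the slow ones share. The following Python is an added example for this page, not code from the video or a Burp feature; the results rows are constructed to look like an Intruder table (request number, insertion point, payload label, status, length, "response received" time) and the function names are assumed. It shows the triage logic as code: baseline from the median of the run, so the slow rows you are hunting cannot inflate the threshold, and a per-position tally that answers "maybe the display name is the injectable one". It is deliberately about triage, not exploitation; the output is a list of positions worth a closer look, which the talk then hands to sqlmap.

```python
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class AttackRow:
    request_no: int
    position: str   # which section-sign insertion point received the payload
    payload: str    # label only; the real strings come from whatever list was loaded
    status: int
    length: int     # response length in bytes
    time_ms: int    # "response received" column, milliseconds


# Constructed sample of a results table; request 0 is the unmodified baseline.
SAMPLE_ROWS = [
    AttackRow(0, "baseline", "", 200, 5120, 210),
    AttackRow(1, "display_name", "p1", 200, 5120, 205),
    AttackRow(2, "display_name", "p2", 200, 5118, 5310),
    AttackRow(3, "username", "p1", 200, 5120, 198),
    AttackRow(4, "username", "p2", 200, 5121, 230),
    AttackRow(5, "password", "p1", 200, 5120, 215),
    AttackRow(6, "password", "p2", 200, 5119, 220),
    AttackRow(7, "context", "p1", 200, 5120, 190),
    AttackRow(8, "context", "p2", 500, 812, 170),
    AttackRow(9, "display_name", "p3", 200, 5120, 5405),
]


def flag_anomalies(rows, time_factor=5.0, length_tolerance=0.1):
    """Return {request_no: [reasons]} for rows that stand out from the bulk of the run.

    Medians are used as the baseline rather than the first row or the mean, so a
    couple of genuinely slow responses (the thing being looked for) do not drag
    the threshold up and hide themselves.
    """
    median_time = statistics.median(r.time_ms for r in rows)
    median_length = statistics.median(r.length for r in rows)
    usual_status = Counter(r.status for r in rows).most_common(1)[0][0]
    flagged = {}
    for r in rows:
        reasons = []
        if r.time_ms > time_factor * median_time:
            reasons.append("slow")
        if r.status != usual_status:
            reasons.append("status %d" % r.status)
        if abs(r.length - median_length) > length_tolerance * median_length:
            reasons.append("length")
        if reasons:
            flagged[r.request_no] = reasons
    return flagged


def slow_hits_by_position(rows, flagged):
    """Count slow responses per insertion point: two hits on the same position
    are a much stronger signal than one, which may just be the web server."""
    by_request = {r.request_no: r for r in rows}
    counts = Counter()
    for req_no, reasons in flagged.items():
        if "slow" in reasons:
            counts[by_request[req_no].position] += 1
    return dict(counts)


if __name__ == "__main__":
    flags = flag_anomalies(SAMPLE_ROWS)
    for req_no in sorted(flags):
        print(req_no, SAMPLE_ROWS[req_no].position, flags[req_no])
    print("slow hits per position:", slow_hits_by_position(SAMPLE_ROWS, flags))
```

With the constructed rows the output flags requests 2 and 9 as slow (both on the display name position) and request 8 for its 500 status and shorter body, which is exactly the "that one is the display name, and that one might also be display name" reasoning from the talk, but reproducible, and with the 500 kept visible as a separate anomaly rather than lost in the noise. The thresholds are assumptions; on a real run you would set `time_factor` from the spread of the baseline responses you see in Burp.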
Info
Channel: InsiderPhD
Views: 24,224
Keywords: burp, burp suite, burp professional, bug bounties, pentesting, tutorial, bug hunting, hackerone, bugcrowd, find a bug, cyber security, infosec
Id: Ezs19sj04DU
Length: 18min 17sec (1097 seconds)
Published: Sun Sep 08 2019