Burp Suite Fundamentals | TryHackMe Pentest+ Web Pentesting Lab

Captions
Hey everybody, what's good, what's going on? JB here. It's been a minute since we've done one of these live streams; been having a lot of stuff going on with summer, enjoying summer and stuff like that, but I wanted to get back and put together this live stream today, going over the Burp Suite room on TryHackMe. Had a lot of people reach out, I definitely wanted to cover this, I've been meaning to cover this, so yeah, really excited to finally knock this out. I think we've been talking about doing it for maybe, I don't know, a month and a half now, something like that. So yeah, finally we're here, we're going to do it. If you've been following along, we've been doing some of the other TryHackMe rooms. We actually did cover a little bit of Burp Suite, I think it was either in the Web Fundamentals or the Hydra room, I'm not sure exactly which, but today we are going to go and do a deep dive into it, at least a deep dive from an introductory perspective. This is kind of a long room, which is also why I wanted to do it on a Friday instead of Wednesday, because I have a feeling this is probably going to take a little bit longer than an hour or whatever we normally do on these live streams. So having said all that, if you've got any questions, comments or anything like that, throw that in the chat window. If you're just dropping in to say hello and hang out, that's cool too, since we haven't done one of these for a bit. As always, make sure you smash that like button, share the video, subscribe, all that stuff, I really appreciate that. And yeah, if nobody has any questions or anything like that before we jump in, then we'll just kind of move over, get everything spun up and hop off from there. So let me just move over to my browser and we will go from there. All right, so Burp Suite, if you're not familiar with it, is probably one of the most widely used web app pen testing tools that is out there. Some interesting things about it: there's both a
free version and a paid version. I believe that here in the TryHackMe stuff we're just going to be using the free version. If you do want to get the paid version, it kind of opens up some additional things that you can do. It's not that expensive; I think the last time I paid for a license it was maybe like 300 or 400 dollars as an annual license. So if you're actually doing this type of work in your real job, or you're a consultant or something along those lines, then you're obviously going to want to pay for the Pro version, or whatever they call the paid version. But for us and what we're doing today, kind of just getting an understanding of how to look at traffic that's being sent to a website and messing around a little bit with injecting some other things, this is going to be perfectly cool for us. So yeah, I'm just going to move down through this, try and highlight the stuff that I think is the important stuff, and if we have any questions or anything that we want to segue off into, we can obviously do that. So let's see: Burp Suite is a framework of different types of application pen testing tools, and they say it's the de facto tool for doing this. If you're using Kali Linux then you should have Burp Suite there. I think you can download it on different types of OSes as well; at least that's what I seem to remember from back in the day, that you could do it on different OSes. So as I said, we're just going to go through this, and they recommend doing the Web Fundamentals room; if you haven't done that, I do have a video for that you can go check out, that's pretty good. As far as the installation goes, we aren't going to have to do any of that, we are using the TryHackMe built-in browser machine, so that is going to be easy for us. But if you did need to go do this, then you would just go and download their Community version, get the appropriate
operating system (so yes, as I mentioned, it should go on different operating systems), and you will need the JRE to be able to run it, so you want to download that Java there. So we will just go ahead and knock those out. Now, before we start using our new installation, or pre-installed Burp Suite, we'll have to fix a certificate warning. We need to install a CA cert, as Burp Suite acts as a proxy between your browser and the internet, or whatever server it is that you're trying to test. If you aren't familiar with what a proxy is, pretty much it's going to sit in the middle and hand off those communications that would normally be happening between your web browser and the server that you're connecting to. One quick note: in this lab we'll be using Firefox and FoxyProxy, which is already installed on the TryHackMe box. I remember doing that in one of the previous walkthroughs we did; we had to use FoxyProxy for some stuff, so I do know that that is there. So we're going to go ahead and launch Burp. Pretty much we're just going to go up to Applications and, I believe, let's see, yep, under Other, Burp Suite Community Edition. Let it do its thing as far as opening up here; hopefully the browser box doesn't take too long today to do stuff, heard some people complaining about that recently, we'll see how it goes. An update is available; we'll not do that right now. Okay, so we open this up. Once we've launched it we'll get this greeting screen, and this pops up: click Temporary project and Next. Now, you likely noticed New project on disk and Open existing project are both grayed out; as annotated at the top of this window, saving projects is associated with Burp Suite Professional. So that was the one that I was telling you about that you have to pay for. That's obviously very helpful if you are a consultant or doing some type of work where you can actually save multiple projects for different clients and
things like that. So we are just going to go Temporary project, hit Next. Next we'll be prompted for what type of configuration we'd like to use; again we're going to just go with the defaults there, so Use Burp defaults, and then we should be able to just hit Start Burp. Yep, so I'm just going to hit Start and let that spin up, and here we go. So I did that, and it should look similar to this. I've got some people dropping in, let's see, Professor Black Ops, what's good. Hey, I'm still going to have you on here at some point to talk about STIG stuff; it's going to happen, especially now that I'm kind of getting back from my summer break, we're definitely going to have to get that put together at some point. Let's see, so I said it would look similar to this. Since we now have Burp up and running, the proxy service will have started by default. In order to fully leverage this proxy, we have to install the CA certificate included with Burp Suite, otherwise we won't be able to load anything that's SSL. So to do this we're going to launch Firefox, which we should already have here. Okay, come back. Okay, let's see. So we launched Firefox; let's add an extension to our web browser. So I said FoxyProxy, I said I believe that that is already there, so we will take a look. There it is, right here over in this corner. At the moment it's using the Firefox default settings. So that's already installed. All right, after that click on Options and click Add, and they're going to have this Burp setup here, right, and that looks like it is already there, so we won't actually need to add that, but we can take a look at what those settings look like. Should be able to go to Options, and it's just using 127.0.0.1, let's see what else is in here, and then port 8080. Nothing too crazy there. Okay, so we're kind of good with that. Now move on to adding the certificate. So let's go, we're going to navigate to localhost:8080.
I think we might need to... actually they didn't mention turning it on, but I think that actually does need to be enabled; we'll see what it kicks back. So http://localhost:8080, CA Certificate, there we go. I think that wants us to click on that and then download to save the cert. Save File. Let's see if that actually saved that; getting there, completed, cool. Then it wants us to... and we've downloaded it. We're going to move over to the Settings menu in Firefox and search for certificates, and then we're going to import that. So let's go Firefox, Protection. You have to forgive me because I actually don't use Firefox all that often, so looking for the settings, yeah, that'd be it. Let's see, look, that's under Edit, New, hmm. Now that's more in-depth stuff. If anybody knows where the settings is in Firefox I would appreciate it; this is what I get for using Google Chrome all the time. Let's see, Preferences, bam, appreciate that Mr. Mysterious, take it. Okay, and let's see, that's probably going to be under Privacy and Security, but we'll see what it says. General, and we'll just search for that, search, and then it was View Certificates, and then it was Import, and it was under Downloads I believe. There it is right there. Okay, and since this was a TryHackMe thing, I guess they already had that installed, which is awesome for us, but at least you've kind of seen what the process is as far as getting that in there. So we can go ahead and knock those off as completed. Cool, and we are good to go with that. So that would be all the things that you'd want to do as far as prepping this to get ready to do what you need to do. Now let's actually move into the meat and potatoes of what's actually going on with Burp Suite and the different things that we can do with it. So this here is a little bit of an overview of the different features that are available, the different types of things that we can do with it. There's a lot of different things here; as I mentioned, some of these
are things that you can only do with the paid version, so keep that in mind. If you see something here that seems really, really cool and you actually go to use it and it is grayed out, then yeah, you're just going to have to fork up some cash, I guess. All right, so let's hit these up. So the Proxy: this is what allows us to funnel traffic through Burp Suite for further analysis, right, so this is going to be one of the main things that we're going to be looking at. Target is going to be how we actually define what it is that we're going to be looking at; as far as I believe, it's like the IPs or the actual site map of the application that we're going to be testing. Intruder is one that allows us to do different things as far as inserting different types of credentials or trying to mess around with different fields within the web app, to try to fuzz some information and hopefully get kicked back some type of information that we shouldn't be able to see, or maybe some type of errors causing different types of things. I don't remember if Intruder is a paid one or not; we'll see. Repeater allows us to repeat requests that have been previously made; as it says here, it's often used as a precursor to fuzzing with Intruder. Sequencer allows us to present some type of randomness as far as what we're sending to the web app, so that we can look to be somewhat unpredictable; they say here that this is often used when doing some type of testing with session cookies. Decoder is a tool that performs various transforms of pieces of data, specifically dealing with decoding and encoding different types of bases of data (I assume they're referring to like Base64 or something like that) and also URL encoding. Comparer is something that we're going to use to compare different types of responses or other pieces of data, whether that's something with the site map or, they say, proxy histories. Extender allows for adding different types of mods,
different types of tool integration. And then Scanner automates web vulnerability scanning; you can do this, I think you get a report out of that, trying to remember. I think that one definitely is a paid one, but again, we'll see. So let's hit up these questions here. Pretty much, as this normally goes with these TryHackMe rooms, it's going to be asking questions in the exact language of what they just put up here, so normally it's not too hard. So: which tool in Burp Suite can be used to perform a diff on responses and other pieces of data? I believe that's going to be Comparer, and please forgive me because I always do end up jacking up some spelling whenever we go to type this stuff in. What tool could be used to analyze randomness in different pieces of data such as password reset tokens? I believe that was Sequencer. What tool can be used to set the scope of a project? That should be Target. Only available in the premium version of Burp Suite, which tool can be used to automatically identify different vulnerabilities in the application we are examining? So as I mentioned, I thought Scanner was one that you would actually have to pay for; I think that is the case, yep. Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form; which tool allows us to do just that? So Decoder, I think, so we'll go with that. Which tool allows us to redirect our web traffic into Burp for further examination? That's what we were talking about, the fact that this pretty much acts as a proxy, so go there. Simple in concept and powerful in execution, which tool allows us to re-issue requests? That'll be Repeater. With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing? I believe that was Intruder. And last but certainly not least, which tool allows us to modify Burp Suite via additional extensions? That was, I believe, Extender. Cool. All right, and as
with all tool sets at this point, you have the ability to have a dark mode. Before we hop into this, I normally like to spin up these machines a task before we get to it, because sometimes this takes a couple minutes, so we'll let that go while we do this dark mode stuff. Yes, working on a project late at night? Fear no more. So who actually, like what percentage of people, actually like dark mode compared to light mode? I think most of my stuff is in dark mode, but I don't know, that's just me. This task is optional; you can simply click Complete on all these questions if you'd like to skip it, right. It's actually purely a quality of life improvement, that's funny. So I will take a look at it anyway. So let's bring up... so it was under User options and Display. And what's it under? Dark mode is cool, it's always cool for sure. "You started using light mode again"? Yeah, I mean at some point it's going to come back around, right? So a year from now we're all using light mode again. So Look and Feel; I'd say Darcula is what's going to change it to that, I mean why not, we're here. Or Darcula, not Dracula. And that's when I restart it; yeah, whatever, I'm not going to restart it, that's fine, we'll just keep it. Okay, yeah, I'll knock those out, and we'll see if this box ended up being done. Yes, so that looks like it is good to go now. Exactly like fashion, it comes back around eventually, always does. All right, so generally speaking, proxy servers by definition allow us to relay our traffic through an alternate route to the internet. So you might see this in your work environments; normally the proxies that we have set up for outbound are doing some type of security scanning, looking for different types of things. Conversely, if you're in a work environment that's hosting web servers, sometimes you'll have some proxies sitting in front of that doing different types of inbound protections; it could be doing some web application firewall stuff, it could be using
proxies actually just for load balancing purposes, so some tools or devices like F5s are very well known for that, especially when it's built out at scale. So this can be done for a variety of reasons, from educational filtering, right, so restricting content, to accessing content that might otherwise be unavailable due to region locking or bans. Using a proxy for web application testing, however, allows us to view and modify traffic inline at a granular level. So pretty much it's going to give us the ability to interact with the data in a way that we wouldn't be able to, or not that we wouldn't be able to, but not in an easy manner, just from the browser itself. Throughout this task we'll explore the major components of a proxy, including interception, request history, and the various configuration options we have access to. Yes, a beautiful basic diagram of communication through a proxy. So we already talked about making sure that we are using the right cert. By default Burp will be set to intercept our traffic. This means a few things: requests will by default require authorization to be sent; we can modify our requests inline, similar to what you might see in a man-in-the-middle attack, and then send them on; we can also drop requests we don't want to be sent, so this is able to do quite a few different things here. This can be useful to see the request attempt after clicking a button or performing another action, but maybe we don't actually want to send that on yet. Last but not least, we can send these requests to other tools such as Repeater or Intruder for modification and manipulation to induce different types of vulnerabilities. So, deploy the VM to do this; we already did that. Okay, by default the Burp Suite proxy listens only on one interface; and what is that? So if you remember when we were looking at that, it was 127.0.0.1:8080.
And if you don't remember where that was, there's a few different places. So we were under... let's see, so Intercept is on and we see here we have the 127.0.0.1:8080. You'll also remember that when we were doing the FoxyProxy, that was there as well under the options for Burp, if I remember that. What were we doing here? We did have that going to Burp, yep, cool. All right, return to your web browser, navigate to the web application hosted on the VM we just deployed a bit ago. Note that the page appears to be continuously loading. Change back to Burp Suite; now we have a request that is waiting in our Intercept tab. Take a look at the actions: which shortcut allows us to forward the request on to Repeater? So let's make sure that we have that there. So, oh, we do want to make sure that we navigate to the Intercept sub-tab of Proxy and make sure that Intercept is enabled; Intercept is on, cool. And let's see, there we were going to go to 10.10.150.64. I said that it's just going to look like it's spinning there. So if we go back, let's make sure that we're seeing that right: navigate to the web application hosted on the VM, note that the page appears to be continuously loading, change back, now we have a request waiting in our Intercept tab. Let's make sure that we have that. Let's drop that; so these are like a whole bunch, just because I actually had the web browser opened up. In the Firefox browser I had TryHackMe opened up, so there's actually a whole bunch of these other ones that were waiting. Oh, now we're waiting to be approved, and that was the one that I needed. So let's go back and just do that again real quick; we're going to go here, do that again, and that's going to spin, and here we go. Okay, so we see that this request came in going here to port 80.
We see that it's a GET request, and what do they want us to do? Probably want us to accept it. So: return to your browser, take a look at the actions, which shortcut allows us to forward the request on to Repeater? Maybe, probably Forward. Oh, what shortcut? So Ctrl+R, okay. Oh, plus R, do not do that, right. Let's see, make sure we got that: C-T-R-L, that's probably all capital, CTRL-R, let's try that. There we go. And what if we wanted to forward the request to Intruder? I think that was Ctrl-I. Okay. Burp Suite saves the history of requests sent through the proxy along with varying details. This can be especially useful when we need to have proof of our actions for a pen test report, or where we want to modify and resend a request we sent a while back. What is the name of the first section wherein general web requests are saved? Is that going to be maybe HTTP history? Maybe. That looks good to me, yep. Defined in RFC 6455 as a low-latency communication protocol that doesn't require HTTP encapsulation, what is the name of the second section of our saved history in Burp Suite? These are commonly used in collaborative applications which require real-time updates. So that was saying the second one, WebSockets, is that what they were talking about? WebSockets history, that looks like it. Cool. Before we move on to exploring our target definition, let's take a look at some of the advanced customization that we can utilize within the Burp proxy. Move over to the Options section of the Proxy tab and scroll down to Intercept Client Requests. Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our "only" AND rule; what is its match type? So we're going over to the Options section of the Proxy tab, Intercept, and the match type is URL. Okay, so you do have some other options, so you can match on different things: request method, file extensions, but
that was URL. How about its relationship? In this situation, enabling this match rule can be incredibly useful following target definition, as we can effectively leave Intercept on permanently (unless we need to navigate without Intercept), as it won't disturb sites which are outside of our scope, something which is particularly nice if we need to Google something in the same browser. This relationship is "is in target scope". Cool. All right, any questions so far before we move on to target definitions? I'm going to take a sip of water real quick. "Hey Joe, just want to thank you for making these videos, makes me feel like I have a study..." Oh, that's awesome, glad you're finding the videos useful. It's useful for me too, just going through all this stuff, because it's kind of good to do a refresh on this, especially as it's not stuff that I normally use in my day-to-day work, so it's fun to go back and do this type of stuff. All right, target definition. So we did the proxy stuff first; now we're going to look at target definition, and this is where we're going to be able to define our scope, view a site map, and specify our issue definitions, and they say, although this is more useful within report generation or scanning. So when starting a web application test, you'll very likely be provided with a few things: the URL of the web app that you're going to be testing; a list of different users and roles within the application, maybe some test accounts or other types of credentials that are associated with the application; a list of forms or pieces of the application which are out of scope for testing and should be avoided, right, so maybe some stuff that, if you end up messing with it, might actually break some stuff. From this information we can now start to build the scope within Burp, something which is incredibly important in the case we're planning on performing any type of automated test. Yeah, you want to make sure that that's locked down so you
aren't wasting time or causing any type of impact. So typically this is done in a tiered approach wherein we work our way up from the lowest privileged accounts, so maybe even in some cases that's a web server where there isn't any type of credentials, right, you're just able to openly access general use information that's on there, and then, if there are some other types of forms to log in, going up from the lower credentials to higher credentials. Hey Mitchell, I appreciate that, thank you very much, that's awesome, glad you're enjoying it. Let's see, talking about building a scope: lowest privileged accounts first; browsing as a normal user would, browsing to discover the full extent of the site, is commonly referred to as the happy path. Following the creation of a site map by browsing the happy path, we can go through and start removing various items from scope. These items typically fit one of these criteria: the item has been designated as out of scope; automated exploitation of the item would cause a huge mess, especially in a credentialed manner (so they're talking about something like trying to do some type of login that would end up kicking off a whole bunch of, let's say in this case, password reset emails; yeah, that's no good); automated exploitation would lead to damaging or potentially crashing the web app. Right, so those are some ideas of some areas that we would want to avoid on the app. Once we've removed or restricted those potentially dangerous items from our scope, we can move on to other areas of testing with the various tools of Burp Suite. Okay, so before leaving the Proxy tab, switch Intercept to disabled. We'll still see the pages we navigate to in our history and Target tab, but we won't have to be constantly approving the requests as they go through. So we're going to go to Proxy, Intercept, and turn that off. Cool, done. Navigate to the Target tab in
Burp. In our last proxy task we browsed the website on our target machine; find our target site in this list and Add to scope. So that's cool, that based off of what you've already gone through, you can then highlight that and add it to your scope. So, oh, what's that? We go to Target, we have it here, and go Add to scope. "You've added an item to the target scope. Do you want the proxy to stop sending out-of-scope items to the history or to other Burp tools?" I don't think that we need to hit that, no. Okay, so that then took that and added it into our target scope. Oh, I should have hit Yes on that; oh well, no worries. Browse around the rest of the application to build out our page structure in the Target tab. Once you've visited most of the pages of the site, return to Burp Suite and expand the various levels of the application directory. So we're just going to go back here, and we got, oh, come back, it's finicky. Okay, so we got a whole bunch of stuff: we got a login, customer feedback, we've got a whole bunch of different things. That's just changing the language, About Us; there's going to be links going elsewhere, those are external links so we're not going to care about that too much. And if we go and look at some different things here, we just click on some different stuff and go to the next page, cool. Yeah, if we wanted to go search on "juice", let's poke around and see what this does; we've got search results for that, cool, okay, that seems reasonable. So, browse the application; once you've visited most of the pages of the site, yeah, return there and expand the various levels of the application directory. What do we call this representation of the web application? I think it's going to be a site map, yup. Okay, let's go back and look at the site map. So a bunch of things that were picked up there: products, those are going to be the different things we clicked on, right, all the different products that we clicked on, different things. Yeah, so we got some stuff in there. All right, what is the
term for browsing the application as a normal user prior to examining it further? I think that was called perfect path, is that what they called it, or not perfect, happy path, there we go, happy path. One last thing before moving on: within the Target tab you may have noticed a sub-tab for Issue definitions. So, tab for Issue definitions, yeah, there we go. So these are all different things that can be detected by Burp Suite, a whole bunch of stuff, go by severity or alphabetically, okay. The issue definitions found here are how Burp Suite defines issues within reporting. While getting started, these issue definitions can be particularly helpful for understanding and categorizing the various types of findings that we might have. Which poisoning issue arises when an application behind a cache processes input that is not included in the cache key? Would be nice if I could search on that, at least for something with "cache"; let's see, that might be web cache poisoning, "cache processes input that is not included", there we go, web cache poisoning. There we go. Moving on to Repeater. Any other questions before we hit that up? We're moving along, not doing too bad, about halfway through it I think; yeah, I think extra credit doesn't count, so I think it only goes to 13.
So all right, as the name suggests, Repeater allows us to repeat requests we've already made. These requests can either be reissued as-is, or we can modify the request and then resend them. Contrasted with Intruder, Repeater is typically used for the purpose of experimentation or more fine-tuned exploitation wherein automation may not be desired, so this might be a little bit more boutique. We'll be checking out Repeater with the goal of finding a proof of concept demonstrating that Juice Shop is vulnerable to SQL injection. Sweet. All right, to start, we're going to click on the Account in the top right corner of the page. Go back here, was that it that we had there? So yeah, so it might be "Login" if we're using a different Juice Shop version. So we're just going to make something up; we're going to go test at cyber-in-site dot com, we'll just make something up: "Invalid email or password". But wait, didn't we want to send that request to Repeater? Even though we didn't send it to Repeater initially via Intercept, we can still find the request in our history. Switch over to the HTTP history sub-tab of Proxy, look through the requests until you find our failed login attempt, right-click on this request and then send it to Repeater, and then send it to Intruder too.
Okay, so if we go back now, we go to Proxy, HTTP history, so yep, that would be our login, we can see that there. So we're going to Send to Repeater and Intruder, I believe is what they wanted us to do: send it to Repeater and then send it to Intruder. Okay. Now that we've sent the request to Repeater, let's try adjusting the request such that we are sending a single quote as both the email and password. And now we are getting into some SQL injection stuff here, which is cool. Let's see, so, Repeater, that's what we're doing under now. We're going to go to Raw. Let's adjust the request such that we're sending a single quote; I'm just going to get rid of that, single quote, and then we're going to Send. Bam, and then the error that we get is SQLITE_ERROR; let's capitalize all that, SQLITE_ERROR. Cool. Now that we've leveraged Repeater to gain proof of concept that Juice Shop's login is vulnerable to SQL injection, let's try something a little more mischievous and attempt to leave a devastating zero-star review. First click on the drawer button in the top left of the application. Okay, let's see, it doesn't look like we have that there, so they said to move on if we don't. Go to Customer Feedback, try that, and that doesn't look like we did get that; "You successfully solved the challenge: Error Handling", okay. Let's see what that was trying to get to, Customer Feedback, let's see where that is; along the top of the page next to Login, under Contact Us, nothing there. Just try clicking on it and see if we can do this within Burp Proxy on submit feedback, on the POST request. So I should be able to maybe do that here, I don't know; test review, submit, then I should be able to go to Proxy, submit feedback, right, yeah, yep, and then I should be able to send that to Repeater, Send to Repeater, and I should just be able to go like this, updated preview, okay. What field do we have to modify in order to submit a zero-star review? Maybe, let's see if I got this right.
Nope, it's kind of weird because I'm not actually seeing that on there, so we might just have to skip that because I'm not seeing it. I think what they're looking for is a... let's just see if it's under contact us, customer feedback. Oh, here we go. Okay, so the area that we'd have to do is like a rating. 10 is gonna be zero, boo. Oh, do multiplication first, so 40 negative 30. There we go. Okay, now let's go see what that was. The thing is, the section I think is going to be called rating. We should be able to see that there, yeah, comment, yeah, it's rating. Okay, so we will go rating, and the thing that they wanted us to do, because we couldn't submit a zero star, right, I think it had to be one through whatever. We can still go send that to Repeater. It's gonna be rating here, we can go zero, send. There we go. Oh, let's go try that. There we go, and we gave it a zero rating. All right, let's knock those out.

All right, moving on to task nine, Intruder. All right, any questions with this before we move on? There's a task file we got to download. I already downloaded that and have that on the desktop, so we should be good to go with that. We are almost an hour in, but we are powering through this. All right, arguably the most powerful tool in Burp Suite is Intruder, which can be used for many things, including fuzzing and brute force, and at the core of what it's able to do is automation. While Repeater best handles experimentation or one-off testing, Intruder is meant to repeat testing once a proof of concept has been established. So some common use cases are enumerating identifiers such as usernames, cycling through sessions or password recovery tokens, and attempting simple password guessing; also harvesting user data from profiles, and fuzzing for different types of vulnerabilities including file path traversal, cross-site scripting and SQL injection.

To accomplish this there's four different types of attacks that Intruder uses. Sniper, which is the most popular type of attack, cycles through our selected positions, putting the next available payload (so in this case it might be items from a word list or password list) in each position in turn. So kind of just cycling through, almost like a dictionary attack. This uses only one set of payloads, or in essence one word list. After Sniper is Battering Ram, which only uses one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position. Think of how a battering ram makes contact across a large surface with a single surface, hence the name Battering Ram for this type of attack. Pitchfork attacks allow us to use multiple payload sets, one per position selected, and iterate through both payload sets simultaneously. For example, if we selected two positions, say a user field and a password field, we can provide a username and password payload list, right. Intruder can then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equaling the smallest payload set provided. Cluster Bomb attack allows us to use multiple payload sets, again one per position selected, and iterate through all combinations of the payload lists we provide. For example, if we selected two positions again, say a username and password field, we can provide a username and password payload list. Intruder will then cycle through the combinations of the usernames and passwords, resulting in the total number of combinations equaling usernames times passwords. Do note this can get pretty lengthy if you're using the Community edition of Burp; hopefully they do not have us doing that. For our purposes we will be returning to the SQL injection vulnerability we previously discovered using Repeater.

Okay, so what type of attack allows us to select multiple payload sets, one per position, and iterate through them simultaneously? I think that was Pitchfork. What type of attack allows us to use one payload set in every single position we've selected simultaneously? Battering Ram. What type of attack allows us to select multiple payload sets, one per position, and iterate through all possible combinations? Cluster Bomb. And perhaps the most commonly used one, which is up at the top, with Sniper. Then it wanted us to download the word list, which we've already done. Return to the Intruder tab. In the previous task we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in Intruder with this request and now verify that Sniper is selected as our attack type. Sniper is selected as our attack type, yes, okay. Burp attempts to automatically highlight possible fields of interest for Intruder; however, it doesn't have it quite right for what we're looking for at this instance. Hit Clear on the right-hand side to clear the selected fields. So it kind of highlighted this, this, this, this and this, so we're going to clear that. Next, let's highlight the email field between the double quotes. This will be whatever you entered in the email field of your previously failed attempt. So we're going to highlight that and then we're going to select Add. Was it we're highlighting the whole thing or just the field? Just the field between the double quotes, okay, cool. We're gonna go add that. Now let's switch to the Payloads sub-tab of Intruder. Once there, hit Load and select the word list that we previously downloaded. So that was the Payloads sub-tab and then Load, and then it should be... x platform, there we go. Okay, hit Load and select the word list you previously downloaded. Almost there. Scroll down and uncheck "URL-encode these characters". We don't want to have these characters in our payloads be encoded, as they otherwise won't be recognized by SQL. We do not want that, so we're unchecking that. Cool, yep. Finally, start the attack. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication? So start attack. So we're looking for a status of 200 here. See how this goes. So it's going through, what, 83 different things that could potentially evoke some type of SQL injection. Okay, let that keep going. There we go, so the first one we hit was this guy. So it's a, apostrophe, or 1=1 dash dash. Let's get that, we'll copy that over. No, how does that want that? a or one... okay, a or 1. You call this one... no, what am I doing wrong here? There we go. All right, as it turns out the machines are better at math than us, obviously.

While not commonly used in a practice environment, Sequencer represents a core tool in proper web application pen testing. Burp Sequencer is a tool for analyzing the quality of randomness in application session tokens and other important data that are otherwise intended to be unpredictable. Yeah, so if you can figure out that the sessions or those tokens aren't actually random, then you are able to determine what those tokens are going to be, and then you can spoof the tokens. I think that's kind of the point in what you're trying to test against: make sure that isn't happening. So some commonly analyzed items include session tokens, site request forgery tokens, password reset tokens sent with the password reset request that in theory uniquely tie users with their password reset requests. Take a quick peek at how we can use Sequencer to examine session cookies which Juice Shop issues. Okay, so switch over to the HTTP history sub-tab of Proxy. We're going to dig for a response which issues a cookie. Parse through the various responses we receive from Juice Shop until you find one that includes a Set-Cookie header. All right, let's get out of that. Okay, Proxy, so we're looking for a response with a Set-Cookie header. Can I... oh, I wish I had Pro, that would be a lot easier. Let's see, make sure that request, response, and let's see if we can find, maybe same origin, let's see. Let's see if we can find... it just wants a right click and send to Sequencer, a response which issues a cookie. Hmm, now I'm just not seeing something there for that. I'll poke around a little bit more, but if we don't find it then we can just move on. Let's see if it'll... login, API challenge. We're kind of looking, or at least I figure I'm looking, for something where the login might have gone through. Yeah, we just might skip all of that if we can't find it, because I don't want to sit here for too long. Hmm, what was it asking for? Yeah, yeah, if I had the Pro, then I would just search for the Set-Cookie header within that and we'd be able to identify that. So we will just move on from that. And so what we would have done with that, once we found the request that issues a cookie: we would have right-clicked on it, we would send it to Sequencer, change over to Sequencer, started live capture, which would have collected a whole bunch of different requests, and then we would have analyzed that. Then based off of that we would parse through the results, and the effective estimated entropy would have been measured in, I think it's bits. Let's see, we can go and look at that if we go over to Sequencer, token handling. All right, I think what it is called is bits, we'll see. Yeah. And in order to find usable bits of entropy we often have to make some adjustments to have a normalized data set. What item is converted in this process? The token, yeah, okay. And then you could look through the rest of that. So sorry about that, that we couldn't necessarily find that, but I didn't want to sit there going through all those packets for a super long time. So let's move on to task 11.
All right, Decoder and Comparer. While lesser tools within Burp Suite, they're still essential to understand and leverage as part of being a professional web app tester. As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding and encoding to various bases or URL encoding. We can chain these transforms together, and Decoder will automatically spawn an additional tier each time we select a decoder, encoder or hash. Similarly, Comparer, as you might have guessed, is the tool that we use to compare different responses or other pieces of data such as site maps or proxy histories. They say that this is very similar to the Linux tool diff. Common uses for Comparer are when looking for username enumeration conditions: you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in the response. This is also sometimes useful when enumerating password recovery forms or similar recovery or account access mechanisms. Another thing that it might be good for is when an Intruder attack has resulted in some very large responses with different lengths than the base response; you can compare these to quickly see what the difference is.

So let's take a look. Let's first take a look at Decoder by revisiting an old friend. Previously we discovered the scoreboard within the site's JavaScript. Return to our Target tab, find the API endpoint highlighted in the following request. I don't remember that we saw that, but let's go take a look, and that was under Target, site map, API challenges, scoreboard, here we go. Okay, so we're going to copy the first line of that request and paste it into Decoder. Is that what that was? Let's see what that was saying: return to, find the, if yes, copy the first line of that request and paste it into Decoder and then select decode as. Okay, let's see, it doesn't like that. Let's try copy, Decoder. That's annoying.
Maybe I have to send to Decoder, let's try that. Okay, decode as URL, so that %20 just acts as a space, yep. Similarly to CyberChef, Decoder also has a magic mode where it will automatically attempt to decode the input as provided. What is this mode called? Smart decode. We can load in Comparer to see differences in what various user roles can access. This is very useful to check for access control issues. What can we load? Is that like a user list or word list? Site maps, see if that's it, yep. Comparer can perform a diff against two different metrics; which one allows us to examine the data loaded in as-is rather than breaking it down into bytes? Words, okay, cool.

All right, almost there. Installing some mods. So Extender: similar to adding mods to games like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions and more. Here are some of the most popular extensions I suggest checking out; not all of them are free, so be aware of that. So they have a whole bunch here. Let's see: Logger++ is some enhanced logging; Request Smuggler allows you to smuggle requests to back-end servers; Autorize is useful for authentication testing; Burp Team Server allows for some collaboration; Retire checks for out-of-date JavaScript libraries and vulnerabilities; J2EE Scan is looking at some Java stuff; Request Timer captures response times for requests; and I'm sure there's a whole bunch more. So let's go ahead and switch over to the Options tab of Extender, scroll down until you reach the Python section. Note that it requires a standalone edition of Jython. Let's see, yup, there we go. Download the standalone version from here. I should be able to just do that like that. Yeah, we're cool with that, I'll do that. Okay, now I meant to do that, I did that in the wrong browser, I knew that was going to happen, that's okay. Here we go, are we under here? Let's try that again, and standalone, yep, that was quick, which is good, and we should be able to go there. Okay, did that. Turn back to Burp Suite, select file, did that, yep, cool. Switch to the BApp Store sub-tab of Extender and look through the various extensions offered. And there's a whole bunch of different ones that are there that we could get. And which extension allows us to bookmark various requests? I'm gonna say Bookmarks, sounds reasonable. Let's see, cool. All right, now we are on to the last one.

All right, before we conclude, let's take a look into some features of Burp Suite Professional: the Burp Suite scanner and Collaborator client. Arguably the most powerful feature in Burp Suite is the Burp Suite scanner, which allows us to passively and actively scan and spider the website we're testing for vulnerabilities. In Burp's 2.0 task-based model we can launch these scans, scanner and spider, from the dashboard and let them run in the background while we continue to examine the web app. In this case we can run an unauthenticated scan against Juice Shop, or they have run an unauthenticated scan against Juice Shop and attached it to this task. These reports can provide a starting place for further enumeration and exploitation via other Burp tools commonly used in manual tests. Collaborator client allows us to gain insight into issues that may otherwise seem to produce no output. Often during testing we may come across items which, either due to timing or slowness of the web app or lack of any reactions, are likely vulnerable but don't produce surefire indicators. With Collaborator, however, we can produce out-of-band alerts via generating payloads that reach back to Burp Suite servers for us. Cool. Okay, so we downloaded the report. Let's take a look at what the only critical issue was. We should be able to... ah, so that is this one here, and what do they say that is? That is a really long... so it's going to be a socket.io, and the issue is cross-origin resource sharing: arbitrary origin trusted. Cross-origin resource sharing, see, there we go. Yep, cross-origin resource sharing: arbitrary origin trusted. All right, so let's see if we can paste that there. Perfect. How many certain low issues did Burp find? Certain low, take a look. So if we're looking kind of at these colors here, certain low is going to be 12. Sweet, right.

And they do mention some extra credit, which we are not doing obviously, but there are additional, what is that, classes or training that you can do, both... what is that, with PortSwigger I think. So yeah, if you want to go learn some more, get your hands dirty a little bit more with some Burp Suite, then that would be pretty cool. So that kind of wraps all of that up. Not too bad, I thought it was going to be a little bit longer than our normal stuff, so about an hour and a half. But yeah, pretty good breakdown of Burp in general. So we talked about installation, we talked about overviews of all the different features, even dark mode. Then we talked about using the proxy setting and using that with FoxyProxy through a web browser to be able to allow us to see and manipulate data that's going between the web browser and whatever web app we're testing. Talked about target definitions, so identifying the scope of what it is that is within scope for whatever it is that we're trying to test, both from a URL perspective and an IP perspective; even within the site map we can identify certain places that are either in or out of scope. We talked about using Repeater to be able to send multiple attempts. We talked about Intruder and kind of modifying some different things. Then we looked at Sequencer, and we talked about Decoder and Comparer a little bit, covered the mod stuff briefly, and then the last bit dealing with the automated testing that we can do, the proxy and the spidering, and then the reports that are generated from that. So yeah, that was quite a bit. I appreciate all of you who stuck around for this. Go and do this room yourself if you do have a TryHackMe subscription. I think this one actually is a paid room, so if you have the free account I don't think you'll be able to use the VMs, but honestly you can just go, if you have Kali Linux, you can use the Burp Suite Community on that, or as I mentioned you actually can download Burp Suite on different OSes, so you can do that, and then you can download some different test web apps that are available. Don't take this and use this and point it towards anything out on the internet that you don't have permission to scan; that would be a bad thing, yeah, so don't do that. We don't want to get in trouble, and I don't want my videos being taken down because somebody came here and watched this and then went and did something dumb and I got in trouble for it. So, Professor Black Ops, great video, appreciate you hanging out on a Friday, that's always good. Any other questions or comments before we wrap it up? I'm sure people are hungry, want to go jump into the weekend at this point. So if not, then I appreciate everybody who's watching this. As I mentioned, I'm kind of back from my summer break, so we're gonna start spinning these up again frequently. I think we're almost done with all the PenTest+ rooms, so I think we're going to start looking at doing some more Windows-specific stuff and then maybe some of the blue team stuff, I think would be kind of cool. And then obviously we're going to keep doing other videos that aren't necessarily related to pen testing; I'm sure there's plenty of networking and system stuff that people want to hear about too, so we can always jump into that. So all right, well, I appreciate everybody. Again, make sure you smash the like button, share the video, subscribe if you haven't already. Go get at it, go have a great weekend, and we will talk soon. All right, bye.
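The four Intruder attack types walked through in the Intruder section (Sniper, Battering Ram, Pitchfork, Cluster Bomb), as an added Python example; this is not code from the video, TryHackMe or PortSwigger. It expands a constructed, §-marked login body into the individual requests each attack type would send, so the request counts the video states (positions times payloads for Sniper, the smallest set for Pitchfork, usernames times passwords for Cluster Bomb) can be checked directly, and its `encode` flag shows why the video unchecks "URL-encode these characters": a single-quote payload would otherwise leave as `%27`. The template text, payload lists and function names are assumptions made for the illustration, and the code handles any number of positions, not only the two in the video.

```python
"""Added example: how Burp Intruder's four attack types expand payload sets
into individual requests. Not the video's or PortSwigger's code; the template,
payload lists and function names are assumed for illustration only."""
from itertools import product
from typing import List, Sequence, Tuple
from urllib.parse import quote

MARKER = "§"  # Burp's payload-position delimiter

# Constructed login body with two marked positions (not a request captured from
# the lab). The text between the markers is the base value Burp keeps in a
# position that the current attack type is not filling.
TEMPLATE = '{"email":"§test@example.com§","password":"§secret§"}'


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Split a §-marked template into literal fragments and base values."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts[0::2], parts[1::2]


def render(literals: Sequence[str], values: Sequence[str], encode: bool = False) -> str:
    """Reassemble one request body from literals and per-position values.
    encode=True mimics the 'URL-encode these characters' option: ' becomes %27,
    which is why the video unchecks it before sending SQL test payloads."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(quote(value, safe="") if encode else value)
        out.append(literal)
    return "".join(out)


def sniper(template: str, payloads: Sequence[str], encode: bool = False) -> List[str]:
    """One payload set; each position takes each payload in turn while every
    other position keeps its base value. Requests = positions x payloads."""
    literals, bases = split_template(template)
    requests = []
    for i in range(len(bases)):
        for payload in payloads:
            values = list(bases)
            values[i] = payload
            requests.append(render(literals, values, encode))
    return requests


def battering_ram(template: str, payloads: Sequence[str], encode: bool = False) -> List[str]:
    """One payload set; the same payload goes into every position at once.
    Requests = payloads."""
    literals, bases = split_template(template)
    return [render(literals, [p] * len(bases), encode) for p in payloads]


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]], encode: bool = False) -> List[str]:
    """One set per position, walked in lockstep; zip stops at the shortest set.
    Requests = size of the smallest set."""
    literals, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("pitchfork needs exactly one payload set per position")
    return [render(literals, combo, encode) for combo in zip(*payload_sets)]


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]], encode: bool = False) -> List[str]:
    """One set per position, every combination. Requests = product of set sizes."""
    literals, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    return [render(literals, combo, encode) for combo in product(*payload_sets)]


if __name__ == "__main__":
    one_set = ["p1", "p2", "p3"]                  # constructed word list
    two_sets = [["u1", "u2", "u3"], ["w1", "w2"]]  # constructed user/password lists
    print("sniper       ", len(sniper(TEMPLATE, one_set)))
    print("battering ram", len(battering_ram(TEMPLATE, one_set)))
    print("pitchfork    ", len(pitchfork(TEMPLATE, two_sets)))
    print("cluster bomb ", len(cluster_bomb(TEMPLATE, two_sets)))
    # With encoding left on, the single quote the video sends would arrive as %27.
    print(battering_ram(TEMPLATE, ["'"], encode=True)[0])
```

Running the file prints the four request counts (6, 3, 2 and 6 for the constructed lists) followed by the encoded body, which makes the Community-edition warning in the video concrete: Cluster Bomb grows as the product of the list sizes, so two modest word lists already multiply into thousands of requests.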
Info
Channel: CyberInsight
Views: 6,577
Keywords: tryhackme burp suite, tryhackme burp suite tutorial, comptia pentest+ lab, pentest+ burp suite, tryhackme pentest+ burp suite, pentest+ lab, pentest+ burp suite lab, tryhackme pentesting, burp suite for beginners, burp suite tryhackme, burp suite tutorial, burp suite lab, cyberinsight, tryhackme burp suite walkthrough, pentest+ web lab, web security tryhackme, burp suite 101, oscp burp suite, oscp burp suite lab, burpsuite, burp suite basics, PT0-002, new pentest+
Id: x4qhGxrYJBk
Length: 89min 5sec (5345 seconds)
Published: Sat Jul 31 2021