Burp Suite Tutorial | BurpSuite Basics | Burp Suite For Beginners | Bug Bounty For Beginners

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

thanks for joining the video guys my name is sunny so in this tutorial i will be teaching you the de facto tool for bug bounty hunters or web pen testers yes you guessed it right the mighty purp suite and i have created this tutorial specifically for absolute beginners and let me assure you even if you know the basics of burp sweet then i'm pretty certain that you are going to take away something from this tutorial because i have covered most of the you can say the core components of burp sweet in great detail so guys if you are just starting out then this tutorial is gonna help you a lot so guys let me give you a brief theoretical overview of burp suite burps with is basically a tool that you can use for for you know finding loopholes or you can say bugs on a web application and let me tell you burp suite is undoubtedly the best tool available out there for finding bugs in a web application basically guys burp suite is a proxy now what does it mean when i say that burp suite is a proxy i will explain proxy later in the video when we will you know actually do the practical because in that way it will be a lot more easier to understand what the proxy is and how does it work we will start from absolutely scratch from setting up the proxy then you know configuring the target scope then we will move to the the very important tool called intruder intruder is a very vast tool that you can use for brute forcing usernames and passwords on a web application but intruder basically does a lot more than just brute forcing that you are gonna find out later in the video then we will move to the sequencer then we have to like like encoder encoder tool basically lets you you know encode or decode data in multiple forms then we have something called repeater repeater allows you to modify the requests so guys without wasting a single bit let's begin burp suite is pre-installed on operating systems like kali linux and apparatus in order to download burp suite for platforms like mac or windows go to the portswigger.net and in product menu go for burp suite community edition then from here you can download the the burp suite from this button just hit the button and your downloading should start right away installation steps are very simple after installing start the burp suite in order to start burp suite on kali linux just type sudo burp suite and hit enter on your first run burp suite going to ask you to accept its terms click on i agree from this page temporary project is the automatic selection because community version of burp suite does not allow you to save project into hard disk so click on next here you can use burp defaults basically the default configurations of burp suite or you can load configurations from an existing file just click on load from configuration file since we are just starting out let it be use burp defaults click on start burp suite so guys this is the burp suite as you can see it is absolutely overwhelming especially for a beginner but do not worry i will explain all these fancy tools in the best possible manner step by step all right so guys before doing anything practical i want you guys to update the burp suite to the latest version because if you are using an older version of the burp suite then you are missing out on many key features that i am going to use in this tutorial so go to the help click on check for updates and if you are using burp suite on kali linux then run the sudo apt-get update and sudo apt-get dist upgrade command then it then the command should upgrade all the packages including the burp suite all right now guys the first thing that i'm going to do i will change the font size as you can see the default fonts are barely visible so go to the user options and under the display tab we have font size now select the size from the menu that fits you 14 should be enough and we can change the theme as well click on theme and let's switch to the dark as you can see guys dark theme is certainly better in my opinion but for the the recording purpose light is better so i'm switching back to light theme and back to the dashboard so guys here burp suite displays all the links that it is it has crawled or either it is crawling and down here it displays uh you know all the information as you can see this is the event log section basically it displays everything that you know burp suite does in the background if any error pops up then we can certainly identify here and then fix accordingly on your left side right side these features are available to prove version only as you can see basically guys the difference between the community version and the pro version is the automation with the pro version but suite kind of automates most of the tasks but i assure you the the community version is more than enough to find the vulnerabilities all right even with pro version you will have to do a lot of you know manual stuff now uh click on the proxy tab now let's understand how the proxy section works so click on proxy proxy is absolutely essential part of the purp suite because in the proxy section we can monitor the requests that you send out from your web browser and the responses that that you get back from the servers proxy section also keeps track of the urls that you have visited so let's understand how the proxy works earlier in the tutorial i specifically mentioned that burp suite is a proxy basically burp suite sits between your web browser and the server let me simplify this when you search anything from your web browser on let's say search engine like google the search query directly goes to the google server and then google responds back by sending the search result back to your web browser so this is how a normal flow of communication is but when you set up a proxy like burp suite the request that you send out from your web browser gets intercepted by the proxy then we can you know decide what to do with the request whether to forward the request to to server or just drop or delete it here now guys your question may be why does burp suite need to intercept the requests or urls that is because the tools that you are seeing here they need data to work and in web applications data is passed uh through urls so proxy section basically intercepts the urls and then we can you know forward the urls or requests to appropriate tools now down here you can see use burps embedded browser if you click on open browser then it should open up the embedded browser now guys this browser the embedded browser is specifically configured to work with burp suite and this browser basically comes along with the installation of burp suite and you can also configure external browsers like firefox to work with burp suite there you will have to you know perform additional tasks like installing see a certificate then you know setting up your entire browser as the proxy if you go to the dashboard down here you can see proxy started on one two seven basically this is the local host and 8080 is the port number basically inbuilt browser is automatically configured to listen all the incoming traffic on port number 8080 so guys what i recommend is update the burp suite to the latest version because the inbuilt browser works absolutely you know flawlessly in the latest version now let me actually demonstrate what i explained a few moments ago make sure to turn on the intercept feature now back to the browser and let me request let's say youtube and press ctrl and enter it will automatically add dot com as you can see burp suite is flashing and if i go to the proxy as you can see it has intercepted the request that i made from my web browser youtube.com and if i go back to the browser as you can see it is hanging here it is because browser is waiting burp suite to forward the request that it is holding or has intercepted and we can drop or delete the request right here but i'm going to forward now if i go back to the web browser as you can see youtube has been loaded into my web browser and you can notice a strange thing here not secure this is because burp suite removes the ssl layer ssl layer basically encrypts the traffic that a web application receives and sends out and burp suite needs data in plain text to work now back to the burp suite and let me forward the remaining requests now go to the http history http history basically saves the urls that you have visited as you can see youtube and down here we have these bunch of you know javascript files basically these files are linked to the the youtube purpose with crawls everything all the links that are linked to the website that's how guys the purp suite proxy works now that we have understood how the the burp suite proxy works we can move to the next uh thing called a target so click on target tab by default burp suite basically intercepts all the web applications or urls that you visit and when you are actually doing or or testing a website then you don't care about you know anything else except the website or application that you are testing so guys that's where we can use you know uh target scope feature in the burp suite basically target scope allows us to you know tell burp suite uh to crawl the application that you are testing it will ignore everything and only intercept the application that you are testing so there are two methods for adding a website into the target scope actually before adding an item into the target scope let me explain these links as you can see we have these bunch of links in two colors gray and and the black fonts and the gray font basically is indicating that you have visited the website and these black colored fonts uh are basically the sites that are linked to the youtube all right we haven't actually visited them and these links are basically linked to the youtube perp suite basically crawls all the links that it finds in a web applications now in order to add an item into the target scope we have two options first one you can right click on the application that you want to add to the target scope click on add to scope go with yes click on scope and here you can see guys it has added the url into the target scope and the second method that we can use let me remove the existing url first click on add write the full url https www.youtube.com now click on ok as you can see item has been added to the target scope and we have to complete two more additional steps go to the proxy and options check the button from intercept client request section and check the button from responses section as well now we are good to go now let's actually check whether the target scope is working or not and youtube is in our scope so let me visit let's say if this pops up click on keep it gold.com now as you can see guys it hasn't been intercepted and because it is not in our scope now let me actually visit the website which is in our scope i think it is youtube as you can see guys it has intercepted the site which is in our scope so i'm going to forward it hopefully guys you have understood how the the proxy and target scope works now we can filter out you know these unnecessary links just click on the box which says filter click on show only in scope items now click outside the box as you can see we only have the you know item or url which is in our scope now you can basically you know now check out the file structure how files are saved in the in the server as you can see now guys that we have understood how the core components of burp suite work we can finally move to the next component called intruder and intruder is personally my favorite part of the burp suite basically intruder allows you to brute force usernames and passwords in a web application and intruder is the most flexible tool available out there for brute forcing and intruder does a lot more than just brute forcing you can automate attacks like sql injection or xss as well alright you are gonna find out later in the video now guys i am going to demonstrate intruder in another website so i will have to remove uh website from our target scope so in target scope let me remove youtube from the from the proxy section under options we have to uncheck buttons from intercept requests and responses sections as well back to the intercept if you see this button logging off out of scope proxy traffic is disabled then re-enable this and from the http history i'm gonna get rid of all the junk that we have intercepted right click and delete selected items back to the intercept i'm going to turn off the intercept feature for a bit back to the browser the website that i am going to use for for demonstrating intruder is acunetix basically this website allows you to test your web pen testing skills online in a legal environment so visit the domain test php dot one lab now let me turn on the intercept feature and i'm gonna visit sign up back to the work suite and let me forward the request so guys this is the page login page where we are gonna test the intruder and in the username field let me type test and in password field i'm gonna type a random password and down here you can see the password that i have put in here is the correct this is very much intentional you are gonna find out it soon for now click on login back to the burp suite proxy as you can see it has intercepted the information that we passed to to our login form and we can check the parameters that we sent out to the forms on your right side as you can see if you click on body parameter the information is listed in much more you know organized way now we can send this information to any of these tools all you need to do right click in the blank area and then you can send information to any tool for now i'm gonna send it to intruder as you can see intruder has flashed if i go to the intruder as you can see intruder has received information uh from this domain so back to the proxy there is another method that you can use for sending this information to any of the the tool here just click on action then you can send information to any tool and i'm gonna forward by forwarding the information will be you know saved into the http history and in case guys you forward you know the urls or information accidentally then you can basically send information from http history tab as well and i think it is the user info page where the information was passed to from login page and down here yes as you can see if you right click on the url then you can send the sam information to any tool all right now back to the intruder as you can see guys uh we have information for these for this domain on serial number two basically information is being received in the ascending order the number one will always be the default as you can see this is the local host it will always be here now in number two now click on positions as you can see guys burp suite has marked you know a few areas as you can see basically these are the areas where we can inject the input right that's why they are being marked by default so burp suite basically thinks that you know these are the potentially vulnerable areas that you can exploit so i'm gonna clear this all these marked areas first and in the attack type menu if you click on here as you can see we have you know different types of attacks sniper battling ram pitchfork cluster bump cluster bomb i will you know demonstrate all these attacks all right for now we are gonna test this sniper now sniper attack is used in the scenarios when you already know either username or password in our case we are gonna test the passwords all right so username is going to be constant because we already know it is correct we are only gonna try the different passwords so you have to mark the field that you want to test so i am going to test the password field so i am going to select it and then from the and then hit on add as you can see field has been marked now it is going to inject passwords in the password field now click on payloads now here we have to supply the word list to the intruder as you can see payload set it is one this is because we only have to supply one word list and pillow type you can basically use all these tools that intruder provide but for now we are only gonna need simple list so down here in this box we can either load the existing word list from your hard disk or you can basically supply words manually so in order to load from your hard disk click on load and browse the location and let me and let me select this list as you can see it has listed all the words that were present inside the list so i have prepared this short list for demonstration purpose and clear button basically clears the list we can add words manually to let me add let's say root hit enter then we have two now we are good to go and click on start attack so this is just a warning pop-up there are some functionalities that are not available for the community version this is all right just click on ok sniper has you know started to inject the passwords into the password field as you can see now intruder has tried all the five passwords that we supplied to it now in order to find out which one worked there are a few methods that you can use on the length column as you can see we have you know these numbers basically length column displays the size of page in bytes as you can see for the most part it has returned length of 253 let me click on a random 253 and down here guys in the response and request and response section what basically it means request means what did you send to the login form as you can see this is the username and this is the password that we tried and in the response column as you can see response that we got is you must login means these credentials are not correct so here the trick is you will have to hunt for a different length and in our case we have the different length 6 2 7 if i click on here as you can see we supplied password and username test and then in response tab we have got a whole bunch of information basically when you login successfully a web application has to pull additional information about the user like like you know user username email and all the relevant information so naturally the page size gets bigger so this is the case here and you can analyze everything from top for example this is the you know http code as you can see it has been 200 mains page has been loaded successfully and down here you can see set cookie cookie has been set now what does it mean a web application usually sets either a cookie or session when you login successfully as you can see in our case it has set the cookie so down here let me check the response and so as you can see we have log out page it automatically means we have logged in so guys you will have to analyze everything line by line there are a few more effective methods that you can use for you know verifying whether you have logged in successfully or not and one of them is sending information to the comparer tab so i'm going to send two pages one with 373 length and another with the bigger length so select after selecting right click and send to compare compare responses as you can see compare has flashed and as you can see screen has been split into two sections in the in the top half we have information for the for the 373 bytes and down here we have for the bigger page now click on words now it is going to basically compare word by word so we can basically identify colors down here and yellow color is indicating the newly added words blue is deleted and this color is basically indicating the information that has been modified so as you can see if you analyze from the top again we have the set cookie the usual 200 response now let me scroll down here i'm going to look out for yellow text because i want to see the new information that has been loaded and let me scroll down as you can see we have absolute this is just the css down here as you can see user info your profile so your profile this is a new word and yes this is the information for the user so here you can see guys we have information for the user and if i scroll down as you can see user info page and it has basically you know pulled the information after logging in so guys that's how we can use the comparer tab now we have an interesting feature here sync view if you check this button then what this button is gonna do it scrolls both the pages simultaneously for now i can't do it because page on my left side it doesn't have the sufficient information so when you test a real world application uh there will be a plenty of information on both sides so now i'm gonna close and back to the intruder best method for finding out is just click on the request in response click on render button basically render button displays how the page is actually looking inside a web application as you can see we have log out page down here we have information for the user you can't actually you know click on these buttons it just renders and then takes the screenshot alright so guys this is probably the better method or you can see the best method so guys that's how the sniper attack works now i'm gonna close this thing out and back to the intruder now now we are gonna test the battering ram attack so i will have to clear this request i need to send the fresh request from http history so again let me send this information to the intruder and in positions let me clear the default market area and select battering ram and this time guys i will have to select both the fields now after marking both the fields we are good to go so guys what basically battering ram attack does it takes the word from a word list then inject same word into the both fields it will inject let's say a word test in the username field and same word will be injected into the password field as well this attack basically exploits the common mistake that people make like putting the same word for username and password field for example username admin and password admin so click on start attack sorry guys i will have to set the payloads before starting the attack and let me load the list and now i can start the attack now as you can see it has used all the words that we supplied if i click on any word down here in the request you can basically see it injected you know same word in the both fields as you can see it you know eventually found the correct credentials as well and we have already gone through how to check for the correct credentials now we can test another attack now let me select pitchfork in the pitchfork mode we have to supply two word lists so i am going to mark both the fields username and password first word list will be for user names and second for passwords now pitchfork mode works by taking words from both the lists one by one of course then compare them against each other for example it will take one word from user name word list and one from password word list then compare them against each other so let me start the attack again guys i forgot uh to load the payloads as you can see we have two payloads this time so let me load the same list and for the password let me start the attack so as you can see down here in the request tab it took words from both the lists then compared them against each other and eventually it was able to get the correct credentials as well now the last attack we have is the cluster bomb let me select cluster bomb cluster bomb is similar to pitch fork it also takes two word lists but it works differently for example it takes first word from username word list then compare it against each word present in the passwords word list and then it will repeat the same cycle for all the usernames and passwords all right so it also needs two word lists so i will have to mark two areas and payload let me set word list for the first payload this is username and for the second payload let me select the word list now start attack so as you can see it has tried all the combinations there are total 16 tries right and like i explained earlier it compared every single word from username word list to passwords a word list and with this attack also we were able to find correct combination eventually as you can see so guys that's how you can use the different modes of of attacks in intruder so guys earlier i also mentioned that intruder can be used for you know automating attacks like xss or sql injection so let me demonstrate that as well i will have to start my apache server because i have prepared a page specifically for the sql injection attack local host i think it's inside the demo folder i have sqsqli dot php file file not found sql i think let me remove i sqi yes this is the squi and i am going to try a an sql injection payload and let me hit enter as you can see request has been intercepted now let me send this request to intruder and in the intruder go to the positions as you can see the potential vulnerable areas have been marked let me clear them and we are going to use the default sniper attack because we only want to inject payloads into one field add back to the payloads now let me add the manual payloads and one or one equal to one and comment or one equal to one and again comment now we are good to go let me start the attack now as you can see we have different response length for the first one let me go to the response and render as you can see for this length we have try harder last payload did not work however for this payload or this payload as you can see it has leaked the information username dimalu as you can see username email all the fields have been exposed so guys that's how you can basically try a different payloads automatically now guys let's move to the repeater repeater can be used for modifying requests for example we tried sql injection in auto mode with intruder but many times you will have to perform attacks like sql injection or xss manually that's where we can make use of repeater you can send the request then it will return the response in detail so let's try it let me send the sql injection page to repeater yes this is the page let me send it to intruder sorry not intruder repeater this time and as you can see now down here i can pass the information let me modify these two or one equal to one and comment now click on send and guys as you can see we have the response payload did not work it says try harder we may need to encode the url when you perform sql injection you have to encode url for the most part and if you don't know read about url encoding so repeater tab basically gives you flexibility to encode urls as you type automatically what we can do let me it is everything and right click we have url encode as you type just click on it and now let me write the payload or 1 equal to 1 then comment and now let me send the request as you can see guys this time it has leaked the information with the url encoding so that's how guys you can you know basically try the things like sql injection manually from repeater all right now let's check decoder tab as well decoder basically allows you to encode and decode data in multiple forms so in this box if i type let's say sony now i can basically encode or decode this word in in multiple forms if i click on encode menu as you can see we have option for plain text this is already a plain text if i click on url then as you can see down here it has been encoded into the url and we have option for encoding it into base64 url as well so guys you can basically experiment around these features yourself they are relatively easy and i can also apply hashing algorithm just click on hash then we have all the relevant hashes like sha and down here as you can see we have bunch of varieties here and if you click on smart decode then data will be decoded back to its original form so guys decoder is a useful feature to have now we have something called extender now extender as the name suggests allows you to you know extend the functionalities of burp suite if you click on b app store here we have extensions for purp suite this is the marketplace and extensions are available for both free and community version as you can see and let me install auth analyzer extension just click on here on your right side you can read about the extension and down here we have option for installation let me click on the button as you can see it has been installed now as you can see in the tool bar it has added an extra button auth analyzer now you can configure this and make use of this in order to uninstall go to the extensions and here all the installed extensions will be listed just click that you want to uninstall and go for remove button yes and that's it as you can see it has been removed so guys that's pretty much it for this tutorial and thank you very much for taking your time and watching the video

Info

Channel: Sunny Dimalu The Cyborg

Views: 8,307

Rating: undefined out of 5

Keywords: burp suite, burpsuite, bug tutorial, burp suite tutorial, how to use burp suite, burpsuite for beginners, burpsuite basics, burpsuite scan website, bug bounty, burp suite tutorial in english, burpsuite sniper attacks, burpsuite intercept, burpsuite kali linux, burpsuitee proxy, bug bounty with burpsuite, burpsuite community, burpsuite professional, bug bounty practical, bug bounty xss

Id: 8cfb46-2osk

Channel Id: undefined

Length: 39min 27sec (2367 seconds)

Published: Sat Mar 13 2021