Burpsuite Basics (FREE Community Edition)

Captions
Hello everybody, my name is John Hammond. I've had a few requests for this video so I really wanted to bring it to you. I'm excited about this. In this video we're going to dive into some Burp Suite basics, but before we dive in I want to give a quick shout out and thank you to Hostinger for helping sponsor this video. If you haven't heard of Hostinger before, they are one of the best companies for web hosting and spinning up an online server. Hostinger offers a ton of plans to quickly build out a whole website and they are honestly really affordable. It's super easy to set up and use a whole new server that works right out of the box, and the prices can't be beat. You can go to hostinger.com/johnhammond to get up to, seriously, 91 percent off yearly web hosting plans. That's awesome. This is one of the best ways for you to get yourself out there, whether or not you want to be starting your own blog with WordPress or you just want a custom web page where you can share your own content and ideas. So thank you Hostinger for helping sponsor this video, and please, I really hope you guys go check them out: hostinger.com/johnhammond, 91 percent off. That's awesome.

Okay, now let's dive into some Burp Suite. If you're running Kali Linux you probably already have Burp Suite installed. If you aren't, or if you're on another distribution of Linux like me (I'm gonna assume you're on Linux; if you aren't, you should ask yourself why you aren't... I don't know what my grammar did there), all right, if you just simply Google "burp suite" you can go ahead and download it from portswigger.net. You can find the Community Edition, which you can download totally for free. The other Professional editions are much more powerful with some of the tools that they'll let you use, but in our case we don't really need them. Let's go ahead and download this. It takes a little bit of time to download it, so I already have it sort of in my opt directory, and that's where I tend to put a lot of my files or other tools. So we'll hop into there and I have a Burp Suite Community file. What you want to do to install it, if you are doing that, is to mark it executable, then you can go ahead and just run that. It's a simple .sh bash script; it'll go ahead and create some Java Runtime stuff you need to be able to work with, unpack it, run the installer, etc. I've already got that set up, so once it's installed you can go ahead and fire up Burp Suite and we have the Community Edition. I've tweaked the font size just so you can actually see it.

Originally it'll pop up with a screen that says: hey, do you want to open up a project you're already working with, or do you want to create just a simple on-the-fly temporary project? If you're doing this for some capture-the-flag oriented stuff or for a pen test... maybe for a pen test you might save a project so you can keep track of your stuff, or if you're trying to tackle a capture-the-flag challenge or just some simple picking and poking at a website, using a temporary project works just fine for us. And with that we can use our Burp defaults, or if you end up saving some of your configuration from a later use you can load that or have it kind of included in your project. Again, I'll just do this, and I'll actually set that as the default in the future so you can make that real easy. Okay, now Burp Suite will go ahead and get started for us. This is a later rendition; I'm using version 2.1.07. It has a lot of cool fancy things in the dashboard, except most of them are kind of just Pro version only, so I'll go ahead and ignore that for the time being.

Really what I want to showcase is the Burp Suite proxy. The Burp Suite proxy will allow us to do some other great things and will actually allow us to kind of get in the middle of a web request as we're accessing a web page. The way that we need to actually set that up, though, is telling our web browser to use Burp Suite as the proxy, so we can actually intercept and grab the requests and kind of manipulate them however we would like to while we're browsing through our web pages. So I'm gonna actually do that in Firefox. There is an awesome utility, a little add-on or extension you can add called FoxyProxy, that offers a nice little icon you can add to the side and actually just hop and switch between proxies you might have set. If you need to add this to Firefox, you can; I think I hit FoxyProxy Basic, yeah, that's totally fine, hit Add to Firefox if you need to. I actually do already have it set up. Once you have FoxyProxy set up and installed in Firefox (or your web browser of choice; you might need to go down a different route if you're using Chrome), go ahead and check out the options and you can go ahead and add a new proxy. You see I already have Burp Suite set up here, but I'll go through these steps to show you. Just this Add button up here with a big plus sign. You can call it "burp suite" or whatever you'd like to. The proxy type of HTTP is totally fine, and the proxy IP address is gonna end up being your own machine or your local interface, because that's where Burp is running, so I'm gonna say 127.0.0.1. You can change the color if you want to; I think the default is totally fine. And then you'll want to set the port to whatever port you have told Burp Suite to run on. By default it will use port 8080, so I will stick with that.

Okay, now that that's set up we will go ahead and set up Burp Suite, but we need to actually have a target to work against. The vessel that I'm going to use for this video to kind of showcase and teach some of the features of Burp Suite is actually going to be DVWA, or the Damn Vulnerable Web App. If you haven't seen that or heard of that, it is a super cool application that is intentionally broken and misconfigured and has pre-planned vulnerabilities for you to help learn and kind of educate yourself on how you can exploit these and take advantage of these when you see them in the wild, maybe at a bug bounty or pen test or capture the flag. We can go ahead and download it. It'll give you a zip archive and you have to set up really what you want to use for Apache or a web server to run those PHP (it's written in PHP, right) and MySQL as a back-end database, so you'll have to set up those servers and really get that software up and running. To do that really quickly I'm just gonna actually run it as a Docker container, so I'm just going to Google "docker dvwa". You can see I've clicked on this before, and we'll actually just go ahead and grab the image for running the Damn Vulnerable Web App. You can really simply run that command if you have Docker installed. If you don't, you can usually just sudo apt install docker.io, and then you might need to change your user to go into the docker group and then kind of log out and log back in so that change takes effect; then you can run docker commands and work with it. So in our case I pulled this image already, so I can quickly spin up that Docker container and we'll be ready to rock. You can see I'm actually running this interactive and it's going to use a specific port mapping: let's say 80 on my machine will map to 80 on the Docker container, and that's going to end up being our web application. So it is running, and let's go see if we can access it now on a web page. I'll just go to localhost, and I don't need to supply a port because it's just running on port 80 by default. You could change that if you want to in the docker command, but we don't have to in our case.

So by default in DVWA the login is admin and password. Go ahead and log in with that and you'll immediately be brought to a page, the database setup. This is just kind of initially configuring everything and getting the DVWA application up and running. I'm just gonna breeze through this stuff because this isn't the real Burp Suite instruction that you came for, but I'm just trying to show you everything that I did to get us up and running. Let's just go ahead and hit the Create and Reset Database here, scroll down, it says database is created, we created the users table, put data in there, etc., etc., etc. Now we can go ahead and log in, so I'll go to admin and password again as our credentials, and now we have the Damn Vulnerable Web Application ready for us to work with and tinker with.

At this point I haven't turned on our Burp Suite proxy. You can actually check out Burp Suite: it's running, Proxy over here, Intercept is on. That Proxy tab is gonna be where you spend most of your time when you're working with Burp Suite. Maybe what we could do is go ahead and actually turn on our Burp Suite proxy by using FoxyProxy now, but before I do that I want to actually specify a target scope, because if we just turned on this proxy, all of a sudden all of our communication that's going through the web page is gonna be funneled through Burp Suite, and it's gonna stop every single request and let you kind of manipulate it. Sometimes that gets a little annoying; I'll show you that. Let's say I were to turn on Burp Suite; I'll try and go to Google, maybe I'm doing some other research, or Mozilla is gonna send some stuff back and forth. I've got to move those... and okay, there it comes again. I haven't even been able to get to Google just yet. Let's go to Google, and now I've got to click through all of these, and every single request that those pages are gonna make will either Forward or Drop. Let those packets go through, but you could see them, they were displayed to you right on the screen, and Burp Suite will allow you to kind of manipulate the HTTP, or the Hypertext Transfer Protocol, that's coming through.

So let's turn off Intercept right now and let's kind of minimize really what we're looking at. The way we can do this is actually just grabbing the URL of our target. In our case I'm gonna use localhost because that's just where this is running, and we'll go ahead and, in the Target tab, all this stuff, we can go ahead and select them, right-click them and delete those because we don't care all that much. That site map will gradually build as you explore different pages that are in your scope. If you go ahead and specify that in the filter here, you can see that tab and you can click on that, and you could have it show only in-scope items or only requested items, or maybe filter by MIME type: is it an HTML page that you're looking at, are you trying to gather some JavaScript that you want to pull down, or XML for XXE attacks, etc., etc., or status code, file extension, et cetera. We could tweak those and play with that, but for right now I just want to showcase the scope that we can set. So hopping over to that sub-tab within the Target tab, let's go ahead and add a new scope and we'll just specify a prefix for the URLs that we want to match. So I know that everything I'm gonna be testing right now, because I'm working with that Damn Vulnerable Web App, is all within localhost, so let's just paste that in. Okay, now that that is enabled we should be good to go, right? Be careful. If I were to go ahead and turn the proxy right back on again, if I try to go to another page... oh okay, Firefox is gonna do its thing, I'll go to Google, make a mess, and then again all of these things are coming through and that's just nonsense.

So what you need to do, if you are wanting to turn on that target scope and you don't want to get all those other annoying notifications from other web pages that might be trying to interact with you (or maybe YouTube is over in the corner, you're listening to some music, jamming out), if you want that to be ignored by Burp Suite and just have that communication happen in place, go over to the Options tab of the Proxy. You can actually see up here that proxy listener: you can specify here's the interface you're gonna listen on, again localhost, and you can specify the port, 8080 is what we have just for now. You can edit that if you wanted to, but really what I want to showcase is how we can intercept client requests. Really what we can use now is actually, with that target scope, we can specify "And URL is in target scope", the target scope that we've already specified. That's often a box that's already ready and available for you; you just have to make sure to click it and turn it on. Now if I were to turn on, in our Proxy Intercept tab, Intercept on, so Burp Suite's gonna grab and copy and actually allow us to manipulate all of those requests (copy is not the right word, my bad), if I were to refresh on our index.php or home page of our Damn Vulnerable Web App, now it'll prevent those requests from going through without us being able to see them first. We need to be actually able to catch that and manipulate those requests. If I were to open up a new tab and go to Google or any other web page, or have YouTube running in the background, you can see Burp Suite wouldn't pop up and annoy us for some of the requests that we don't really care about. Really this is good for us to kind of keep our target really within the scope of our rules of engagement, right? All we really care about attacking and beating up and abusing is this web app; that's our target, that's what we want to be looking at.

So now with Intercept on, all I'm looking at is our Damn Vulnerable Web Application, and if I were to go through all these different pages you can see them actually grow within the site map. I'll have to forward some of these different pages that we go to, but if I look at my Target now, that site map, you can see localhost is kind of something that we're looking at, and everything that's already been requested, everything that's been pulled down or things that we could just see are now automatically things that Burp Suite will keep track of for us, and that's super cool. You can actually explore each of those pages and even see what we could potentially retrieve from them. If you've already retrieved them, maybe you'll get some of the response information here and you can see some of the headers, etc., that are being pulled back and forth. That's what Proxy will allow us to do, because when we requested a page you could see the raw HTTP communication: we're running a GET method on a specific URL, and the version of HTTP we're using, the host that we're working with, what our user agent is, and these headers we can manipulate because it's a request that we are sending to the web server. Or you could view that in kind of a table view: check out those parameters, our cookies that are being passed, and the headers, everything that we just saw in that raw format now just kind of being in a nice GUI representation. We could go ahead and edit or move up and down, so we can do interesting things with that. Hex display you could look at; I don't know how much you might particularly use that, but if there are some interesting bytes or encodings or hashes or salts or things that you're maybe trying to abuse or tweak at that low level, you can certainly see that with that hex view. Or we could just drop these connections, and then, well, now our proxy won't allow that to pass through. Maybe there were some packets or some HTTP communications we didn't want to actually send the server. I just refreshed that page.

Okay, now let's get into some of the other functionality. Our proxy is up and running; let's go ahead and hit that SQL Injection tab. It'll get the /vulnerabilities/sqli/ URI, or the path that we're going to, we're just reaching that page, and now you can see on the web page we have a simple form where we're showcasing a SQL injection vulnerability. We can search for a user ID and we could actually explore some of this. Let's enter 1, and you can see just exactly how that request is being sent to the web server, because Burp Suite is just going to show that to you as it's grabbing these requests in the Proxy. You can see these are GET variables that are being supplied, or you can use an id=1, that's the value that we just supplied in that form, and the Submit button is kind of being carried along with it. Something we could do if we wanted to is just forward that request, see what it does; we get our result just in the web page, and that works just fine for us. If I were to do that again with number 2, what we could do is we can right-click anywhere inside of this raw section and we can send it to different tabs within Burp Suite, or we could change the request method, or copy the URL, or get a curl command out of this, or bring it to a file, save it, etc., etc. A lot of different options we can do inside of that Proxy tab. What I'd like to see is how changing the request method will actually have that web page interact with us. So I'm going to POST to /vulnerabilities/sqli/, and now rather than the GET variables or parameters that are being passed included in the URL, POST requests have them kind of included as data, that's the body of the request. So now we can see our variables: id is equal to 2 and Submit is included; id is that parameter or that variable that we've included in our form submission. If I were to send this, that works just as well for us, so it looks like our page is kind of worthwhile in getting some of these responses here. Let's see that just one more time; I want to make sure that did what I thought it did. I'll change that to a POST request, Change request method, I'll send it along, and that also did it just as well. So good enough. It's interesting, the URL appears to actually be converting that right to a GET variable. I digress.

Let's go check out really what more we can do with this. If you're using DVWA, by the way, make sure to test some of these vulnerabilities or injections or techniques that might be exploiting... maybe you want to change the security level that the vulnerable web app is running with. By default, when I spun up this Docker container, I saw that it was actually at Impossible, and that made some of my testing a little bit difficult when I wanted to, like, get a quick example to show you guys. So set that to whatever you're interested in; maybe you can try and avoid some filters or evade some kind of techniques that might mitigate your attacks. Now you can see we POST to that security page, and again we could modify any of these header fields. We can suddenly become a Googlebot or change our user agent to be maybe something for Internet Explorer or Google Chrome. You could actually right-click on this and actually have some of those options in there, I've seen that, or you can automate some of those if you check out the Options here. Some of these Match and Replace options you could use will automatically set your user agent, or any header that you want to use, to a new value. So if we wanted to go ahead and emulate something else, emulate IE or an Android device, we could go ahead and match and replace on the fly, automatically, what requests are going to end up being sent to our web server. Let's turn one of those on; let's set our request User-Agent to now be an Android device so we can emulate Android. If I go back to Intercept... I'm gonna stick with that Googlebot one for now. If I forward that, now you can see the responses and the requests that we make are using that new match and replace. On the fly, Burp Suite will automatically replace some information for you, and they just did that with a regular expression. You can change that or tweak that or add as many of those as you would like. Pretty cool. Let's forward that. Okay, I'm gonna go ahead and turn off that option now; I just kind of wanted to demonstrate that.

But something that we could do in that SQL Injection tab: if I were to take the user ID of 1, get that information, that works just fine for us. Maybe you're gonna do some manual testing, though, and you're doing this over and over and over again; maybe you're kind of fuzzing, just piece by piece, what data or what input you can supply to the web page and what it will do. So let's make another request, so I'll just say 2 here, and now what we could do is we could actually send this to the Repeater tab. That's over here in Burp Suite, just a little bit above or past that Proxy tab, and we could send some of the requests that we're working with, just kind of copy and paste it in there, that would work for us, or you could actually hit Ctrl+R and you can see that Repeater tab just lit up because we've sent that request over to Repeater. Ctrl+Shift+R will bring me there, and now you can see that request is already there for us. What we could do is modify this as much as we'd like to and then send it with that Send button, and over on the right-hand side you'll see the response pane kind of being populated with the raw response that the web page might give us. Now we're not looking at the rendered HTML that our web browser would show for us, but we're looking at the raw response that we could get with HTML all included and the HTTP headers. So that's kind of handy for us; that might allow us to see some of the information, so you could scroll through it and get some raw, maybe, HTML comments, or see it accessing other CSS files or Java files the page might request. If we wanted to we could copy all of this. Maybe that's requesting user ID 2, and just in the case where maybe we're looking at other options or routes for our web application server to go down and how it executes its code, you might get different results, and there might be a lot of changes or maybe a minute detail that you didn't notice had changed. So what we can do is we can actually use that with the Comparer tab over here. If you wanted to, you can right-click to Send to Comparer in any pane, and that will go ahead and populate one entry in the Comparer tab with those raw bytes or data or values that we just saw. If I were to do that exact same thing, go back to your Repeater and change it with an ID of 1, let's send that (if you don't want to hit that Send button over and over again, the hotkey for that is Ctrl+Space), and now we could copy and paste all that, bring it over to the Comparer and hit Paste, or, as we saw just a moment ago, right-click and hit Send to Comparer.

Now the Comparer has a couple options that it can compare against, and it can compare byte by byte if you wanted to use that fine-tuned, kind of granular differentiation that you're looking at. That might work for us; you can see that window just pops up. Or you can compare by words: you can see okay, the timestamp is different, the content length is just slightly different. If I were to scroll down either of those panes you can see okay, ID number 2, here are the values, versus ID number 1 and those are the values that are included there. You can see that key: modified, deleted and added, just kind of a color code for what you're looking at in this Comparer tab, and that will work really, really well for us. We could use that; that's one option. If you didn't like right-clicking over and over again, if you're kind of a keyboard junkie like me, to send to Comparer or whatever, again in the User options you can actually go ahead and specify how you want, for one thing, Burp Suite to look, and that's how I tweaked some of these font changes so you can see it. And in the Misc tab you can actually add more hotkeys. So you can see I talked about Send to Repeater or Send to Comparer; we can go and add in one, we can edit something, maybe add a new hotkey for that, maybe Alt+C or something... there you go, Ctrl+Shift+Alt+C, I just put a bunch of stuff in there. I don't really need to do that, but I wanted to show you that that is where you can add hotkeys: the User options tab and the Misc tab. Cool.

Okay, now let's actually do some worthwhile stuff. Let's go back to our Repeater and let's try some SQL injection, right? We know so far that all we can manipulate is an id value; that's everything that our form is allowing us to send. We could fuzz that, we could send it some interesting stuff. Let's try and send it, if we're doing SQL injection, add a simple single quote in there. If I send that, now I have a new response, and I didn't have to go back to the web page to see that or have it refresh every time. Burp Suite will allow me to do that just right here in the Repeater tab. It says: you have an error in your SQL syntax, go ahead and check the manual that corresponds to your SQL server, and for what a 1 with an extra single quote might mean. Okay, so because we have a SQL error, maybe we are in fact doing some SQL injection. Let's try and use the classic SQL injection technique, or 1=1, and I'm gonna use a hashtag here, or that pound symbol, the octothorpe (good word, guys, science). That will allow us to actually comment out the rest of that SQL query, so all we have is our injected or 1=1, evaluates to true, and maybe we could return every single query or every single row inside that database if they were trying to limit us with a WHERE clause or something with a filter. I'll try and send that, but I get a 400 Bad Request: we sent a request that this server could not understand. And that might be interesting to us, because, well, this totally looks like valid SQL injection the way we think of it, but don't forget, now within Burp Suite we're using raw HTTP, or that Hypertext Transfer Protocol. What we might need to do is actually URL encode the data of the changes that we're making. So you can do that with a cool hotkey, or you can right-click: Convert selection, URL, URL-encode, URL-decode. Ctrl+U is a hotkey for that, decode is Ctrl+Shift+U, or you can convert it from HTML or Base64, etc., etc. If you didn't want to do that as you're working with the hotkey, or maybe turning on that option, URL-encode as you type, let's see that real quick. I'm just gonna remove that and I'll right-click and turn on URL-encode as you type. Here is a single quote, here is a space, let's type in "or", space, 1 is equal to 1, and then a hashtag or that octothorpe pound symbol. Now you can see it automatically URL encoded all of those for me and I didn't have to. I could Ctrl+Shift+U, but my Unity version, I think there's weird things with that, it just creates a small window for me, so I'm gonna go ahead and right-click and URL encode that, or I'll decode that. Cool, so that would work for us.

Or there is the Decoder tab, which will allow you to do that as much as you want. So let's say I had or 1=1 with our hashtag there, and you can see it'll create kind of a pane for me and how it's going to be manipulated or transform that data. Let's go ahead and encode that as a URL. Now that's done, all of the different values are URL encoded, which might be cool, it might be handy for us, and maybe some techniques you might end up doing will allow you to try and inject some double-encoded values. Let's go and encode it again with URL encoding; now you have double-encoded stuff, which might help evade some filters or some other techniques to mitigate your attack or your exploit, et cetera. Or we could encode this as Base64, right? You could add as many of these layers as you particularly wanted to, and that's kind of neat, kind of cool. If you wanted to remove any of those, just go ahead and delete them and slowly you will lose those options there as needed. But you could do that just as you're working, as you're typing, with those hotkeys, and again you can add as many of them as you want with that hotkeys tab. So now in the Repeater let's go ahead and URL encode this or 1=1. I'll send that along URL encoded, hit Ctrl+Space to send that, and now we have a valid response back from the web server, and we can see we have successfully done some SQL injection. We got our first name admin, surname admin; first name Gordon; Hack is the next entry; Pablo is the next entry, etc., etc. So now we've got some SQL injection leaking all of the database out. Really, that's how we can use Burp Suite to manipulate some values and variables and information: the POST requests versus the GET request, the user agent, the headers that we send, or anything that might be present inside of the raw HTTP communications that are going back and forth from a website.

So that's that. That's a quick run-through on the Proxy tab, the Repeater tab, the Comparer and the Decoder tab. There's some other really cool stuff between the Intruder and other options that Burp Suite can do, but we'll get into that maybe in a later video. I got a lot of videos that I want to do; I want to cover some DVWA stuff, I think that'd be cool to showcase some of these techniques for you guys, and maybe level up that security tab level here, or the difficulty of the vulnerabilities. So thank you guys so much for watching. I hope you enjoyed this video; if you did, please do like, comment, subscribe. Please go check out Hostinger, use that code John Hammond, 91 percent off hosting services, very, very cool. Thank you guys so much. Love to see you on Discord, love to see you on Patreon, PayPal, Facebook, LinkedIn, Twitter, Instagram, social media, YouTube. Thanks again guys, I'll see you in the next video. Take care.
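An added example, not from the video and not DVWA's or Burp's code, looking at the URL-encoding step the video arrives at from the server side: why the raw `1' or 1=1#` payload in a request line gives 400 Bad Request, and why a log or WAF check that URL-decodes only once misses the double-encoded form the Decoder tab produces. The log lines, the regex and the helper names are constructed for this example.

```python
"""Added example (not from the video or from DVWA/Burp): the id payload the
video ends with, URL-encoded once and twice, and what a defender sees.

Shows why the raw payload produces 400 Bad Request (spaces break the
request line), and why log/WAF checks must URL-decode until stable, or
the double-encoded form from the Decoder tab slips past a single decode.
"""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# The injection typed into Repeater in the video (value of the id parameter).
PAYLOAD = "1' or 1=1#"

# Assumed detection pattern: a quote followed by an OR/AND tautology like ' or 1=1.
SQLI_PATTERN = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Pulls the request target out of an Apache/nginx combined-format log line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def url_encode(value, rounds=1):
    """Percent-encode every reserved character, `rounds` times
    (rounds=2 is the double encoding shown in the Decoder tab)."""
    for _ in range(rounds):
        value = quote(value, safe="")
    return value


def request_line_ok(line):
    """An HTTP/1.1 request line is exactly METHOD SP target SP version;
    an unencoded space inside the target splits it into too many tokens."""
    parts = line.split(" ")
    return len(parts) == 3 and parts[2].startswith("HTTP/")


def decode_until_stable(value, max_rounds=5):
    """URL-decode repeatedly until another pass changes nothing.
    Returns (normalized value, number of decode rounds applied)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def is_suspicious(target, normalize=True):
    """Check every query parameter of a request target against the pattern.
    parse_qs already decodes once; normalize=True keeps decoding."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if normalize:
                value, _ = decode_until_stable(value)
            if SQLI_PATTERN.search(value):
                return True
    return False


def flagged_lines(log_lines, normalize=True):
    """Return 1-based indices of log lines whose request looks injected."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = LOG_RE.search(line)
        if match and is_suspicious(match.group(1), normalize):
            hits.append(number)
    return hits


# Constructed log lines (not real traffic): a normal lookup, the payload
# URL-encoded once as Repeater sent it, and the same payload
# double-encoded as the Decoder tab produces it.
SAMPLE_LOG = [
    '127.0.0.1 - - [24/Jan/2020:10:00:01 +0000] "GET /vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 4620',
    '127.0.0.1 - - [24/Jan/2020:10:00:02 +0000] "GET /vulnerabilities/sqli/'
    f'?id={url_encode(PAYLOAD)}&Submit=Submit HTTP/1.1" 200 5180',
    '127.0.0.1 - - [24/Jan/2020:10:00:03 +0000] "GET /vulnerabilities/sqli/'
    f'?id={url_encode(PAYLOAD, 2)}&Submit=Submit HTTP/1.1" 200 5180',
]


if __name__ == "__main__":
    raw = f"GET /vulnerabilities/sqli/?id={PAYLOAD}&Submit=Submit HTTP/1.1"
    enc = f"GET /vulnerabilities/sqli/?id={url_encode(PAYLOAD)}&Submit=Submit HTTP/1.1"
    print("raw request line well-formed:    ", request_line_ok(raw))  # False (400)
    print("encoded request line well-formed:", request_line_ok(enc))  # True
    print("single-decode check flags lines: ", flagged_lines(SAMPLE_LOG, normalize=False))
    print("decode-until-stable flags lines: ", flagged_lines(SAMPLE_LOG, normalize=True))
```

The single-decode check flags only the second log line; decoding until stable also flags the third, which is the double-encoded payload.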
Info
Channel: John Hammond
Views: 268,287
Id: G3hpAeoZ4ek
Length: 28min 0sec (1680 seconds)
Published: Fri Jan 24 2020