Transcript for:
Burp Suite for Web Application Security

What's going on everybody, welcome to NetSec Explained, and in this video we're going to show you how to do a web app pen test using Burp Suite. Now one problem with a lot of modern tutorials, especially around tools, is that they tend to sound a lot more like man pages or documentation: they'll show you the little command line flags or all the little buttons, but they won't tell you why you should use each of these options. So for this video we're going to do things a little different. Instead we're going to walk you through a typical pen test and show you where to use each option in Burp along the way. If you're new to Burp Suite, you're going to walk away with a pretty basic understanding of how to perform a pen test and how Burp fits into it all. If you're a little more experienced, it's always good to see how somebody else uses these tools. Now this isn't going to be my full pen test methodology, that'll take way longer to make, but if you're interested let me know in the comments down below and I might just make that into a future video. With all that out of the way, I'm excited, so let's get started.

The first thing we're going to need is a target. I find the OWASP Juice Shop to be a safe and reliable resource for testing some of these things out, so we're going to use that. I have a link in the description on how to spin up your own version using Docker, which is what I'm going to use, but if you want an easier one to access there's a Heroku version that's online already; I'll have the link in the description for that as well. Next we're going to open up Burp Community and we're just going to hop over to the Proxy tab, make sure that Intercept is turned off, and we're going to go ahead and open our browser. This will open the Chromium browser that's already pre-configured with Burp Suite. I'm going to go to my local Docker instance and access Juice Shop there, and I'll zoom in a little bit just so that it's a little easier to see. Awesome.

Now the first thing you want to do with any new web application is reconnaissance. I typically do reconnaissance in two phases: the first phase is to figure out what the app even does, and then the second phase is application mapping. Now this phase two takes much longer, so we're going to do a simpler version of it. So looking at phase one, we can take a look at this application and see that it's a simple e-commerce platform, right? It's got products, we can look at the product reviews, we can create an account, and we have a couple other things that we can access as an unauthenticated user. Later in the video we're going to register a user account and then we're going to see what a registered user can take advantage of.

While I go through my application mapping phase I like to have my browser kind of side by side with Burp, and I'll hop over to this HTTP history tab just so that I can see how each request, or each link that I click on, is sent through the application. So for instance I can click on this product and I see product one reviews. If I look at the product I see one review from admin@juice.shop and it says "one of my favorites". So if I look at the product reviews request, this is a REST API request for product one reviews, and I look at the response and I see 304 Not Modified; that's some caching that they have built in. Instead I can see the original request, which is this "one of my favorites" review which we already saw for product one, and the author is admin@juice.shop. So that's pretty easy. We can tell that in the application, as we go through, each product we click on has a different API request. So this banana juice is product 6 reviews, and if we wanted to see the reviews in that we can take a look at the API request. Awesome, super easy to do.

Next let's take a look at some of the things that a regular user who's not authenticated to the application yet can do. So we'll go to this customer feedback. It looks like just a simple customer feedback form, so let's go ahead and add a comment, "this is cool", and I'll give it a rating of 5 stars because why not. So the CAPTCHA we need to solve is 4 minus 6 plus 1, so that should be negative one if my math is right. So let's go ahead and click submit. There we go, "thank you so much for the five star feedback", and over in our Burp history we see a couple things. So we see this REST captcha, and if we look at the response it's captcha ID 0 with our captcha "4 minus 6 plus 1", which was the question that we had to answer, and then the answer of negative one. So already we run into a problem where this CAPTCHA is giving us the answers. So if we wanted to automate creating reviews, we can just make a request to this captcha endpoint, collect the answer, and then submit it in our feedback. So in our feedback we can see this is the POST request, this is the information that we submitted: our captcha ID that we had to test was captcha zero, which we just saw, the answer we provided was negative one, the comment was "this is cool", it looks like it added in our author (since we're not logged in we're considered Anonymous), and then rating five.

So already there's a couple things that we want to try and play around with on this, and this is just part of our reconnaissance phase, right? The first thing I want to know is: can I replay this request, can I automate this request, and then can I automate either the rating or the author to forge author comments, make it seem like different reviews are coming from different people? So let's go ahead, right click, send to Repeater. And the first thing I do whenever I send something to Repeater is I just replay the request; I want to get a baseline. Now if they implemented their CAPTCHA properly this should fail. So let's see... nope, 201 Created. It just created a new feedback, I can see this feedback ID 10, and so if I click Send again we get a new feedback, feedback ID 11. So we can play around with this. Let's try 500.
And this will give us a rating of 500. It's still created, it says status success. What if I change from Anonymous to Anthony, just because? Click Send, and it's accepted it. So already we have the ability to forge feedbacks. The other thing that I like to do in the Repeater tab is up here you can click on it and rename the Repeater tab. So in this one, this is for feedback, and I consider this a finding, so we're going to say "replay", which is insufficient anti-automation. So this is going to be a finding that we'll want to write in a report later on: replay plus impersonation. And whenever I have a Repeater tab that has a finding I like to put a star next to it so it's really easy to spot. I typically have a lot of different Repeater tabs open, sometimes I'll get a couple dozen in any sort of Burp session, and so having the stars so that I can quickly go back and find the exact request that allows me to redo or demonstrate that exploit or that finding is really helpful. The other thing I like to do is go to the Proxy tab and we can just go ahead and highlight this. So I right click, highlight, and I already found, or I should say we have a finding, so I'll highlight this in red. And then this captcha request, I'll highlight this in yellow since it's attached to that other finding. We'll see how we can use these highlights later, but for now this is just going to get us started.

So let's go back to the web browser and take a look at the next thing, which is going to be our photo wall. So as soon as I click on photo wall we see this application configuration and this memories. Before we look at those, we see the photo wall is just a bunch of different pictures; they have a caption if you hover over them. So now we can take a look at the requests. We see this application configuration. Now the application configuration, it's just a GET request to rest admin application config. If we look at the response, this says 304 Not Modified. What we can actually do is send this to Repeater, we want to get rid of the If-None-Match, and this will send us the original 200 OK, and this has a lot of configuration information for the Juice Shop application. Now there could be sensitive information in here or it could just be extraneous information, so informational finding, right, something very low, but it's something worth keeping an eye on. So I'll leave that as a homework for you to kind of dig through this and see if you can find any sensitive information. Instead I'm just going to rename my Repeater tab to "application configuration". We're not going to put a star next to it because I'm not really concerned about it as a finding, even though I would consider it in a normal pen test to be an informational finding, something that they shouldn't show regular users.

Let's hop back to the Proxy tab and we see this GET rest memories. If we look at the response we can start to scroll down and we see some of the things that we would expect to see, right? So we have the image path, we have a caption, but we also see something that's a little extraneous: for each image that's uploaded to the photo wall we have the user object, which includes a person's user ID (in this case this is 13), their username, their email, their password hash, which is a big no-no, and it also looks like this is an MD5 hash, which is also a no-no. We have the role, which is deluxe, and we have their deluxe token. So here's a bunch of information that we can essentially steal from the application, or about its users. If we continue to scroll down we can see other users who have uploaded things, so we have here user ID 4, user ID 21. So this is user enumeration and definitely a problem. So I'm going to right click, send to Repeater, again baseline request, so here's our 200 OK. I'm gonna do a star since this is a finding, and then I'll say "photo wall: user enumeration plus information leakage", and then I'll hop back over to our Proxy and right click, highlight, and this is a finding. This application configuration, since we're going to want to look at it a little later on, I'll just highlight it in blue. Again, we'll see how the highlights work a little later on.

Let's keep going. So if I go to the About Us page we can see the application configuration popping up again, but we also see this API feedback, so this one's a little new. If we look at the About Us page we can scroll down. This is all lorem ipsum, which is just basic text; the idea is we're not supposed to read it. "Check out boring terms of service": if we wanted to take a look at their terms of service, I'll just go ahead and open that in a new tab. We can see that this is part of their FTP server, so that's definitely something worth taking a look at. I'll leave that as homework for you. And we also see in our About Us page customer feedback down at the bottom, and here's ours, which is "this is cool". We see Anonymous, undefined, Anonymous five stars, and Anthony, so these are the three feedback submissions that we made earlier. So I'm just going to scroll up a little bit more. Let's take a look at the actual API endpoint. So feedbacks: this is a simple GET request to API feedbacks. We take a look at our response, we scroll down, we can see the user ID of the person who submitted, so some of these are Anonymous, some of these are not, and we can see their rating and their comment. It looks like they are anonymizing their users just a little bit, which is just kind of helpful, but if I scroll down to the feedbacks that we created we can see the two from Anthony and Anonymous that have a rating of 500.
So that just shows that what we submitted earlier in the feedbacks definitely turns into something that's returned back to the user. Now this is something we might want to try maybe a cross-site scripting payload on. Maybe we can inject some sort of cross-site scripting payload in the comment or in the user ID itself without the application doing any proper filtering. So I will also leave that as a piece of homework for you, but I want you to start thinking about how we go about identifying different little rabbit holes that we want to go down as we're playing around with this application. So I'm going to right click this and highlight it blue, because this is something that I'd like you to continue to dig into, and this FTP legal, I'm curious what else is in that FTP folder, so I'll highlight that as blue as well.

So let's keep going. Let's go ahead and create a user account. So I'm going to click on login, and we don't have any login information. Now there's a couple things that we can do as far as attacks: we can try user enumeration, we can try password spraying, we can try SQL injection. I'll leave all of those as homework for you. Instead I want to map the registration process itself. Now this is something that'll likely create a number of different requests, and whenever I'm about to do something that I think will cause a number of different requests I want to keep track of which ones are part of that and which ones are outside of it. So what I'll do is, before I start registering a new customer, I click the most recent request, I'll right click and I'll highlight it just a boring gray color, so I know that anything after this gray color is part of the user registration process. So I'm going to click "not yet a customer" and we see the security questions pop up. Let's go ahead and create an email address, password and our security question, and register.

So now that we've registered an account we can see all the requests that were involved. So the first thing that pops up is API security questions. Now this is a simple GET request, API security questions. We see our response, we can see the security question ID, so we see ID 1, 2, 3 and the questions: your eldest sibling's middle name, your mother's maiden name. So it gives us essentially a list of options for our security ID, and that's probably used in the next request. So if we look at users, this is our POST. We have a POST to API users. Our parameters are the email address that I submitted, the password and repeat password that I submitted, and then we have a security question object. The security question that I answered was ID 1, your eldest sibling's middle name, and then the answer that we provided. Before I show you the response, let's take a look at the security answers. This is another POST request to API security answers, and we see our user ID, which is user 22, has the answer of ASDF to security question ID 1. So that could be useful. Let me look at the response here. We see that it's created, it's attached to user ID 22, it was us, and the answer itself is encrypted. Now we can do a hashid on this to figure out what type of hash this is, so hashid in Kali, and then I'll just paste in the hash, and it thinks that it's a SHA-256.
So we're not going to reverse that anytime soon, so instead we can just ignore that and go about our day. So let's jump back to this API users, because there's something interesting here that I want you to take a look at. So we submitted our email, our password and our security questions, and in response we get a user object. So this is username, our role is customer, we do not have a deluxe token, we have a default profile image, our user ID is 22, and then it has our email address. Now whenever you see something like this it's really important, because you can try and play around with it and test out some mass assignment and see if you can possibly change the role or the deluxe token. But I'll leave that as a homework for you; we're still doing our recon step and we're not even really deep into the exploitation phase, so this is definitely something that we'll want to follow up on later. So I'll highlight this blue.

And before we log in I just want to show you why the highlights are so useful. So Burp has a couple features. You notice the gray highlight I used just for me, in my own visual reference, but if we go up to this bar right here, click on it, and we click "show highlighted items", apply, it will only show the items in the requests that are highlighted. So these are things that are either findings, attached to findings, or things that we'd like to follow up on later. So this is super helpful, especially if you're collaborating or if you're doing a multi-week pen test and you want to try and remember what some of the other rabbit holes are that you want to go down. And just as easily you can right click, comment, and then unhighlight if you don't want one of these requests to show up anymore. Now even though this is an opportunity to add notes into Burp, and if we scroll over you can see a little comment section where you can also add notes into Burp, I don't exactly recommend it. Instead it's a lot better to create an external notepad or template so that you can write your notes specific to the pen test, because Burp states get large. First off, we're using Community Edition so there's no saving the Burp state, but even when you have Pro Edition and you can save the Burp state and you can share it, nobody's going to go back through it because these become tens of gigs in size. So it's always best to take the information out of here, use it really quickly, and then put it into some external notepad or external note source. Awesome.

So the next bit: we're going to uncheck highlighted items and we're just going to go ahead and log into the application. Logging into the application is another thing that can respond with a couple different requests, so I'm going to do that same little trick, right click, highlight, and I'll just make it a gray color, and then let's go ahead and log in. Whoa, all right, so there's a few requests that popped up, which is the perfect opportunity to show you why highlighting a request and then performing those actions helps out. So we can see this POST request, which was the actual act of logging in. This is where we submitted our email and our password. We see the response, which provides us this token. This is a JWT token if you haven't seen this format before, but you'll also notice that it's base64 encoded. So if we want to try and read this JWT token we can right click, copy it, go to Decoder, paste that in, and then decode as base64.
Now because it adds in a lot of little binary stuff it's going to default to hex in the response, but let's just make it text, that way it's a little easier to read. So we can see at the beginning this is a type JWT with RS256. In the middle we have our ID, which is user ID 22, that's us; we don't have a username; it has our email; and it has our password hash, which is a problem, that should never be returned back to the user. So that's a finding that we're going to want to highlight at some point. Again, there's not an easy way to note that in Burp, especially as a JWT token, but we can easily take that out and put it into our notepad, saying that the JWT token leaks user credentials in MD5 format. And then it has some of the other information, right: last login IP, deluxe token, profile image, TOTP secret (that's for our multi-factor), is the account active is true, when it was created, when it was last updated, and it's never been deleted. The last little section is how long the JWT token lasts, or at this point it's when this was initialized, so I think this JWT token lasts forever, which is another problem. And then we have the signature at the end; this is part of that RS256.
So I'm not going to go into detail in this video about what JWT tokens are and how they work and the different components of them. This is just a quick and easy way that we can use Burp Decoder to read base64 encoded information, and it's not just base64, right, we can encode and decode in URL, HTML, ASCII hex, regular hex and binary. So let's head back to our Proxy. So that's our login. We see this whoami request, and in the first whoami request it's going to respond with "we don't know who you are", and that was the original 200 response. Eventually we're going to get an update, and so now we can do a whoami request with that JWT token, and in our response it says you're user 22, here's your email address and here's your last login IP. So this isn't particularly useful, but it's kind of good to know what every endpoint does in the application. We also see this search box. This is something that we might want to take a look at at some point down the road. We can send this to Repeater, delete this If-None-Match, click Send, if it wants to send... oh, it looks like my Burp has crashed, so let me go ahead and fix that and we'll hop right back in.

Hey, while I'm working to get us back on track, let me know what you think of the video so far. I really appreciate your feedback and would like to continue the conversation well after the video is over, and if you like what I'm doing here leave me a thumbs up because it really helps out with the YouTube algorithm. Thank you for your patience, and now let's get back to the video.

Sorry about that. It looks like I didn't allocate enough memory for my virtual machine, so lesson learned. All right, leading off from where we were, we just logged into the application with a brand new user account. Now let's take a look at adding an item to the basket and see what the purchasing workflow looks like. So we're going to take a look at this apple juice, we'll just go ahead and add it to our basket, and we can see the workflow over here in our Burp where we send a GET request for basket six, which is the basket that belongs to us, and in the original response it will show that there are no items in the basket. Then the next request is going to be a POST which adds an item to our basket. We can see that with our POST it adds product ID 1, which is the apple juice, to basket ID 6, which is our basket, and it adds one of the initial product. In response we can see that it will give us a success; there is a basket to product ID mapping, and that's going to be this ID 9, but we'll see how that operates later on. We also have information on the product itself, so this API products one, this is a simple GET request and it just gets the contents of what belongs to product ID 1, which is that apple juice, right, super easy. And then finally it re-gets our basket ID, in which case we see a 200 OK with our basket ID 6 belonging to user ID 22, and that contains product ID one, the apple juice.

Now something I want to key you into is whenever you see a number like this at the end of an API endpoint, I want you to start thinking: okay, so I'm number six, I see number six, what happens if I change this to a 5, or what happens if I change this to a 4? Will I be able to see somebody else's contents? So let's go ahead, right click, send to Repeater, gonna go ahead and click Send, and so this is going to show us basket ID 6 for user ID 22.
And now all I have to do is change this to a 5, click Send, and now I see basket ID 5 for user ID 16, and the contents of the basket are different; in this case it's holding the eggfruit juice and a couple other things. We can do the same by changing it to a four. We can see that this is basket ID 4, belongs to user ID 11, and it contains raspberry juice. Now this is great and easy to do with Repeater, but let's see if we can automate this process instead. What we're going to do is right click, send to Intruder, and then Intruder is a way that we can automate search. So the workflow for Intruder: the first thing you want to do is clear the content. Sometimes Intruder tries to be helpful and add a little variable, so for example if we wanted to set that as a variable, clear, we'll just remove all variables, and we want to capture this ID 4 and click Add. We want to leave it at Sniper; I'm not going to go into the details of what each of these do separately, but Sniper is going to be the one that you use most commonly. We're going to go to Payloads and we want to change from a simple list to numbers, because we want to try number one, basket ID 2, basket ID 3, and all the way up to, let's try, basket ID 10.
So we'll start at basket ID 1, we'll go all the way up to basket ID 10, we'll step by one, so that means it'll go one, two, three, four. And this little option has always bitten me in the butt, so we're going to turn that off. There's no other changes that we need to make, so we can go ahead and start the attack. This little box just says that using Burp Community it's not using a threaded approach, so it's going to go a little slower than if you were using Pro, which is fine for us for now. So I'm going to click OK and it's going to make all the different requests. As that's going through you can see we're requesting basket one, basket two, basket three, basket four, basket five, and each one has a different response. We can see the size of the response, we can see the contents of it, we can see the user ID that's associated with it. But instead of looking at each of these individual baskets to try and figure out who they belong to, I'm going to show you something really cool. So let's go to Settings, and if we scroll all the way down to the bottom we have this grep extract, and we can extract items from our request. Now you can write your own custom regular expression; if you don't want to do that (I don't want to do that, I tend to be a little lazy when it comes to things like this) we're just going to go ahead and fetch a response. This is going to give us a typical response to our request, and we're going to highlight what we actually want to capture, which is this user ID and then the ID number. So you can see in the "start after expression" it finds null; you can also see the "end at delimiter", createdAt. This null can actually be a little tricky for us, so instead I'm just going to highlight the 11, so it captures the user ID to start and it ends at createdAt, and then we go ahead and click OK. So now when we go to our Results tab we have the user ID column, and it shows what user ID each basket belongs to. So our initial request, which was basket ID 4, we can see that here belongs to user ID 11. We can see the same thing here, but other than that basket one, two and three correspond to the same ID number for the users, and then 16 for basket five, and then basket 20, basket six is for us, which is user ID 22. Cool.

Now this Intruder trick is really helpful, so I want to show you another way to do this where we can extract even more information out of it. So I'm just going to go ahead and discard this, I'm going to jump back over to my proxy history, and this endpoint API products one, let's jump to Repeater so you know what this looks like. All this does is just return the product based on the product ID. We can get rid of some of this extra stuff. So product ID one is apple juice; product ID 6, for example, is banana juice, we can see that there. So let's do the same thing, but we're going to extract the name and the description and the price for each of these using Burp Intruder. So I'm going to right click, send to Intruder, same workflow: we're going to hit Clear, we're going to change the ID number, we're going to jump to Payloads, change this to numbers, we're going to start at one and let's go all the way up to 50.
Just to see what the first 50 products look like. Turn this off, and let's go to Settings, this way we can automatically do our grep extract. Turn that on, click Add, and we're going to create two of them. So the first one, we're going to fetch the response, here's our example response, so we're going to grab the name, banana juice, and we'll copy that. And then we're going to fetch the response again, we're going to grab the description, "monkeys love it the most", okay. And just for fun let's do one more and we'll add the price, which is going to be this 1.99 here. So now we can go ahead, start our attack, and as it goes through and enumerates each of the products we can see the product name, the description of the product and the price, all through Burp Intruder. This is something that as soon as I found out how to do it I've been using it all the time, so this is worth understanding how to operate. We can see that the products, there's some product gaps in between, and then it looks like the products end at product ID 43.
cool so this is a really useful technique on how you can use burp Intruder and why you would use burp Intruder along with its uh grep extract so let's go ahead close this up and jump back over to our repeater tab because this is where we were able to change the basket ID this is a finding this is a form of insufficient authorization which means that I as user a can access user B's stuff and that's a problem so this is baskets and we'll call this uh off the Z it's an off the Z issue and it's just like last time we'll go ahead right click and highlight this red the next thing that we're going to take a look at is logic flaws now if you've never experienced a logic flaw I'll walk you through the process but basically a logic flaw is where developers have an application assume that a user is going to follow the same steps in a workflow that's presented through the user interface now you'll usually start step one step two step three step four and then from there uh we asked the question what if we can skip from step one to step three or step two to step four uh or even just straight from one to four so we're gonna walk through that process now the first thing we're going to do is purchase an item as though we were a regular user so as we go through each of these steps we'll take a look at what's going on on the left hand side in the burp history so we have our basket so I would say step one is add item to basket step two change quantity of item in basket so the process for changing the quantity is this will get the basket information so basket items nine which is the basket to product mapping uh so basket items nine we have one it's product ID one and it belongs to basket six when we change the quantity we get this put request which is put and then it changes the quantity number to two and then it requests the new basket information this is a simple get request so it will show currently we have two of product one we can see the same thing again if we increase it we see 
this get put and then get the basket again so that would be step two step three is check out and here we need to enter an address and just enter you know fake information it's not important we're gonna use this address we're gonna choose our delivery method one day delivery just because I'm lazy click continue now we don't have any Wallet balance so we're going to add a credit card and this needs to be 16 numbers exactly there we go we have no money in our wallet so we're going to use our credit card I'm going to go ahead and click submit the new credit card has been created we can see that over here on the right with our post API cards with the credit card information that we've provided this is going to do a call to get API cards which is going to return the credit card that we have on file so we are user ID 22 credit ID number seven and it belongs to us so we're going to select that card scroll down and continue and the last little thing that we're going to do is essentially uh just here's your order summary make sure that you approve we can see what's going to happen here on the left I'm going to approve the purchase and this is our checkout process and it gives us the opportunity to track our order so if we look at the checkout process this is a post request that is using payment ID 7 address ID 7 and delivery method one there's no significant coupon details and we have purchased our product so to recap we have step one add to basket step two change the quantity step three use a credit card and an address and then step four is to approve so let's see how we can modify any of the steps along the way so let's start from the beginning we're going to jump back to the home page we're going to add to basket and we're going to take a look at our basket now we already know as we increase the quantity it performs a put request with the specific quantity that we want so we can do put quantity five and I'll say success we have five of product ID one in basket six we can 
say PUT quantity 20 and it'll say success again. Oh, we can only order five items of this product. Never mind. So let's drop that back to five. But what if we try to mess with the logic of the application? Already they're assuming that we're adding numbers, we're increasing in a positive direction, but what if we tried a negative number? So what if I did negative 50, for example? OK, success. So that's interesting. So now we have negative 50 quantity in basket ID 6 of product 1. Now before I minimize Burp, what do you think we're going to see, or what should we expect to see in the basket as far as how much we owe for negative 50 of an item? If I go ahead and refresh this page, we're going to get negative 99 credits coming back to us. So instead of us having to pay money, it's going to pay us money. So we can go back through the checkout process, right? Check out, pick our address, one-day delivery because I am impatient, and then instead of using our credit card, notice we can use our wallet now, because in the back end we can imagine that our wallet balance is zero, but as long as our wallet balance is greater than how much is in the invoice, which is 98 credits, um, it's going to say OK, you can pay with your wallet. So let's go ahead and actually pay with our wallet, and then this is going to be our purchase summary. It shows that we're going to do, uh, next-day delivery, we have negative 99 credits in, uh, items in product, and so our final price is going to be negative 98.
So we can submit our order and pay, and bam, just like that we confuse the application into giving us money instead of us having to give them money. So that's a logic flaw. Now this is a lot of fun, and I encourage you to continue to play around with the application. In fact, I'm going to give you a little piece of homework. There's a product on here that they are out of, right? This is the OWASP Juice Shop King of the Hill face mask. So the homework I'm going to give you for this one is I want you to purchase at least one of these face masks. It's going to take a little bit, but with all the tools that we've gone over so far you'll be able to do it.

OK, last thing: let's put it all together. How can we use the Burp history, Repeater, and Intruder tools to take advantage of another logic flaw? I'm going to show you now. There's a four-star challenge where we need to purchase what is called the Christmas special. Now it's not listed on any of the products, so we need to think of a clever way to find it and then buy it. So let's try that out. OK, I created a new Burp session and did a couple of things just so that we can walk through the process together. So I log back in as my user, and the first thing we want to do is try and catch these products. So let's go ahead, add to basket, and grab this product ID so we can send this back to Intruder. And from here let's just go ahead and delete all this stuff. We want to list out all of the products, get their names and descriptions. You clear everything and then add. We're going to set the payloads; we're going to set this to numbers, we're going to start at one and go up to 50,
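The negative-quantity flaw from the basket walkthrough above, as an added Python model that is not Juice Shop's own code: it puts the behaviour that was observed (a negative quantity is accepted by the quantity update, the order total goes negative, and an empty wallet is then allowed to "pay") next to a hardened version of the same two checks. Basket, set_quantity_vulnerable, set_quantity_fixed, wallet_can_pay_vulnerable and wallet_can_pay_fixed are names chosen for this example; the prices, the per-product limit of five and the delivery fee are constructed values kept in whole cents.

```python
# Added example, not Juice Shop's own code: an in-memory model of the basket
# quantity update and the wallet check, written so the behaviour observed in
# the walkthrough (a negative quantity is accepted, the order total goes
# negative, and the empty wallet is allowed to "pay" it) sits next to a
# hardened version. Prices, the per-product limit and the delivery fee are
# constructed values, kept in whole cents to avoid float rounding.
from dataclasses import dataclass, field

MAX_PER_PRODUCT = 5                 # "we can only order five items of this product"
PRICES_CENTS = {1: 199, 2: 499}     # constructed catalogue: product 1 costs 1.99
ONE_DAY_DELIVERY_CENTS = 100        # constructed delivery fee


@dataclass
class Basket:
    id: int
    items: dict = field(default_factory=dict)   # product_id -> quantity

    def total_cents(self, delivery_cents=ONE_DAY_DELIVERY_CENTS):
        """Line totals plus delivery, exactly as a naive invoice would sum them."""
        return sum(PRICES_CENTS[p] * q for p, q in self.items.items()) + delivery_cents


def set_quantity_vulnerable(basket, product_id, quantity):
    """PUT quantity as observed: only the upper bound is checked, so a
    negative quantity is stored and the line total becomes a credit."""
    if quantity > MAX_PER_PRODUCT:
        raise ValueError("You can order only up to %d items of this product." % MAX_PER_PRODUCT)
    basket.items[product_id] = quantity
    return {"status": "success",
            "data": {"ProductId": product_id, "BasketId": basket.id, "quantity": quantity}}


def set_quantity_fixed(basket, product_id, quantity):
    """Hardened update: quantity must be an integer in 1..MAX_PER_PRODUCT.
    bool is excluded explicitly because it is a subclass of int in Python."""
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_PER_PRODUCT:
        raise ValueError("quantity must be between 1 and %d" % MAX_PER_PRODUCT)
    basket.items[product_id] = quantity
    return {"status": "success",
            "data": {"ProductId": product_id, "BasketId": basket.id, "quantity": quantity}}


def wallet_can_pay_vulnerable(balance_cents, total_cents):
    """The check the walkthrough infers: balance >= total. Any negative
    total satisfies it, even with a zero balance."""
    return balance_cents >= total_cents


def wallet_can_pay_fixed(balance_cents, total_cents):
    """Refuse to charge a non-positive total at all: a negative invoice means
    the basket is corrupt, it is not a refund."""
    if total_cents <= 0:
        raise ValueError("order total must be positive")
    return balance_cents >= total_cents


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to exercise the hardened paths."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    b = Basket(id=6)
    set_quantity_vulnerable(b, 1, -50)       # accepted, like the PUT in the walkthrough
    total = b.total_cents()
    print("total:", total / 100)             # negative: the shop now owes the customer
    print("wallet pays:", wallet_can_pay_vulnerable(0, total))
    print("hardened rejects -50:", rejects(set_quantity_fixed, Basket(id=6), 1, -50))
    print("hardened refuses negative invoice:", rejects(wallet_can_pay_fixed, 0, total))
```

The point of the pair is that the fix is needed in two places: the quantity update must enforce a lower bound as well as the upper one, and the payment step must refuse a non-positive total regardless of how it was produced, because the basket is not the only place a total can be driven negative.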
disable this payload encoding, and the only things we need to extract are the name and description. We're looking for something Christmassy. I need to change this position and get rid of the caching code. Now I can go back to settings, click add, fetch the response, and the first one you want is the name; click OK, and the next one we want is the description. OK, we can start the attack. So we have the names and descriptions of all of the products that are listed in the OWASP Juice Shop application, but what's strange is that we can't see anything named Christmas. Go ahead and sort by name as I wait for this attack to finish. We see carrot juice, but we don't see Christmas anything, and it's the same thing for the description: we don't see Christmas anything. So what that means is that this product is not listed. The other thing that we can do is try to see if this endpoint, right, this products endpoint, is something that we can list all of the products at once with, but instead of having an ID number here we just have API products. Go ahead, click send, and so this will list out all of the products that are in the application, and we'll see the same problem: there's no Christmas. So how can we find a product that's not listed? Well, where I would start is: what if we try to add every product to our basket? So let's see what that looks like. So if I jump over to proxy, look at the proxy history, and I add a new item to my basket, we see this POST to basket items, and when we see this POST to basket items we see the product ID, the basket number, and the quantity. So let's send this back to Intruder. We'll clear everything and we'll change this product ID just like we did for the original attack when we tried to list out all of the products. So we'll go to payloads, change this to numbers, we'll go one to 50,
we'll step by one, turn off the payload encoding, and click start attack. So this is going to add every product in the application to our basket. We can click on any of these and we can see in response to this POST we have the success statement saying this product has been added. So what I would hope to see at the end of this is every product added in my basket, including the ones that aren't listed in the application. So we're going to wait a second for this attack to finish, and now that that's done I can go ahead and discard this, and looking at my basket in the web browser itself you can see every product added, including the Christmas surprise. So this is the product that we want to make sure is in our basket, and this is the only one that we want to purchase. So first we're gonna have to delete everything else out of our basket, and then we're gonna have to find the ID of this item and re-add that in manually. So let's do that one at a time. First thing is I want to see the basket information, so let's go to proxy history. We see REST basket; I'll send this to Repeater, click send, and I want the Christmas, so the Christmas surprise box, the 2014 edition, is product ID 10, and product ID 10 is something that wasn't listed in our original, uh, query for the products. So ID 10 is the only one that we want to keep. So now that we know it's ID 10, let's get rid of everything else and then re-add in product ID 10. So let's see what it looks like to delete our first item off this list. I'm going to go ahead, highlight in gray, and I'm just going to click delete, and we have a DELETE request. So this is going to delete basket item 10. Now this is not product ID 1 or anything like that; this is basket item 10,
and that's kind of where this gets a little tricky, because we have products that have an ID, we have the basket that has an ID, and we have the basket-to-product mapping that has an ID, and for this product and this basket the mapping is ID 10. We can see that if we go to delete another item, this is now delete basket 11. So if we wanted to, we can increment each of these numbers and we can say delete basket 10, delete basket 11, delete basket 12, or delete basket items, I should say, 11, 12, 13, and so on, or we can use Intruder for that. So let's go ahead and get the last item in our list, because we don't want to affect other users, so we only want to stay within our bounds. So we don't want to delete basket IDs that are lower than number 10 or number 11, which we've already deleted, so 12 would be the lowest number that we're going to use. But we don't want to delete any ID that's higher than the highest ID that we have, so I'm going to scroll all the way down to the bottom here and I'm going to delete the latest item, and that's going to be basket item 48. So the bounds for me deleting items are going to be 12 as my lowest and 47 as my highest, since we already deleted 11 and 48.
So let's go ahead, right click, send to Intruder one more time. We'll clear this out, re-add this in, change our numbers, so this is going to be 12 to 47, we're going to step by one, it's going to delete 36 items from our basket, we're going to turn off URL-encoding, and we're just going to start the attack. So this is going to go ahead and delete every item in our basket by going through and incrementally picking the basket item. Once this is done we can go ahead and close this, we'll, oops, we'll refresh our basket, and now there's nothing in our basket. So now we need to add in another product. I'm a little lazy, so we can go back to the original request in the Burp history, or we can use intercept mode. Now we haven't used intercept mode in this video yet, and it's pretty straightforward: instead of using the Repeater tab, we get to intercept the request as it's coming through. So I'm going to go ahead, turn intercept on, and then add to basket. We can see it's going to get the basket items, and then this is the POST, so this is the POST to basket items where we're going to add product ID 1, and we want to change that to product ID 10.
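The two Intruder attacks above (adding product IDs 1 to 50 to the basket to surface the unlisted product, then deleting the basket items again) and the concern about choosing deletion bounds so that no other user's items are touched, as one added Python example that is not Juice Shop's own code. FakeJuiceShop is a constructed in-memory stand-in for the four endpoints the walkthrough used (GET /api/Products, POST /api/BasketItems, GET /rest/basket/{id}, DELETE /api/BasketItems/{id}); its response shapes, its catalogue and the "soft-deleted product" explanation for why product 10 is missing from the listing are assumptions made for this example. find_unlisted_products and keep_only are names chosen here; both take any object with get/post/delete methods, so a thin requests wrapper would let them run against a live instance instead of the fake.

```python
# Added example, not Juice Shop's own code. FakeJuiceShop is a constructed
# in-memory stand-in for the four endpoints the walkthrough used; its JSON
# shapes, catalogue and soft-delete behaviour are assumptions. The two
# functions below are the interesting part: the same steps as the Intruder
# attacks, but with the basket-item IDs read from the basket itself instead
# of guessed as a numeric range.
from itertools import count


class FakeJuiceShop:
    def __init__(self):
        # constructed catalogue: product id -> (name, soft_deleted). Product 10
        # is flagged deleted, so the product listing never shows it.
        self.products = {
            1: ("Apple Juice (1000ml)", False),
            2: ("Orange Juice (1000ml)", False),
            3: ("Eggfruit Juice (500ml)", False),
            10: ("Christmas Super-Surprise-Box (2014 Edition)", True),
        }
        # BasketItem id -> (BasketId, ProductId, quantity). Item 9 belongs to
        # another user's basket (3): a blind numeric range would reach it.
        self.basket_items = {9: (3, 2, 1)}
        self._next_id = count(10)   # our first mapping id is 10, as in the walkthrough

    def get(self, path):
        if path == "/api/Products":
            return {"status": "success", "data": [
                {"id": pid, "name": name}
                for pid, (name, deleted) in self.products.items() if not deleted]}
        if path.startswith("/rest/basket/"):
            basket_id = int(path.rsplit("/", 1)[1])
            products = [
                {"id": pid, "name": self.products[pid][0],
                 "BasketItem": {"id": item_id, "quantity": qty}}
                for item_id, (bid, pid, qty) in self.basket_items.items()
                if bid == basket_id]
            return {"status": "success", "data": {"id": basket_id, "Products": products}}
        raise KeyError(path)

    def post(self, path, body):
        if path != "/api/BasketItems":
            raise KeyError(path)
        if body["ProductId"] not in self.products:      # no such row at all
            return {"status": "error"}
        # Add-to-basket only checks that the product row exists, not that it
        # is still listed: that gap is what the enumeration relies on.
        item_id = next(self._next_id)
        self.basket_items[item_id] = (body["BasketId"], body["ProductId"], body["quantity"])
        return {"status": "success", "data": {"id": item_id, **body}}

    def delete(self, path):
        item_id = int(path.rsplit("/", 1)[1])
        self.basket_items.pop(item_id, None)   # no ownership check, the case the walkthrough worries about
        return {"status": "success"}


def find_unlisted_products(api, basket_id, id_range):
    """Take the public listing, try to add every ID in id_range to the basket
    (the Intruder numbers payload), then read the basket back and report what
    landed there that the listing never showed."""
    listed = {p["id"] for p in api.get("/api/Products")["data"]}
    for pid in id_range:
        api.post("/api/BasketItems", {"ProductId": pid, "BasketId": basket_id, "quantity": 1})
    basket = api.get("/rest/basket/%d" % basket_id)["data"]
    return {p["id"]: p["name"] for p in basket["Products"] if p["id"] not in listed}


def keep_only(api, basket_id, keep_product_id):
    """Delete every BasketItem in this basket except the one for
    keep_product_id. The mapping IDs come from the basket listing, so there
    is no range to guess and nothing outside the basket is touched.
    Returns the deleted mapping IDs."""
    basket = api.get("/rest/basket/%d" % basket_id)["data"]
    deleted = []
    for p in basket["Products"]:
        if p["id"] != keep_product_id:
            api.delete("/api/BasketItems/%d" % p["BasketItem"]["id"])
            deleted.append(p["BasketItem"]["id"])
    return deleted


if __name__ == "__main__":
    shop = FakeJuiceShop()
    print(find_unlisted_products(shop, 6, range(1, 51)))
    print(keep_only(shop, 6, 10))
    print(shop.get("/rest/basket/6")["data"]["Products"])
```

Two differences from the walkthrough are deliberate. The enumeration diffs the basket against the listing rather than reading names by eye, so it also catches an unlisted product whose name has nothing Christmassy in it. And the cleanup keeps the basket line the enumeration already created for product 10 instead of deleting everything and re-adding it, which removes the need for the intercept step and, more importantly, removes the guessed 12-to-47 range: the walkthrough's bounds were correct for that session, but an Intruder range on a mapping ID is one typo away from deleting someone else's item on an endpoint that does not check ownership.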
It's going to add it to our basket ID, which is basket ID 6, and we're only going to add one of them. So I can turn off intercept and it's going to automatically go ahead and forward the rest of the requests just as normal, and on the application I can open up the basket, and here is our Christmas surprise. So let's check this out. We're going to add our address, one-day delivery, and we'll use our wallet. This is our confirm page, and we're going to go ahead and place our order, and congrats, you successfully solved the challenge to purchase the Christmas special.

Now I know I ran into some issues during this video, but as you continue to go through the application mapping phase, your Burp state should look a little bit like this. In the proxy history tab we should have highlighted items, so that when we go and show only the highlighted items we can see a list of identified issues and endpoints that we want to follow up on later. Um, you don't have to follow the exact same coloring scheme that I do, but typically I use red for issues that I've identified, or endpoints that I've identified with issues; yellow as being associated with issues; blue as things that I want to follow up on later; and then gray as a little visual cue so that I can see what other endpoints are reached out to as part of the scripts whenever I click on something or perform a function. On the Repeater tab we should see a set of labeled tabs. I like to use stars to indicate findings that we've identified, and then of course everything else is labeled just so that I can quickly and easily go back to it.

So there you have it: a hands-on guide to web app pen testing using Burp Suite. If you're new to Burp Suite it can seem a little overwhelming at first, but with the right tools and methodology you too can uncover vulnerabilities on the web. Well, that's all I have for you today. If you're new to Burp Suite, let me know what else you'd like to learn in the comments down below and I'll make that into a future video, or if you're already an expert, what are some tips that you'd like to share with people who are just getting started? If you like this video, leave me a thumbs up, and don't forget to subscribe to see more guides and walkthroughs like this. Stay safe, stay passionate, and I'll see you next time.