but unfortunately for them they showed me where that code was and i was able to see that using burp suite to intercept that information look through that information and find where the weaknesses was and then exploit it using you know just some simple tools of sending and receiving now i want you to understand what burp is kind of designed to do what it can do and what it doesn't really do [Music] hey everyone david bumble back with daniel from itpro tv really had a lot of great feedback about the series please continue to give us your ideas of tools that you'd like to see daniel demonstrate big shout out to it pro tv for sponsoring this series daniel what are you showing us today today i figured we'd go ahead and uh get neck deep into the lovely little tool known as burp suite right now uh this is uh something that a lot of people are very interested in and for good reason because it is great tools a very well-known tool uh a little bit of a a fyi right uh for your information there are two versions of burp suite one is the community edition which is free for anyone that would wish to play around and have a good time with this and you can do a lot with that but there's also a paid version i think it's running between like four or 450 a year for a license for the paid version there is some advantages to having that pay forward version which we'll discuss as we see kind of some of the limitations behind the free version which is what i'm going to use today but like i said you can still get a lot of stuff done and still really understand a lot of web application testing with using burp suite just with the community edition so don't feel like you're being shorted or slided or anything if you don't have that pay for version but if you end up becoming like a professional tester that would be a good tool to have in your toolkit so i would recommend paying for it so daniel i've had this question from a lot of people kelly or carly has a whole bunch of tools how does burp 
suite fit into this so burp suite is kind of the gold standard when it comes to web application testing that's that's why it finds itself inside of kali i would assume it's also in parrot and black arch and any other pen testing shoot i've got linux boxes and even my windows box as well i have burp suite on all of those things not because i necessarily want to do some sort of web app testing with it but every now and then i'll see something weird or something's not working the way i think it should and i'm dealing with some web app and it's it's just acting weird i'll throw it through burp suite so i can kind of inspect and see what's going on in there and maybe figure out oh that's what's going that's that's my problem so it's it's really good at helping you understand how web applications work and what's going on underneath the hood that you just don't see because it's not really meant for you to see that's not the way most web apps are designed so they're there that's why you have front ends right you have a front end and that's what the user is supposed to experience but there's all sorts of craziness happening underneath the hood that you typically just don't you're not aware of because it's not for you if you want to see what that stuff is burp suite is a great way to do that and that's why you find it in pen testing uh distributions like holly and and parrot and all that and also that being said as well most organizations have some web application whether it's just a straight static page of here's our company and it's you know an old angel fire kind of thing happening or geocities or something to full-blown modern very contemporary styled web applications that are very dynamic and do different things so there's a lot happening and in all that moving parts that are underneath that hood there could be a flaw and if you can't see it or manipulate it or interact with it because you don't have any way to do that other than maybe the um the tools that come with 
your browser if you have the wherewithal to work with that maybe you could do it that way burp suite's a great way to be able to look into those mechanisms that are happening underneath the the hood that you don't normally see and even interact with it start to change and poke and maneuver things and see what happens if i do this what happens if i change this value will the application do something different or will it just error but you don't know so that's why you see burp suite all the time that's great so i mean i i don't want to stop you we want to get to the demo as soon as we can but just before we get to that you using a local installation this is your own test lab is that right correct i have a couple of vms one of them is the kali machine that we're looking at right now and the other will be um the broken web application the b whap it's old but it's useful it has a lot of great stuff especially for demonstration purposes we we want to see how some of this stuff works now another caveat i just make sure that everybody is on the same page when it comes to the why we're doing this right what what i'm going to do with my demonstrations i'm not trying to necessarily teach you how to hack certain things we want to take a look at what burp suite can do and some of the functionality that it has so that's why i choose certain things when it comes to our demonstration purposes b app is going to be great for this because it has a lot of different like oh wasp vulnerabilities that we can kind of look at and just play around with as far as well how burp suite might help us with this so that's why we're using bwap for this demo that's great go for it i don't want to stop you okay well let's jump in here i've already got the browser up and running so it's running the bwap i have my uh ip adjust and everything put into or the url into the address bar i'm just going to move that out of the way for right now and since i'm in kali if i want to start burp suite i just hit 
the little icon and i start typing burp and it's usually the first one that comes back so i you might be thinking well i think i know how to start burp suite right but i have everything connected to the internet so burp is going to act normally like it would if you're actually testing a live application that would be out on the internet so you can see it's like complaining about uh the java runtime environment appears to be 11. so you might see stuff like this if this is your first rodeo i'm just kind of giving you that that real uh look into how this thing works so i'm just going to rather assume no knowledge it's better that way right i don't assume anybody's uh level of expectation and it's telling me even though i just installed kali and i ran all the updates that it still has an update rating maybe this just came out um but i i won't update but you might see this if you want to this would be a great time an easy way for you to do an update you can update now and you can update it to the latest version and it's telling that there is a persistable intruder attacks and small improvements we'll get to that later so yes i want to exit the wizard oh no no no i'll just hit close what am i doing all right this brings us to our project page so if you wanted to have multiple different uh testings going on you can kind of save them as projects it's very helpful for us to be able to go i don't want to have to reinvent the wheel and go back and get all that information that i got before in the same way that i did it i can just save it as a project and there you go right now i'm just going to use a temporary project i don't think i have project capabilities yeah you'll note disk based projects are only supported in burp suite professional that brings us to our very first uh kind of a ding against the community standard or the community version it doesn't allow you to save projects you can only do temporary projects but if i've got that pay for pro version i would be able to 
save this and and keep those projects if i was working on multiple projects i don't have that capability all right so i'm just going to hit next because that's all i can do then you have configuration files if you have some way to configure it though we do have that option here so if you have some configuration files that you wanted to set things just rights maybe you're migrating from one machine to another you want to load this up that would bring all your your sweet stuff that you love so much along with you along the ride for you but we're going straight out of the box just like it was standard operating procedure bring it and starts going all right so starting to build the project it's going to launch the gui here in just a moment and when it does you'll see there's a lot of stuff and it is definitely can kind of feel overwhelming we've got a bunch of tabs at the top here that have very cryptic naming conventions that probably don't mean a whole lot to anybody that's never worked with this before so we're going to kind of work a little our way through that kind of define some of the more common uh tabs that you'll be working with if you are going to play around with burp suite and have it be useful for you here is just the dashboard so it kind of gives you some information on what's going on here but really one best place to start is going to be at the target so this is where you actually choose the information that you want to log that you want to work with because otherwise it's going to do everything okay any website that your browser that is hooked into burp suites looks for reaches out to it's going to start throwing it in here and that can be a lot if you have a bunch of tabs open it's going to just start filling up with crazy data because you've got to remember a lot of dynamic websites they're constantly reaching out phoning home and doing all sorts of crazy stuff burp suite's going to be indiscriminate out of the out of the box and say i don't know 
that you don't want this so i'm going to start grabbing it right the other place to start also is this proxy tab and you'll notice by default you have this little lovely thing right here that says the intercept is on you'll notice it just grabbed a request that my browser is making because my browser is already hooked into burp suite it's waiting to basically filter every request that it makes through that proxy i just i have that set up now you can do that manually through your browser's proxy settings or i use a plugin called foxy proxy which makes it super easy and i can kind of show you that really quickly in just a second but yeah that'd be great i highly recommend turning that off like first thing just run over there and turn the interceptor off because otherwise it's just gonna start it's you're not gonna get very far you're gonna be like why isn't anything working so you definitely want to turn that off right out of the gate all right once that's done then you can kind of find where you want to land as far as your target goes make some requests to the target and then add the target to the scope so let's go to foxy proxy first show you how i did that i believe foxy proxy has uh it's a plug-in for both firefox and chromebased browsers so whatever browser you got do a search for foxy proxy it'll probably return uh with hey foxy proxy add-in for chrome or foxy proxy adam for firefox click it hit the install button it should be good to go once you have that installed let me uh do this here let me get my zoom feature going here so we can kind of take a look at it's a little tiny crazy thing but it's right there you can see it looks like a little fox and mine says burp right and that's because if i click on it i have all these different types of proxies that i've i've created inside of foxy proxy if i want i can go to options and that'll take me to that page and i gotta get on here there we go and you can see it right here you can this is where you can add these 
things to so if i want to add one i could go add you would put in okay i want it to be burp 2 or whatever it is the type of proxy that you wish to use and i'll just go http then you give it the ip address since it's running locally it'll be 127.00.1 give it the port number by default burp suite runs on port 8080 which is the default proxy port for just about any proxy so that's a that's a well-known port there you go if you have any kind of username or authentication thing going on you can add that stuff and then you just hit save and now i have burp 2 up there right so once i want to use that i go back up to my little corner office over here and i guess you should zoom back in i click it and i choose which one i want so if i choose burp 2 you'll see the check mark goes there and now it will be using those proxy settings for my browser and that makes it easy for me to turn it off when i don't want it so if it's grabbing information i don't want to grab or it's interfering with some sort of normal web requests i want to make i can just turn it off really quickly and then when i want to go back to burp suite i choose the one i want and i hit okay and i'm good all right so that's that's fantasy proxy that's great yeah so yeah definitely definitely makes your life super easy because going into the browser settings and the preferences and finding the network area and the proxy okay put that in type of stuff save those settings and going back and forth between that it's just a nightmare foxy proxy makes that process just so much more seamless so um let's see here let's get back into this lovely little device now that we understand foxy proxy and what's going on there uh now i have my web application so what do i want to do i want to start making requests so i'm just going to kind of refresh this page so that it re-requests the page now because i'm proxying it should have grabbed that information i should be able to go to burp suites and under the proxy tab you'll see an 
http history right and i'll see all the requests that it has been made that has that my browser has been making you can see the firefox settings are in there and anything else so you can see how that can start to get very filled up and i don't really want that so it's going to send me back over to my target and now inside of there you can see i've got my target showing up and i can choose what i want so i can click on it highlight it right click and say add to scope once i do that i'll get this little little like a warning here saying that i've added an item to the target scope do i want burp proxy to stop sending out of scope items to the history or other burp tools for our intensive purpose that's exactly what i want to do i want to stop getting traffic that i don't want so i'm going to hit yes for this once i do that i can zoom back out and now i will only intercept under my proxy history tab only stuff from that in scope item so now i'm only grabbing stuff from that ip address and everything else is going to get ignored in the history so that's going to make my workflow a whole lot nicer a whole lot easier i'm only getting information that's actually pertinent to what i'm trying to do okay i'm going to have to ask you this daniel because i always get asked these kind of questions you chose http and not https can we do both is there restriction no you can absolutely do do both and that actually brings up a really good point there is a certificate that you need to install into your browser to make sure that burp suite can work with https requests so um i guess that would be a good idea to show you how how that thing works so if i want to get that i need to make sure that my browser is connected to burp it is and what i need to do is go to http and go to burp suites like that now you'll get this weird page but over in the right hand top corner you've got this thing that says ca certificate you click on that it should give you a download let me get to zoom back out 
here if i can get that let me grab that you see that i'm i'm downloading out just save the file somewhere to where you know where it is once i have that i believe it's called and you can see it right there ca cert.dir is what it's called i'm going to cancel that because i already have it once i have that file i need to install it into the certificate area of my browser so because i'm in firefox i'm going to hit the little hamburger icon over here on the top right hand corner i'm going to go to preferences that's going to take me to my preferences pages once i'm here for firefox it's going to be under privacy and security all the way down to the bottom of this page is a certificates area i'm going to hit view certificates and then in here i have an import button and i will hit import and i will tell it hey this is where i get that i think mine's in downloads so yeah there's cert ca.der i would choose that and put that in there since i've already kind of done that you would have one more um thing to do let me let me find that's that ca uh really quickly that certification it's going to be labeled port swigger because port swigger is the organization that creates birch suite and maintains bird suite let's see here where are you at it's in alphabetical order so it should be able to find but it's easy to pass them there it is port swinger the one thing you're definitely going to want to do is when you see this screen right here that talks about the trust settings you want to make sure that you make that it trusts this certificate because if you don't you'll get some weird errors and things won't work right so make sure it can identify websites and and make sure it can identify mail users you'll get that when you're installing the cert it'll ask you to verify those things but if you forget you can just jump back in here just like i did and edit the settings and make sure those are checked and then hit ok i'm really glad you're showing all these you know so-called basic 
settings because it's often these kind of things that you know stumbling blocks when you when you start out oh man i can tell you horror stories where i'm trying to like i'm like why is this not grabbing this i do not understand i am going to set my computer on fire if it doesn't start doing it that's that's my bad right there yeah i want to go ahead with a with a error is here in the in the chair not in the computer so uh i've been down that road once or twice and it can definitely frustrate you if you forget to do this type of step so this is definitely some housekeeping stuff if this is the first time you're dealing with burp suite or maybe you've played with it before and it didn't work like you thought maybe it's because you didn't install the ca and you you're getting problems because of that so that can definitely alleviate a lot of your issues all right so now that i've got all that stuff squared away i've got it in there again if it was chrome it would be a little different you got to find the preferences area for that find where you can import certificates in chrome i don't know where that is off top of my head because i typically use firefox yeah don't worry um but your mileage may vary all right we got that in there we got it going on we know how to get the ca that's all good now let's go back to burp suite what i'm going to do here is i'm going to start kind of messing around a little bit because i want to remove all these these things that actually what i can do is just right click right clicking is going to be your best frame here on burp because there's a lot of of things that you do with the right click menu so for what i'm going to do is i just kind of right-click anywhere in the http history tab and then i'm going to just clear my history out that's going to give us a clean slate to work with and i'll hit yes i want to clear the history and now i can go back to my web application refresh the page and then switch back to burp and you can see i 
only have what i've done so far with something that's in scope that's the target that is in scope okay so i can see now a little bit more now we're starting to get into the nitty-gritty of burp and what it does now i want you to understand what burp is kind of designed to do what it can do and what it doesn't really do and a lot of let's start off with what it doesn't really do in a lot of ways i'm not saying perfectly there might be some ways to do this and we'll get to that in a little bit it's not kind of a point and click hack stuff tool right you might think well that's so disappointing come on that's so disappointing what do you mean i can't just install burp suite and start hacking websites not really no it doesn't it's not what it's meant to do so it's very informational what it's what it's meant to do is give you the ability to see what's happening and manipulates what's happening you have to know what's going on to be able to really use burp suite effectively so if you're unfamiliar with web applications and kind of the basics behind that http methods php and javascript and all html and css and all the normal stuff that happens with a web application that's going to be an area you're going to want to increase your knowledge on now purpose people will help you do that because you're kind of seeing that under the under the hood uh view into the application itself you're not just getting that normal user experience so those concepts that you're learning about when you are learning that stuff is going to become more real and more tangible to you as you see them happen as burp suite interacts with that right so it can be really helpful as a learning tool and really in my estimation that's what it's meant to be is kind of like an informational tool i guess is a better way to put it that it is giving you the information that you need and the ability to reach in and kind of manipulate that information to see if you're able to get the web application to do 
something maybe it wasn't designed to do like bypass some sort of authentication or give you access into uh some sort of secret functionality that you would never have known was there if you didn't actually get to see because burp sweet is allowing you to see that so that's that's really what's going on here right did you have any recommendations for courses to take to you know help let's say someone tries this and they totally lost is there any training that you've created or something that you can recommend i haven't done like a burp suite course per sw per se i i have full intentions to do that but i am but one man and time is limited what what i mean sorry is like you mentioned like you need to know like uh web applications is there anything that you recommend for that yeah um there's definitely um good websites out there for learning how to do html coding and building web applications so like things like w3 schools i think is probably a pretty popular stuff like that i don't know if we have any here at it pro tv um i would i would like to say we do but i'm not 100 on that i don't know off the top of my head uh no that's fine so you it's general like i mean you've mentioned them already so i won't rehash it so that's great yeah um portswigger does have the um the portswigger academy which is a soup nuts training in not only burp suite but doing web application testing as well that's right and it's free um it's it's it's really good training actually i i like it a lot that's great i'll put a link below all right so that brings us back to burp suite right uh the thing we're here to look at so the cool thing is you kind of manipulate some of this stuff like if you're not seeing things very well i can kind of like collapse the inspector and you'll notice that i'm getting this request and response over here is response over here's request so these on the left-hand side are the requests that my browser was making so when i click on something or i go to a page that's 
the request to the web server to deliver that page back to me and what i see in the response page was the response of the web server with the information and there's going to be a lot of great information in both of these things so you want to get comfortable with understanding what you should be seeing and how that information looks on both sides of the fence so here i have my request i have let's see here what do we got we've got the gets http method asking for the bwab forward slash login dot php file right and then we see that was requested from host 10.11.14.189. cool i also have a user agent field so these are all the http headers that went along in my request so it's telling it it's telling the web server what page i want what my user agent was so a user h is a fancy term for what's the browser that i used and then it kind of gives that information there what type of acceptable input it allows so it accepts text and html application xhtml xml and so on and so forth right acceptable language obviously this is in english uh what else do we have here we've got the different types of encoding so it's in it's accepting gzip and deflates the refer where did this request come from it's showing that they came from the app itself and then of course connection is closed because it was just a a simple static page basically grab that stuff bring it back and we're done any cookie information that might go along with that and you do we do get a php session id cookie right here if you'll remember back when we did the sql injection with sql map we needed that php session id information to hack the b whap using sql mac to dump all that information yeah i could easily use burp suite to glean that information we we went through some crazy way through the browser inspector tools to get that stuff that seemed like a whole lot easier and because it is right it's i mean that's relative but in my estimation that was a way easier thing to do right so this is that request that i made 
then of course if we jump over we see the response and we're seeing that i got a 200 which was that hey okay i know that page i'm sending it back to you you don't have any kind of errors you didn't hit up against any kind of authentication or authorization walls that would stop you from going to that requested page that you would like so i'm just going to go ahead and deliver it a 200 is a nice thing you might also get things like redirections so yeah i know you went here but we actually are going to send you over here because that's how the application is going to work knowing that could be a good piece of information for you as a tester looking for flaws in the application so understanding that stuff and of course when that happened what server was being used oh look there you go right there i can see that i this server is running apache 2.2.8 that's good uh that's good recon right there i can grab that information put that in a file and then maybe that's going to be a part of my exploitation ventures right maybe apache 2.2.8 has a remote execution problem and i can remote code execute through some sort of avenue in apache 2.2.8 if i didn't know that you'll notice that the web page doesn't tell me that stuff i learned that looking at the request response headers getting that information back right so maybe that would be something that the administer our administrator of this web application would want to shut off stop sending that information back they don't need to know that right i also see that it's running ubuntu and we've got this mod fast cgi thing letting me know that they're probably running cgi scripts right again knowing a bit about web applications and how they work is helpful for me because once i know that then i can start to see oh well if they run web application or cgi scripts maybe there's a flaw in that maybe i can use a tool that that exploits cgi scripting capabilities and i know that's where i need to go like i said burp suite is really great 
about giving me the information i need and then i have to have the skills to kind of like follow up on that so it's all about enumeration or at least for the vast majority of what you're going to do i just can't do some hacky stuff and we'll play around with that just here in a second but information is key i also see it's running php 5.2.4 again a lot of great information here powered by php 524-2 maybe there's an exploit available for that but i do know it's running php so any of my exploits that will use php might be useful here what else do we have here uh and then of course basically the document body is really where we want to go next is this is the source code if you browse to a web page let's let's do that let's see here let's go back to the web page what i'm seeing in that response in the body is basically if i just right click and said view page source and looking at this this is the exact same stuff that we're seeing in burp suite so you can see bam and there it is right over there oh i'm hitting the wrong buttons see same stuff that's right that's what's being returned now obviously i could right click and do that as well and see that same information but what i'm not seeing is are those those headers those response headers so it's just easier to kind of look back and forth between the response and the requests right here in burp suite so it's giving you a good nice workflow and you can kind of change this stuff stylistically if you want to do top bottom or just the response and then have a tap for requests so it just depends on what you want to do as the tester all right so now that we got kind of an idea of how this is working let's kind of see it do things right let's um let's jump back over here i'm going to go here and let's let's log in so i'm going to just increase the font a little bit make it a little bigger i'm gonna log in it gives me some credits right here to log in with so that makes that easy b and tab down to bug and i'll log in i don't 
care to save that so hit never save and now i'm logged in i can see i think if i zoom out just a bit yeah you can see it says welcome b right there that was my username that it gave me to log in with and i can now start interacting with the web application itself now back to burp suite right we can see i've got a couple of new things like right here i'm seeing that i've got a post request i'm posting data i'm actually sending data to be computed or worked with processed analyzed by the application itself using an http post method and i get to see that stuff right down here look at that there's the stuff i put in now this is really interesting information because i understand the idea of login right b was my password then it has password equals bug and security level equals zero and form equals submits that's interesting i didn't see that stuff when i typed in my username and password it just said username password submit button i did not see these things like i did have a security level button i could have changed that from um if we're looking back at it i think it was like low high medium kind of thing where's that that's oh we'd have to log out let's log back out yeah okay we can do that yeah so i've got this drop down option low high medium but that's not what we see in burp suite right we see this right here it's the security level zero so zero is equaling low can i change that can i modify that if i do what happens so this is where you start understanding how you use burp suites in real life land to start manipulating data so maybe i want to catch that before i send it along the way or maybe it's actually okay for me to actually replay this and work with it and see what it does and that's where we're going to get into the different tabs that are available to us here at the top of burp suite because i can take this request that i've already sent it's already been processed it's already been dealt with if i want to redo that well i could go back to the the 
application log out change my settings log back in and see how that looks or i can right click and go send to repeater you can also do control r if you like keyboard shortcuts once i do that the repeater tab highlights i can click on that and there is the request now we can start actually playing around with this i'm going to change our look so we get that side by side so now i'm getting this request and response and all i did was i went over here and you get this different layouts so vertical layout combined layout and this is the what do they call that horizontal layout so just keep that in mind if you want to do that all right so that's going to give me when i send a request it's going to allow it to show me the response immediately in the other pane just makes it's the way i like to work so if i if i send this let's see what happens i get the response i get a 302 not found here and that's probably because i've already logged in and this is like a weird form so it might not be able to work with that or maybe that cookie is expired that session cookie you'll notice that that has like you've got this five fc and then over here the session cookie that's the set cookie not the second cookie but there you go and maybe there's some some weird things happening there but i got this 302 it's saying hey i didn't find that okay that's fine we're going to play with this a little bit more but i just wanted you to see i can repeat uh requests that i've already done and kind of work with it modify it i could actually go over here and change this information so if i wanted to change my user agent okay take that out and we'll call it daniel's web or browser like that i can make that change and then i can send that along and it will it will take that in that becomes important because sometimes an attack avenue will be done through the user agent string itself right you do things like local file inclusion remote file inclusion it could be that you're using the user agent string to 
actually manipulate that data and work with it. So it's important to know, how do we change what's being sent along using Burp Suite? How can we manipulate that and manage it to do what we wanted to do instead of what is supposed to happen? And sending things to Repeater is the most common way in which we do that. So be really familiar with Repeater, because it's going to be super helpful for you as you start manipulating data and seeing, now that I've made a change, what's the response? Is it doing what I think it should be doing? It didn't work, let me try changing something else. And you can have a bunch of them tabbed across the top. It doesn't have to be just one. I like to keep a clean copy, and then I can right-click this right here and send that to Repeater, and look, I got another tab, right? I can go back to this one, I can work with it, I can start making different changes and going, oh, I like the way this responded, I want to kind of go down that road, let me right-click, send it to another Repeater tab and kind of work with it. So this is just basically figuring out your workflow on how you're going to manipulate data and what's right for you as far as the capabilities of Burp Suite.

All right, so now that we got kind of the nuts and bolts behind what Repeater does, we can actually work with it, we can use it. So let's see something useful, right? So let's log back into the application here, bee and bug, and get in here. I'm gonna choose one of my favorites just because it's fun. Let's see here, and it is going to be, there it is, Order Tickets. This is called insecure direct object reference, or yeah, insecure direct object reference, I'm pretty sure that's what IDOR stands for. Click Hack, and we got ourselves a neat little application here where you can purchase tickets, right? I'll increase this here. It's got a very simple interface of how many movie tickets would you like to order. So cool, we're going
to buy some movie tickets, and they're 15 euros per ticket. If I want to order one ticket, I can hit Confirm, and we scroll down and we see that we ordered one movie ticket and the total amount charged for my account was 15 euros. I'm off to the races. Really cool, right? Everybody's happy, everybody's having a good time. Now what happens if we go to Burp and we look at what's happening there? So we'll jump back into our Proxy tab, look into here, and I'm seeing, let's see here, we did a GET for this, we did a POST for that, and now I'm seeing that information. I'm seeing ticket quantity equals 1, ticket price equals 15, and action equals order. Awesome. Let's send that over to the Repeater. Let's see here, let me zoom down here because it's getting crazy on me. All right, so once we go to the Repeater tab we should see, there it is right there, let's zoom back in so you can see that. Now let's send that along, let's hit the Send button and take a look at the response. We got a 200 OK, just like what we expect to see, and let's see here if it tells us the same kind of information. This is all about the create user, so we're looking for the tickets. We did see that, did it confirm? And it tells us you ordered one movie ticket, total amount charged is 15 euros. Cool, everything's fine so far, right? Everything's working as we plan, except with an insecure direct object reference I should not be able to change the ticket price, or even have access to the ticket price. So I could do, I want 10 movie tickets and I want them for one euro. Is that okay? I don't know, let's see. I'll hit Send, we'll jump back over to the response, it gave me a 200.
Let's see what actually happens down in the code once it comes back with its response, and it says you ordered 10 movie tickets and it charged me 10 euros, right? So apparently it's taking 1 times 10. That's fine, it was still a whole lot cheaper than it was for one ticket just a second ago. So you start to see, like, Burp Suite didn't do that, right? Burp Suite wasn't like, oh, I clicked something and I hacked it. Burp Suite gave me the information, allowed me to see what I needed to see to be able to go, oh well, you, whoever coded this thing, made a really bad mistake, because you're now giving the user, if they know what they're doing, which we do, some way to manipulate that data, specifically that ticket price and ticket amount, and they shouldn't be able to do that. All they should be able to do is set how many tickets they want and submit that. Other than that, it shouldn't give you any kind of other capabilities. But unfortunately for them, they showed me where that code was, and I was able to see that using Burp Suite to intercept that information, look through that information, and find where the weakness was, and then exploit it using, you know, just some simple tools of sending and receiving. Now I've got myself 10 movie tickets for a dollar each. So I guess that's what it did, it did the math. I was thinking it was going to give me 10 tickets for one euro, but it gave me 10 tickets at 1 euro each, hence the 10 euros. So it did the math for me, that's what it's showing. But still, like I said, a whole lot cheaper, and of course I could put it at zero and then it would have been zero euros. So play with this as you will. That would be something I would want to submit if they had something like a bug bounty program. I would say hey, I found an IDOR in your system, here's how I manipulated it, here's how I exploited it, and here's the end result of it, you might want to change that, and then hopefully get a payout on that. But there you go, the Repeater can be super
super helpful for doing tasks such as this.

Yeah, I mean, it's amazing how simple it is. I mean, this is obviously a demo, but you've made it look so simple.

Well, I mean, it's simple if you know what you're looking for. Obviously I have some knowledge about how a lot of these things work and these tactics and things of that nature, and this is meant to be very simplistic, to kind of assure you that what you think you know is what you know, and you should be able to work with these. So I really like bWAPP for that. It does lend itself to not necessarily holding your hand, but still not being so overly complex, because real web applications are typically not that simplistic. So you're gonna get a lot of information, you're gonna have to sift through a lot of data and deal with it and manipulate it and see if things work, and do some testing, poking and prodding. So yeah, we're having a good time here. bWAPP is great for making sure I do know what it is I think I know, and can I actually work with that if I saw it, at least in a very simple fashion. And then you just got to take that and kind of, okay, it's going to be a job sifting through all these different web pages looking for information, but I know that if I have any kind of input into the system, that's going to be good for me. I'm going to start looking to see, okay, I was able to submit input into the web app, let me look and see what that looks like underneath the hood using Burp Suite and see if there's any flaws in that. Maybe find the logic flaw, maybe find something as simple as this, where you're just giving me access into the system that you shouldn't be giving me, and then I can manipulate it and make my payday, as you see.

Daniel, that's fantastic. I mean, that's a great little example of what Burp Suite can do. Is there anything else you can show us?

Yeah, there's a bunch of different tabs, some of them that you're gonna use really commonly. One is like the Intruder. Let's jump over to the Intruder
tab here. This is an interesting tab, because this does kind of push the envelope as far as Burp Suite goes, in that I can actually use Burp Suite to kind of attack things, because it is an attack mechanism that is built into the Burp Suite program. So I've got Target that I want to select, Positions that I'm going to work with, Payloads, and different Options. So let's see what that can kind of look like in real life. Let's go back to our web app, let us choose an application, and I'm going to use a, all right, let's see here, I want to get a, yeah, there we go, login form, that's what I'm looking for. There it is, let's hack that thing. All right, so this is the standard SQL injection against an authorization page. So if we look down, we see we've got "enter your credentials." I can log in using, like, bee and bug, because we already have that, and log in, and it should say, okay, there it is, "Welcome bee, how are you today?" And then it kind of gives us whatever this secret thing is, "any bugs?" But does it fall prey to SQL injection? Well, I can try to manually test this, right? I can start popping in the single quote, or 1 equals 1, and trying different things. But depending on the application, that might take time. Maybe they're doing some sort of filtering, or maybe they got parameterization going on, anything that might be stopping me from doing this, or the application itself uses a weird version of SQL or the way it's working with it. So a lot of times what you want to do with things like this is just fuzz that out, do it programmatically, let a computer do the heavy lifting for you, because that's why we have computers, at least we should, right? I know I don't like manually testing things for very long if it doesn't get paid. If it's like three or four, you know, tries and it's not working, I'm like, I give up, you know, I just give up immediately. Then I'm like, oh, let me let the computer do this. So let's just jump into Burp. So let's go to Burp, we should see that in our Proxy setting under the HTTP history,
and I do see it, there it is right there. We've got that information, bee, bug, form, submit, and this is the sqli_16.php page. Awesome. We see the response, there it is, everybody's happy, right? Let's now right-click, Send to Intruder. Once we get to the Intruder, we now have a new Target area, right? So super fun, a lot of good times. It's basically what web page do you want to attack and what port is that on. There you go, it's got the IP address and the port. But over here in Positions, this is where it starts to get fun. So you'll notice it's got like, hello, oh, I'm hitting the wrong button, it's got these highlighted areas with this weird syntax-like things around them. It's basically trying to figure out, maybe these are the things that you would like to manipulate. You go, oh, you know, you did some good jobs there, anything with an equals sign on it was probably a good guess. But for our intents and purposes, I'm going to clear that out. So I'm just going to hit Clear, we go back, we realize all that stuff has now disappeared. What I want to do is I want to choose my own sections. So I'm just going to highlight the area that I want to try and then hit Add. So now that we have that added, we'll see that it's been highlighted. It's got the weird double-S looking thing, or whatever that is, around it, to let it know that's the position that I'm going to fuzz out. You have these different attack types as well. Let me zoom out a little bit here. And you've got Sniper, Battering ram, Pitchfork, and Cluster bomb, very cryptically named, as the good folks at PortSwigger have done. So understand that Sniper is basically like, I'm choosing one position and I'm gonna run some fuzzing at that position, so I'm choosing one thing. If I do Cluster bomb, I can choose multiple things. Also, Pitchfork does that as well, but just does it in a different way. And Battering ram is a weird thing where it takes in fuzz information but does it to multiple different areas with the same information. I
know it sounds weird. You don't really have to worry about that at this point. I think if you're new, Sniper is probably going to be your go-to, de facto. So with that chosen, I've got Sniper, I've got the position set, which is the login area, and whatever I want to send. So what I'm going to do is I'm going to go over to Payloads, and once I'm here I can actually tell it, what I want you to do is request that web page, and under login, for the login name, try bee, but also try daniel, try david, try billy, try SQL injection, I'm sorry, what was that last one? No big deal, just try it. You know, that's the idea here. I'm going to be sending those things over to it and saying try it and see what happens, and it's going to be up to me to be able to kind of discern what happens after that. But right now I just want to load a list, or I can add items. I can say hey, you know, I'm going to do 1 or 1 equals 1, 1 equals 1, if I can do it right, equals 1, like that. I could add it in singularly like that, I guess I'll zoom in for you, one at a time, but that's not really what we're looking for here. So I'm going to remove that out, I'm going to clear, I'm going to load from a file. Now in my Documents I've created my own fuzzing file. It's just a flat file with information in it. I'll show you what that looks like. You can see if I cd into my Documents, this will not be on your computer, because it's something I created myself, and if I do an ls for burp, because I named it burp something or other, I've got a few things here like burp sqli fuzz, or burp_sqli_auth.txt. So let's take a look at that. If I cat burp_sqli_auth.txt, it's a bunch of different types of ways to try SQL injection against an authentication mechanism. I'm going to throw all this at our web app and see what happens. That's the idea anyway.

This is just your experience showing you, I mean, you've put this list together, is that right?

Yes, on experience, exactly. Anytime I come up to a web
application that has authentication and I try all my, like, go-to SQL injections to get past that and it doesn't work, I start trying this list and say hey, see if any of those will work. And if none of those work, then I start doing some research, and I found out some weird funky thing that allows me to get past it, like it did have a SQL injection but you have to format it in just the right way, I'll take that and I'll add it to this list. So this list is like a living document. It continues to grow.

How much do we have to pay you to give us the list?

Yeah, you're seeing it right now, so get back, go crazy. The good news is that, like, search GitHub or just Google for SQL authentication fuzz lists, that kind of stuff, and you'll see stuff like this all day long, to be able to download them. This one isn't even that big, there are huge ones out there. So just download it and put them on your machine.

Daniel, just for new people, because there are going to be a lot of new people watching this, you keep using this term fuzz. Can you explain that?

Oh yeah, no problem. Fuzzing is the idea that I'm going to attempt to input data into a system. It can be a web application, a standard desktop application, whatever, anything that takes input via digital methods and means, and I'm going to feed it anything and everything that I can make the computer do and see how it responds. So it's that idea of giving it inputs programmatically, like basically running through a list of inputs, trying it and seeing what happens. That is the basic idea behind fuzzing. So I'm looking for odd behavior or different behavior, basically, right? So that's what you're looking at. All right, so now that you see kind of what's going on here, as I load this list up it will make sense of what's going on. So I'm going to choose that, where is it, SQL fuzz, and then just hit Open. Once I do that you'll see that list propagates, and you can scroll through it and see, there's that list. Great stuff. Now that we have this
done, there are other options as well, but for right now, for most intents and purposes, you should be good to go. I would warn you, I think by default, yes, oh my goodness, it's going to drive me batty, so they've started doing this by default, payload encoding, URL-encode these characters. That may be a good thing, that may be a bad thing. Sometimes web applications, once you send data to them, they will automatically URL-encode those, which is basically saying, I'm going to give this in a safe URL format, and I'm sorry, I'm going to manipulate the characters and URL-encode them using URL structures, right? This is doing this by default. I'm going to turn it off, because I don't know that it wants URL-encoded. I didn't see any URL encoding happening when we were sending data, so I'm assuming that that is not necessary. So you may need to toggle this off or on based off of the results that you get. If you try and it doesn't work, go back, turn it on or off, or whatever you've done, and try it again. So this can be a time-consuming process, just be forewarned on this. All right, let's see here, whoopsie daisy, what am I doing here? You're going crazy. I don't want the Windows machine, Kali, dang it. All right, so now that I have that going, the next thing I want to do is go back to the Positions tab, and you have this Start attack button right over here on the right-hand side. Click that, and this is where we see the next kind of "you're not as good as your pro version" thing happening, and this is probably my biggest complaint with the free Community Edition, and that is this warning right here that tells you that some functionality is disabled and attacks are time-throttled, please visit PortSwigger for more details about Burp Suite Professional, which doesn't do this in the Professional version. So we're gonna see some intentional crippling of our capabilities as we deal with this. All right, so just be aware of that if you're using the free version. So I've hit OK, I'm going back, and I'm seeing whether or
not anything is happening, and you can see it's kind of rifling through all this data, and you can see it's trying these different payloads as they were, giving me the status that was returned by the application itself, error and timeout, the length of the data that was returned to us, any comments that show up, and then you can kind of play around with this. Now what's interesting is this is where it kind of lends to your understanding of how web applications work, right? So I'm going to zoom out here, and one of the things I like to do is look at status and I like to look at length. If I start getting a bunch of, I don't know, 404 page not found, or 401 unauthorized, 403 unauthorized stuff, 500, there was an error on the back side, on the server side basically, is what's happening, I know that that's not what I'm looking for. If I get a 200, that means it was successful, it actually sent the request and the web application said that was okay and returned something. But I'm getting all 200s no matter what. Now either every one of these SQL injections are working, highly unlikely, or that's just how the page responds. I'm like, ah darn, I wish that was not that way. So that can be one of the ways that you don't see what goes on. Maybe the length is going to be a little more helpful. Okay, you returned a 200 status, but what else did you return? How big was that? You'll notice that that information is varying. We've got some pages returned, 1,000, I'm sorry, 13,575 bytes, and some of them returned 2,523 bytes, 2,524 bytes, 21 bytes. What's the difference? Why the difference? So obviously I'm seeing some difference in what the application is doing, so maybe that would be a good indicator of whether or not I was successful in my attack. So what you can do is you can click the tab there, and you can sort by those different lengths, or sort by the statuses. So here I see I've got these different requests, and of course if you click on them they'll show you the actual request that was
made, and of course the most important thing, which was the response, and I want to see whether or not it tells me "Hello bee, your secret is such and such," and it says "enter your credentials," the password, the login. Oh, it did it. It actually gave me another user, it said "Welcome A.I.M." I didn't even know that a user existed at this point, but the SQL injection said, this is the administrator for this system, just bypass all this stuff, and we fuzzed it out using the Intruder to get past that. So now I can see "my secret: A.I.M. or Authorization Is Missing," whatever that means. So that's supposed to be some hint to what your password is. Great. Again, that's not normal, that's just specific to this application, but the fact that we got past that and it said "A.I.M., how are you today?", that lets me know that that SQL injection worked, and I should be able to use that single quote, or single quote, single, whatever this was. We have all sorts of other ones, like this is a much more standard-looking response, also gave me the same thing, so I can use that. So let me grab that request and just highlight it like so. I'm going to right-click, copy that, let's get back out of here, let's go over to the web app and see what happens if we put that in. I'm just going to paste it in, put anything I want in the password, because it doesn't matter, and then log in, scroll down. So that gave us some invalid credentials. So maybe that was the application itself coming back saying hey, the administrator's saying that didn't work, right? So actually, I think I know what the problem is. Let me paste that in. Sometimes with these comments on the back side here, this can get a little janky, so let me take that out, try this. I don't know exactly what it's doing, we could get invalid credentials. Oh, I'm getting a SQL error. Oh well, that lets me know that maybe I can manipulate SQL at all, right? Because I didn't do something right. So maybe that was the correct thing and I need to just continue to look through the different SQL injections that
I have available until I find the right one, and looking and see. Now typically, this is built to do SQL injection, so you're probably only going to hit on a few, a handful, that would actually work, and this is a very weird, it's not an actual authentication mechanism, it's kind of simulating that experience, so we're getting some odd output from that. But the basic idea is still there, that I can fuzz things out, and that's what we're trying to look at, not necessarily to break the machine, but how does Intruder work. And you can see it's still going. It's a little slow, and if I had more than, it looks like I have 119 different requests that I'm making, there's 96, and wait for it, 97. So it's really slow. Like I said, one of my pet peeves when it comes to using Burp Suite, specifically the Intruder, but it does do this, and if you've got the time to set it and forget it and come back later and see, was I successful, well, there you go, that's how you fuzz out whether or not an attack would work. I could also use a password list. I could say, oh, I know the user account is bee but I don't know what the password is, so I can grab something like rockyou, throw it in there, and let it fuzz out and see what kind of results I get with that. So it doesn't have to be SQL injection, it could be just about anything, anything that you want to try to manipulate that input and try multiple different things that could be possible but would take you a hot minute to do manually. Intruder's going to be your best friend, because it's going to do that programmatically and you just set it and forget it, walk away, come back when it's done, and see if you got anywhere. So I really like Intruder, especially on the Pro version because it goes fast, but on the Community version you can still do it, it's going to take you a bit of time.

Anything else you can show us?

Yeah, just a couple other things. We're not going to get deep in the weeds on these, I'm just going to kind of explain them, because you need to be aware
of them. One is the Decoder. Love the Decoder. I love and hate the Decoder, again, kind of some weird things here. If you see things that are coming back in any kind of, oh, let me see here, let's say we wanted to, we'll just take this string and I'm going to right-click on it and URL-encode it as I type. So if I'm starting to type this, you'll start to see that if I start using characters, like a space is showing up as a plus. You might not be able to see that, let's see here, you see how anytime I hit the space bar, yeah, there you go, it's showing up as a plus. That's a URL-encoded thing, right? Or let me get back out of here, let me do an easy way to kind of manipulate that. Actually I can show you with Decoder. It's funny, it decodes and encodes, it's called Decoder but it encodes and decodes. So let's say we popped in some, I needed to Base64-encode a string of information, let's say, get over here, "this is a super secret thing," right? And I wanted to encode that using Base64. While I'm in the Decoder, which has Encode, encode as Base64, and then when I look down here at the lower half I see that Base64-encoded string of text. And of course I can go the other way. If I have a Base64-encoded string of text, like I do here, I can rock over here and decode it as Base64, right? And as we rock over we see it decodes that string for us. And as we saw, it's got a laundry list of stuff that you can decode or encode as, so HTML, Base64, URL encoding, hex, octal, binary, gzip, all sorts of great stuff. So if you find yourself an encoded string that you want to look at, or manipulate that data, you can decode it and encode it using the Decoder option.

The last thing we're going to take a look at is the Extender, and this is where you can take this free version and really ramp up its capabilities. Oh, and if you've got the Pro version you can really, really ramp up its capabilities, because basically this is kind of the app store, because it's called the BApp Store right here. This is going to be one of your
favorite things. So if you go to the Extender and you hit the BApp Store, you now have a list of extra functionality that you can add to your Burp Suite installation. Now they will tell you whether or not you have to have the Pro version, because some of them do require that. Let's take a look at that, and let's see over here, so if you select one, it's like if I choose this Active Scan++, it gives me the information over on this side of the screen, the right side of the screen, and you can see right there, this one requires Burp Suite Professional, so I won't be able to use that, because I don't have Burp Professional loaded here. But I can siphon through and even search. There, it does have a search functionality, I can kind of look up in here, and let's say I wanted to look for something related to JSON. Boom, I'll look for something to do with JSON, go back over here, and we should start to see it's filtering by applications that work with JSON or those different things. So I've got a JSON decoder, I've got a web token attacker, and again, like I said before, Burp Suite is not really meant to be an attack mechanism per se, even though it has that Intruder function, I guess you could call that an attack mechanism, but that says that's an attacker. And let's see, do I need anything? Nope. So I can just hit Install. Once it's done, I should get another tab that's called, it looks like it's going to be called JOSEPH, or maybe JSON, there you go, it is called JOSEPH. You can see it showed up right there. Now I can click on that and start to work with the attack method against JSON web tokens. So going through that, the bWAPP, the app store, the BApp Store I guess it is, and looking for good plugins or extensions, other capabilities in there, can really increase the capabilities of your Burp Suite installation. So definitely check that out as well.

That's great. And also, I mean, you mentioned on the way, where can we get some free training, and do you have any kind of extra training that you'd
recommend someone take at ITProTV?

So I definitely work with Burp Suite in my ITProTV training, so you kind of pick that stuff up by proximity, kind of thing. So if you're watching CEH or you're watching PenTest+ or any of the other penetration testing types of shows that I do, or series, courses that we have available in the ITProTV catalog, you're going to see me use Burp Suite, because a lot of these things are done through web applications. A lot of hacking techniques are done specifically towards web applications, and Burp Suite is a great way to manipulate with that, as you've seen. PortSwigger itself, the people that make Burp Suite, they have their Burp Suite account, or the PortSwigger Academy I believe it's called, free to sign up, walks you through all the different stuff, gives you a lot of great information, and it's all free. It'll show you a lot of the techniques with playing with SQL injections and different injection techniques, cross-site scripting, all that good stuff, completely free. So you can go check that out. It's definitely a good supplement to what you're doing if you're going for something like certifications. So definitely sign up and play around with stuff, and it'll give you all the information you need. They are the definitive source on what does what and how and why inside of Burp Suite, because they make the thing. So if you want to know how this thing works and why it works, going to PortSwigger, looking at their documentation, is going to be a really good idea.

Daniel, that's fantastic. I really appreciate you, you know, taking the time. I mean, you make this look so easy, but you know, I train and I do demos, I know demos can be really tough, so thanks so much for, you know, putting the effort in and, you know, doing these great demos.

Hey man, I'm just happy to be able to help people that are trying to get started and get going with this stuff, because I remember the first time somebody told me, oh, you just do that in Burp Suite. I'm like, yeah, exactly,
that's easier said than done, for you but not for me. So I had that learning curve, I had nobody showing me, I just had to figure it out. So I always want to kind of give back to the people that are just getting started, that we can't assume that they know how to do stuff, we gotta show them.

That's brilliant, Daniel. Thanks so much, really appreciate it.

No problem, man. Thanks for having me.
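The Order Tickets demo in the conversation above comes down to one thing: the server trusted a ticket price that the browser sent, so editing that field in Repeater changed the bill. As an added example, not code from the video and not bWAPP's own code (bWAPP is written in PHP), here is a Python sketch of that order handler in its vulnerable form beside a hardened version: the unit price comes from a server-side table, the quantity is validated and bounded, and a submitted price that disagrees with the table is recorded as a tamper signal, so the request Daniel built becomes a log event rather than a cheap order. The form field names, the `PRICE_TABLE` values and `MAX_QUANTITY` are assumptions chosen for this example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

# Constructed server-side catalogue (assumed values; the demo app charged 15 EUR per ticket).
PRICE_TABLE: Dict[str, Decimal] = {"movie": Decimal("15.00")}
MAX_QUANTITY = 10  # assumed business limit per order


@dataclass
class Order:
    item: str
    quantity: int
    unit_price: Decimal

    @property
    def total(self) -> Decimal:
        # Decimal, not float, so money arithmetic is exact.
        return self.unit_price * self.quantity


@dataclass
class TamperLog:
    """Stand-in for the application's security log (constructed for the example)."""
    events: List[str] = field(default_factory=list)


def order_vulnerable(form: Dict[str, str]) -> Order:
    """Vulnerable shape from the demo: quantity AND price both come from the client.

    The server just multiplies whatever it is given, so changing ticket_price
    from 15 to 1 in Repeater produces a 10 EUR bill for 10 tickets.
    """
    quantity = int(form["ticket_quantity"])
    unit_price = Decimal(form["ticket_price"])
    return Order("movie", quantity, unit_price)


def _parse_decimal(text: Optional[str]) -> Optional[Decimal]:
    """Return the Decimal value of a form field, or None if absent/unparsable."""
    if text is None:
        return None
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def order_hardened(form: Dict[str, str], log: TamperLog) -> Order:
    """Hardened: only the quantity is client input, and it is bounded.

    The unit price is looked up server-side and never read from the form.
    A ticket_price field is not an input at all; if one arrives and does not
    match the catalogue, that is recorded as a tamper signal for detection.
    """
    item = "movie"
    try:
        quantity = int(form.get("ticket_quantity", ""))
    except ValueError:
        raise ValueError("ticket_quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError(f"ticket_quantity must be between 1 and {MAX_QUANTITY}")

    unit_price = PRICE_TABLE[item]
    if "ticket_price" in form:
        submitted = _parse_decimal(form["ticket_price"])
        if submitted != unit_price:
            log.events.append(
                f"price tamper: submitted={form['ticket_price']!r} "
                f"expected={unit_price} quantity={quantity}"
            )
    return Order(item, quantity, unit_price)


if __name__ == "__main__":
    # Constructed request body matching the one built in Repeater: 10 tickets at 1 EUR.
    tampered = {"ticket_quantity": "10", "ticket_price": "1", "action": "order"}
    print("vulnerable total:", order_vulnerable(tampered).total)   # 10
    log = TamperLog()
    print("hardened total:  ", order_hardened(tampered, log).total)  # 150.00
    print("tamper events:   ", log.events)
```

The two checks that matter are the ones the demo showed missing: the price is derived from state the client cannot touch, and the one field the client may set is range-checked. Logging the mismatch instead of silently ignoring it is what turns a Repeater experiment into something a detection rule can alert on.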