This webcast was originally published on October 3, 2024.
In this video, a senior security consultant discusses the basics of using Burp Suite Community Edition for web application testing. The speaker highlights common issues faced by beginners and shares tips for troubleshooting and utilizing Burp’s features effectively. Viewers will learn about interception, proxy settings, and the differences between the free and professional versions, along with practical demonstrations of using Burp for cybersecurity purposes.
- The webinar focuses on introducing the Burp Suite Community Edition and its functionalities, aiming to help participants self-recover from common issues encountered when using the tool.
- The presenter, a senior security consultant with 8-10 years of cybersecurity experience, discusses the differences between the Burp Suite Professional and Community editions, emphasizing that the free version can accomplish many tasks with more effort.
- The presentation covers the use of Burp Suite as an interception proxy, explaining how it helps in understanding web application interactions by capturing and analyzing web traffic.
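The core idea in the summary above, a proxy that sits between the browser and the application, records every request and response, and lets the tester inspect what the browser alone would hide, can be shown in working code. The following is an added example, not code from the webcast or from Burp Suite itself: a minimal forward proxy built from Python's standard library, a constructed stand-in origin server with a /login.php endpoint standing in for the lab application, and a small passive check over the recorded history that flags credentials carried in a GET query string. The history format, the endpoint name, the form field names and the sample values are all assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


# Constructed stand-in for the application under test (assumed /login.php
# that accepts a POST form and answers with a redirect, as a lab app might).
class OriginHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._reply(200, b"<html><form method='post'>login</form></html>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)                       # consume the form body
        self._reply(302, b"", location="/index.php")

    def _reply(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                     # keep the demo quiet
        pass


HISTORY = []   # the proxy's "HTTP history": one dict per request/response pair


class ProxyHandler(BaseHTTPRequestHandler):
    """Forward proxy: the client hands every request to us, we record it,
    send it on to the real host and relay the response back unchanged."""

    def _relay(self):
        url = urlsplit(self.path)          # browsers send absolute URLs to a proxy
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else None
        entry = {"method": self.command, "url": self.path,
                 "headers": dict(self.headers.items()), "body": body or b""}
        target = url.path or "/"
        if url.query:
            target += "?" + url.query
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() != "proxy-connection"}
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request(self.command, target, body=body, headers=headers)
        resp = upstream.getresponse()
        resp_body = resp.read()
        upstream.close()
        entry["status"] = resp.status
        HISTORY.append(entry)
        # Relay the response, re-framing the body with our own Content-Length.
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("content-length", "transfer-encoding",
                                    "connection", "server", "date"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)

    do_GET = do_POST = _relay

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind on a free loopback port, serve in a background thread, return the port."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def credentials_in_query(history):
    """Passive check over the history: credentials in a POST body are expected,
    a password in the query string of a GET request is the finding."""
    flagged = []
    for entry in history:
        query = parse_qs(urlsplit(entry["url"]).query)
        if entry["method"] == "GET" and "password" in query:
            flagged.append(entry["url"])
    return flagged


def run_demo():
    """Drive three constructed requests through the proxy and return the history."""
    origin = start_server(OriginHandler)
    proxy = start_server(ProxyHandler)
    HISTORY.clear()
    base = f"http://127.0.0.1:{origin}"
    # The client is pointed at the proxy, like a browser set to 127.0.0.1:8080.
    for method, path, body in [
        ("GET", "/login.php", None),
        ("POST", "/login.php", b"username=admin&password=password&Login=Login"),
        ("GET", "/login.php?username=admin&password=password", None),   # anti-pattern
    ]:
        client = http.client.HTTPConnection("127.0.0.1", proxy, timeout=5)
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        client.request(method, base + path, body=body, headers=headers)
        client.getresponse().read()
        client.close()
    return list(HISTORY)


if __name__ == "__main__":
    for e in run_demo():
        print(e["method"], e["url"], "->", e["status"])
    print("credentials in URL:", credentials_in_query(HISTORY))
```

Running the block prints the three recorded exchanges and flags only the third one; the POST body carries the same credentials but is not reported, which is the distinction the webcast draws between a form submitted in a POST body and one leaked through the URL. Burp's real proxy does the same relaying over TLS as well, which this example leaves out.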
Transcript
Jennifer Shannon
I really just kind of want to give this very basic introduction into Burp so that you can learn how to use it. And there are some common issues that I see that pop up very frequently for people that are just getting into using Burp Suite.
And I kind of want to cover some of those today as well. So that way, hopefully, whenever you start doing labs on your own and you run into an issue, you’ll be able to hopefully self-recover a little bit easier.
And I do believe last time I did anything on Burp, it was kind of like a tips and tricks. So I shared all of my favorite things that use Burp Suite Professional because it’s what I use in my day to day job.
But today we’re going to be focusing on Burp Suite Community Edition because it’s free. I don’t think people have to, you shouldn’t have to pay to be able to do a lot of what I do.
The paid tools just kind of make certain parts of it easier, but a lot of it can still just be done just as well. Maybe, a little bit more time consuming from the free versions of software.
So quick background on me. For those of you who don’t know, I am a senior security consultant at Secure Ideas. I am based out of Jacksonville, Florida, which is where Secure Ideas is headquartered.
But the majority of our workforce is remote. I just happen to be one of the lucky people that gets to go make fun of Kevin every day. I’ve been in security for somewhere between eight to ten years.
Time is ephemeral, I never remember exactly. I have to go look at my resume to figure out the exact date I started. But I did start in cybersecurity as a SOC analyst. I moved into, like I said earlier, reverse engineering malware and doing threat intelligence.
And at that job, I was doing all of that and then also pen testing web applications and APIs. And eventually I decided to make the move and only do half of my job.
So, that’s how I just became a full time pen tester. Some other fun facts about me. All around geek. I’m sure you guys can see my background. I have a lot of Fallout and anime memorabilia.
So obviously I collect things. I do run the Jacksonville chapter of TOOOL, The Open Organisation Of Lockpicks. So for anybody who’s interested in lock picking, I do recommend checking to see if you have a local TOOOL chapter and joining in on those, because that’s a great place to kind of meet people and learn how to do some of those things.
And finally, I’m a Costco member. I saw somebody use that once, and it just made me laugh. So.
And as always, I give this on almost every talk or webcast or anything I do. Anytime I do a presentation that talks about how to use hacking tools or how to hack something, I always have to include this.
Our tagline is professionally evil. And what does that mean? We think like the bad guys so we can help companies protect themselves. But it’s really important to understand that the majority of what I do is illegal if I don’t have a binding contract saying that I can test this environment.
So everything I do is done with permission. So please do not take any of the information I share and go randomly start attacking Facebook or something like that that you don’t have permission for.
There are quite a few labs out there that will allow you to test these skills in a safe and legal manner.
So please do not attack something you do not explicitly have permission for. I am a huge stickler for that.
For anybody who has never used Burp before, I’m going to real quick explain what it is, and at its core, it is an interception proxy.
We are essentially performing a man in the middle on our own traffic whenever I am going to a website. Yes, somebody said that there are hundreds of vulnerable VMs you can run for testing.
That is true. If you are looking for a recommendation for one, I will always recommend SamuraiWTF. It is an open source tool that comes with a bunch of goodies ready to go on it.
And I will actually be using that for some of today’s demonstrations. But the important reason why we want to intercept our traffic, or proxy all of our traffic whenever we’re testing a web application, is because it gives us much better insight into what is happening.
There’s a lot of things that will happen behind the browser, for lack of a better way to phrase it. We know whenever I go to a website in the browser, I know what the website is showing me.
I know what the browser is showing me. But there’s a lot of requests that are going to happen in the back that I won’t necessarily have vision or, visibility into if I’m not intercepting that traffic.
And a lot of times, the really interesting parts of the application interact with, take place kind of behind the scenes. Plus, it also acts as a historical log, so that way, if I’m like, hey, what was the token that I used to do that one thing, I can kind of go back through all my history and find this.
Or if a client asked me if I did a specific attack, I can very quickly go verify if that is something that I have done or not. But also it adds in a bunch more functionality than you get from just the browser.
And so, like I said earlier, I use the professional version. The Community Edition is free. And if you are looking to get into pen testing or learning how to even just get a better idea for your own security posture, for your own applications, it is worth interacting with it.
Just using Burp, the Community Edition still gives you that proxy and that history and you get the basic tools like we were discussing earlier. It has Decoder, it has Repeater, Sequencer and Comparer.
And I’ll be honest, the majority of the stuff I use is just available in the free version. I think Repeater, if I’m being completely honest, is the thing I use the most during a test.
There are extensions that are available for the free version of Burp. Some of the more interesting ones, the ones that are a little bit better, are only available for the professional version.
But realistically speaking you can get by just fine without those paid ones. It has a limited version of Intruder, I think they call it the Intruder demo.
This means you’ll still be able to do some of the Intruder attacks. You won’t have access to the built in word list that Burp has. They have a built in exploit list and username and password list that you can use as part of those automated attacks.
If you want to use it in the Community Edition, you’ll have to load in your own list, which is very easy to do, but it is also rate limited, whereas in the professional version, I have to specifically tell it to slow down attacks so I don’t overwhelm a client.
The free version significantly rate limits how many requests it can send per minute. But again, in most cases that’s completely fine.
The biggest thing that is kind of the driving factor behind me using the professional version over the free version, though, is that you do not have the ability to save a project to file using the Community Edition.
You can only open temporary projects in memory. So on an actual pentest engagement, it’s not realistic for me to keep my computer on and connected for a week at a time.
So I need to have that ability to save those projects and then also share them. Maybe if I get sick and I need to give what I’ve already done to another consultant, the ability to save. That’s the big factor for the free versus paid.
Somebody did mention that there is ZAP. That is also a very good alternative. And I want to go on the record and say ZAP is fantastic. It has all of the functionality of the paid version of Burp, including very robust extensions and plugin support, which again, because you don’t have to pay for it, you get access to a lot of plugins that will do the same functions as the exclusive extensions in Burp.
I will say most people kind of tend to prefer whichever one they learned on. I learned on Burp. I can use ZAP. It takes me a lot longer to do the same things.
But something that I learned in my malware days: it’s really good to have an idea of at least two tools that do the same thing. Because sometimes when I’m interacting with a sample, one tool won’t work for some reason or another.
But if I use a different tool that does the same thing, it’ll work because technology is weird and crazy and mostly magic, maybe. So it’s the same whenever it comes to interceptors or proxying your traffic.
There have been times where I was trying to test an application using Burp and for some reason they had something in place that was just not working well with Burp. So I had to switch to ZAP. And yes, I completed the test.
It just took me longer than it should have. So I am actually going to. There are slides that have been shared. Most of the slide information I’ve included has kind of been troubleshooting information for you to reference later.
So I will be walking through a lot of those live, and I just wanted to go ahead and give everybody that heads up.
Now give me one second. I just have to switch my screen share because Zoom is cursed.
I have lost where Zoom went. There we go. So what I’m using right now is
SamuraiWTF. You can get this on GitHub. Whenever you install it for the first time, it is just samurai, samurai.
I’m going to go ahead and close out of some things real quick. Now, whenever you use Samurai, there is a Katana package manager that you can use to download and install and configure vulnerable labs.
Today I’m going to be using DVWA. We’re not necessarily going to be doing a ton of real fun exploit attempts. We’re just going to be learning how to use the tooling inside of Burp. So for that purpose I’m just going to use DVWA because I think a lot of people are probably familiar with it.
Normally you wouldn’t start Burp this way, but I broke it like 20 minutes ago, so I had to fix that real quick. Normally you can just go and start Burp from here, but I broke the Java versioning.
Fun fact about Burp, it is Java based, so it will run in just about any operating system you can throw it at. Works on Linux, works on Windows, works on Mac. Some of my co-workers use Mac, some of them exclusively run it out of a Linux VM.
I usually run it off of my Windows desktop, but that’s the great thing about it: because it’s a Java application, it’ll work on such a wide variety of things. It’s also the downside, in that if you accidentally update Java when you don’t mean to, or downgrade Java when you don’t mean to, and the Java versions don’t match, you’re going to have to find a workaround real quick.
Somebody said downside, but you need Java. This is absolutely true, because we all know that the universe started in 1970 and then a lot of things went wrong and now we have Java and JavaScript.
So whenever we first start Burp Suite Professional, you can see there’s a note up here. Disk-based projects are only supported with Burp Suite Professional.
We can only open a temporary project. That’s completely fine. Again, if what we’re aiming to do is learn how to use Burp, learn how web applications work, how to test them, and just how to interact with labs in general.
So I’m going to go ahead and hit next. I usually just use the Burp defaults, especially for a lab. So I’m going to go ahead and hit start and it’s going to go ahead and it’s going to start the project, it’s going to take a little bit of time for it to spin up.
So let’s give it just a second. Hopefully it will actually load. There we go. So real quick, whenever you first load into Burp, it’s going to drop you onto what’s known as the dashboard.
Now the dashboard honestly isn’t nearly as impressive in the Community Edition as it is in the paid version of Burp.
But I will be completely honest, even with the paid version, I don’t use it that often. This is really just kind of a place for me to save a handful of things.
I don’t look at the dashboard very often. Usually, I’m looking for something historical, like an alert that was generated or something like that. This will keep a log of any of the automated scans.
So anything that it detects during live passive scanning or active scans, it’ll kind of get saved here. So I can go easily reference it, but I can also go reference that just by moving to different parts of the application and looking at them directly.
And for the record, Burp has two ways that it kind of categorizes things. We saw here that there’s the live passive.
Passive are things that it picks up just by looking at the web traffic. It’ll notice that hey, I noticed these headers aren’t applied. Or maybe it mentioned that this JavaScript is over here.
It’s not actually doing anything to the application itself, it’s just looking at it and saying hey, here are some issues that you should probably be aware of. Active, on the other hand, is either active scans or Intruder or something like that.
That is when Burp is actually submitting something tampered to the application itself that would possibly affect how the application is loaded versus just looking at it.
Somebody said, where did you get my disc brake rotor from? I don’t know why that caught me off guard. Maybe because I have accidentally become a car person recently. By the way, it’s not an accident, I’ve always been a car person.
It’s just become a problem lately. So next up we have the target tab. Whenever you first go into this, there’s not going to be anything here.
That’s because we haven’t added anything yet. Until we start actually interacting with traffic or anything like that, there really won’t be anything here.
So I usually skip this for the very first step. It’s usually probably the second thing that I really look at. The first thing that I look at whenever I first get into Burp is the proxy tab.
This is the really important one. This is how Burp will intercept all of our traffic. On first startup, the first thing that I do is open up the proxy settings and look at the proxy listeners, and we can see that by default it’s 127.0.0.1
on port 8080. That is the default configuration whenever you start Burp with the defaults, and this is completely fine. The only reason I have ever had to change this is if perhaps I’m testing a mobile application and I’m chaining some weird ports together to get an actual feed from my Android phone that I have physically in my hands.
90% of the time, though, that 8080 is exactly what I need it to be. You want to make sure that it says running. If this is unchecked, it means that that proxy listener isn’t active.
It won’t be able to intercept traffic. It’s not going to work. So we want to make sure it says running. Sometimes if something is taking over port 8080, like let’s say that for some reason you have
Nessus or something configured to run on port 8080, you might need to change this port. And if you try to start this proxy listener, it’s going to give you errors saying that that port’s already in use.
So that is good. And for most engagements, most of this is completely fine. So I’m going to go ahead and I’m going to close out of this, and the next thing I’m going to do is open the browser.
Burp comes with a built in browser. I like it. It’s Chromium already. I’m very familiar with a lot of the functionality because my default browser is Chrome.
I usually use Firefox more for the administrative side of things. I’m not sure the best way to explain it in this case. You’ll see I have Firefox and this is where I have Katana open.
This is where I manage the labs that I’m interacting with. And I try to keep my testing browser and my actual browser separate just so I’m not muddying those waters at all.
And it’s easier for me to kind of locate things that I’m looking for. Yes. Somebody’s posted some GIFs about how Google is a RAM hog.
It really is. Trust me, I know. It is not uncommon for me to have... My dog has decided to join this webcast today.
Everybody say hello, Marna. So, I’ve already installed DVWA once.
It’s running. I can see down here it’s running. And if I click on Open DVWA, it’ll go ahead and open this. All I need is this URL. I’m going to copy and paste this and I’m going to bring it over into my Chromium browser for Burp and we’ll go to it.
Awesome. Fantastic. It loaded. I know that I can get to it while I’m proxied through Burp. If I go to my HTTP history, I can see that it’s there. That’s great. The next thing I’m going to do is move back over to the target tab real quick and I can see that it has already started to kind of populate a little bit.
Burp has seen this traffic. It started keeping a log of it for me and within the sitemap the next thing I want to do is click on scope.
And there’s a reason why I do this. It is really easy to accidentally end up outside of scope on an actual engagement.
dvwa.com could be the application that I’m asked to test, but api.dvwa.com is a completely different URL that is not listed as being in scope.
So I have to make sure that I do a best effort to only test when I’m allowed to test. And if for some reason, let’s say that the login process goes through auth.dvwa.com, that is an instance where I would reach out to the client and say, hey, we noticed that the authentication process uses this, or that the application talks to that.
Should that be included in scope? And a lot of times they’ll say, oh yes, that was excluded on accident. Go ahead and add it. And once I have that verbal confirmation, I can attack it. Sometimes they’ll come back and say, oh no, that’s a third party managed by somebody else entirely.
You don’t have permission to attack that. In which case I need to make sure that I’m not attacking it at all because I don’t have permission to. And the reason why I add my targets into scope is because if I try to run an automated scan like, let’s say, Intruder or something like that, Burp will say, hey, that’s not listed as being in scope.
Are you sure you want to do that? So it’s just kind of a little bit of a fail safe. Somebody said they lost sound for a second.
I wonder if it’s because my dog was barking. So I don’t need, oh, let me go ahead and remove.
So right now all I’m doing is adding DVWA. Test. Burp is going to pop up with this window and it’s going to say you’ve added something to scope.
Do you want Burp Proxy to stop sending out of scope items to history or other Burp tools? Yes will avoid accumulating project data for out of scope items.
I say no. And this is going to be a personal preference for everyone. One of the reasons why I say no is because if the login process does, for instance, go through auth.dvwa.com,
that’s not going to get logged here. But I like seeing all of the other applications or other hosts that my target application interacts with, because it will give me more insight into how data flows through the application and how it interacts with the other parts of its environment.
And very frequently I’ll find something like API keys are being sent to these other hosts that I wouldn’t have seen if I’d excluded it. Usually I only really keep it this way during the mapping phase.
Once I’ve completed mapping and I feel like I’ve developed a really good understanding of the application, then I’ll go ahead and stop including out of scope items just to avoid that excessive amount of data.
Because remember, Burp runs in your memory and it is a Java based application. And right here, if we look in this bottom right corner, it currently is only taking up 155 megabytes.
But I have in the past had applications that during testing or during certain engagements, Burp has taken up to nine gigs of my memory at a time.
So something I learned the hard way. If you’re on an engagement and you have 20 different applications instead of three or four, break it into different Burp project folders.
Because if you have to open up something that takes up nine gigs of your memory, it’s going to take a hot minute for it to open if you have to close it for some reason or another, and it’s really going to start lagging your computer.
So break it up into smaller scope sections and use that to focus.
Yep. Somebody said that’s a given with Chromium. That is true. So now that I’ve got this, I’ve got it added, automatically it’s going to not
show us things that it hasn’t found, or hidden 4xx responses or empty folders. That’s fine, because I really don’t need to see things that I can’t actually do anything with.
And once we have this set up, if I click on it, by default it’ll be just here’s my application that I’m testing, and I can expand it and I can already get an idea for some of the stuff that is happening on this application.
I can see that there is this RandomStorm.png, and Burp is really nice. It’ll show you a response. And in this case, because I haven’t gone to it yet, it’s not going to load.
But for ones that I have gone to the dark links versus the light gray links. And I hope that that shows up for everybody’s computers.
Somebody said that’s why you don’t use old hardware with low RAM and HTTP storage for engagements. That is absolutely true. I will say that I believe my computer has 32 GB of RAM, so the nine gigs wasn’t terrible.
It’s just not ideal. So the light links are ones that we haven’t actually visited yet. Burp doesn’t have that record of the actual response.
It just knows that this link exists and we could try to go to it. The darker ones, we’ve been to it. I can see here is the request. This is the initial request of me looking for it in my browser.
It’s just that normal GET login.php. And then here’s the response. I can see already the HTML. And I always recommend looking through the actual HTML because sometimes you find interesting things here.
You’d be surprised at how often I find hard coded credentials. And Burp also has this handy render function. So it’ll actually show you what the page looks like.
And now that I know my traffic’s being proxied and it’s being actually tracked in my target, I can come back over to proxy.
Remember, I’m on HTTP history right now and it’s only got one thing. And this is just that historical log of all of the links that I’ve gone to or all of the ways that I’ve navigated to the website.
Intercept is kind of where I think people will hit their first potential issue with Burp. Right now we can see that intercept is off and it has a green traffic light.
An important thing to know about Burp is that again, we are, like I said earlier, doing that man in the middle on our own traffic. So whenever I have my browser configured to work with Burp, and I use Chromium because it comes automatically configured to work with Burp.
When I go to DVWA in my browser, my browser does not send that request straight to DVWA. Instead it says, okay, you want to go to DVWA?
Let me give this information to Burp. And if intercept is not on, Burp will say, I see this information, I’m passing it straight to DVWA. However, if I turn on intercept, we see that this traffic light becomes green or, red.
Wow, am I colorblind? This traffic light becomes red. That means no traffic is going. If I try to go to DVWA now, my browser will hand it to Burp and Burp will say, okay, I’m holding this, and hold it it will.
So real quick, I’m just going to try signing in. And it’s loading and it’s loading.
And we can see hopefully the little spinning wheel up here. It will stay here forever until Burp tells it what to do.
Somebody says that they would highly recommend a VM per customer. That is also something that I would highly recommend, all of my VMs and everything that’s kind of per customer or anything that might potentially have client data.
There is a specific section of my disk that is encrypted and password protected. So after every restart you can’t even get to it unless you unlock it.
And that is where I store all the vms because I’m very, very, one of my worst nightmares is sending client data to the wrong client. And that keeps me up at night and I will do everything I can to prevent that from happening.
Okay, somebody said they lost sound again. Can you hear me now?
Okay, people are here. Okay, okay, sorry, I was just looking at, people talking about losing sound and it coming back.
So, right now Burp is holding this request. Remember I went to it a good minute ago before I went on a tangent about encrypted drives still just loading.
We can see this is the request right here. It is an attempt to log in. I can see that it’s a POST request to login.php and that it’s to this host.
And I can see a lot of the other information. There’s a lot of headers, a lot of interesting bits. And then here is the body of that POST request. And I can see here, it’s got the username, it’s got the password, login.
And then this is my user token. It’s fine that you see a username and password here, because this is the body of a POST request. And the only reason I can see it is because I’m intercepting my own traffic.
That’s completely expected. Conversely, if you see the username and password being sent in the URL of a GET request, that’s a problem. Body of a POST request is fine.
So if I want to actually be able to see if this login request will succeed, I need to hit forward. And what this will do is Burp will say, okay, I have held onto this request, I have looked at it, I will now send it to DVWA to get a response back.
And once DVWA is going to do the initial setup, once DVWA has received that request, it will say, okay, cool, I see that you are trying to go here.
Here is the information and it will give that back to my browser. So I come over to my browser. I can see here the initial setup is done or not done, but it’s ready to do the initial setup for it.
If at any point during an engagement you try to do something and it’s just not loading at all, it’s just spinning and you’re like, what am I doing wrong? Is my Internet down? What’s wrong?
I recommend checking proxy to see if intercept is on. And I’m not going to say that I do this on a weekly basis, but it is probably at least a monthly basis where I will try to go to an application.
I’m like, why isn’t this loading? It’s because I left intercept on. So if you ever can’t get to it for some reason, go make sure intercept’s off.
Once this traffic light is green, it means everything’s going to pass through. And so then I can just interact with this completely free. I can go ahead and hit create reset database.
It’ll do its thing and then we have to log in and I can just keep interacting with it. Oh, no, I never remember the credentials unless I have my notes in front of me.
But that’s okay. We’re just learning how to use Burp. Yep. Somebody said sometimes you forget intercept and start blaming your router. There have been times where more than one consultant has been like, why is this not working?
And then there is a moment of, okay, now I have to call the client because the application is down. And then, wait, no, check your intercept before you call the client real quick. Oh, intercept is on.
Okay, I don’t have to make a phone call today because let’s be honest, phone calls are terrifying. Try another browser.
That is also true. And I promise I’ll show you how to try a different browser using Burp later, because sometimes applications will only work in specific browsers, sometimes Chromium won’t work.
So you have to use Firefox sometimes, and let’s see if I can get it to do it real quick. Sometimes you get an error when you try to open the browser. This error in this case happened because I already have the Burp browser open.
Sometimes it happens because Java is stupid and wants to ruin your day, so it just won’t open. And if you run into that issue, we can set up Firefox to work with Burp very easily and I promise I will show you how to do that.
Before we go into that, though, I can come back over to my HTTP history, and remember we saw all those requests earlier, but the HTTP history works just the same. I can see right here.
This one is one of the more recent ones and it has parameters, which is something for me to try and interact with. Great. And go look at it. We’ve already seen this, that’s fine.
But sometimes some of that interesting information kind of gets caught here and there. Somebody says Firefox multi account containers is a better option. Yes.
Also, if you’re dealing with an application that has websockets, so that will open a websocket, you can also see that data here as well. It’s not the most important tool, but it’s good to have.
Next up, we have Intruder. Now remember, the Intruder version in Burp Suite Community is very limited, so we can send stuff here.
Marna, why? I knew she was going to join this webcast today. I made a comment about it during the equipment checks, and of course I have cursed myself.
Anyways, so we have the limited version of Intruder, but that doesn’t mean that it’s not useful to us. If I come back over to my proxy and I go to my HTTP history right here, we have this POST request.
If I right click in the body of this request, I can send it to some other tools inside of Burp. In this case, I’m going to send it to Intruder and it’ll generate here. Important thing to note, you’ll notice the little squiggly lines that I just forgot the name of.
They are only in legal documents. That’s why Burp uses them, because they really won’t be encountered naturally on a website. But this is what Burp will use to assign its injection point.
So let’s say that, I want to try doing a brute force for the username admin and I want to try different passwords.
So I’m going to go ahead and hit the little squiggly lines around it, which I swear I know the name of, but every time I talk about them, it’s gone. We really only have access to very simple functionality from this, though.
Remember, the professional version has lists that we can access. It has a list already of passwords that are very likely to be it. I don’t have that option, but I can go ahead and load in from a text file a list of passwords that I think might be valid in this case.
I don’t really want to try that because it’ll take a while. I’m just going to try different versions of the word administrator or test or password or hello.
And we just want to try five attempts right now. That’s really all. And this is just a showcase, so it doesn’t have to be anything fancy. We can see already the payload count. We can hit Start attack and it’ll run.
It’ll give you the warning. This is a demo version. It’s not going to be very good. That’s fine. It has run. Looks like it didn’t really pull back anything and who knows where it went.
There we go. It’ll open a new window. Sometimes you lose those new windows and this very easily. I can see that the response for all of these was just a 302.
And if I go look at all these, it’ll probably just tell me it’s found. It looks like there’s probably a redirect in there. That’s fine. We just want to learn how to use Intruder, and for the paid version you can save the attack history.
I almost never have to do that because most of them die miserably. The cool thing about the list though, it has some of the fuzzing functionality.
It could try a wide range of encoding and a whole bunch of other things. You don’t need it though. There’s a lot of word lists out there. There’s a lot of different tools that will do the same thing. You don’t have to have, you don’t have to spend like, I think it’s $500 a year or something like that.
Up next is Repeater. Now, Repeater, like I said earlier, is my favorite tool, is my favorite tab in all of Burp. I use it a lot. It is not uncommon that you will look at one of my Burp projects and I will easily have 60 different Repeater tabs open.
How do you keep track of that many tabs? That’s a good question. Let me show you. I want to take this request. This is again just the regular login request and I’m going to send it to Repeater.
I can see this is the initial request and this is where the response will be received from. Repeater does exactly as the name implies. It allows you to repeat the same payload over and over and over again.
And I can make small, small modifications here because a lot of times I really want to see what happens if I interact with something in a much more granular way.
I use Repeater a lot and let’s say I want to see how it will react if I take out this user token, cool.
Not really a big difference there. You’ll notice here that because we’re getting this 302 Found, there is a redirection. So I can go ahead and click that, it’ll follow the redirect for me and then it’ll start sending this next, I can then take this, I can send this to Repeater.
I’m going to come back over to the first tab because this is the first one I went to and if I just hit back, this is my very first request that I submitted.
Boom. And right now it’s easy. Okay, here’s the first thing I did. Here’s the second thing I did. That’ll be fine up to maybe three or four things.
Fun fact about Repeater, you can name these tabs. So if I double click in it first, login, the second one, I’ll be redirect.
If I have like for example, I’m testing APIs, this is just going to be an example, but I might name it something like API, get user info and I’ll give it names like that.
So that way, I can very easily go back and reference different parts of whatever I have done during testing to kind of interact with it. And a lot of times, yes, learning that you could rename tabs, by the way, changed my life for the better.
One of the big reasons though why I like Repeater, most of my testing is manual. A lot of that automated things that come with Burp Professional or even if you use Nessus or Nikto or anything like that, a lot of those automated things look more for indicators or something along those lines.
It doesn’t necessarily give me a picture into, okay, yeah, this vulnerability is here, but what happens if I actually exploit it? What information is here? How far can I take this?
What is the real problem here? And there’ll be a lot of times that Burp will be like, oh yes, there’s a cross site scripting. If you inject into the cookie this tag and it’s only on the about us page that has no input fields at all.
Yes, technically that’s a problem. In practice, it’s not nearly as bad as having a cross site script in say the URL or in the search bar or something like that.
So manually interacting with it, learning how the application responds to these minor differences makes a huge difference for me. I can see here, here are some cookies that are set and once I’m already signed in, something that I will start doing is one by one I’ll start removing cookies and I want to see how is the application going to respond to that.
And I like having that visibility into it to develop that understanding. A lot of my very early interactions with any application are not actual exploit attempts.
They’re just me looking at it and learning how it works. So, Repeater, my favorite thing.
I use it a lot, especially when I think there might be an exploit there. But I just need a little bit more digging into it. There is Collaborator. This is Burp Suite Professional only.
And to be honest I don’t use it super often because I work with client information. I’m very careful about where I send client information to. I don’t have control over the Collaborator. Instead I have my own evil attack server that I’ll send information to that is a Secure Ideas asset.
Sequencer is great. We saw earlier that some of these had like these set cookies.
You can send tokens or CSRF tokens, you can send all of those to Sequencer. And what it will do is it will look for it and try to figure out how strong is the randomization behind this.
Because sometimes it might just be kind of cycling through the same like five things over and over again. Sometimes it only increments in sections of like maybe 200 or something weird like that.
Sequencer is really good for finding things like that. I’ll be honest, I don’t use it a ton because nine times out of ten if there’s an issue with any of the cookies or headers or anything like that, it is immediately noticeable to me.
But it’s good to have anyways because if I’m looking at something and I think, okay, yeah, that’s not, I can’t find anything wrong with this right off the get go. Let me go ahead and use Sequencer anyways just for that double check.
The most common issue I find, by the way, are things that are not encrypted very well. Which is where Decoder comes in. Something that we see entirely too frequently, especially with APIs, is something called basic authentication.
And this is where Decoder helps. I swear. Basic authentication might look like it’s secure from the outside or to somebody who doesn’t know what they’re doing, let me tell you.
It is just Base64 encoding. Let’s say if our username and password is admin, admin. I just want to easily generate what the header would be so I can just start putting it in random places.
All I have to do is type it into Decoder, I can encode it as Base64 and it’ll give it to me, easy peasy. Decoder works both ways though, because let’s say that I just have the Base64 value and I want to know what it is decoded to.
I can decode as Base64: admin, admin. And it also has the smart decode option. It’s not very accurate sometimes.
But another thing that I like to use Decoder for, let’s say that I want to use this payload, but the application will filter out these types of symbols.
So what I can do instead is let’s try URL encoding, just these, and I can go through and just URL encode the things that I want to try and slip past the filters.
And so instead of submitting this to the application itself, I would try submitting this. And a lot of times what we’ll see is that the browser will automatically decode this. So it’ll get past some of the filters, but the browser still reads it, it still gets executed.
And so that’s one of the ways that we kind of get around some things. Yes, I spelt script.
Good catch.
Finally we have Compare. Now Compare is really good whenever we are trying to find, let’s say, problems with the sign in. This is where I use it a lot. Let me come over here. So let’s say I have admin and then I get the password miss.
And this one, I can send this one to Compare.
And then let’s try admin. By the way, I sent that backwards. We’d want to send the end result. So response, I can send this to Compare.
Let me come back over here. Send this, follow the redirect, and then I’m going to send the response to Compare.
And you’ll notice, by the way, whenever I send something to a specific tool inside of Burp, it highlights orange. So I know where I just sent it. And what I want to do is look at these two requests and I can compare by words or bytes.
And what it will do is it will give me a, it will highlight the differences between the two. And sometimes what you’ll have is very minor differences such as, and we have seen this before in the wild that if I try to sign in with a valid username, it’ll say that password is incorrect or that username and password combination does not exist.
And then if I try to sign in with an invalid username, it’ll say that username and password combination does not exist with a period at the end of it, and those minor differences in the responses let me figure out what are valid usernames or not. And so responding or investigating how the application responds to valid and invalid requests and kind of comparing them to each other gives you a lot of information.
And I usually sync the views just so I can see kind of what’s going on here. And we can see that the user token is being, is different each time. So I could try sending this information to Sequencer if I wanted to.
But it looks like the big difference here is that my CSRF token is incorrect. With more information on this one.
Interesting. I probably broke something somewhere. Who would have guessed? And then there are extensions. Now, something to keep in mind, I don’t keep all of my extensions active all the time.
These are just enabled right now because they are things that I have used recently in this vm for testing purposes. And by testing purposes I mean lab for class testing.
You can go to the BApp Store and you can look, there are some of these that have the detail. These are either it needs a later version of Burp or you need the Professional version.
That’s fine. My favorite ones, I do believe Retire.js is a Professional one.
And then I think JS Miner is a Professional one. Important thing about these, all those do really is let me know where Java links are and the version, JavaScript versions.
You can do that without these. It’s just nice for me to get screenshots easier. But let’s say I have an API that I want to work with that is SOAP based. Wsdler is free, and what it’ll do if I hand it the request, to initially get the information about the API, it’ll build out all the requests for me.
It’s great. Yeah, somebody says scans for credentials use a Shannon entropy. Yes, that is, when I first heard that it did make me laugh a little bit.
And I can see here, by the way, now that I’ve interacted with this application a little bit more, this target mapping has filled out a little bit more and given me a little bit more information.
It thinks this is here. So if I send this one to Repeater real quick, by the way, it’s not found. Darn, it probably picked that up from a link that’s mentioned somewhere.
Oh well, and we’ve got just a few more minutes left, so real quick. That’s just the quick and dirty on Burp, the very basic functions you need to start doing labs.
Hopefully I have taught you at least a few new tricks and helped you learn how to use it and reasons why you might use these tools for different reasons. But let’s say for some reason you have those, dreaded, how do I say this, dreaded Chromium issues where it just won’t load for some reason.
Well, Firefox exists. And what I will do in Firefox now you can, there’s a couple of different ways you can get here. You can go to about:preferences, it’ll take you to the page, or you can come up here in the right and let me zoom in to make it a little bit easier for everybody to see.
Or you can come here, go to settings, it’ll take you to the same place. What we want to do is scroll all the way down from this. On the first page we get to in about:preferences there’s going to be a section called network settings.
Right now it’s just using the system proxy that’s default for Firefox. But if I want to run everything through Burp, I need to do a manual proxy configuration and then I need to make sure it matches what I have set up for my proxy listener in Burp.
Now it used to be you would kind of need FoxyProxy to do some of this. You don’t necessarily anymore. Firefox is really good at handling on its own.
Doesn’t mean you don’t need, you won’t, there’s no benefit to FoxyProxy. It’s just I don’t usually mess with it. So I know that this will be 127.0.0.1 on port 8080.
And I do want to do this and I want to make sure that I think sucks. You do want to make sure that you’re doing DNS by the way, otherwise it won’t be able to resolve host names.
So next thing we want to try, first of all, is what happens if I go to it? Well, I get a scary warning. That’s fine. If you look at it, basically what this is going to tell me is that it’s detected a potential threat.
Usually this is a certificate issue and because we’re proxying through Burp, we are breaking TLS because it is a man in the middle attack. We’re going to get this a lot with Firefox. You can just hit advanced and accept the risk and continue.
And we are there. Now what I want to do next is come back over to Burp real quick. And make sure that it is actually intercepting that traffic. And I can see already, I know it is working because Firefox is noisy.
We got a bunch of detect portal stuff here a lot. And if I come over here to my target page, suddenly we can see there’s more stuff here because Firefox itself just generates a lot of noise.
Black Hills Security does have a blog on how to make Firefox quieter for using with Burp. I do highly recommend checking it out. But let’s say you’re testing things and you don’t want to see that big scary error page every time you go to something.
What do you do? Well, that’s easy. It is http://burp. We’ll just go to http://burp in our browser and we’ll see something here.
Welcome to Burp Suite Community Edition, whatever. Right. There’s a button right here that says CA Certificate and if you click on it, it’ll download the cacert.der.
That’s what we want. The next thing I’m going to do is back over my settings page for Firefox. I’m just going to search for certificate because it’s the fastest way for me to find it.
And if I go to view certificates I can import and I can choose to import this, I’ll go ahead and open it and I’ll trust it to identify websites.
I don’t need Burp to be sending emails on my behalf, so I’m just not going to, and then hit OK. So what happens now is previously Firefox would hand over the request to Burp and Burp would say, okay, this is me, I’ve got this before.
It would send it to DVWA. But Firefox is really good at detecting potential security issues, or it tries to be. And it would say, hey, at some point along the line that SSL or that TLS security chain that proves nothing happened to this traffic in transit was broken.
That’s a risk to you. You shouldn’t go there. Burp breaks TLS because its whole job function is for me to intercept that traffic and tamper with it.
So if I add in Burp’s certificate, it will say, hey, okay, I trust this. Now, and I know we’re at questions, so while I open up one more thing real quick, if we want to go ahead and start doing questions to show that it should hopefully just let us through.
Now.
Zach Hill
You actually did a pretty good job of answering a lot of the questions as the webcast went on, so you crushed it.
Jennifer Shannon
Now I no longer get that big scary warning once I’ve added in that certificate. Oh no, somebody’s PC just crashed. If it’s any consolation to the person whose PC just crashed, if you get to watch this recording later.
My very first AntiCast, the VM crashed immediately, and came back up in a pre lab state.
Had nothing on it at all for me to work with. So, panic. Had to change the topic very last minute. Somebody said, how about certificate pinning?
If you’re testing a mobile application or something that uses certificate pinning, I highly recommend asking your client for a version of it that does not have certificate pinning because it is a nightmare to get around, especially with Burp.
It is a lot harder to get around than it used to be. We usually just ask for something that’s not cert pinned. Conversely, interestingly enough, if you have a mobile application that is on iOS, it is so easy to set it up to intercept that traffic.
No problems. I’ve never had an issue intercepting iOS devices with Burp. Sometimes I really have to fight with Android devices to get it to work.
Yeah, somebody said, or use the rooted system and add the cert to the system. That is also another option. The problem with Android is that it tends to have, there’s so many different flavors and versioning.
It’s not easy to have, like, that one physical rooted device that will work for every Android application you might come across.
So instead, for those, a lot of my Android testing actually takes place from VMs because it’s a lot easier for me to get that versioning information correct.
Yes, I do create the pen test reports. Not every company does it this way, but I at Secure Ideas, and I say not everybody, not every company, every company has a little bit of their different policies and procedures around report writing.
At Secure Ideas, whoever is on the test, one of those consultants will be the one writing the report. So usually during all of this process, I’ll be taking screenshots and making notes of what I’ve done.
But that’s also why it’s important for me to have that historical data in Burp, because it’s easier for me to go back and reference it. Or maybe I’ll be like, man, this screenshot I grabbed originally wasn’t great. Let me just go find where I did it real quick and get a new one.
Zach Hill
Awesome, Jennifer, and thank you for, for joining us today and sharing your, your knowledge with everybody. It was fantastic.
Jennifer Shannon
Thank you, everyone.
Zach Hill
Yeah, a lot of great comments, a lot of great feedback. There are a lot of questions but as you were going through, you were keeping track of that. So I think you actually answered pretty much all the questions that we have.
So I’m not sure if anybody has any other questions they have for Jennifer. Go ahead and throw them in the chat now. Today we are going to be doing our breakout session, our AMA. So if you have the Zoom application installed on your device, in just a few minutes here, we’ll be doing our breakout room.
So in this AMA, everybody is more than welcome to join. You can come and ask any questions you have about Antisyphon training, cybersecurity and certifications and resume help.
All that fun stuff. Anything you get, we’re there to help you. But again, thank you Jennifer for being here and sharing, sharing with us today.
Jennifer Shannon
Thank you for sure. It took me like five minutes to figure out where that stop share went.
Zach Hill
Oh yeah. It hides on you.
Jennifer Shannon
It does.
Zach Hill
It’s fantastic.
Jennifer Shannon
If I played Fallout London, I’ve not yet. I want to but I’m trying not to fall down that rabbit hole just yet. I’m trying to wait for probably the Christmas holiday because I’ll have about a week off.
And.
Zach Hill
We had so many new people join us today. So one of the things that we do in Discord when people participate and engage with us, we add them to a specific role for AntiCast Live.
And I’ve added over 30 people so far today. So I want to just give a shout out to all the new people who have joined us. We really do appreciate you being here and you sharing your time with us.
And if you are open for it, I would love to hear from you guys what brought you here today. So if you don’t mind, throw, throw a message in the chat or you could reach out to me directly. I would love to hear what brought you here.
That’s always something we’re interested and excited to hear about and there’s, I just keep adding more and more people to this role. It’s crazy. I love to see it. It’s fantastic today, Jennifer.
Thank you.
Jennifer Shannon
Yay. Thank you. And I saw somebody posted about how do you intercept iOS traffic with Burp. I just shared a link to the Burp’s, Burp Suite’s documentation.
Honestly it’s pretty spot on for how to get that all set up.
Zach Hill
And if anybody has any other questions for you, is there a good way to get a hold of you.
Jennifer Shannon
Oh, yes. What? I completely didn’t even share my ending slide because most of it was demos today. Let me put that up real quick.
Oh, it just went away forever. Of course that would happen.
And by went away forever, I mean it also has just gone to the entirely wrong screen. I’m so glad that Zoom exists.
Zach Hill
Zoom. Wonderful. Makes everything so easy. Just kidding. Sorry. I’m going through and adding more people to that role.
So. Yeah, again, thank you, everybody, for being here. You’ll be putting some info in the chat then for getting a hold. There you go. Now it’s on the screen. Now we see it. So if you all have any other questions for Jennifer, there’s her contact info.
I’ll be seeing you next week at Wild West Hackin’ Fest, and everybody.
Jennifer Shannon
That’s at Wild West Hackin’ Fest, absolutely, come chat with me.
Zach Hill
Yeah, for sure. I can’t wait to meet you in person. And, to those of you out there in the audience, I know that I’ve seen a few of you who I know are going to be at Wild West Hackin’ Fest with us next week as well.
I look forward to seeing each and every one of you there as well. Please be sure to come by the Antisyphon Training booth, say hi to us. Be sure to check by the Secure Ideas booth as well, and say hi to them.
But, yeah, we won’t be here next week. We won’t be here the week after that, because we’ll be taking a week off. So we won’t see you again for another two weeks. But if you do want to stay up to date with Black Hills Information Security, Antisyphon Training, we will be doing a live stream from Wild West next week, so be sure to stay tuned for that.
And you guys can always go to poweredbybhis.com to see everything that we have going on every week. So if you guys are interested in our breakout room, we’re going to get that started right now.
So if you have that Zoom application, go ahead and go to that breakout room. And if you aren’t interested in that, I guess we’ll see you in a couple weeks. Thank you, everybody, for joining us. Thank you again, Jennifer.
See y’all soon. Take care, everybody.
Jennifer Shannon
Am I needed for the breakout?
Zach Hill
You can join us if you’d like. It’s up to you.
Jennifer Shannon
Go eat lunch real quick, if that’s okay. I think I’m a meeting like, 30 minutes?
Zach Hill
Yeah, absolutely. Thank you.
Jennifer Shannon
See you later.