Getting Started with Burp Suite & Webapp Pentesting

This webcast was originally published on December 4th, 2020.

In this video, BB King discusses the essentials of setting up and using Burp Suite for web application penetration testing. He covers initial setup, including configuring browsers and managing certificates, and explores various features such as the intercept function, repeater, intruder, and the extender with its wealth of extensions. BB also provides tips on using Burp Suite effectively, such as understanding scope and utilizing the tool for thorough testing and finding vulnerabilities.

  • Burp Suite is used to intercept and manipulate HTTP requests and responses, making it a valuable tool for web application testing.
  • The importance of setting up Burp Suite correctly with the browser, including importing the CA certificate to avoid issues with HTTPS traffic.
  • Extensions in Burp Suite can significantly enhance functionality, offering tools for specific tasks like scanning, fuzzing, or managing web tokens.
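To make the first bullet concrete, here is a toy intercepting HTTP proxy in Python. It is an added example, not Burp's code or anything from PortSwigger: a stand-in origin server and a proxy both run on loopback, the proxy passes each request through a hook before forwarding it (the hook here adds a constructed `X-Intercepted` header), records what it saw in a history list, and relays the response back. The hook name `add_marker_header`, the `/login` path and the header value are all made up for the demo. This is the "sit between the browser and the network" position the webcast describes, stripped down to the mechanism.

```python
"""Toy intercepting HTTP proxy (added example; not Burp's code)."""
import http.client
import http.server
import socketserver
import threading
import urllib.parse
import urllib.request


class OriginHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in web app: echoes the path and one header so we can see what reached it."""

    def do_GET(self):
        seen = self.headers.get("X-Intercepted", "no")  # constructed marker header
        body = f"path={self.path} intercepted={seen}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class InterceptingProxy(socketserver.ThreadingMixIn, http.server.HTTPServer):
    """HTTP proxy that hands every request to a hook before forwarding it."""
    daemon_threads = True

    def __init__(self, addr, hook):
        super().__init__(addr, ProxyHandler)
        self.hook = hook      # callable(method, path, headers) -> (method, path, headers)
        self.history = []     # what passed through, like Burp's HTTP history tab


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    # Headers the proxy regenerates itself rather than relaying verbatim.
    DROP_HEADERS = {"connection", "proxy-connection", "transfer-encoding", "server", "date"}

    def do_GET(self):
        # A browser configured to use a proxy sends the absolute URL as the request target.
        target = urllib.parse.urlsplit(self.path)
        headers = {k: v for k, v in self.headers.items() if k.lower() not in self.DROP_HEADERS}
        # Intercept: the hook can inspect or rewrite the request before it leaves.
        method, path, headers = self.server.hook("GET", target.path or "/", headers)
        self.server.history.append({"host": target.netloc, "method": method, "path": path})
        upstream = http.client.HTTPConnection(target.netloc, timeout=5)
        upstream.request(method, path, headers=headers)
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        # Relay the response; the same hook pattern could rewrite it on the way back.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in self.DROP_HEADERS:
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def add_marker_header(method, path, headers):
    """Example hook (hypothetical): tag the request so the origin can prove it went via the proxy."""
    headers["X-Intercepted"] = "yes"
    return method, path, headers


def run_demo():
    """Start a local origin and proxy, send one request through the proxy, return what happened."""
    origin = http.server.HTTPServer(("127.0.0.1", 0), OriginHandler)
    proxy = InterceptingProxy(("127.0.0.1", 0), add_marker_header)
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        origin_url = f"http://127.0.0.1:{origin.server_address[1]}/login"  # constructed target
        proxy_url = f"http://127.0.0.1:{proxy.server_address[1]}"
        # Point the client at the proxy, exactly as you would point a browser at Burp.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy_url}))
        with opener.open(origin_url, timeout=5) as r:
            status, body = r.status, r.read().decode()
        return {"status": status, "body": body, "history": list(proxy.history)}
    finally:
        for srv in (origin, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the origin receiving a header the client never sent, which is the whole point of an intercepting proxy versus a plain forwarding proxy. Plain HTTP only: a TLS-capable version would need its own CA, which is exactly why the second bullet above matters for Burp.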

Transcript

Serena DiPenti

Jason Blanchard

BB’s here. Oh, thank God.

BB King

We don’t have to teach this. Hi. How’s everybody? Yeah, I got it. I got it, Deb. You can just play guitar instead. Sure. I’ll learn how real quick. You got them all there, right?

Deb Wigley

I do.

BB King

You just have to want it, Deb, and then it’ll work, I guess.

Deb Wigley

I don’t want it, BB. I got other things I want.

BB King

Maybe Fletch can play guitars for us then. Fletch can play guitar.

Deb Wigley

He’s not a poser like me.

Jason Blanchard

I was just about to say, BB, with your lighting and the color of your shirt, it looks like you’re not wearing a shirt when it gets bleached out.

BB King

I’m on it. That’s a weird tattoo you’ve got. Big dragonfly. It’s my dragonfly tattoo. It’s my Darknet Diaries shirt.

I don’t know why the dragonfly says Darknet Diaries, but it does.

Deb Wigley

It is strange.

BB King

I was going to wear mine today. I got a button one here.

Jason Blanchard

Okay.

BB King

How about that flannel?

Jason Blanchard

This is going to end up in the pre-show video, isn’t it, Ryan?

BB King

It might, Ryan. It might.

Deb Wigley

Oh, with great power comes great responsibility.

BB King

Was it? Yes, Uncle Ben.

Deb Wigley

All right.

BB King

Thank you, BB. I am in.

Deb Wigley

I am. I have received your slides, or your... your Burp outline text.

BB King

It’s like one slide. That’s just a PDF. It’s a slide that says there are no slides. Right.

Deb Wigley

There are no slides, but if you must read something, read this.

Jason Blanchard

Yes, please add that note. And, Samantha, can you give us a real quick synopsis about it so everyone’s on the same page before you start talking?

Samantha

Yeah, absolutely. So we are a nonprofit, private predator hunting organization. Now, what I mean by that is, we are a registered 501.

That is comprised of the intelligence community, the tech community, hackers, ex-law enforcement. It’s really a bunch of us getting together and working to fight CSAM, or child sexual abuse material.

So we unmask predators that think that they can hide behind a username online.

Jason Blanchard

One of the things I picked up on, and I’ll ask you about today, is that you’re not a vigilante organization. What’s the difference between a vigilante organization or a vigilante and the work that you’re doing?

Deb Wigley

Absolutely. So, great question. Vigilantes are those who actually take the law into their own hands. So we see it, pedo hunting on Instagram or YouTube, live streams.

More kids are getting involved, or it’s private groups that are actually hacking or going out and trying to meet and bait these people. So vigilantes, they think that they’re doing better by doing things like this.

However, it’s actually incredibly damaging to a case. So we work well within the scope of law enforcement. We want to be sure that people are being prosecuted, not just either sitting on a desk or, oh, because of how you handled this, we can’t use it.

And now a predator walks free. So we work above reproach and very closely with all shades of law enforcement.

Jason Blanchard

And we’ll probably ask you, like, how people can get involved if they want to. And I heard during the presentation, like, there’s a long vetting process if somebody wants to be a part of your team.

Deb Wigley

There is, yes. So initially, if you apply to volunteer, we have, we’re built in a few different ways, so we have our PIT, or Predator Identification Team, now.

That’s what I help lead. And then we have our education and outreach, our board of directors, and then our developers. So the PIT is where everyone feels this most strongly to help.

This is definitely the hardest to get into. However, whichever department that you decide that you want to try to apply for, you will have to go through

a technical interview, a prerequisites interview, a mental health check, a financial and medical background check. So it’s just lots of checks to ensure that we’re not only protecting our organization from an outside predator, but we’re also not damaging you in the process.

Jordan Drysdale

I have a question for you. At some point, I’m not sure if it’s good to start with or not. I saw something and I immediately thought of you guys, when I saw Operation Arkstone, and I think it was New South Wales.

Did you see this?

Deb Wigley

Was, that the big ring bust that happened yesterday or a few days ago? No, I’m not familiar with them.

Jordan Drysdale

Yeah, a couple days back. Just curious.

Samantha

Give us the highlights, Jordan.

Deb Wigley

Yeah, tell us about it, Jordan.

Jordan Drysdale

So they, I guess the New South Wales children’s protective task force had found a single individual they were interested in and ended up breaking up a gigantic ring through his mobile device and all the forums he spent time in, and they just reversed that operation.

Deb Wigley

It’s actually pretty common for cases to start like that as well.

Samantha

They run in packs.

BB King

Like, you find one person and that leads to more.

Deb Wigley

Well, they, depending on the type of predator. Yeah, they’re looking for a sense of community, whether it’s to trade content or financial gain or just to click with somebody, because, when you think about it,

A basic human need is for us to feel like we’re part of a community and have a sense of identity. And unfortunately, they’re no different. They look for this as well.

And so they’ll actually seek each other out to trade and become friends.

Deb Wigley

Well, but that’s a good thing, right, Samantha? Cause it allows us to find them.

Samantha

Precisely. And not even just that. They’re not real monsters. They’re humans. And because they’re human, we’re able to predict their behavior and better protect ourselves against them and our kids.

Jordan Drysdale

Mm. Yeah.

Jason Blanchard

Just want to let everyone know that we have Samantha from the Innocent Lives Foundation during the first part here today. So thanks for being here for the pre-show banter.

Samantha

Yeah, thank you for having me.

Jason Blanchard

Yeah. And we’re hoping to bring more people on who are doing amazing community work and things that our audience can get involved with. So we’re going to ask Samantha about some of the things that she’s doing here today during the pre-show banter.

And I think it’s awesome that you take the skills. Someone already has these skills. They have the skills for OSINT. They have the skills for, being attackers,

and then you just, I guess, readjust it or use the same stuff. Right.

Samantha

For the people who volunteer, the mindset in general, especially with hackers, you guys already think of different ways to solve problems, and you’ll be sure that you can do it within the scope that you’re given.

And that’s one thing that we are very certain to do. So we do not go and bait and pretend we’re, like, 13-year-old girls and try to get these people.

No, we are looking for people who are directly posting or trading content already and doxxing the living crap out of them.

This is more of the hacker style group anyway. Yeah, that’s what we do.

BB King

And then you take what you’ve gathered there, and then you’re done. Right? Then you hand it off to law enforcement and they run from there.

Samantha

Exactly. Great question. We do something called parallel reconstruction, where we’re actually building out. Imagine a pen test report. You’re building out the steps that you’ve taken to be sure that your client can follow it as well.

Well, that’s the same for us. So we want to be sure they can follow the exact steps. And that protects us as an organization because we don’t want our name attached to stuff.

We don’t want a, thank you or a pat on the back. We really just want these guys off the streets and kids to be better protected.

BB King

Mhm.

Jason Blanchard

So David asked a really good question, and I’ve had friends that work in this type of work. And so the question that David has said, how do you protect yourself from the mental and emotional strain that comes from that line of work?

Deb Wigley

Yeah. So obviously, people are going to process it a bit differently. So we took a step to try to help bridge that a bit by hiring, a full time therapist.

Now, she’s called our wellness director because she’s just called our wellness director. Legally, therapy, I think, has to be done in person or through very specific comms.

But the point is, you’re still protected under the same rights of therapy. So if you’re in the pit, you have to meet with her once a month, minimum.

You’re welcome to meet with her more as needed. And we want to be sure she’s there for the team to help process difficult times. Devs and every other part of the organization have to meet with her once per quarter.

Even if you’re not being directly exposed to this content, you’re still hearing stuff and working on pretty difficult research and content for us to put on social media. So that’s just one step we take.

Now, the other step we take is we have something called a blur tool, and it protects our agents from seeing this material directly, and it’s also our intent to view.

So we’re showing law enforcement we’re not going here for any nefarious purposes. We’re going here even if it’s blurred, just to gather information and see what we can find.

So it’s kind of a pair of therapy and a blur tool so you’re not directly exposed. And then I really encourage our team to all communicate with each other because we all work through things differently and we all process things differently.

I’m a very dissociative person, so the way that I work may not be the same that someone else processes things. Yeah.

Jason Blanchard

And so we posted a link inside Discord and in the GoToWebinar. And so you mentioned the PIT. What does the PIT stand for? It’s PIT, right?

What’s that?

Deb Wigley

Yeah, it’s the Predator Identification Team. So my role with ILF is I’m the PIT coordinator. Predator Identification Team coordinator.

So it’s a group of volunteer investigators. And the number fluctuates, but they are all donating their time to actually work on these cases. And it can take anywhere from an hour to months.

It really depends on the case and.

Jason Blanchard

Go ahead, CJ.

Jordan Drysdale

No, no, that was me. I have a question, if you don’t mind. One of the most disturbing things that came out of Chris Hansen’s effort was that it didn’t matter what town he went to, there was always a huge volume in every single community.

Do you feel like you can get in front of this problem, or is it like the doom and gloom scenario

Samantha

where there’s so much? So that’s a very tough question. The way that I’ve kind of looked at that is I don’t get overwhelmed trying to change the world.

I really am looking just to change someone’s world. And I have the power to do that. And we’ve seen it take effect, and we can’t publicly talk about our cases, but as soon as we’re seeing it actually take a ripple effect, that’s really what matters to me: that now this kid doesn’t have to experience this, or let’s say he’s a serial predator and we got him off the streets.

There’s a chance that serial predators can affect up to 400 children. So it is a really dark and kind of scary and overwhelming issue to face.

But part of the issue is it’s so uncomfortable to face that no one’s really taking it head on. So I really like that we could work as a community and all have the general consensus of let’s end this as much as possible.

So to answer your question, I don’t think we’re ever going to eradicate it, but we can definitely change someone’s life. And that is incredibly powerful.

Jason Blanchard

We’re getting to the point now where 3,000, 4,000 people register for a webcast, and we’re looking for ways to, with that, bring the community together. So we are supporting the Innocent Lives Foundation

a couple ways. One, if you buy one of the new Black Hills t-shirts from the Spearfish General Store, all the net proceeds from the Fall 2020 collection. And it is called the Fall 2020.

What’s that? What’s that? Exclamation point?

BB King

Bang.

Jason Blanchard

Yeah, bang. So, we named them after the password spray seasons. There will be the Spring 2021 Bang collection.

Anyway, so all the net proceeds from the t-shirt sales will go to the Innocent Lives Foundation. But if you’re like, I don’t want a t-shirt, Jason, or I just want to give money to the Innocent Lives Foundation.

Samantha, we’re going to have you bring up your slides so you can show the people here.

Deb Wigley

Yes, let me make you presenter.

Deb Wigley

And then the inner geek in us all wants to know how the blur tool works. Is it by hashes?

Samantha

So I can’t actually publicly talk about how the blur tool functions. However it does, it blurs all images.

So, as soon as you’re opening your browser, it’s blurred. You can unblur necessary portions, so if you need to read text and stuff like that.

And I know a lot of people get curious about the tech that we do use. One of our founding principles is that we will never educate a predator. And that’s not, that’s not a judgment of anyone asking the question.

It’s, oh, gosh. When, I think it was Jared Fogle got caught, the dog sniffed out the silicone and USB keys, and it was posted online everywhere.

Guess where else it was posted.

Samantha

On the predator sites.

Samantha

On the predator sites. And that gives some tips for evasion or to. Well, yeah, just evasion overall in general. So we will never disclose anything operational or tool-wise that will give a predator an advantage.

BB King

Awesome.

Jason Blanchard

Seeing the questions from the audience.

Deb Wigley

This is the question I was asking earlier when I was muted. You talked about the PIT. But are there other roles and things like that for people to be involved?

Samantha

There are, yes. So you can work in the dev team, so you can actually look to build us new tools and procedures and see if you can make our jobs easier, whether it’s automating or network stuff or just tools in general.

We also have something called the education and outreach team. Now, they’re who you’ll see post on social media and really pump our, like, our previous fundraisers. We’ve done, like, ILF Fest and Twitch streams and that stuff.

And they’re. They’re trying to create content so that we can educate people without educating predators and without vicariously scarring people.

So that’s a big role in it as well. And then lastly, if you’re not wanting to go through, or maybe you can’t at the time, go through all the steps to officially join our organization, you can join the fight by donating to us.

We’re trying to come up with new, fun ways to, again, bring light to a very dark situation and see how we can really get everyone involved and feel good about donating and.

Yeah.

BB King

Very cool.

Samantha

And now here’s some more of the technicality which they might have missed, the earlier part where you’re talking about how it was very much like a pen test. But see, what difficulties do you run into making sure that you can tie a human to the machine they’re using?

Samantha

Oh, gosh, so a lot. We will look for the unique identifiers to properly connect the two, whether it’s things like usernames or speech patterns or geolocation, whatever it may be.

We’re looking for unique identifiers that attach to the original alias that we’re looking into. And it’s not always that. There’s various pivot points that, of course, I can’t go into.

Obviously, there are moral issues that we personally come up against if we’re having struggles identifying a person: we don’t want to identify the wrong person, for starters.

And how much time is too much? Like, when do we know to stop? So, to answer your question, yeah.

BB King

Well, I think the thing was, though.

Deb Wigley

So to me, you’re looking for a bunch of evidence, as much evidence as you guys can collect. And then you said you hand it over to law enforcement. You’re not the jury, you’re not the judge, right?

Samantha

So that’s one thing we have to keep in mind as well. We’re just gathering information. Like, I’m not a cop, I’m not a lawyer. Like, I am here to gather data. And you can decide what best to do with it.

They have the capabilities to do it correctly and keep it within the right chain of custody.

BB King

Yeah.

Deb Wigley

For the questioner, Samantha talked earlier about how they put it together very much like a pen test. They’re trying to show the entire chain of not just evidence, but how did we get here?

BB King

Right.

Samantha

So the authorities have information that’s just arming them. So it’s very much a pen test style activity, it seems to me.

BB King

Yeah.

Deb Wigley

Which is why this community is so great for that mindset. You’re problem solvers, Samantha.

Jason Blanchard

So tell us how people can get involved.

Samantha

Yeah. So, as I talked a bit about earlier, you can apply to volunteer, and then we’ll go through the proper checks and balances to see if you’re qualified or able to volunteer.

However, there are also other ways to support us, so you can fuel the mission by directly donating. You can see if your employer will match.

The other way is we actually just started something called our Heroes program. Now, the financial goal of the Heroes program is to generate $100,000 over the next twelve months.

So COVID has really knocked the overall nonprofit world. So we’re asking for those who have means to commit a monthly donation of either 25, 50, or 100-plus dollars.

You’re going to help us not only continue as an organization, but be sure that our cases are being pursued. So just a little bit to go into this.

So when you are a Defender and give $25 monthly, you will get physical impact reports, stickers, a badge from Badger, and a challenge coin.

It will be our very first ever ILF challenge coin. Now, if you donate $50 or more a month, you will get all of that that’s included with Defenders, but you’ll also get a pin, a t-shirt, and the right of first refusal for ILF events.

So you can actually be invited to, like, the back end of our Twitch streams or things like that, and decide whether or not you want to join us. Now, our Legends.

These are our monthly $100 or more. You get everything that’s included with the previous two, as well as premium swag and exclusive Legend-only events, which I can’t quite go into as much on that.

You will just have to wait and find out. So this is for the Defender. I kind of already zoomed through a bit on that without scrolling and so forth, so this is what it will actually look like.

These are our Champions as of now. So you can actually donate under a Champion if you were referred by a specific person. As some of us, we’re very, we like to have fun in our tech community and bring light to a very, very grim area.

And we’re competitive as a community. So we have some of our very first ever ILF Champions, including Edward Miro from the Sudo Social Club, Phillip Wylie, who is an incredible supporter of the ILF and a pen tester within the community.

Some of you may know him from the Tribe of Hackers. Then there is Alethe Denis. Many of you may know her already in the community. She’s an incredible social engineer and friend of the ILF.

And then there’s Levi, who has mind-blowing talents and donates so much of her time. So you may see them post on social media and have some fun, little quirky ways to try to raise money, whether it’s a Twitch event or just putting something out, but you can actually go and donate under them.

Now, if you weren’t referred by somebody, you can donate under the ILF. Pineapple pizza. If you’re not familiar with us and the fun that we have. Our founder, Chris Hadnagy, despises pineapple pizza.

It is the literal bane of his existence. And we were able to raise $25,000 for our organization and to watch him suffer on camera.

So it is for the kids. That’s what we kept telling him. But you can donate under that, and it’ll be a little poke at Chris, but also it’ll be a way to support our organization

if you weren’t referred by a specific person, if the pizza wins.

BB King

Does Chris have to eat it on camera? Is that the deal?

Deb Wigley

I’m going to say yes.

Deb Wigley

I wanted to challenge Floyd anyway.

Samantha

Yeah, see, so we’re really looking for ways to. I know it’s hard. We, we ask for you guys to donate, and then we can’t always give stories or successes because it can damage our cases or our agents or our safety.

So this is a way that we can try to give back to you guys. And thank you for being here to support us so much.

Deb Wigley

Hey, Samantha, Dale has an international question. He says, hey, how does a Canadian join a.

Samantha

So, unfortunately, as of right now, we don’t have the means to take international context. The background checks and stuff just get a little bit iffy.

However, we would still love to talk to you and maybe be a friend of ILF. So if you’d like, you can reach out to me at samantha [email protected].

So, yeah, this is another shout-out for the Spearfish General Store. If you can’t donate and you just want to still help, there is Amazon Smile.

So we are on Amazon Smile as a charity of choice. You don’t have to do anything extra. You just have to select us as your charity of choice. And a small portion of all the purchases that you make under your Smile account will go towards us.

Jason Blanchard

Who just bought shirts? Thank you.

Deb Wigley

Yes, thank you.

Jason Blanchard

And to all the people who are currently at the Innocent Lives Foundation website, what I was hoping is that we’d give them the Black Hills hug of death. Not necessarily bring it down, but.

Deb Wigley

Like the wall of death.

Jason Blanchard

In monstrosity, it’s more of the DDoS.

Deb Wigley

The DDoS of love.

BB King

Yeah.

Deb Wigley

Okay. I am sorry in advance to our devs and, what, folks, thank you for your compliment. Yeah, it’s really a weird compliment.

Jason Blanchard

Yeah. So if the site goes down, thank you, everyone. If the site goes down, you’re doing your job.

Samantha

So this is just a summary of our links and social media. One thing that’s not on here that is a bit newer is we’re now on Twitch as a charity of choice. We’re trying to get more into the streaming realm, so you can just run your normal stream and select this as a charity of choice.

And yeah, we have lots of ways to get involved.

Jason Blanchard

Twitch is my favorite.

Deb Wigley

Samantha

Jason Blanchard

To the hundreds of you that are here right now, this is not the webcast. The webcast will begin in five minutes with BB. It’s Getting Started in Burp. But we invited Samantha here from the Innocent Lives Foundation. If you just showed up and you missed a lot of what we just talked about, at the very end of the webcast today,

when it ends at 2:00 and we’re done with all the Q&A for the webcast, Samantha is going to stick around for about ten minutes, from two to two Eastern time, to talk more about the ILF.

If you’re interested in getting involved, either volunteering or supporting or whatever. We like this foundation so much that it was the very first one that we chose for our Spearfish General Store to donate to, just the amount of work that they’re doing and the fact that they just said, hey, we have these skills.

We have these skills that we have on a daily basis that we use all the time to either hunt attackers or to pen test organizations. How can we use this to make the world a safer place for one person?

And that one person’s turned into two people and three people and four people?

BB King

So.

Jason Blanchard

All right. And someone’s just said they’re happy to see the Joy Division shirt. Yes, it is back. The Joy Division shirt. And I’m just going to plug this for a second. It’s done with a bleach process instead of an ink process.

So it removes the dye from the shirt instead of adding ink to the shirt, which is so cool.

CJ Cox

It’s like the opposite. Is that an exact replication of the first one, or is this one slightly modified?

Jason Blanchard

It’s modified a little bit. We cleaned it up a whole lot.

CJ Cox

This has always been John’s very favorite shirt. That is one of John’s very favorite album covers.

Jason Blanchard

Yes. So when we were talking about doing shirts again, John’s like, the first shirt’s the Joy Division shirt. I was like, yeah, but this first shirt is the Joy Division shirt.

Got it. Samantha, if I could have you go off camera and audio for now. And we’re going to turn the presenter back over to BB.

BB is going to give our webcast today on Burp Suite. Everybody else, if you go ahead and kill your cameras, kill your audio. So it’s just me and BB at this point and the hundreds and hundreds of people that are here.

No stress.

Deb Wigley

No stress.

BB King

So look, Jason, I made a slide. I don’t have slides for this because it’s like a walkthrough. And I know people like to have slides.

So I made this for all of you just while we were doing the pre-show banter. The interesting thing here is that Burp Suite is two words, but it’s from PortSwigger, which is one word.

So if you want to run things together, do it with PortSwigger, not with Burp Suite. That’s my first tip.

Jason Blanchard

Thank you, BB. All right, everybody. We’re two minutes out from today’s webcast. At the end today, we’re going to talk about the Innocent Lives Foundation at the very end, if you want to stick around for that.

For those of you that are here, we have been wanting to launch Black Hills t-shirts for a long time. We’ve got a lot of requests. We used to give them away at conferences all the time, and we can’t do that. So we’re selling them for $20 apiece.

And I know this goes against everything here at Black Hills to talk about stuff that we’re selling, so we just want you to know, if you want a shirt, you can get one.

All net proceeds, because we didn’t want to make money off of this because that’s not, we probably suck at capitalism. So all net proceeds go to the Innocent Lives Foundation. Or you could just give money directly to the Innocent Lives Foundation if you don’t want a shirt, or keep your own money. It’s up to you if you want a shirt.

But Backdoors & Breaches is available again for international sales, which is exciting for a lot of people who are international, but not exciting for the person at Black Hills who has to ship everything to the postal service and stuff.

BB King

So.

Jason Blanchard

Yeah, and someone’s like, do we ship the t-shirts internationally? Absolutely. Because we know that you’re all over the world. And thank you for being here. All right, BB, we got one minute.

BB King

All right.

Jason Blanchard

See, there, your mic’s off.

BB King

Two cameras off.

CJ Cox

Stupid double safety probation. BB, are you going to have a Wild West Hackin’ Fest course soon?

BB King

Yeah, I have a class called Modern WebApp Pentesting, and we use Burp in that class. We just had the last run. We did that with Secure West Virginia last week, and we’re looking to get it up and running again sometime in the first quarter of next year.

We don’t have dates for sure yet, but we’re, like, this close. I’m tempted to say what the candidate dates are, but they’re not final, so stay tuned.

CJ Cox

Stay tuned.

Jason Blanchard

All right, everybody, it is 1:00 here on the East Coast, and it is time for today’s Black Hills Information Security webcast. If this is your very first time on a Black Hills Infosec webcast, we have a team of people in the back end that are going to do the best we can to answer your questions that you write in, either in GoToWebinar or Discord.

We like to use Discord for conversation and commentary on the content. Today, BB is going to be nonstop demoing Burp Suite. There are no slides.

There’s no slides.

BB King

Just talking and clicking.

Jason Blanchard

So he’s just going to show you all the things that BB knows. And BB is an amazing web app pen tester. I’ve seen some of the stuff, and when we wanted to launch something, we’re like, BB, could you pen test, like, our own internal websites?

And so we hope you enjoy today’s webcast. If you ever need pen test or infosec services, you always know where to find us. And with that, BB, it’s all yours.

BB King

Thank you, Jason. Yeah, I’ve been pen testing web apps for a long time. Like 2008, I think, is when I started. And that’s around the time that Burp Suite first came out as a thing.

I think the first time I bought a copy of Burp Suite, I think it was like $100 or $75 or something. So I’ve been using it for a while. It’s a fun tool.

And the reason I wanted to talk about Burp Suite, getting started with Burp Suite, is because every single time I watch somebody else do something in Burp Suite, I learn something new. Everyone uses it differently, but pen testing can be a very individual task sometimes if it’s just, it’s just, you’re the only tester.

It’s just you in that web app, and it’s just the two of you for the whole week or two weeks or however long your test is. And so people really develop their own ways of using it. And what’s obvious to one person is, like, mind-blowing to somebody else.

So I found that quite a lot, and I thought it would be useful to do that, to give kind of an overview of the things that seem kind of obvious to me now after, geez, ten years of using it.

So this is Getting Started with Burp Suite, and that is the end of the slides. From here, I have a little outline, and I think, I think Deb put it in the place where the slides usually go.

So if you want to follow along, or if you want to remember, what was that plugin or extension he talked about? It’s in there, and I’m going to keep it here to try to keep myself on track a bit. But please ask questions. CJ or whoever, pop up and let me know if you have questions.

And I’ll be happy to derail and answer those, because we’re just kind of going through and looking at stuff. So when you first install Burp, well, what is Burp?

So, burp is it’s an intercepting HTTP proxy. So intercepting means that it can catch traffic from your browser before it hits the network or from the network before it hits your browser and let you make changes to it.

Or you can just look at it if that’s what you want to do. That makes it different from a regular proxy, like a squid proxy or any other kind of proxy where that just forwards stuff through. So the ability to intercept is what makes it useful.

And it’s useful for web apps that way because, it sits in between your web browser and the network stack on your computer. So anything that leaves your browser pits burp before it goes to the network.

Anything that comes back from the network hits Burp before it hits your browser. So you’re in that ideal in-the-middle place where you want to be to see the traffic and mess with the traffic.

So a couple things to get started. When you first install Burp, there’s a few things that you’re going to want to do, and the first thing you’re going to want to do, and maybe the most important thing you ever do in Burp Suite, is come over to User options and change the look and feel from Nimbus to Metal.

Nimbus is all cloudy and bubbly and it looks like a toy. It looks like you’re writing your report in Comic Sans and it’s bad. What you want is Metal. This is Metal. Doesn’t this look more serious and more?

I’m here to get the work done. This is the first thing you want to do, change it to Metal. Then you have to restart Burp because it’s Java and it doesn’t notice when you change that thing. The next thing you’re going to want to do is under Project options, you want to look at the Miscellaneous, the Burp Collaborator server.

When Burp Pro is doing scanning, Burp Community doesn’t have a scanner in it. So when Burp Pro is doing scanning, one of the ways it looks for vulnerabilities is it sends requests that contain URLs, and it makes up those URLs, and it has a server out there on the Internet that is listening for somebody to make a request for one of the URLs that Burp just made up during the scanning phase.

And that will help you find, it’ll help you find blind types of attacks. So if you send in something and the server does like a DNS lookup or maybe it tries to make a connection to that system, from the browser side you’re probably not going to see that. The Collaborator server listens for those things and it reports back to you what it finds.

It keeps track of your stuff versus everybody else’s stuff. There’s a public one that you can use, but you may have some privacy reasons, you may have some rules with your clients that you can’t use that one.

So set one up for yourself, and this is where you point at it. We do have one that we use at BHIS, but I’m not going to show you what that is.

So you want to set that, make sure that, what that is. The other option is don’t use Collaborator. So if you’ve got strict rules and you can’t set one up yourself or whatever, turn it off. By default it’s on, and I think it’s okay. My opinion is that using the default Burp Collaborator server isn’t a real exposure because of the way they’ve architected it.

They have a bug bounty program out against it and so they’re constantly testing it and it’s used by web app pen testers. So it gets beaten up quite a bit.

I think it’s fairly reliable for that purpose, but you should know about it. Under Extender, we’re going to talk about some of the app store items a little bit later on.

You want to install this Jython standalone guy. This allows you to use some of the extensions that are written in Python rather than in Java, because if you look at the API that Burp exposes you’ll notice that it’s Java.

And you have to write your extensions in Java unless you have that Jython thing; then you can write them in Python or actually anything that compiles to Java bytecode. I think there’s a Ruby, you can use a Ruby environment as well, but you want to set this up so that you have a greater range of options to install from the Extender.

That’s kind of it for Burp. Then you need to set up the browser that you’re going to use with Burp.

Jason Blanchard

Yes, Jason, quick question from the audience and just to establish context, is this for the Community or Professional version or both?

BB King

Good question. This is for, well, some of the stuff is not available in the Community version. So I use the Pro version when I’m actually testing.

Everything that’s not Pro functionality applies to both. The Pro functionality is basically the scanner and some of the Intruder things. I’m not going to cover much today that is different in Community versus Pro.

Pretty much everything should work. The next thing is the browser that you’re using. You need to set this up so that it will accept the certificate that Burp Suite creates.

So under Proxy options, here is one place where you can get that; you can export the certificate and then you can import that into your browser. Now there has to be a certificate here because, remember, this intercepting proxy is in the middle between your browser and the web server that you’re testing.

Most systems these days are using HTTPS. The whole point of HTTPS is that nobody on that path between the client and the server can see what the traffic is.

They just get encrypted gibberish. So if you want to be able to modify that stuff, you have to be able to break that SSL connection. So the connection, the SSL connection, becomes established between your browser and Burp, and then a separate one between Burp and the target web server.

So Burp makes a normal connection to the target web server. You don’t have to do anything about that. But for your browser to accept the certificate that Burp uses, you have to convince it that that’s okay. If you don’t do this, you’ll get certificate warnings.

And in today’s day of HSTS, you can’t bypass those warnings. You can’t say, what, accept that certificate, I’m okay with it. HSTS, which most public web servers, big business type things, have now, won’t let you do that.

Used to be able to click through and accept that certificate. I initially used to use Burp that way. I did it that way on purpose because I was young and naive and I used my web browser for pen testing.

I used the same one for my personal browsing. And I wanted to make sure that I got a warning when I was going through Burp so that if I was doing personal browsing and accidentally going through Burp, it would warn me.

And I liked that. It was a bad idea then and it’s a bad idea now because you only get those warnings from the top, from the top level thing you’re connecting to. So if you go to like google.com and you have the certificate set up wrong, your browser’s going to warn you and say, hey, I can’t connect to google.com.

And Google has HSTS, so you can’t even override it. But if it did not have HSTS, you could override it and then it would try to render the rest of that page. And if you know anything about web pages, it’s that they contain references to other stuff.

It’s not just that HTML page. It pulls in content from content delivery networks, it pulls in images from other places, it talks to a lot of different servers in order to render that page.

Those other connections that are not the top level connection, they just silently fail. The browser doesn’t give you an opportunity to accept a certificate that it doesn’t like in those cases. So if you don’t import this certificate into your browser, you won’t get the full content of what you’re scanning.

The easiest way to do that is, in a browser that is configured to use Burp, you type in the browser “burp” and then you click here to get your CA certificate and you download it.

And then you go into Firefox, the Preferences, Security, and you import it into the, to be trusted as a signing certificate for web servers.

Once you have done that, look, intercept is on. I’m going to come back to this. Once you have done that, I’m going to come back to it right now. In fact, now you’re set up.

This is the initial setup that you have to do for every installation. Every installation of Burp creates a new signing certificate. So the one that’s on my system is not the same as the one that’s on your system. And that’s also by design, because if it was, then I could take my certificate and use it to intercept things from your browser.

If your browser was configured to use Burp at any time. So they’re always different. The next thing to worry about every single time you start up Burp is it’s going to start in this mode.

Unless you tell it otherwise, it will have intercept turned on. What that means is, remember, it’s intercepting, it’s catching that request, it’s stopping it from going out onto the network, and it means that nothing’s going to happen.

So if I’m in Wikipedia here, and if I click, oh, the English version, it’s just going to spin, nothing’s going to happen. And this happens to everyone who uses Burp, and it happens throughout your career.

You always forget that intercept is on. So you have to turn that off. With Burp 2, which is now called Burp 2020 with numbers after it.

The Dashboard has Tasks that shows you running tasks, and this is an architectural difference between the old version of Burp and the current one. These tasks get paused when you start up Burp again for the first time.

The tasks are paused, so it’s not doing a lot of the things you expect Burp to do for you. So in addition to turning off intercept, you want to resume the live tasks.

It tries to warn you, this big orange bar, but it’s easy to miss. And this one won’t interfere with your traffic, so you won’t notice this unless you come here to see it.

So now we’re set up. We’re set up. We’ve got everything set the way we want it, and we’re ready to start looking at web applications, doing testing or doing whatever we’re doing in our web application.

So my general advice, I have general advice and all of this kind of follows from that. These are things I learned by following a lot of this general advice. The first is right click on everything. Burp Suite has a lot of functionality in the context menus, and the context menus,

that right click menu, differ by context, right? So for different tools, you’ll get a different menu. Each one of these tabs in Burp is a tool. There’s the Target tool, the Proxy tool, the Intruder tool, so that right click menu is different in different places.

Right click everywhere. You’ll be surprised sometimes at what you’ll find. The other thing, I’m going to plug a project of my own here, this Quieter Firefox project.

Firefox sends a lot of traffic all on its own, for telemetry, for finding out if you’re behind a captive portal, for lots of stuff, and it can pollute your history. It makes it harder to pull out your interesting requests and harder to do the testing.

So I have this project called Quieter Firefox, which is a user.js file that turns off everything I could find out how to turn off, all the requests that Burp sends, that, Burp, that Firefox sends automatically.

It helps in pen testing. It’s a horrible thing for security. Don’t use it on your browser or the profile that you use for actual browsing because it disables automatic updates and all kinds of things like that. The whole point of that is to make your traffic cleaner.

It’s not security, don’t install it on your real browser. The third, the last general advice is to use browser profiles for different things.

The obvious one is for different privilege levels at the same time. So in Firefox and in Chrome, you can have a browser profile, and each profile is a separate instance of the browser.

In a given instance of the browser, if you look at, if you have three tabs open, if you log in to the website in tab one, and then you go visit that same site in tab three, it’s going to use the same session.

You can’t log in again because it’s all one thing. That whole browser instance is essentially one cookie jar. It’s one thing. So if you want to log in as an admin user and a regular user, or you want to log in and you want to also have anonymous traffic going on at the same time, different browser profiles will, let you do that.

And this isn’t Burp, but if you go to about:profiles, you can create new profiles and you can get to them all here and you can just create a new one.

Just click a button and you create a new one and you can change among them as much as you want. You can have as many of these things as you want. CJ popped up.

CJ Cox

Hi, BB. People are complaining. They’d like you to maximize that within the window. I guess they’re having trouble seeing.

BB King

Oh, it’s, yeah, this one is too small. Sorry.

Jason Blanchard

Yeah, I think it’s the actual window itself. If you could fill your screen with your window, instead of it being 40% of your screen or 50% of your screen.

BB King

Yeah, I’m trying to keep track of my stuff here. There’s not much. I will. Let me. All right. We can make it bigger.

Jason Blanchard

Isn’t that like from the Bionic Man?

BB King

We can make it bigger, and big and everything. We can rebuild him, right? There you go.

There. How’s that? We’ll go with that.

CJ Cox

Well, on my screen, it’s like the size of a drive-in.

BB King

That’s what I’m going for is the drive-in. All right, noted. I will make them bigger like this as I go. Thank you. I did it in Burp.

I made Burp bigger before we started. A quick run through Burp Suite: in the Proxy tab. This is where I spend most of my time when I’m testing.

We talked about intercept being on or off. You can intercept certain things and not other things by changing some of the rules. There are predefined rules in here and you can create rules however you want.

So the default rule, when you click that button that turns on master interception, this is what happens. The requests get intercepted if their file extension doesn’t match all these things.

So have you ever noticed using Burp that it never intercepts requests for images? This is why, because GIF, JPEG, PNG, we don’t intercept those. If you’d like to, then you can change this.

You can also intercept only requests that have parameters, or you can intercept only GET requests or whatever you want to do. You have all these different rules: match type, domain name, IP address, protocol, all these different things.

You can set rules to intercept only what’s interesting to you and not intercept the rest. Once you’ve done that with requests, if you change those so that you’re only intercepting types of requests that you’re interested in.

A really good, really good response rule to enable is this one: if the content type is text, or if the request was intercepted, so it keeps track.

If you’re intercepting requests, you’re probably interested in those responses too. So telling it to automatically intercept the response for interesting requests is an interesting and useful thing, I think. In the Intercept tab itself, if I turn this back on again and I just reload the Wikipedia page, you can see the request.

So it’s sitting here, my browser, we just call this the throbber. I don’t know if it’s called the throbber anymore, but this little guy that says I’m waiting for an answer is sitting there. So I can change this request all I want and then release it and let it go.

I can also, and this is the thing I want to show you here, you can add comments. I’m just going to call it base request and I’m going to make this one green and then I’m going to click, intercept is off.

And now in my proxy history I can see that request. And if I scroll over here a bit, you can see there’s my comment.

I rarely intercept requests on the fly like that, but every time I do, I always flag it like this so I can find it in the history. In the Proxy options, Proxy Listeners.

So this is my proxy listener. I have, I have, I use FoxyProxy here to set the, set the proxy to use the one on port 8080, which is the default.

But why? You can have more than one listener. Yes, you can have more than one listener. So if I set this up to be port 8081 and then if I go to about:profiles and I load a different report, a different report, a different profile, and I set this one to use 8081 and I go to some random website, I didn’t import the certificate into this profile.

The certificate is, is tied to a given profile. So if we go to Options, Privacy and Security. Scroll down. View Certificates, Import.

Sorry, I’m going fast because I didn’t intend to waste your time on this one. It’s this one. Trust this to identify websites. Okay. Okay.

And reload. Now you can see it’s loading. And what’s interesting is not what’s on the BHIS website, but what’s in Burp Suite.

Now if I go back to the proxy history, which is where I spend all of my time, I don’t spend much time anywhere else. This is where I’m spending all of my time. If you scroll way over to the right, look, listener port, 8081 versus 8080.

So. Okay, interesting. But it’s way over to the right there. Why do I care about that? The reason you care about that is because you can say, I only want to see stuff on 8081.

And now all that other stuff just drops out. It’s still there, it’s just hidden, so it’s not getting in your way. So what’s a practical use for this?

Not for Wikipedia and BHIS. This is a great way to do multiple privilege levels at the same time. So in one browser profile I’m going to log in as the administrator and that’s going to be on one port.

In another browser profile, I’m going to log in as a regular user and that’s on a different port. Now I can tell which requests are coming from where. I can filter it here and it makes it easier to find differences in the way the application behaves based on who you’re logged in as.

There’s an attack called SSL stripping, and this is where you don’t actually break the SSL, but you have the browser connect to a proxy or some malicious in-the-middle system over clear text HTTP.

And then that proxy forwards everything to the target system, target server, with normal SSL. So the target server only sees encrypted traffic, which is what it wants to see.

But you as the attacker have a place in the middle where you can see what’s going on and you shouldn’t be allowed to do that. There is not a button in here to enable that.

But if you change the settings here, if we edit this one, and if we say Request handling, I’m going to force the use of TLS. So no matter how it comes into the proxy, it goes out over TLS.

Then if I come down here and I do modifications, response modifications, if I convert HTTPS links to HTTP, and if I remove the secure flag from cookies, now I’ve got the whole attack going on.

So any browser that comes through this instance of Burp right now is going to have SSL stripped. And if the server allows it, that is to say, if the server accepts a connection on HTTP, then redirects to HTTPS.

Now I have a man in the middle position where I can see in plain text what’s going on. And the user, if they don’t look and see that little padlock there, they’ll be none the wiser. So we’ve got that in here.

It’s not one button, it’s three buttons. But it’s a helpful attack to prove the risk of that web server configuration. Like I said, I spend all my time in the proxy history, and I spend all my time here scrolled up to the top with this sorted in reverse by request numbers.

So the most recent stuff is always at the top. YouTube. I didn’t go to YouTube. What’s going on? This tells me what’s going on. This keeps me oriented here. This is where I spend all of my time.

Jason Blanchard

BB, since this is a getting started in Burp Suite and web app pen testing, what you’re looking for right now is misconfigurations from the people who built the website.

And these misconfigurations can cause it to be attacked, right?

BB King

That’s a way to discover that misconfiguration, just using standard Burp settings. It’s a difficult thing to do if you have to write tools to do it, but you don’t have to because Burp will take care of it for you.

There’s WebSockets history for applications that use WebSockets, and you can use that just like the HTTP history. You can send those to Repeater, which I’ll get to in a minute. And it’s all in this place. This is where live things are going on. Target.

A lot of folks, when they first use Burp Suite, this is where they spend most of their time, and it’s a good place to stop and visit. But I wouldn’t spend a lot of time here. I wouldn’t. It’s not a good place to live. There’s a bunch of stuff here that’s not interesting, that’s unrelated to the application you’re testing.

It has the collection of every time I requested the / resource at Wikipedia. It’s going to add a new row here. It’s hard to tell what’s the most recent one and what’s the interesting one. What was going on? What was the context when that request was sent?

This is great for a sitemap, but it’s not a great place to do your testing from. Now, if my test is for, if I’m testing Wikipedia, I can right click, I can just click Add to scope.

I’m not going to do that. I’m going to copy the URL and then in Scope, if I just paste the URL, this is the same as if I had just said Add to scope before, and it’s going to warn me, it’s going to say you have added an item to the target scope.

Do you want Burp Proxy to stop sending out of scope items to the history or other Burp tools? And then it says maybe you want to do that? Answering yes avoids accumulating project data for out of scope items.

And this sounds like something you want to do, but it is not something you want to do, not now, because what this means is it’s going to, anything that doesn’t match that URL, will be hidden from you.

And we don’t know enough yet about the application we’re testing to know if that’s what we want to do. So I’m going to say no. And I’m also going to do this, Use advanced scope control. It sounds scary, but, and I’m going to paste the URL again and it’s going to ask me again and I’m going to say no again.

The reason I’m using advanced scope control is because I’m going to edit this and I’m going to say I don’t care what protocol you’re using, I don’t care what port you’re using, I don’t care what file you’re requesting.

I want anything that ends with wikipedia.org because that’s who hired me to do this pen test. I’m not actually going to send any malicious traffic to Wikipedia, don’t worry. So the difference was, by default, if I just accept the defaults, it’s going to restrict me only to www.wikipedia.org. If I go to Wikipedia and now I start clicking through on things, and I’m just doing this to send some traffic and see what shows up in my proxy.

Now look, I’m going to en.wikipedia.org, and upload.wikimedia.org. These are all different things. These are not the same domain. So if I had told Burp earlier not to send this stuff, I wouldn’t even see it.

I wouldn’t even know that it’s here. So when I’m first exploring the application, I want the scope to be as wide as I can. I want the proxy history to show me everything so that I can talk to the customer. I can say, hey, do you want me to test the stuff that’s on en.wikipedia or just www.

And then they’ll go, oh gosh, yeah, not just www, because so much interesting information is somewhere else. Once you’re sure what the scope is, then you can go ahead and do this.

But don’t do it early. Doing it early is the biggest, the easiest mistake to make here. Last thing about this, anything that’s in gray here is a link that Burp has seen in the traffic.

But you haven’t sent that request yet. So if you’re looking at your sitemap, if we’re testing Wikipedia now, look at all these other things that end with Wikipedia. There are so many of them that we haven’t even touched yet.

So if this is your test, you have a question about scope right now, you should call the customer and say, hey, look at all these other things. Some of them are languages, some of them are, not. How do you want me to handle this?

This shows you what all is going on in the traffic that you’re seeing. Now if I go back to the proxy history now, what I can do is come back to this filter. This little line up here is a filter.

It doesn’t look like a filter, but it’s a filter. Now I can say show only in scope items. And now look, now it’s just things that end with wikipedia.org. So if it turns out that’s what my scope was, everything else is gone.

It’s still there taking up space. But your Burp files are going to be enormous no matter what you do. So this is what I do. Instead of setting the scope narrowly and filtering it, and telling Burp not to send stuff, I will set the scope to what I think it ought to be and use filters.

So remember I said I’m going to turn that back off so I see more things to look at. I’m going to kill this because it keeps. So if I wanted to do something with this request, just picking a random request, what am I going to do with it?

Well, let’s right click on it and see what happens. What are our choices? We can remove it from scope. We can do a passive scan, which is by default it’s already doing passive scanning. We can do an active scan which is going to send malicious traffic to it.

We can send it to other tools, but it’s this Engagement tools thing that I want to show you. This is part of the Pro version that’s not in the Community version. Everything’s grayed out in the Community version.

Find references tells you which other resources point to this one. Where was the link to this? I need to find out how to get to this. How do I find that? You can generate a CSRF proof of concept.

This is really cool right here. Poof. This is, if I want to test this for cross-site request forgery, this is the HTML I can use to do it. It’s just built in.

Then you copy that into a text file, save it, make some changes if you need to, and you have a perfect proof of concept for cross site request forgery. Remember I said right click everywhere.

1, 2, 3, 4. If I go back to the Target and if I go to, let’s stick with Wikipedia something, it was en, right, en.wikipedia.

So now if I right click on this, just to pick something else, I have a bunch more options. So Search is a generic search. I can search for things in the target, in the sitemap, based on anything.

Find comments. Find comments is interesting. If I go to the root here and if I say Find comments, it’s going to go through everything in that tree and it’s going to look in the responses for anything that’s a comment based on what the syntax is for that thing.

So it’ll find HTML comments, it’ll find JavaScript comments, it’ll find any kind of comments. And even though there’s nothing in the search field here, these arrows go through the interesting things. So maybe not just right click on things, but click on anything in Burp, because this is kind of a hidden feature, right?

Then once you’ve done all that, you can export the comments. What I do with these is I remove duplicate comments, I include the URLs, I’ll copy it to the clipboard, paste it into a text file, and then I see what all the comments were on everything that’s under that page.

So you can see notes that the developers leave for each other. And this is great for CTFs because CTFs always have things hidden in HTML comments. And sometimes you find actual good stuff for pentests in those as well.

Another interesting thing to do here under Engagement tools is Analyze target. You’re not going to find vulnerabilities this way, but you’ll get an understanding of how the thing is built. You get a list of all the dynamic URLs, which ones have lots of parameters and which ones have few parameters.

List of the static URLs in the same thing, and then a list of all the parameters and how often they’re used. So this is an interesting place to come to look for stuff I would look for.

Is there a parameter called admin or is admin or something that’s maybe significant to the type of application you’re testing? Great, great summary information here.

Stuff just gives you leads, gives you something to look at. And that is only in the Pro version because it’s under Engagement tools. Discover content is a spider. So it’s going to click all the. No, no, this is not the spider.

The spider is the spider. Discover content is looking for things that have not been linked yet. So it’s going to take information about the site and it’s going to say, oh, you have a directory called en.

I wonder if inside that directory there’s another one called en. So it uses content that it’s discovered so far to try to find additional content. By default it’s, it will run forever.

By default it will run just, just forever. And it uses built-in lists, but you can use custom lists also. So if you have a favorite list of resources that exist on web servers, this is a great place to drop that in and see if those things exist on the server you’re testing just by using Burp Suite.

This is similar to DirBuster or dirb, but it’s built into Burp Suite and it’s also context aware in a way that those other ones aren’t.

You can compare sitemaps. This is one way to find privilege escalations. If you browse the site once as an administrator and then you log out and then you browse it again as a lower privileged user.

You can compare the sitemaps from those two experiences and see what the differences are. I learned this from Tim Tomes. He’s got a great Burp training course. lanmaster53.training is where his courses are listed.

He’s got two courses that focus just on Burp. So not getting started, but building a career on Burp. I learned a lot from him there and this was one of those things. Comparing sitemaps is a great way to find privilege escalation issues.

So it requests all the admin URLs, everything you got when you were admin, requests all those again when you’re not admin. And if you get a good response, the same response.

Well, maybe that’s an exposure. You can also copy URLs and links from each tree here.

So if I do Copy URLs in this branch, I get all the URLs there. Copy links in this branch, I get every link that exists in any URL in that branch. And maybe there’s something interesting you can do with those in another tool.

I saw CJ for a second there and I feel like I’m going very fast, so.

CJ Cox

You are going very fast, man. I have like ten questions queued up. I don’t know if you want to hold them. Are you on a roll? How you doing on time?

BB King

I’m probably not going to get through everything actually, but if you got questions, go ahead. Questions are good.

CJ Cox

Bunch of questions on certificates. And what’s the benefit between using the external browser versus Burp’s embedded browser?

BB King

The benefits are that you have more control over the browser, I think. I have not used the embedded browser on a real test yet. I’ve played with it. It’s a Chromium based browser and I prefer Firefox because I’m more familiar with how to tweak that one.

But I think the main benefit to using the embedded browser is that you don’t have to set up your other browser, then you don’t have to import the certificate. It all just works.

Samantha

There’s an associated question for the browser. Is Firefox the best one to use?

BB King

Absolutely. It’s great. I love Firefox. I use it because it’s familiar to me and I know where all the settings are and all the corners and how to make it do what I want it to do.

Chrome, I think that’s the only reason I use Firefox. Chrome, I don’t see any weaknesses in Chrome. I don’t see anything that Firefox does that Chrome can’t do.

I just prefer it. So Firefox or Chrome, you want a browser that you can manipulate, you want a browser where you can change the settings, where you can import that certificate, where you can set the proxy.

The FoxyProxy plugin is available for both Chrome and Firefox, so you don’t have to set your system proxy like you would if you’re using Internet Explorer. It’s preference. Whichever one you like best is the best one.

CJ Cox

There’s a couple of different questions on advice. Well, this one specifically, any advice on running Burp Suite from a Docker container?

BB King

I think we usually do a VM. No, I don’t have advice on that, that’d be more advanced Burp stuff. I know Docker is cool and fun, but I don’t have any trouble running it locally in the real machine.

CJ Cox

Do you have an example of, you talked about misconfigurations to keep an eye out for, some examples of those types of things?

BB King

We could get into that, but that’s not into, that’s not Burp stuff, that’s more pen testing stuff.

CJ Cox

All right, and then how can you run fuzzing on a website? Do you have to pick a particular file or directory to fuzz?

BB King

Yes, you have to start somewhere. So you can fuzz individual files, individual resources, or you can fuzz the whole site, which is part of what the scanner does. It does basically fuzzing and also more targeted injections.

that’s in the scanner.

CJ Cox

And then any general advice around reducing the scanning time in Burp Pro?

BB King

Yes, and I will get to that under Intruder.

CJ Cox

Excellent. what, I’ve only got a couple left. I’m going to hold them for a while here.

BB King

So Repeater. If I don’t spend all my time in the proxy history, I spend the rest of it in Repeater. So right click on any request and do Send to Repeater.

And now Repeater just lets you replay that request over and over. You can type stuff over here, you can make it different, and you can send it over and over to see how it behaves differently if you send a different request.

So now think back to science class. If you want to know if, when I do something this way, is it different than when I do it that way, or does this reagent cause a different response than that reagent?

You need at least two runs, right? You need the control, where nothing’s supposed to change, and then you need the experiment, where something is supposed to change. When you send something to Repeater, always send it again, always click Send.

This is your control. Because if I’m going to say, well, what happens if I change the proto to HTTP and send that, well, if I don’t know for sure that HTTPS works again, then I don’t know for sure that my change was the cause of any difference here.

Some requests don’t work twice in a row. Some requests are only good for one send. The only way you can be sure that the change you made caused the result you got is to send it again unmodified.

So I always do that. That’s a trick that has saved me lots of time, lots of time tracing down: why did it behave differently? Why isn’t it working anymore? Oh, it was only good for one request, or oh, I accidentally logged out, or oh, the cookie got changed and it didn’t update.

Here’s the other big Burp Repeater tip. And this works in all the tabs where things just have numbers. Even in Repeater I can send to Repeater, and they all get numbers.

Numbers are hard to remember. You can just double click on it and type a new name, and you can have names for all your tabs. That way you can remember what’s where.

The only danger in doing that is the number and the X are really close to each other, so it’s really easy to try to rename the tab and accidentally close it.

Deb Wigley

Then.

BB King

Lastly, I’m going to change this back to HTTPS because I’m not actually attacking Wikimedia, so I’m only going to send requests that it was already sending. So if I send it again, now the back button lights up.

Now I can go back to the previous request and see how it was different. And you can do this all day. It keeps track of any number of requests. You can always go back in time to see what your previous requests were.

So again, click on stuff. Pay attention to things lighting up and not lighting up. Lots of usefulness here. Also, WebSockets are supported in Repeater.

I don’t have a WebSocket request to show you. It is there. Now, about making your scans go better, I’m going to send this to Intruder. And remember, I’m not sending any of this to Wikipedia because I don’t have permission to test Wikipedia.

I’m just using it because they give me good examples, good sample requests, in Intruder. Intruder is a way, this is where you can do a targeted fuzzing of one particular resource.

We’ve got, the parameter values automatically get highlighted, and this is what it’s going to work on to begin with if you don’t make any changes.

Now here’s the cool thing. If you right click on this: Scan defined insertion points. So this is a targeted scan, a vulnerability scan that goes through all the payloads that Burp has, and it only sends them on this URL, in these three locations.

So maybe some of those would have gone in the user agent string, or maybe they would have gone somewhere else. I’m telling it not to test those, only test these. So this gets me quicker results. It lets me tailor it to focus on the things that I, as a pen tester, think might be more likely to be vulnerable.

These are the tasks that we talked about before in Burp 2. Setting these things up, I’m going to create a new task, and under scan configuration I’m going to select from library and I’m going to say audit checks, all except JavaScript analysis.

That’s the easiest way to get a scan going. And I’m not going to continue from here because I don’t want to accidentally start testing somebody without permission. So that was the first thing that I noticed that really stuck with me, that, wow, I didn’t know that was there.

And that’s such a huge time saver. You can also selectively clear these. If you highlight just a couple of them and click clear, it only clears the ones that you had highlighted. You can put them back in anywhere you want.

If I wanted to put this back, for example, I just double click that and click Add. If nothing is selected and I click Clear, they all go away. Yes, Scan defined insertion points is only for the Pro version, because it uses the scanner, which is only available in the Pro version.

The attack types, I always have to look these up to see what these are. So the help that’s in Burp is fantastic. There’s a question mark on every tab and it opens up the help from your local system, so you don’t even have to be online to do this.

If you’re testing something internally from a system that doesn’t have Internet access, the help is available. In a lot of applications the help isn’t very useful. I think in Burp the help is fantastic. You should read it.

And down here are the different attack types so that if you can’t remember them like I can’t, they’re available for you down there.

There’s a ton of different payloads you can send in here. And this is fuzzing: the different payloads to send in all of those different places. There’s a simple list, which is a simple list.

You can read things from files. There are some built in files that it uses for these. What I wanted to show you here though is there is a null payload.

So why would you want a null payload? Sometimes sessions expire with inactivity. So maybe there’s a request that you can send that will keep your session alive while you’re doing other things.

Send that request to Intruder. Don’t set any payload values. Tell it to continue indefinitely, and under options, have it send one thread and have it pause, oh, I don’t know, 10 seconds between requests, or whatever that number has to be.

Now this request is going in the background while you’re doing other things, keeping your session alive for you. Super handy for things that time out quickly. After you run Intruder, it gives you a table of the results.

So every request shows a row in the table, and it tells you what it found in the results, the things that get highlighted. And I’m sorry I don’t have an example of this, but if you’re familiar with that view, it shows you what the payload was and it flags certain things.

So by default, if the response had the word “error” in it, that gets flagged. If it had the word “illegal” in it, that gets flagged. If it turns out, after you’ve run the whole Intruder thing, there’s some other word that you wanted to have looked for and you didn’t know about that ahead of time.

You can come back here after the Intruder thing is done and it live updates the results, so you don’t have to rerun it. You can tell it to look for new things as you learn, without having to rerun all of that stuff, which can be really handy and a time saver when it’s taken a long time to run.

You can also have it extract things from the results with pattern matching rules. So if I’m going to add something, maybe I want it to extract, oh, I don’t know, maybe this.

I want to extract the first part from the X-Cache header. I don’t know why that would be useful, but it’s a good example. Just click on it and it tells you how it’s going to find that. And then if I refetch the response, it’ll make sure it sends it again, sends me a new thing.

So you can pull those things out and have them show up in that results table.

This is a good place for pulling out usernames. If you’re looking at something like an employee directory and you’re iterating over user names, like first name, last name, you can look somebody up and their phone number shows up in the results.

This is what you could use that for. You could extract their phone number, for example, from the responses. The last thing here that gets overlooked in Intruder is these redirections. By default it doesn’t follow a redirect.

So a redirect is an HTTP 301 or a 302, those are the most common ones. And you see these a lot during login. If you log in and the login is successful, the response is a 302 redirect, maybe to your profile page.

That’s a common pattern that you see in web applications. So if you’re using this for password sprays, you’re trying to log in as 200 different users, all with Fall2020! as their password.

If you don’t follow redirects, you might not get all the information you need to tell if that was successful or not. So I always come down here and, if I haven’t set a scope, I’ll always have it follow redirects on-site.

So the same URL, the same domain name, or if I have set the scope, I’ll tell it to follow redirects that are in scope. And then I also have it process cookies in the redirections because sometimes those are important.

So be aware that if you’re sending something to Intruder and the response contains redirects, by default it’s not going to even ask for those. So this is an easy way to miss valuable information if you’re not following through the whole process.

You can use a SOCKS proxy as kind of an upstream proxy for this. So I have a SOCKS proxy running on this box right now, and if I set this to use the SOCKS proxy, everything now will go through that proxy instead of coming straight out of my system.

So the value in this is if you have like an SSH connection, if you’re doing most of your testing from a cloud droplet, a DigitalOcean droplet or some cloud server where your traffic is supposed to exit from. Maybe the customer you’re testing knows you’re testing from that IP, so they ignore alerts from that IP in their logs for that day.

This is a way to use that system as the origin for your traffic. Instead of coming out from your own system, you SSH with a dynamic port forward to that system, identify that here in the proxy settings, and now all your traffic goes from your system to that cloud server and then out to the Internet.

This can help you get into environments you couldn’t otherwise get into. This can help you if you’re doing an internal test, a test of an internal web application, and you don’t have full access to the computers inside that system. Like maybe they give you a default standard desktop on their system and that doesn’t let you install software, but you want to install software and you want to be able to use Burp, for example.

If you can SSH to it, you can proxy through those so that your traffic comes out in the correct place, giving you access outside of where you are right now, giving you a route into other environments.

We also have the, where is this? The hosts thing, that’s under Project options, Miscellaneous, no, Connections. Connections.

This is a little tiny hosts file that lives inside Burp Suite. So if you need, if you’re, again, if you’re testing an internal system and so maybe your DNS doesn’t work, you can’t find the DNS system because it’s not a public DNS, public name.

You can just define it here, put in whatever host name you want.

And now if I go to it, it’s going to fail because there’s no web server there. But it will try. It didn’t, the lookup didn’t fail.

There’s no server running there. That’s why it failed. bbking. The actual bbking. The last thing I want to cover is Extender.

Anytime we talk about Burp, there’s lots of talk about Extender. And this is maybe the best value out of this PDF that Deb put out in the Discord for you, a list of some of the Extender tools that I use or that some of the other testers here at Black Hills InfoSec use.

Now, we talked about installing Jython. We talked about how it’s a Java API. Here’s a good way to find the good extensions. I counted them this morning. There’s 250 extensions in here.

So how are you going to find all of those 250? How are you going to go through this and make any sense of them? Extensions add features to Burp Suite, and the way that PortSwigger handles this, I think, just based on how I’ve seen it working, I don’t have inside information, is that if there is an extension that does some task reasonably well, that task is not going to get added to Burp Suite natively.

They’re just going to rely on the extension to do it for you. So if you’re not looking at extensions, you are missing a lot of the functionality that Burp offers. They’re not like fun little add-ons, they’re not little tweaks.

Some fundamental functionality is in these extensions. Here are the ways I suggest to find good extensions.

There’s a GitHub project called awesome-burp-extensions. You can find awesome Burp extensions there. There’s some descriptions there about why they’re awesome, and you can disagree and say that one’s not awesome, so I’m not going to use it.

And then you can move on to the next one and see if that one is awesome. Another way to find awesome Burp extensions is to look for anything written by James Kettle, albinowax. He is a fantastic researcher and releases a lot of good information.

A lot of great blogs on the PortSwigger blog. If he’s written it, it probably solves a real problem and it probably does it in a really kind of cool, elegant way. So if he’s written it, it’s worth a look.

In my opinion, the last way is to sort this guy by rating, how many stars. So look at the top rated things and maybe the last updated.

And then also look at the popularity. So least popular, most popular. You can’t sort by both. We have limits, but look for things that are popular.

Look for things that other people think are awesome and try those out. Some of the good ones that the BHIS testers, a lot of us, use. Retire.js is one that I think everybody on the team uses.

It’s passive, it doesn’t add any new traffic. What it does is it watches the traffic that is already going through Burp and it looks for third party files that are outdated or have known vulnerabilities, and it reports them for you, so you don’t have to find them.

Turbo Intruder is, it’s like Intruder, but it’s turbo. This one is written by albinowax, and it gives you some ability to do things that you can’t do in Intruder.

It’s harder to use. It’s not as obvious how to use it, but for the things it does, nothing else in Burp does it as well. Python Scripter, it uses that Jython runtime, excuse me, that runtime guy.

And it lets you write, on the fly, short Python scripts that will operate on the traffic that Burp Suite is seeing. So you don’t have to write a whole extension if you just want to do something kind of one-off.

This is your foothold into writing extensions. It takes away a ton of the complexity that exists in using the API with Java, and also when using the API, even with Python, to write an entire application or an entire extension. This is a great place to get quick features and to figure out how you might write it into an extension if you actually want an extension.

Upload Scanner. If the application you’re testing has file uploads, take a look at Upload Scanner. It automates a lot of the testing that you would do by hand for those.

Param Miner is another one from albinowax that can find, there’s a great blog on finding caching problems, finding parameters that aren’t obviously parameters.

And then Logger is a good one to log traffic in more detail and in text files that you can go through later if you need to know exactly what Burp is doing in situations where you can’t always see it directly.

And then the last thing is a list of passive extensions, active extensions, and kind of some other extensions.

So these are things that some of us on the team use, organized by where you might want to apply them. So these are all suggestions for things. If you’re looking for extensions to use in Burp, you could do worse than starting with these.

So I think I’ll wrap it up there. If we have some questions. We got a little bit of time left for some questions.

CJ Cox

Well done, BB. I got some, actually, some pretty cool questions.

BB King

Oh, good.

CJ Cox

Here’s the last one that came in. You have burp-setup.txt open. Can people get a copy of that?

BB King

Yes, that is, that is what, it’s already been shared in the Discord. It’s a PDF there, though. It’s not text, it’s PDF. Beautiful.

CJ Cox

Two questions on that. BB, what headphones are you using?

BB King

Oh, these are, these are, Sony whatever that says. They’re old Sony studio monitors. I had to buy new pad thingies because they went bad because I love these things.

CJ Cox

You live in them. How about your chair?

BB King

BB?

CJ Cox

I had a, there’s a couple of questions about your darn chair.

BB King

My chair.

CJ Cox

I know people asked about some chair thing.

BB King

I don’t know. I’m standing on the floor, there’s a chair behind me. I’m not using it right now, so.

CJ Cox

It’s not that good.

BB King

That’s my final answer.

CJ Cox

Can you use Intruder with an app that is using a reCAPTCHA?

BB King

I love questions like that. Yes, you can, and it won’t work. You can use it. But if the reCAPTCHA is done correctly, it’s going to notice that you’re automating and it’s going to notice that thing.

Are you a computer? Are you a robot? The reCAPTCHA is going to go, hey, you’re a robot. Stop talking to you. If you can find a bypass, go for it. But there’s nothing stopping you from trying.

But if the reCAPTCHA works, well, the Google reCAPTCHA does work. And Intruder won’t bypass that for you.

CJ Cox

But how to get DoSed is to try to do a reCAPTCHA on your phone.

BB King

Oh, we had,

CJ Cox

It’s so hard to see, we had.

BB King

A tester once who was testing a web app, and there was some Google property protecting it, and he wasn’t using the SOCKS proxy, and he accidentally got his home IP address blocked from Google for, I think, days.

So be careful, your family won’t like you if you get your home IP address.

CJ Cox

Blocked, you will not be popular.

BB King

Yeah.

CJ Cox

What would be a reason to use more than one proxy port profile and possibly browser?

BB King

More than one proxy port would be, the way I use them is to separate different privilege levels. So I’ll use one profile and one proxy port as the administrator, another browser profile and a different proxy port as the regular user.

That way I can tell in the history which requests came from which user. Then I can immediately, I can log in as the admin and I can say, oh look, there’s an add user function. I’m going to add a user, and then as soon as I’ve done that, I send it to Repeater, I send it again, make sure that it works, and then I change the cookies in Repeater to correspond to my lower privileged user and try to add another user again.

It shouldn’t work because they should be checking my privileges. But now I know I have a valid request that would work if they’re not enforcing the rules correctly without having to shut my browser down and log in again as a different user.

Mhm.

CJ Cox

Man, the questions just float in here. Are you going to kill me here, Jason?

BB King

It’s only, it’s top of the hour right now.

Jason Blanchard

All right, everybody.

BB King

Oh, no, you got it. I said he was going to show up if he said his name.

CJ Cox

Well, I just felt it. I just felt it just like pressing on me.

Jason Blanchard

All right, let’s do one more question and then we’ll, we’ll wrap up. And then for everyone that can stick around, we have Samantha from the Incident Lives foundation. That’s going to come on, talk about the amazing work that they’re doing. And we would love for who can stick around for ten minutes to do so.

So what’s your last question, CJ?

CJ Cox

Oh, my God, why you put so much pressure on me?

BB King

Make it count.

CJ Cox

I know the answer to this one. What’s your favorite burp suite extension? Or do you use all of these extensions at Black Hills information security?

BB King

I don’t use all of them. No, I use the ones that help me achieve my goals. And I talk to other testers to find out what they use because there are 250 of them.

I can’t test them all. So, Retire.js is probably the easiest quick answer for that one. But JSON Web Token Attacker is also a favorite of mine.

I’ve talked about JSON Web Tokens before, they’re kind of a hobby, and that helps me automate some of the tests. Helps you get started with JSON Web Token attacking stuff.

So.

CJ Cox

So like all tools, people know how to use different tools, and what tool you need depends on the problem you’re trying to solve.

Jason Blanchard

Mhm.

BB King

Right, right. I heard, I heard a great phrase just yesterday from a friend. He said it’s not the wand, it’s the wizard. So it’s not the tools you’re using, it’s your ability and skill in using those tools.

So play with it, try new stuff. Get good at it.

Jason Blanchard

BB, any final words before we end today?

BB King

Thank you for coming. I hope I didn’t talk too fast, and I’m happy to answer any questions in the Discord later. I hang around there, so you can tag me in Discord if I left you puzzled about something, but I hope you got something useful.

CJ Cox

Oh, and I was not yelling. I am typing fast. That’s a distinct difference. Yelling is all caps. Okay.

Jason Blanchard

All right, all right everybody, thank you for joining us today for our Black Hills Information Security webcast. If you ever need a pen test or information security services, you know where to find us. And that is the official end of today’s webcast.