Hello, everybody. My name is John Hammond. I've had a few requests for this video, so I really wanted to bring it to you. I'm excited about this. In this video, we're going to dive into some Burp Suite basics. But before we dive in, I want to give a quick shout out and thank you to Hostinger for helping sponsor this video. If you haven't heard of Hostinger before, they are one of the best companies for web hosting and spinning up an online server. Hostinger offers a ton of plans to quickly build out a whole website, and they are honestly really affordable. It's super easy to set up and use a whole new server that works right out of the box, and the prices can't be beat. You can go to hostinger.com slash John Hammond to get up to seriously 91% off yearly web hosting plans. That's awesome. This is one of the best ways for you to get yourself out there, whether or not you want to be starting your own blog with WordPress or you just want a custom web page where you can share your own content and ideas. So thank you, Hostinger, for helping sponsor this video. And please, I really hope you guys go check them out, hostinger.com slash John Hammond, 91% off. That's awesome. Okay, now let's dive into some Burp Suite. If you're running Kali Linux, you probably already have Burp Suite installed. If you aren't, or if you're on another distribution of Linux like me... I'm going to assume you're on Linux. If you aren't, you should ask yourself why you aren't. I don't know what my grammar did there. All right, if you just simply Google Burp Suite, you can go ahead and download it. It's from portswigger.net. You can find the Community Edition, which you can download totally for free. The other professional editions are much more powerful with some of the tools that they'll let you use. But in our case, we don't really need them. Let's go ahead and download this. It takes a little bit of time to download it.
So I already have it in my opt directory, and that's where I tend to put a lot of my files or other tools. So we'll hop into there, and I have a Burp Suite Community file. What you want to do to install it, if you are doing that, is to mark it executable; then you can go ahead and just run that. It's a simple .sh bash script. It'll go ahead and create some Java runtime stuff that you need to be able to work with, unpack it, run the installer, etc. I've already got that set up. So once it's installed, you can go ahead and fire up Burp Suite. And we have the Community Edition. I've tweaked the font size just a little bit so you can actually see it. Originally, you'll pop up with a screen that says, hey, do you want to open up a project you're already working with? Or do you want to create just a simple, on-the-fly temporary project? If you're doing this for some capture-the-flag oriented stuff or for a pen test... maybe for a pen test you might save a project so you can keep track of your stuff. But if you're trying to tackle a capture-the-flag challenge or just some simple, hey, picking-and-poking-at-a-website usage, a temporary project works just fine for us. And then with that, we can use our Burp defaults. Or if you end up saving some of your configuration from a later use, you can load that or have it kind of included in your project. Again, I'll just do this. And I'll actually set that as the default in the future, so we can make that real easy. Okay, now Burp Suite will go ahead and get started for us. This is a later rendition; I'm using version 2.1.07. It has a lot of cool, fancy things in the dashboard, except most of them are kind of just pro-version only. So I'll go ahead and ignore that for the time being. Really, what I want to showcase is the Burp Suite proxy. So the Burp Suite proxy will allow us to do some other great things, and it'll actually allow us to kind of get in the middle of a web request as we're accessing a web page.
The way that we need to actually set that up, though, is telling our web browser to use Burp Suite as the proxy, so we can actually intercept and grab the requests and kind of manipulate them however we would like to while we're browsing through our web pages. So I'm going to actually do that in Firefox. There is an awesome utility, a little add-on or extension you can add called FoxyProxy, that offers a nice little icon you could add to the side and actually just hop and switch between proxies you might have set. If you need to add this to Firefox, you can. I think I'll hit FoxyProxy Basic. Yeah, that's totally fine. Hit Add to Firefox if you need to. And I actually do already have it set up. And once you have FoxyProxy set up and installed in Firefox or your web browser of choice (you might need to go down a different route if you're using Chrome), go ahead and check out the options. And you can go ahead and add a new proxy. You see I already have Burp Suite set up here, but I'll go through these steps to show you: just this Add button up here with a big plus sign. You can call it Burp Suite or whatever you'd like to. The proxy type of HTTP is totally fine. And the proxy IP address is going to end up being your own machine or your local interface, because that's where Burp is running. I'm going to say 127.0.0.1. You can change the color if you want to; I think the default is totally fine. And then you'll want to set the port to whatever port you have told Burp Suite to run on. By default, it will use port 8080, so I will stick with that. Okay, now that that's set up, we will go ahead and set up Burp Suite, but we need to actually have a target to work against. The vessel that I'm going to use for this video to kind of showcase and teach some of the features of Burp Suite is actually going to be DVWA, or the Damn Vulnerable Web App.
If you haven't seen that or heard of that, it is a super cool application that is intentionally broken and misconfigured and has pre-planted vulnerabilities to help you learn and kind of educate yourself on how you can exploit these and take advantage of these when you see them in the wild, maybe in a bug bounty or pentest or capture the flag. We can go ahead and download it; it'll give you a zip archive, and you have to set up Apache or whatever web server you want to use to run the PHP (it's written in PHP, right), and MySQL as its backend database. So you'll have to set up those servers and really get that software up and running. To do that really quickly, I'm just going to actually run it as a Docker container. So I'm just going to Google, hey, Docker DVWA; you can see I've clicked on this before, and we'll actually just go ahead and grab the image for running the Damn Vulnerable Web App. You can really simply run that command if you have Docker installed. If you don't, you can usually just sudo apt install docker.io, and then you might need to add your user to the docker group, and then kind of log out and log back in so that change takes effect. Then you can run Docker commands and work with it. So in our case, I pulled this image already, so I can quickly spin up that Docker container and we'll be ready to rock. You can see I'm actually running this interactive, and it's going to use a specific port mapping, let's say 80 on my machine will map to 80 on the Docker container. And that's going to end up being our web application. So it is running. And let's go see if we can access it now in my web browser; I'll just go to localhost. And I don't need to supply a port because it's just running on port 80 by default. You could change that if you want to in the Docker command, but we don't have to in our case. So by default, the DVWA login is admin and password.
Go ahead and log in with that, and you'll immediately be brought to a page, the database setup. This is just kind of initially configuring everything and getting the DVWA application up and running. I'm just going to breeze through this stuff because this isn't the real Burp Suite instruction that you came for, but I'm just trying to show you everything that I did to get us up and running. Let's just go ahead and hit the Create / Reset Database here. Scroll down; it says the database is created, we created the users table, put data in there, etc., etc., etc. Now we can go ahead and log in. So I'll go to admin and password again as our credentials. Now we have the Damn Vulnerable Web Application ready for us to work with and tinker with. At this point, I haven't turned on our Burp Suite proxy. You can actually check out Burp Suite: it's running, Proxy over here, Intercept is on. That Proxy tab is going to be where you spend most of your time when you're working with Burp Suite. Maybe; we'll see. What we could do is go ahead and actually turn on our Burp Suite proxy by using FoxyProxy now. But before I do that, I want to actually specify a target scope. Because if we just turned on this proxy, all of a sudden all of our communication that's going through the web page is going to be funneled through Burp Suite. And if it's going to stop every single request and let you kind of manipulate it, sometimes that gets a little annoying. I'll show you that. Let's say I were to turn on Burp Suite, and I'll try and go to Google, maybe I'm doing some other research, or Mozilla is going to send some stuff back and forth. I've got to forward those, and, okay, there it comes again; I haven't even been able to get to Google just yet. Let's go to Google. And now I've got to click through all of these, and every single request that those pages are going to make we will either forward or drop, letting those packets go through or not. But you can see them; they were displayed to you right on the screen.
And Burp Suite will allow you to kind of manipulate the HTTP, or the hypertext transfer protocol, that's going through. So let's turn off intercept right now. And let's kind of minimize really what we're looking at. The way we can do this is actually just grabbing the URL of our target. In our case, I'm going to use localhost, because that's just where this is running. And we'll go ahead and we'll say, in the Target tab, all this stuff we can go ahead and select, right-click and delete, because we don't care all that much. That site map will gradually build as you explore different pages that are in your scope. If you go ahead and specify that in the filter here, you can see that tab. And you can just click on that and you could have it show only in-scope items, or only requested items, or maybe filter by MIME type: is it an HTML page that you're looking at, are you trying to gather some JavaScript that you want to pull down, or XML for XXE attacks, etc., etc., or status code, file extension, etc. We could tweak those and play with that. But for right now, I just want to showcase the scope that we can set. So hopping over to that sub-tab within the Target tab, let's go ahead and add a new scope. And we'll just specify a prefix for the URLs that we want to match. So I know that everything I'm going to be testing right now, because I'm working with that Damn Vulnerable Web App, is all within localhost. So let's just paste that in. Okay, now that that is enabled, we should be good to go, right? Be careful. If I were to go ahead and turn the proxy right back on again, and I try to go to another page, oh, okay, Firefox is going to do its thing; I'll go to Google, make a mess. And then again, all of these things are coming through. And that's just nonsense.
So what you need to do, if you are wanting to turn on that target scope and you don't want to get all those other annoying notifications from other web pages that might be trying to interact with you, or maybe YouTube is over in the corner and you're listening to some music jamming out, if you want that to be ignored by Burp Suite and just have that communication happen in place, is go over to the Options tab of the Proxy. You can actually see up here that proxy listener: you can specify here's the interface you're going to listen on, again localhost, you can specify the port, 8080 is what we have just now, and you can edit that if you wanted to. But really what I want to showcase is how you can intercept client requests. Really, what we can use now, actually with our target scope, is we can specify "and URL is in target scope," the target scope that we've already specified. That's often a box that's already there and available for you; you just have to make sure to click it and turn it on. Now, if I were to turn on, in our Proxy Intercept tab, intercept on, Burp Suite's going to grab and copy and actually allow us to manipulate all of those requests (copy is not the right word, my bad). If I were to refresh on our index.php, or homepage, of our Damn Vulnerable Web App, now it'll prevent those requests from going through without us being able to see them first; we are actually able to catch that and manipulate those requests. If I were to open up a new tab and go to Google or any other web page, or have YouTube running in the background, you can see Burp Suite wouldn't pop up and annoy us for some of the requests that we don't really care about. Really, this is good for us to kind of keep our target within the scope of our rules of engagement, right? All we really care about attacking and beating up and abusing is this web app. Well, then that's our target. That's what we want to be looking at.
So now with intercept on, all I'm looking at is our Damn Vulnerable Web Application. And as I go through all these different pages, you can see them actually grow within the site map; I'll have to forward some of these different pages that we go to. But if I look at my target now, that site map, you can see localhost is kind of something that we're looking at, and everything that's already been requested, everything that's been pulled down, or things that we could just see are now automatically things that Burp Suite will keep track of for us. And that's super cool. You can actually explore each of those pages and even see what we could potentially retrieve from them. If you've already retrieved them, maybe you'll get some of the response information here. And you can see some of the headers, etc., that are being pulled back and forth. That's what Proxy will allow us to do. Because when we requested a page, you can see the raw HTTP communication: we're running a GET method on a specific URL, and the version of HTTP we're using, the host that we're working with, what our user agent is. And these headers we can manipulate, because it's a request that we are sending the web server. Or you could view that in kind of a table view, check out those parameters or cookies that are being passed. And the headers, everything that we just saw in that raw format, now just kind of being in a nice GUI representation, we could go ahead and edit, or move up and down. So we could do interesting things with that. Hex display you could look at; I don't know how much you might particularly use that. But if there are some interesting bytes or encodings or hashes or salts or things that you're maybe trying to abuse or tweak at that low level, you can certainly see that with that hex view. Or we could just drop these connections. And then, well, now our proxy won't allow that to pass through.
Maybe there were some packets or some HTTP communications we didn't want to actually send the server. I just refresh that page. Okay, now let's get into some of the other functionality that our proxy is up and running with. Let's go ahead and hit that SQL Injection tab. It'll GET /vulnerabilities/sqli/ as the URI, or the path, that we're reaching that page on. And now you can see on the web page we have a simple form where we're showcasing a SQL injection vulnerability. We can search for a user ID. And we could actually explore some of this; let's enter 1. And you can see just exactly how that request is being sent to the web server, because Burp Suite's just going to show that to you as it's grabbing these requests in the proxy. You can see these are GET variables that are being supplied; we can see an id equals 1. That's the value that we just supplied in that form. And the Submit button is kind of being carried along with it. Something we could do if we wanted to is just forward that request and see what it does: we get our result just on the web page, and that works just fine for us. If I were to do that again with number 2, what we could do is we can right-click anywhere inside of this raw section, and we can send it to different tabs within Burp Suite, or we could change the request method, or copy the URL, or get a curl command out of this, or bring it to a file, save it, etc., etc. A lot of different options we can do inside of that Proxy tab. What I'd like to see is how changing the request method will actually have that web page interact with us. So I'm going to POST to /vulnerabilities/sqli/. And now, rather than seeing the HTTP variables or parameters that are being passed included in the URL, POST requests have them kind of included as data, as the body of the request. So now we can see our variables: id is equal to 2, and Submit is included. id is that parameter or that variable that we've included in our form submission.
If I were to send this, that works just as well for us. So it looks like our page is kind of worthwhile in getting some of these responses here. Let's see that just one more time. I want to make sure that did what I thought it did. I'll change that to a POST request, Change request method. I'll send it along. And that also did it just as well. So good enough. It's interesting, the URL appears to actually be converting that right to a GET variable. I digress. Let's go check out really what more we can do with this. If you're using DVWA, by the way, make sure to test some of these vulnerabilities or injections or techniques that we might be exploiting. Maybe you want to change the security level that the vulnerable web app is running with. By default, when I spun up this Docker container, I saw that it was actually at Impossible. And that made some of my testing a little bit difficult when I wanted to, like, get a quick example to show you guys. So set that to whatever you're interested in. Maybe you can try and avoid some filters or evade some kind of techniques that might mitigate your attacks. Now you can see we POST to that security page. And again, we could modify any of these header fields. We could become suddenly a Googlebot or change our user agent to be maybe something with Internet Explorer or Google Chrome; you could actually right-click on this and actually have some of those options in there. I've seen that you can automate some of those if you check out the Options here. Some of these Match and Replace options you could use will automatically set your user agent, or any header that you want to use, to a new value. So if we wanted to go ahead and emulate something else, emulate IE or an Android device, we could go ahead and match and replace, on the fly and automatically, what requests are going to end up being sent to our web server. So let's turn one of those on.
Let's set our request's User-Agent to now be an Android device so we can emulate Android. If I go back to Intercept... I'm going to stick with that Googlebot one for now. If I forward that, now you can see the responses and the requests that we make are using that new match-and-replace on the fly; Burp Suite will automatically replace some information for you, and it just did that with a regular expression. You can change that or tweak that or add as many of those as you would like. Pretty cool. Let's forward that. Okay, I'm going to go ahead and turn off that option now; I just kind of wanted to demonstrate that. But something that we could do in that SQL Injection tab: if I were to take the user ID of 1, I get that information. That works just fine for us. Maybe you're going to do some manual testing, though, and you're doing this over and over and over again. Maybe you're kind of fuzzing, just piece by piece, what data or what input you can supply to the web page and what it will do. So let's make another request. I'll just say 2 here. And now what we could do is we could actually send this to the Repeater tab. That's over here in Burp Suite, just a little bit above or past that Proxy tab. And we could send some of the requests that we're working with, just kind of copy and paste it in there. That would work for us. Or you could actually hit Ctrl+R. And you can see that Repeater tab just lit up because we've sent that request over to Repeater; Ctrl+Shift+R will bring me there. And now you can see that request is already there for us. What we could do is modify this as much as we'd like to and then send it with that Send button. And over on the right-hand side, you'll see the response pane kind of being populated with the raw response that the web page might give us. Now we're not looking at the rendered HTML that our web browser would show for us. But we're looking at the raw response that we could get, with HTML all included and the HTTP headers.
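The GET-versus-POST switch and the header match-and-replace described above, as an added Python example (not code from the video or from Burp Suite): it builds both raw request forms for the id=2 lookup, parses them back the way the server would, and rewrites the User-Agent header with a regex; the User-Agent strings are constructed placeholders.

```python
"""Raw HTTP/1.1 requests as Burp's Proxy tab shows them for the DVWA SQL
Injection form: build the GET form, the POST form that "Change request
method" produces, parse either back the way the server would, and apply a
regex match-and-replace to a request header (Proxy > Options > Match and
Replace). Added example, not code from the video or from Burp Suite; the
User-Agent values below are constructed placeholders."""
import re
from urllib.parse import parse_qs, urlencode

CRLF = "\r\n"


def build_get(host, path, params, headers=None):
    """GET: the form parameters travel in the query string of the request line."""
    lines = [f"GET {path}?{urlencode(params)} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    return CRLF.join(lines) + CRLF + CRLF


def build_post(host, path, params, headers=None):
    """POST: the same parameters move out of the URL and into the body as form data."""
    body = urlencode(params)
    lines = [f"POST {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    lines += ["Content-Type: application/x-www-form-urlencoded",
              f"Content-Length: {len(body.encode())}"]
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_request(raw):
    """What the server sees: method, path, headers and the parameters taken from
    the query string (GET) or the body (POST). Both forms yield the same values,
    which is why DVWA answered the POST just as well as the GET in the video."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, target, _version = request_line.split(" ")
    path, _, query = target.partition("?")
    headers = dict(line.split(": ", 1) for line in header_lines)
    params = parse_qs(query if method == "GET" else body)
    return {"method": method, "path": path, "headers": headers,
            "params": {name: values[0] for name, values in params.items()}}


def match_replace(raw, pattern, replacement):
    """Match and Replace on request headers: the regex is applied to each header
    line and never to the body, so a User-Agent swap cannot corrupt POST data."""
    head, sep, body = raw.partition(CRLF + CRLF)
    rewritten = [re.sub(pattern, replacement, line) for line in head.split(CRLF)]
    return CRLF.join(rewritten) + sep + body


if __name__ == "__main__":
    form = {"id": "2", "Submit": "Submit"}          # the video's user-id lookup
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"}
    get_req = build_get("localhost", "/vulnerabilities/sqli/", form, browser)
    post_req = build_post("localhost", "/vulnerabilities/sqli/", form, browser)
    print(get_req)
    print(post_req)
    # Emulate a crawler the way the match-and-replace rule in the video did.
    as_bot = match_replace(get_req, r"^User-Agent: .*$", "User-Agent: Googlebot/2.1")
    print(parse_request(as_bot)["headers"]["User-Agent"])
    print(parse_request(get_req)["params"] == parse_request(post_req)["params"])
```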
So that's kind of handy for us. That might allow us to see some of the information. You could scroll through it and get some raw, maybe, HTML comments, or see it accessing other CSS files or JavaScript files that the page might request. If we wanted to, we could copy all of this. Maybe that's requesting user ID 2, and just in the case where maybe we're looking at other options or routes for our web application server to go down in how it executes its code, you might get different results, and there might be a lot of changes, or maybe a minute detail that you didn't notice had changed. So what we could do is we can actually use that with the Comparer tab over here. If you wanted to, you could right-click to Send to Comparer in any pane, and that will go ahead and populate one entry in the Comparer tab with those raw bytes or data or values that we just saw. If I were to do that exact same thing, go back to Repeater and change it to an ID of 1, let's send that. If you don't want to hit that Send button over and over again, the hotkey for that is Ctrl+Space. And now we could copy and paste all that, bring it over to the Comparer and paste, or, as we saw just a moment ago, right-click and hit Send to Comparer. Now the Comparer has a couple of options that it can compare against, and it can compare byte by byte. If you wanted to use that fine-tuned, kind of granular differentiation, that might work for us. You can see that window just pops up. Or you can compare by words. You can see, okay, the timestamp is different. The content length is just slightly different. If I were to scroll down either of those panes, you can see, okay, ID number 2, here are the values, versus ID number 1, and those are the values that are included there. You can see that keys are modified, deleted and added, just kind of a color code for what you're looking at in this Comparer tab, and that will work really, really well for us. We could use that. That's one option.
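A word-level comparison in the spirit of the Comparer's "compare by words", as an added Python example that is not part of the video or of Burp Suite; the two responses are constructed to resemble DVWA's output for user ID 1 and 2, so the Date, the Content-Length and the record fields come out as modified runs.

```python
"""A word-level diff in the spirit of Burp's Comparer tab ("compare by words"):
each run of words in two captured responses is classed as equal, modified,
deleted or added, the same four categories Comparer colour-codes. Added
example, not code from the video or from Burp Suite; the two responses are
constructed to resemble DVWA's SQL Injection page for user ID 1 and 2."""
import difflib
import re

TOKEN = re.compile(r"\S+|\s+")   # keep whitespace tokens so runs rebuild the original text
TAGS = {"equal": "equal", "replace": "modified", "delete": "deleted", "insert": "added"}


def compare_by_words(left, right):
    """Return [(tag, left_text, right_text), ...] covering both inputs end to end."""
    ltok, rtok = TOKEN.findall(left), TOKEN.findall(right)
    matcher = difflib.SequenceMatcher(a=ltok, b=rtok, autojunk=False)
    return [(TAGS[op], "".join(ltok[i1:i2]), "".join(rtok[j1:j2]))
            for op, i1, i2, j1, j2 in matcher.get_opcodes()]


def changed_runs(left, right):
    """Only the runs Comparer would highlight, i.e. everything that is not equal."""
    return [run for run in compare_by_words(left, right) if run[0] != "equal"]


def make_response(timestamp, body):
    """Constructed HTTP response carrying the two headers the video points at as
    differing between the two lookups: the Date and the Content-Length."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Date: Sat, 09 Nov 2019 {timestamp} GMT\r\n"
            "Content-Type: text/html;charset=utf-8\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            "\r\n" + body)


# Constructed bodies in the shape of DVWA's "User ID" output.
BODY_ID1 = "<pre>ID: 1<br />First name: admin<br />Surname: admin</pre>"
BODY_ID2 = "<pre>ID: 2<br />First name: Gordon<br />Surname: Brown</pre>"
RESPONSE_ID1 = make_response("18:12:01", BODY_ID1)
RESPONSE_ID2 = make_response("18:12:07", BODY_ID2)


if __name__ == "__main__":
    for tag, old, new in changed_runs(RESPONSE_ID1, RESPONSE_ID2):
        print(f"{tag:9} {old!r:16} -> {new!r}")
```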
If you didn't like right-clicking over and over again, if you're kind of a keyboard junkie like me, to Send to Comparer or whatever, again in the User options you can actually go ahead and specify, for one thing, how you want Burp Suite to look, and that's how I tweaked some of these font changes so you can see it. And in the Misc tab you can actually add more hotkeys. So you can see I talked about Send to Repeater, or Send to Comparer; we can go ahead and edit one, maybe add a new hotkey for that, maybe an Alt+C or something. There you go: Ctrl+Shift+Alt+C. I just put a bunch of stuff in there. I don't really need to do that, but I wanted to show you that that is where you can add hotkeys, in the User options tab, in the Misc tab. Cool. Okay, now let's actually do some worthwhile stuff. Let's go back to our Repeater and let's try some SQL injection, right? We know so far that all we can manipulate is an id value; that's everything that our form is allowing us to send. We could fuzz that; we could send it some interesting stuff. Let's try and send it, if we're doing SQL injection, a simple single quote in there. If I send that, now I have a new response, and I didn't have to go back to the web page to see that or have it refresh every time; Burp Suite will allow me to do that just right here in the Repeater tab. It says: You have an error in your SQL syntax. Check the manual that corresponds to your SQL server for what 1 with an extra single quote might mean. Okay, so because we have a SQL error, maybe we are in fact doing some SQL injection. Let's try and use the classic SQL injection technique, or 1=1, and I'm going to use a hashtag here, or that pound symbol, the octothorpe. Good word, guys. Science. That will allow us to actually comment out the rest of that SQL query.
So all we have is our injected or 1=1, which evaluates to true, and maybe we could return every single row inside that database if they were trying to limit us with a WHERE clause or some filter. I'll try and send that, but I get a 400 Bad Request: we sent a request that the server could not understand. And that might be interesting to us, because, well, this totally looks like valid SQL injection the way we think of it. But don't forget, now within Burp Suite we're using raw HTTP, or that hypertext transfer protocol, so what we might need to do is actually URL encode the data or the changes that we're making. You can do that with a cool hotkey, or you could right-click: there is Convert selection, URL, URL-encode / URL-decode. Ctrl+U is the hotkey to encode, Ctrl+Shift+U to decode, or you could convert it from HTML or Base64, etc., etc. If you didn't want to do that as you're working with the hotkey, maybe turn on that option, URL-encode as you type. Let's see that real quick. I'm just going to remove that, and I'll right-click and turn on URL-encode as you type. Here is a single quote, here is a space; let's type in or, space, 1=1, and then a hashtag, or that octothorpe, pound symbol. Now you can see it automatically URL encoded all of those for me, and I didn't have to. I could Ctrl+Shift+U, but my Unity version, I think, does weird things with that; it just creates a small window for me. So I'm going to go ahead and right-click and URL encode that; let's URL decode that. Cool. So that would work for us. Or there is the Decoder tab, which will allow you to do that as much as you want. So let's say I had or 1=1 with our hashtag there, and you can see it will create kind of a pane for me on how it's going to manipulate or transform that data. Let's go ahead and encode that as URL. Now that's done all of the different values as URL encoded, which might be cool, might be handy for us, and maybe some techniques you might end up doing will allow you to try and inject some double-encoded values. Let's go ahead and encode it again with URL encoding. Now you have double-encoded stuff, which might help evade some filters or some other techniques to mitigate your attack or your exploit, etc. Or we could encode this as Base64, right? You could add as many of these layers as you particularly wanted to, and that's kind of neat, kind of cool. If you wanted to remove any of those, just go ahead and delete them and slowly you will lose those options there as needed. But you could do that just as you're working, as you're typing, with those hotkeys, and again you could add as many of them as you want with that hotkeys tab.

So now in the Repeater, let's go ahead and URL encode this or 1=1. I'll send that along URL encoded, hit Ctrl+Space to send that, and now we have a valid response back from the web server, and we can see we have successfully done some SQL injection. We got our first name admin, surname admin; first name Gordon; Hack is the next entry; Pablo is the next entry, etc., etc. So now we've got some SQL injection leaking all of the database out. Really, that's how we can use Burp Suite to manipulate some values and variables and information: the POST request versus the GET request, the user agent, the headers that we send, or anything that might be present inside of the raw HTTP communications that are going back and forth from a website. So that's that. That's a quick run-through on the Proxy tab, the Repeater tab, the Comparer and the Decoder tab. There's some other really cool stuff between the Intruder and other options that Burp Suite can do, but we'll get into that maybe in a later video. I've got a lot of videos that I want to do. I want to cover some DVWA stuff; I think that'd be cool to showcase some of these techniques for you guys and maybe level up that security tab, the level here, or the difficulty of the vulnerabilities.

Now thank you guys so much for watching. I hope you enjoyed this video. If you did, please do like, comment and subscribe. Please go check out Hostinger, use that code John Hammond, 91% off hosting services. Very, very cool. Thank you guys so much. I'd love to see you on Discord, love to see you on Patreon, PayPal, Facebook, LinkedIn, Twitter, Instagram, social media, YouTube. Thanks again guys, I'll see you in the next video. Take care.
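The 400 Bad Request and the Decoder tab's stacked encodings from the SQL injection walkthrough above, as an added Python example that is not from the video or from Burp Suite; the payload is the one typed into the Repeater, the request line is constructed, and the fixpoint decoder shows why a filter or log parser has to peel every layer before it matches anything.

```python
"""Why the raw injection got 400 Bad Request, and the Decoder tab's stacked
encodings (URL, URL again, Base64) with their inverse. Added example, not code
from the video or from Burp Suite; the payload is the one typed into the id
field in the video, and the request line is constructed."""
import base64
from urllib.parse import quote_plus, unquote_plus

PAYLOAD = "1' or 1=1 #"          # what was typed into the Repeater in the video


def request_line_is_valid(line):
    """An HTTP/1.1 request line is exactly METHOD SP target SP version. A literal
    space left in the query string breaks that split (the server would read "or"
    as the HTTP version), so Apache answers 400 before PHP or the database ever
    see the value."""
    parts = line.split(" ")
    return len(parts) == 3 and parts[2].startswith("HTTP/")


def request_line(id_value):
    """Constructed request line for the DVWA id parameter, as sent from Repeater."""
    return f"GET /vulnerabilities/sqli/?id={id_value}&Submit=Submit HTTP/1.1"


ENCODE = {
    "url": lambda s: quote_plus(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}
DECODE = {
    "url": unquote_plus,
    "base64": lambda s: base64.b64decode(s).decode(),
}


def encode_layers(value, layers):
    """Apply the Decoder tab's layers in order, e.g. ["url", "url", "base64"]."""
    for layer in layers:
        value = ENCODE[layer](value)
    return value


def decode_layers(value, layers):
    """Undo encode_layers: peel the layers off in reverse order."""
    for layer in reversed(layers):
        value = DECODE[layer](value)
    return value


def peel_url_encoding(value, max_layers=8):
    """Defender's view: a filter or log parser that decodes only once misses a
    double-encoded value. Decode until the text stops changing and report how
    many layers came off, so a rule can flag depth > 1 as well as the payload."""
    layers = 0
    while layers < max_layers:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


if __name__ == "__main__":
    print(request_line(PAYLOAD), request_line_is_valid(request_line(PAYLOAD)))
    once = encode_layers(PAYLOAD, ["url"])
    print(request_line(once), request_line_is_valid(request_line(once)))
    twice = encode_layers(PAYLOAD, ["url", "url"])
    print(twice, peel_url_encoding(twice))
    stacked = encode_layers(PAYLOAD, ["url", "url", "base64"])
    print(stacked, decode_layers(stacked, ["url", "url", "base64"]) == PAYLOAD)
```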