4.1 Scan Review and Conclusion

00:00

welcome to module four of the burbs Weaves, Primer Hopefully, your scan completed

00:06

and everything looks good. Mind seemed Thio to perform well and complete it. So let's just get out of here and take it. I'll take a look at it,

00:14

Okay?

00:16

All right. Just break this out.

00:21

There we go. Uh, went down to the bottom.

00:25

Yep.

00:26

All right, client, our audit finished. Okay,

00:30

11 highs. No mediums, seven lows and 23 informational. Let's take a look at the audit items.

00:37

Okay. Done. Done. A couple of errors there

00:41

in the status column. We can see pretty much common errors. Were there,

00:47

Everything seemed to plead complete. Okay, in another item, I'd like to point out,

00:52

it says start time and time. Just pretty much gives an idea how long this can took to run. 10 minutes. Pretty much 10 minutes. Which is which is fantastic for the type of skin that that we kicked off again. This is gonna vary based on the options that you choose the policy to speed of the network.

01:11

But in General, Webb scans to take a long time. This is this is a demo scan. So?

01:15

So don't be food and thinking it all my skin's gonna be done like 10 minutes and in particular, your use of doing a lot of ah ah, West level scans. Web scans take considerably longer, so but 10 minutes for a demo scan. I think it's pretty good.

01:27

Okay, let's go to our issues.

01:30

All right, look over here. Will,

01:33

can we can do everything by severity, or we can just go to the filter.

01:37

And it shows us all all the highs that we see,

01:41

so yeah.

01:42

Yep.

01:42

Cross site scripting SQL injection,

01:46

cross site scripting reflected. And you see you consult. It also shows the path which is rich is really good. So you'll know you'll know what a vulnerability occurred and occurred in application.

01:57

Clear text, mission of passwords. Okay. And we we talked about earlier. Ah, you know, the burbs classifications for certain firm and in tentative. Uh, it's pretty certain that these particular hi vulnerabilities doesn't that are appearing,

02:14

actually, are there? Of course. That's because burp says that there doesn't mean that there you still got to go back and do a lot of checking and make sure, but yeah, this is pretty much this is pretty much what I expect to see now to generate an actual report. You could generate a report from here.

02:30

You know, just dis elect everything. If you like.

02:32

You could You could generate the report from here

02:36

and just elect everything. I'm on a Mac. So for me, it's his command. A and you do right click, And pretty much you can see reports elected report, selected issues. You could do that from here.

02:49

And also,

02:53

you could go back to the actual target itself

02:58

and generate to report

03:00

go down the issues

03:01

and you can report issues for this host from here.

03:06

Okay, so we can go html

03:08

all the background wanted. You want pretty much include as much as much as you possibly can. If you're seeing this report out to someone else,

03:17

you won't include all the relevant extracts and some that maybe instance where you won't include everything

03:23

but that that that could be ah, very large reports. So that's disco. It relevant here

03:29

and also relevant for the actual responses.

03:31

Okay,

03:32

there's all the issues that you want to include,

03:38

and you can select a filed and where you actually want to say to report

03:42

okay.

03:43

So you could save it pretty much. Pretty much wherever you want.

03:47

Uh, let's go with the desktop here.

03:51

Okay? We'll call it

03:53

Demo Scan,

03:55

and we'll use today's date

03:58

June 15th.

04:00

Okay.

04:02

Okay.

04:05

And

04:06

well, group everything by severity.

04:11

Two loaves of table Conscience is fine. And we want all issues.

04:14

Okay?

04:16

And that's our report. Now this goto our desktop and see,

04:20

See if we can.

04:25

Okay, there it is. Over there. If you know this, it's not associate with anything.

04:30

What? So what you may want to do?

04:32

You could rename it if you like.

04:35

Thio html file We could just open it

04:39

with

04:41

with Far Fox.

04:43

Okay. And as you see, this is you know, it's a pretty nice report. You know, all your highs. You have your confidence level

04:49

and everything is listed here,

04:53

So if you scroll down

04:56

SQL injection, used your background remediation,

04:59

Uh, everything that you expect to see the requests were necessary

05:03

here.

05:06

I think there's things that are highlighted. Those are pretty important. Those things that the Berg Berg wants you to see to verify that the vulnerability actually exists. Okay,

05:16

so I think all in all mean we got a pretty good report here.

05:19

And I've always liked the way the tool

05:23

reports out and in particular for management types. And things like that didn't like the colors and things like that. You may want to export things in an XML if you have a lot of vulnerabilities and you can parse that out yourself and in a spreadsheet. So that's also an option. Okay,

05:40

so that's pretty much it for It's for that. So we can

05:45

you can pretty much wrapped everything that will burn. We have a report.

05:47

Okay.

05:48

We can go here upon the project. Options always upon the project.

05:55

I always want to save a copy. Okay.

05:58

Okay. I always want to save a copy of the actual project and always save, save, save in scope items on Lee. So you can name the project if you want to.

06:08

And I called it, um

06:11

Oh, Well, tha row

06:15

lt

06:17

demo.

06:18

All right.

06:19

So

06:23

All right.

06:25

Thanks.

06:26

And I'm gonna include collaborator Jennifer, a file. Everything I possibly conclude just in case you got to go back to this. Okay.

06:42

Okay.

06:43

Well, save it to the desktop also.

06:46

So that's the whole project. Just the whole project everything. If you ever had to go back. And anybody want to see the skin without the report or anything like that for some unknown reason.

06:57

So back that concludes. That concludes our skin was saved up. We're saved of the actual project itself. We have our reports so we can actually cause Burke down now.

07:05

Okay.

07:10

All right.

07:13

Viewed. I scan. We saved our session. Saving our session is is pretty much where we were when we saved the price. Save the project itself. So if you need to bring their backup or for historical historical significance or investigations, when things like that you have not only report, but you have the entire file, that's good that you can import back in show. Hey, this is what I did

07:31

to get the results that I got.

07:34

Okay? Our objectives, assessments.

07:36

Um, today we covered burps. We professional how to configure it also, how to scam with it pretty quickly without you having to go to post worker site and in re dollar documentation, their documentation is good.

07:47

But sometimes you you're in a hurry. And maybe you have to get a skin kicked off pretty quick for a different reason is gonna be investigations. That could be a number of reasons that you want to do it quickly and and you want to try to tool out. And I leave it up to you guys that kind of kind of

08:03

ask yourselves, It's burps. Basically 400 bucks. Ah, you know, a consideration versus a nap scan or or HP Weapon's spec, which can cause anywhere from 50 to $75,000. So I'll let you guys, you know, pretty much make the decision,

08:20

Does it? Does it work for you? Some people want more reporting options, prettier report options and in Burt may not actually give you that.

08:28

Okay, Some of the resource is, of course,

08:31

poor swingers is great.

08:33

Also going to support website also and particularly for disappearing. For the actual certificate issue, you have to import death certificate

08:39

in various files, are sure you don't get SSL areas and also take a look at a wasp. Oh, lost. It's fantastic for explaining pretty much, though, what's top 10 and other type of application that will level vulnerabilities. So hopefully you guys have enjoyed this and it has been a great knowledge transfer from you.

08:58

We all learn from each other, so I mean, please send me any