Time
50 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Welcome to module four of the Burp Suite Primer. Hopefully your scan completed
00:06
and everything looks good. Mine seemed to perform well and complete. So let's just get out of here and take a look at it.
00:14
Okay?
00:16
All right. Just break this out.
00:21
There we go. Uh, went down to the bottom.
00:25
Yep.
00:26
All right, client, our audit finished. Okay,
00:30
11 highs. No mediums, seven lows and 23 informational. Let's take a look at the audit items.
00:37
Okay. Done. Done. A couple of errors there
00:41
in the status column. We can see pretty much common errors were there.
00:47
Everything seemed to complete. Okay, another item I'd like to point out:
00:52
it says start time and end time. It just pretty much gives an idea of how long this scan took to run. Ten minutes, pretty much ten minutes, which is fantastic for the type of scan that we kicked off. Again, this is gonna vary based on the options that you choose, the policy, the speed of the network.
01:11
But in general, web scans take a long time. This is a demo scan. So
01:15
don't be fooled into thinking all my scans are gonna be done in like ten minutes, in particular if you're doing a lot of, ah, web-level scans. Web scans take considerably longer. But ten minutes for a demo scan, I think it's pretty good.
01:27
Okay, let's go to our issues.
01:30
All right, look over here. We
01:33
can do everything by severity, or we can just go to the filter,
01:37
and it shows us all the highs that we see,
01:41
so yeah.
01:42
Yep.
01:42
Cross-site scripting, SQL injection,
01:46
cross-site scripting reflected. And you see, you can sort. It also shows the path, which is really good, so you'll know where a vulnerability occurred in the application.
01:57
Cleartext submission of passwords. Okay. And we talked about earlier, ah, you know, Burp's classifications: certain, firm, and tentative. Uh, it's pretty certain that these particular high vulnerabilities that are appearing
02:14
actually are there. Of course, just because Burp says that, it doesn't mean that they're there; you still got to go back and do a lot of checking and make sure. But yeah, this is pretty much what I expect to see. Now, to generate an actual report, you could generate a report from here.
02:30
You know, just select everything, if you like.
02:32
You could generate the report from here
02:36
and just select everything. I'm on a Mac, so for me it's Command-A, and you do right-click, and pretty much you can see "Report selected issues." You could do that from here.
02:49
And also,
02:53
you could go back to the actual target itself
02:58
and generate the report,
03:00
go down to the issues,
03:01
and you can report issues for this host from here.
03:06
Okay, so we can go HTML,
03:08
all the background. You want to pretty much include as much as you possibly can if you're sending this report out to someone else.
03:17
You want to include all the relevant extracts, and there may be instances where you want to include everything,
03:23
but that could be a very large report. So let's go with "relevant" here
03:29
and also "relevant" for the actual responses.
03:31
Okay,
03:32
These are all the issues that you want to include,
03:38
and you can select a file and where you actually want to save the report.
03:42
okay.
03:43
So you could save it pretty much wherever you want.
03:47
Uh, let's go with the desktop here.
03:51
Okay? We'll call it
03:53
Demo Scan,
03:55
and we'll use today's date
03:58
June 15th.
04:00
Okay.
04:02
Okay.
04:05
And
04:06
We'll group everything by severity.
04:11
Two levels of table of contents is fine. And we want all issues.
04:14
Okay?
04:16
And that's our report. Now let's go to our desktop and see,
04:20
See if we can.
04:25
Okay, there it is, over there. If you notice, it's not associated with anything.
04:30
So what you may want to do,
04:32
you could rename it if you like
04:35
to an .html file. We could just open it
04:39
with
04:41
with Firefox.
04:43
Okay. And as you see, this is, you know, a pretty nice report. You know, all your highs, you have your confidence level
04:49
and everything is listed here,
04:53
So if you scroll down
04:56
SQL injection, issue background, remediation,
04:59
uh, everything that you expect to see, the requests where necessary,
05:03
here.
05:06
I think there are things that are highlighted. Those are pretty important. Those are things that Burp wants you to see to verify that the vulnerability actually exists. Okay,
05:16
so I think, all in all, we got a pretty good report here.
05:19
And I've always liked the way the tool
05:23
reports out, and in particular for management types and things like that, they like the colors and things like that. You may want to export things in XML if you have a lot of vulnerabilities, and you can parse that out yourself in a spreadsheet. So that's also an option. Okay,
05:40
so that's pretty much it for that. So we can,
05:45
you can pretty much wrap everything up with Burp. We have a report.
05:47
Okay.
05:48
We can go here, up on the project. Options, always up on the project.
05:55
I always want to save a copy. Okay.
05:58
Okay, I always want to save a copy of the actual project, and always save in-scope items only. So you can name the project if you want to.
06:08
And I called it, um,
06:11
well,
06:15

06:17
demo.
06:18
All right.
06:19
So
06:23
All right.
06:25
Thanks.
06:26
And I'm gonna include Collaborator, a file, everything I possibly can include, just in case you've got to go back to this. Okay.
06:42
Okay.
06:43
We'll save it to the desktop also.
06:46
So that's the whole project, just the whole project, everything, if you ever had to go back, and anybody wants to see the scan without the report or anything like that for some unknown reason.
06:57
So that concludes our scan. We saved it; we saved the actual project itself. We have our reports, so we can actually close Burp down now.
07:05
Okay.
07:10
All right.
07:13
We did a scan. We saved our session. Saving our session is pretty much where we were when we saved the project itself. So if you need to bring that back up, or for historical significance or investigations, things like that, you have not only the report, but you have the entire file that you can import back in and show, hey, this is what I did
07:31
to get the results that I got.
07:34
Okay? Our objectives, assessments.
07:36
Um, today we covered Burp Suite Professional, how to configure it, also how to scan with it pretty quickly without you having to go to the PortSwigger site and read all their documentation. Their documentation is good,
07:47
but sometimes you're in a hurry, and maybe you have to get a scan kicked off pretty quick for a different reason; it's gonna be investigations. There could be a number of reasons that you want to do it quickly and you want to try the tool out. And I leave it up to you guys to kind of
08:03
ask yourselves: Burp is basically 400 bucks, ah, you know, a consideration versus AppScan or HP WebInspect, which can cost anywhere from 50 to $75,000. So I'll let you guys, you know, pretty much make the decision.
08:20
Does it work for you? Some people want more reporting options, prettier report options, and Burp may not actually give you that.
08:28
Okay. Some of the resources, of course:
08:31
PortSwigger is great.
08:33
Also go to the support website also, and particularly for the certificate issue; you have to import that certificate
08:39
into Firefox to make sure you don't get SSL errors. And also take a look at OWASP. OWASP is fantastic for explaining pretty much the OWASP Top 10 and other types of application-level vulnerabilities. So hopefully you guys have enjoyed this and it has been a great knowledge transfer for you.
08:58
We all learn from each other, so please send me any
09:03
comments or suggestions that you have that will make the presentation a whole lot better. Again, thanks for joining me.

Up Next

Intro to Burp Suite Pro

This short, online training course provides students with an introduction to scanning web applications using the Burp Suite Web Scanner Professional Edition. Upon completion, students will have a basic understanding of how this solution works.

Instructed By

Darian Gary
Senior Cyber Consultant at USDA ARS
Instructor