Hello and welcome to the secure coding course. My name, Miss anywhere, and I will be presenting an overview of the burbs. Sweet proxy tool. One of the tools we will be using in this course is called Burb Sweet.
It's Theburbs sweet proxy tool,
and I wanted to go ahead and give a quick introduction to the tool and some settings. Now you might be thinking, Well, what is burb sweet. So basically, burp suite is an interception proxy tool that sits between your browser and a website.
And what this does is it actually captures the traffic as it leaves your browser. Ah, but before it actually goes to the website and allows you to see that traffic and actually manipulate data that's in that request or or response
burps Weed is something that is running on your local machine,
and it runs usually on a particular port number, and we'll be using Port 80 80.
And so what happens is you change your browser to actually point to burp suite. First,
you turn the interceptor on Enberg sweet and so when the traffic leaves your browser, it gets gets captured in burbs. Sweet.
Where we can manipulate values inside of that request. And then perhaps we can forward the request on to the website where, of course, it's forwarded to the Web server, which is serving that website, and the exact same
mechanism can be done for. The response is Well,
so let's go ahead and start verb sweet inside of our V m.
What no need to do is open a terminal
and you can open a terminal window just by clicking on the left hand side terminal.
If you already have one open, you can open another one by clicking new terminal. We're actually gonna need a couple in order to show the instructions as well as starting a verb sweet.
So when you first log in,
if you do the command, who am I? You'll see that you are you bun, too.
And actually there is a directory in the home you bun, too.
Location that is called verb sweet, so you can go ahead and CD into that
inside of that directory. You're going to find some instructions that I've created
that tell you how to run burps week,
and you will need to go ahead and take a look at these
because I did have to modify the location where it's run. So the first prompt is that you should change to be route.
This is easily done in you bun to with e soo do command
so we can use our other terminal over here for that.
Now, when it prompts for the password, remember that our password is reverse.
And then step number two says we need to change to the OPS directory
and then step number three. Run the following command at the prompt.
You can just copy this command
and paste it over here.
So let's go ahead and test out our group. Sweet and make sure that it's working with their application
now in your V M. All you need to do is open your Firefox browser,
and it's going to actually default to the location of Tomcat where Tomcat is running, which is on Port 80 90.
what you should have is you should have a bookmark for Web goat
already in the bookmark dropped down. She can just click this
when you click that bookmark, you should have an authentication required of guest guest.
Now, make sure that burp sweets proxy intercept is off.
It will be on by defaults who make sure that it says intercept is off
in order to get the prompt for for Web goat.
So the user name is Guess the password is guest
and you should come to the first page of Web goat
and go ahead and click start Web goat.
So now going back to burbs. Sweet.
In order to actually verify that everything is working fine,
the general http Basics
and this is just a regular
Web page takes in. This is just a regular Web page that will take in your name and just reverse it. Now what we're going to do is
we're going to put our name inside of this text box. But before we click the go button,
we're actually going to go to the proxy tab
and turn intercept on.
So when burps we each of these tabs represents a different module,
and as you can see, Burb Suite is made up of quite a number of different modules. A lot of functionality in this tool.
Now, one of the problems is that you have to tell your browser to actually go to burp suite before it goes to the website before it goes to the Web server
a couple of different ways. You can do that. You can actually go into the configurations and modify the options,
and that would be under advanced network and settings,
and you could set the proxy settings here. However,
another way that you could do it is I actually have
and add on inside of your browser called Foxy Proxy.
Foxy Proxy allows you to set up multiple proxies
and just tab between them. So
if I wanted to turn off burb sweet
then I could use the default. And so it would no longer go to Burke. Sweet.
But in this case, I want to go ahead and have burb sweet intercept all traffic.
It should already be set up for you. But if it's not is very easy to add a new proxy,
you're going to put the
The port is going to be 80 80
and, um, and you can put a name here, burps weeds so that you know which one it is and just click. Okay,
so we've got everything set, and we have our intercept on Enberg. Sweet. So we're gonna go ahead and click to go.
And what you can see here is
inside of birth. Sweet.
the name that we typed in that's getting captured,
and you can see that this is being held here. So we have to actually click forward
in order for our request to get forwarded to the Web server.
And so it finally did, and it just reversed our name.
Now, a couple of settings that I want you to have
go to the proxy tab, go to the options tab,
and we're going to make some changes here.
um, move this. You are real option up.
This is for client requests. We're going to move that up.
We're going to enable that.
Because what we want to do is we want to look at the Urals, that Aaron our target scope, and we're going to do the spider ring in just a moment
now for the file extension. We want to add one more option here. So go ahead and edit to this,
J peg with an e. So just make sure that you get
the carrot, the J p e g, the dollar sign and the pipe
and click. OK, so your should look just like mine now.
Also, what we want to do is we want to intercept the responses. And so we need to click this check box here, intercept responses,
and we also want to make the same change. We want to enable this.
Ah, we can get rid of that 2nd 1 there. So we're going to focus on the Urals that Aaron scoop
A couple of other things to mention
there are all sorts of features with burp. Sweet.
If we were running over https, for example, the secured
protocol, then we could actually just click this and have burb sweet
convert that doing SSL strip and converted to http s O that it's no longer encrypted.
I don't need to do any of the other settings for now,
so that is all that we need to do. So please make sure that your settings look exactly like this.
Now, to move to our target
now, I have already started clicking around in my website.
But if I were to restart, burp
have it do a spider,
um, of this target location, what I would do is I would select Spider this host,
and I'm going to go ahead and have that included there.
Now, you can always check
the status of the spider ring action.
Um, by looking here,
and it actually looks like it's done.
Now, one of the things you could do is you can see how there are external websites that air referenced.
What we can do is we can actually
have burps. We only show us the items that are in scope,
okay? And so that helps to keep this much cleaner.
Now, as you take a look at your web goat installation,
you will see that there are lots of screens here
and we've not actually clicked many of them,
so they'll be grayed out. But as you go through
as you actually go through the website,
these grays will turn to a dark fought
and that lets you know that you visited that
So that's an overview off burp, sweet and the configuration settings