00:04
Hello and welcome to the secure coding course. My name is [inaudible], and I will be presenting an overview of the Burp Suite proxy tool. One of the tools we will be using in this course is called Burp Suite.
00:17
It's the Burp Suite proxy tool,
00:20
and I wanted to go ahead and give a quick introduction to the tool and some settings. Now you might be thinking, well, what is Burp Suite? So basically, Burp Suite is an interception proxy tool that sits between your browser and a website.
00:40
And what this does is it actually captures the traffic as it leaves your browser, but before it actually goes to the website, and allows you to see that traffic and actually manipulate data that's in that request or response.
01:00
Burp Suite is something that is running on your local machine,
01:06
and it runs usually on a particular port number, and we'll be using port 8080.
01:12
And so what happens is you change your browser to actually point to Burp Suite first.
01:19
You turn the interceptor on in Burp Suite, and so when the traffic leaves your browser, it gets captured in Burp Suite,
01:29
where we can manipulate values inside of that request. And then perhaps we can forward the request on to the website, where, of course, it's forwarded to the web server which is serving that website, and the exact same
01:46
mechanism can be done for the response as well.
01:49
So let's go ahead and start Burp Suite inside of our VM.
01:55
What you need to do is open a terminal,
01:59
and you can open a terminal window just by clicking on the left-hand side Terminal.
02:04
If you already have one open, you can open another one by clicking New Terminal. We're actually going to need a couple in order to show the instructions as well as starting Burp Suite.
02:17
So when you first log in,
02:20
if you do the command whoami, you'll see that you are ubuntu.
02:24
And actually there is a directory in the home ubuntu
02:31
location that is called Burp Suite, so you can go ahead and cd into that.
02:39
Inside of that directory, you're going to find some instructions that I've created
02:45
that tell you how to run Burp Suite,
02:50
and you will need to go ahead and take a look at these
02:53
because I did have to modify the location where it's run. So the first prompt is that you should change to be root.
03:04
This is easily done in Ubuntu with the sudo command,
03:08
so we can use our other terminal over here for that.
03:14
Now, when it prompts for the password, remember that our password is "reverse".
03:23
And then step number two says we need to change to the opt directory,
03:32
and then step number three, run the following command at the prompt.
03:43
You can just copy this command
03:46
and paste it over here.
04:00
So let's go ahead and test out our Burp Suite and make sure that it's working with the application.
04:06
Now in your VM, all you need to do is open your Firefox browser,
04:15
and it's going to actually default to the location of Tomcat, where Tomcat is running, which is on port 8090.
04:26
What you should have is a bookmark for WebGoat
04:32
already in the bookmark dropdown. You can just click this.
04:48
When you click that bookmark, you should have an "Authentication Required" prompt of guest/guest.
04:55
Now, make sure that Burp Suite's proxy intercept is off.
05:01
It will be on by default, so make sure that it says "Intercept is off"
05:06
in order to get the prompt for WebGoat.
05:13
So the username is guest, the password is guest,
05:18
and you should come to the first page of WebGoat,
05:23
and go ahead and click Start WebGoat.
05:32
So now, going back to Burp Suite,
05:36
in order to actually verify that everything is working fine,
05:46
the General HTTP Basics,
05:53
and this is just a regular
05:57
web page. This is just a regular web page that will take in your name and just reverse it. Now what we're going to do is
06:09
we're going to put our name inside of this text box. But before we click the Go button,
06:15
we're actually going to go to the Proxy tab
06:17
and turn intercept on.
06:20
So in Burp Suite, each of these tabs represents a different module,
06:26
and as you can see, Burp Suite is made up of quite a number of different modules. A lot of functionality in this tool.
06:33
Now, one of the problems is that you have to tell your browser to actually go to Burp Suite before it goes to the website, before it goes to the web server.
06:46
There are a couple of different ways you can do that. You can actually go into the configurations and modify the options,
07:04
and that would be under Advanced, Network, and Settings,
07:10
and you could set the proxy settings here. However,
07:14
another way that you could do it is, I actually have
07:17
an add-on inside of your browser called FoxyProxy.
07:23
FoxyProxy allows you to set up multiple proxies
07:28
and just tab between them. So
07:31
if I wanted to turn off Burp Suite,
07:38
then I could use the default, and so it would no longer go to Burp Suite.
07:45
But in this case, I want to go ahead and have Burp Suite intercept all traffic.
07:49
It should already be set up for you, but if it's not, it's very easy to add a new proxy.
07:57
You're going to put the
08:07
the port is going to be 8080,
08:09
and you can put a name here, Burp Suite, so that you know which one it is, and just click OK.
08:18
So we've got everything set, and we have our intercept on in Burp Suite. So we're going to go ahead and click Go.
08:28
And what you can see here is,
08:31
inside of Burp Suite,
08:37
the name that we typed in, that's getting captured,
08:41
and you can see that this is being held here. So we have to actually click Forward
08:46
in order for our request to get forwarded to the web server.
08:52
And so it finally did, and it just reversed our name.
08:58
Now, a couple of settings that I want you to have:
09:03
go to the Proxy tab, go to the Options tab,
09:09
and we're going to make some changes here.
09:13
Move this URL option up.
09:18
This is for client requests. We're going to move that up.
09:24
We're going to enable that,
09:26
because what we want to do is we want to look at the URLs that are in our target scope, and we're going to do the spidering in just a moment.
09:35
Now for the file extension, we want to add one more option here. So go ahead and edit this,
09:54
jpeg with an e. So just make sure that you get
10:00
the caret, the jpeg, the dollar sign and the pipe,
10:07
and click OK, so yours should look just like mine now.
10:11
Also, what we want to do is we want to intercept the responses. And so we need to click this checkbox here, Intercept responses,
10:22
and we also want to make the same change. We want to enable this.
10:28
We can get rid of that second one there. So we're going to focus on the URLs that are in scope.
10:39
A couple of other things to mention:
10:41
there are all sorts of features with Burp Suite.
10:45
If we were running over HTTPS, for example, the secured
10:50
protocol, then we could actually just click this and have Burp Suite
10:54
convert that, doing SSL strip, and convert it to HTTP so that it's no longer encrypted.
11:05
I don't need to do any of the other settings for now,
11:09
so that is all that we need to do. So please make sure that your settings look exactly like this.
11:20
Now, to move to our target,
11:24
now, I have already started clicking around in my website.
11:31
But if I were to restart Burp
11:35
and have it do a spider
11:39
of this target location, what I would do is I would select Spider this host,
11:50
and I'm going to go ahead and have that included there.
11:54
Now, you can always check
11:56
the status of the spidering action
12:01
by looking here,
12:05
and it actually looks like it's done.
12:07
Now, one of the things you could do is you can see how there are external websites that are referenced.
12:15
What we can do is we can actually
12:18
have Burp Suite only show us the items that are in scope,
12:26
okay? And so that helps to keep this much cleaner.
12:30
Now, as you take a look at your WebGoat installation,
12:35
you will see that there are lots of screens here,
12:39
and we've not actually clicked many of them,
12:45
so they'll be grayed out. But as you go through,
12:50
as you actually go through the website,
12:54
these grays will turn to a dark font,
12:58
and that lets you know that you visited that.
13:03
So that's an overview of Burp Suite and the configuration settings.