Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers vulnerability analysis of custom web applications. It touches on automated scanning, but the main focus is on manual analysis, since no scanner checks everything in an application that anyone can have built any way they like. Participants learn how to launch Burp Suite (a Java application) on Kali Linux and use it as an intercepting proxy: configuring the browser to send all its traffic through localhost:8080, viewing requests before they reach the server, and modifying parameters in flight so that the server only sees what leaves the proxy. The Target tab, Spider, Intruder, Decoder and Repeater tools are introduced as well, along with which features (the Scanner, full-speed Intruder) are limited in the free version.
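The key point of the lesson is that the server only ever sees the bytes that leave the proxy, so a value changed in the Intercept tab overrides whatever was typed in the browser. As an added example (not from the video and not Burp Suite's own code), here is a minimal Python intercepting proxy that rewrites a form field in a POST body before forwarding the request, the way the lesson changes the password by hand in Burp. The target address, form field names and the sample request are constructed for illustration and are not taken from the application shown in the video.

```python
"""
Added example (not from the lesson or Burp Suite): a minimal intercepting
HTTP proxy that rewrites one form field in a POST body before the request
reaches the server, and fixes Content-Length so the server reads the
modified body correctly.  Host, field names and sample request are
constructed assumptions.
"""
import http.client
import http.server
import socketserver
from urllib.parse import parse_qsl, urlencode, urlsplit


def rewrite_form_field(body: bytes, field: str, new_value: str) -> bytes:
    """Return an x-www-form-urlencoded body with one field replaced.

    Field order is preserved; fields other than `field` pass through untouched.
    """
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    rewritten = [(k, new_value if k == field else v) for k, v in pairs]
    return urlencode(rewritten).encode("latin-1")


def rewrite_request(raw: bytes, field: str, new_value: str) -> bytes:
    """Rewrite one form field in a raw HTTP/1.1 request and fix Content-Length.

    Requests without a form body are returned unchanged.  The server only
    sees what the proxy forwards, so Content-Length must match the new body
    or the server will read too few or too many bytes.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw                       # no header/body separator: leave as-is
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    is_form = any(
        h.lower().startswith(b"content-type:")
        and b"x-www-form-urlencoded" in h.lower()
        for h in headers)
    if not is_form:
        return raw
    new_body = rewrite_form_field(body, field, new_value)
    new_headers = [
        b"Content-Length: %d" % len(new_body)
        if h.lower().startswith(b"content-length:") else h
        for h in headers]
    return b"\r\n".join([request_line, *new_headers]) + b"\r\n\r\n" + new_body


# Constructed sample: a registration POST as a browser pointed at a proxy
# would send it (absolute URL in the request line).  192.0.2.10 is a
# documentation address; the path and field names are assumptions.
SAMPLE_REQUEST = (
    b"POST http://192.0.2.10/BookService/NewUser.aspx HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 67\r\n"
    b"\r\n"
    b"username=georgia&email=georgia%40bulbsecurity.com&password=password"
)


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """Forward each request upstream, rewriting the chosen field on the way."""
    field, new_value = "password", "password1"   # what the lesson changes by hand

    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        url = urlsplit(self.path)                 # browsers send absolute URLs to a proxy
        if body and "x-www-form-urlencoded" in self.headers.get("Content-Type", ""):
            body = rewrite_form_field(body, self.field, self.new_value)
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("content-length", "proxy-connection")}
        if body:
            headers["Content-Length"] = str(len(body))
        path = (url.path or "/") + ("?" + url.query if url.query else "")
        upstream = http.client.HTTPConnection(url.netloc, timeout=10)
        upstream.request(self.command, path, body=body, headers=headers)
        resp = upstream.getresponse()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():            # body is fully read below, so drop hop-by-hop framing
            if k.lower() not in ("transfer-encoding", "connection"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(resp.read())
        upstream.close()

    do_GET = do_POST = _forward


if __name__ == "__main__":
    # Point the browser at localhost:8080, as the lesson does for Burp.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), InterceptingProxy) as srv:
        srv.serve_forever()
```

Run it, set the browser's manual proxy to localhost port 8080 for all protocols, and any form submission containing a `password` field arrives at the server with `password1`, regardless of what was typed, which is exactly the effect shown in the lesson. Unlike Burp this proxy does not pause for a human; it applies one rule automatically, which is closer to what Burp's match-and-replace or Intruder would do.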

Video Transcription

00:04
All right. Our test app for this is on your Windows 7 system; the setup instructions tell you how to install this application.
00:14
This is certainly not the only vulnerable web application. There are some better ones publicly available online. I like
00:22
one called Damn Vulnerable Web App, which is freely available,
00:27
and I encourage you to try that one next. OWASP, the Open Web Application Security Project, has one called WebGoat that actually has built-in learning exercises in it. That's a good one for beginners as well.
00:42
And there are several others. So if you want to continue with websites, I encourage you to try some of those; they probably have a few more vulnerabilities than this one. This is just
00:54
kind of a specific application that I actually inherited.
00:58
I didn't even write it originally, but it has a lot of the major issues in it.
01:04
All right, so it is
01:07
Book Service on your Windows 7 box. It should look something like this. If you don't see the books and such, the database isn't set up correctly, and a lot of what we're gonna do isn't going to work. So go back and check your setup instructions until you get it to look like this.
01:25
It has install scripts and everything. It should be pretty straightforward if you follow the instructions.
01:30
If you're like me and you skip steps, sometimes things don't work.
01:36
So what we're gonna do here is we're mainly gonna do
01:40
manual analysis. I find that there's not really
01:45
any products that do as good a job as I would like at just doing vulnerability scanning for custom web applications, just given the nature of custom web applications. Anybody can build an application, and it's really hard to
01:59
make checks that will check everything regardless of what the
02:04
content is.
02:06
So we will look at some automated scanning, but mainly we will do things manually.
02:10
I do use some scanners that are expensive on some of my jobs, like Acunetix, WebInspect, things like that. I mean, just depending on
02:21
what software the client that I'm working for has. Generally those are pretty pricey for the
02:29
well
02:30
tester like me.
02:31
Um, but I do use those just as a baseline, and then do my manual testing from there,
02:39
but
02:40
I'm not gonna have you download Acunetix or anything, but if your company or your school has products like that, I encourage you to get familiar with them. We're gonna use my favorite proxy, called Burp Suite,
02:53
and
02:55
that's not good about Java,
02:58
Burp Suite
03:04
exception. And
03:13
that is going to kill everything.
03:17
Because without the proxy, you won't get very far at all.
03:25
I'm not actually gonna have a Web applications action. Probably.
03:37
java -jar
03:42
Okay,
03:49
actually, I get for changing the M. Something's gonna change.
03:53
Actually, if I think about it, this was probably true in the old version of Kali as well. Let me try one more thing. I feel like the old version of Kali had the same issue. I use Burp Suite Pro, that I pay for, directly on my Mac. They have a free version on here.
04:09
We go to Applications, then Kali Linux,
04:12
Web Applications, Web Application Proxies, and click on Burp Suite. Yeah, that'll do it. I just forgot that again; I use the
04:20
Pro.
04:25
Let's click "I accept". It should load it up.
04:30
There we go. All right, cool.
04:32
So we have our Burp Suite here. As you can see, it has lots of different things it can do. Some of it is going to be limited on the free version, as these things go.
04:45
But what we want to do is actually set up our browser to send all its traffic through this proxy by default.
04:53
Under the Proxy tab, go to Options. By default it listens on localhost 8080. You can change that if you need to.
05:01
Then on my browser, this is just going to be platform specific; like on my Mac, it wants me to do it in system settings, things like that.
05:11
And
05:13
We go to Preferences. So, Edit, Preferences,
05:17
and it should be under
05:19
Advanced and Network.
05:21
This is Iceweasel, which is like an offshoot of Firefox, so it's similar to how Firefox is set up.
05:28
I go to Connection Settings,
05:31
manual proxy configuration is what we want,
05:38
localhost, 8080,
05:43
and use this proxy configuration for all protocols. Okay, that should send all our traffic through Burp Suite. So if we go back to the Proxy tab and Intercept, make sure that intercept is on,
05:57
and
06:00
we'll just
06:01
click enter again to sort of reload the page, so we should see Burp Suite light up.
06:08
GET /BookService HTTP/1.1. We're getting the main page
06:15
of this application, so we can make changes to this. There's not really anything we want to change here. When we're done with it, we can say Forward, and it forwards it on to the browser. For instance, here it has it, where we can
06:29
Hello again.
06:30
Oh, are about
06:32
Let's click Login here
06:36
and
06:42
Forward.
06:44
GET /BookService/Login.aspx.
06:47
That takes us to a new page.
06:51
What if we do New User?
06:56
And for that
06:59
If I put in username Georgia, georgia@bulbsecurity.com, password "password", and retype password "password".
07:06
Well, georgia@bulbsecurity.com, anyway,
07:11
like, you know,
07:15
Click Go. It got caught too; it's catching our POST requests as well.
07:24
If we break it down by parameter here, we can actually see the values that are being sent. We see Georgia, password, and georgia@bulbsecurity.com.
07:34
I change password to
07:40
password1 and forward it.
07:42
I changed it in my proxy; the server hasn't seen it yet, so any change I make in the proxy, that's what the server's gonna see. So when I send this in, Georgia's password will be password1, regardless of the fact that originally I put in password.
08:07
All right. Now, if I go to Login,
08:11
I'll just turn intercept off.
08:13
Once I'm done intercepting things, I just turn it off.
08:18
I'll do Georgia and password1. I make sure I put in the same password that I did through the proxy,
08:24
and that logs me in. So the proxy is nice for, like, seeing the raw traffic and hidden fields, and manipulating the traffic,
08:33
which may come in handy for us in some cases,
08:37
we'll see
08:39
Additionally, some basic things that we can do here:
08:45
If we go over to the Target tab, we'll see
08:46
the IP address of our Windows 7 system, so we can right-click on that,
08:54
and we're not able to scan
08:56
in the free version. I do like the scanner in here,
09:01
but we're not gonna be able to do that in the free version. If you buy the Pro version, then you can passively scan them.
09:07
But we can spider the host
09:11
to try and find some more pages.
09:15
It sends requests and sees if it finds more pages. Basically, I haven't clicked on all these links,
09:22
so it should be able to find these
09:24
additional pages.
09:45
What is it?
09:54
You can put in information to submit the forms, like Login and stuff, as well. There's not too much, actually, in our site tree: just books and a few other things.
10:03
So that's the
10:05
basics on
10:07
our Burp Suite. We do, of course, have the Scanner,
10:11
But
10:11
but it doesn't do anything on the free version of
10:16
Yeah.
10:16
Burp Intruder. What this is gonna do is it allows us to
10:22
do password guessing and otherwise send different options automatically into web forms. We can give it payload lists, or set up different ways of doing it; there's different options
10:35
you can do,
10:45
And
10:46
things like that. But, uh, that's another one that is gonna be really slowed down in this version.
10:52
Decoder is always nice. Like, if you're trying to decode
10:56
information that's Base64 encoded or something like that, you just paste it in here and it will take care of it. So even when I'm not necessarily doing web application stuff, I occasionally pull this up.
11:09
There's other things as well, like repeating the request. If you get an interesting request,
11:13
you repeat it
11:16
and see the results,
11:20
things like that.
11:22
It can do a lot of things. The Pro version is much more powerful, so if you continue with web apps, I encourage you to buy it.
11:30
So now let's actually start attacking some stuff.
11:33
and look at those common web vulnerability classes.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor