Using Intercepting Proxies Part 1

00:00

using intercepting Proxies

00:03

are learning objectives. Would understand what an intercepting proxy is demonstrate how to set up Burp suite. Community Edition. No the different tools within Burp suite such as repeater, an intruder and decoder. And also understand Oas zap or zed attack Proxy

00:21

Burp suite. If you're anywhere in the web application security space, you should know what burp suite is. Um It is by by far, hands down the most popular um intercepting proxy out there. It's made by Port Swiger in the U. K. They have a free academy

00:40

at ports of your Net

00:42

web security.

00:44

I would highly recommend you go out there and you use these labs. I've done many of their labs

00:51

on various things, things not an O SCP things that are no SCP um you know, very complex topics such as like HTP requests, smuggling

01:02

or srf. So I think port swagger does a very great job

01:07

and their hands down if you want to do web application security,

01:11

they have the Academy for that.

01:15

The community edition of Burp suite is in Cali Lennox.

01:19

Um If you're going to be doing things like bug bounty or you're a professional web pen tester,

01:26

you really need to buy the pro version. It is. There's so many great features and functionality like active scan. Um

01:36

The only thing is you're allowed to use it in. Oh SCP So if you even if you have it you can't use it in. Oh SCP.

01:42

Mhm.

01:44

Uh What happened was there was this great spider ring feature in Burp suite that they removed in version two.

01:51

Some people prefer using version 1.7 which still have spider ring in it. Just because there

01:57

really in love with that feature and they don't want to migrate to the newer version because they want to be able to spider different web applications.

02:08

So if you have Burp suite you need to install their certificate authority.

02:14

Burp suite has his own C. A. Which you can get by going to http. Burp suite and downloading and then you'll have to import that into your browser.

02:23

That will mitigate issues of you going to h D h T T p S sites

02:30

and getting an error that pops up. So make sure that you install the Burp suite CIA into your browser

02:38

when you use it. Especially when going to https sites.

02:44

If you do a lot of capture the flag is typically things are on port 80 or they don't have https so you won't notice this. But if you're going to these https sites you really need to install the certificate authority.

02:59

Also I think this embedded browser which came about recently is a game changer. I really like it because I don't have to worry about installing the certificate authority in Firefox or chromium. I can use burps embedded browser and just put everything in there. And then I have to browsers. I have one that I don't have to

03:17

route through Burp suite

03:19

and the other one that is going through Burp suite.

03:25

So the proxy why why we call an intercepting proxy? Um it's because

03:31

it intercepts the traffic between our web browser

03:36

and the server.

03:37

The other thing is if you've used this before and you type in a web page and hit enter and you see nothing happens.

03:45

You know, that's because you forgot to turn intercept off or from on to off. I should say it's on by default. So

03:53

that means it's just going to sit there and it's just going to wait for you to turn off the proxy.

04:00

So ensure that when you start a Burp suite you turn intercept to off.

04:04

It's called intercepting proxy Because you can modify the packets

04:09

we saw Net Cat and we changed we downgraded http to 1.0. Well you can do that a lot easier using an intercepting proxy. You can change things from get requests to post requests. Get requests meaning you're getting a website post request, meaning you're posting data like you're entering a username and password

04:28

so you can do that easily here using Burp suite.

04:32

Mm

04:35

So repeat er I really like repeater because you can easily analyse different types of requests. You can see a post request here. I can easily change that into a get request

04:46

by changing the request method.

04:48

I can easily analyse the response. Maybe I want to change the password to something else

04:55

and I can quickly do that here as opposed to going through the browser. If I want to test a sequel injection, I can quickly do that here as opposed to having to look at the browser over and over and over every time I send a different request.

05:06

So repeater allows you to send different types of requests and analyze the response.

05:13

Yeah.

05:15

Intruder. Intruder takes a little bit of getting used to um, it's used for brute forcing logins. You can fuzz web applications,

05:23

you'll notice that it's throttled in the community edition. So if you're going to do things like brute forcing username and password, Hydro might be a better tool for you to use. You can read specific strings. So if I know when I log in, I see something that's his administrator,

05:40

I can grip for that. I'll show you that in the demo

05:43

but you need to specify positions. So

05:46

I'll show you the different types of payloads. I typically use sniper,

05:49

so I'll typically use one value or change one value

05:54

in the requests

05:57

and that usually works well for me. You can use battering ram which places the same payload value in all the positions as opposed to just one. You can use pitchfork

06:08

or you can use cluster bomb. Um

06:12

I don't talk about this here, but you if you use something like shell shock,

06:15

cluster bomb might be a great place for that. Uh or even battering ram um as well. So

06:24

just get to know these different types of payloads. Again, sniper is usually my go to uh payload type,

06:31

There's also decoder. So you can see here we have a base 64 encoded value that decodes the cyber is awesome,

06:40

But you can decode and encode things like base 64 URL. HTML.

06:46

So there's a lot of different options here, as far as encoding and decoding.

06:50

Um Sometimes you have to your l encode different payload types

06:56

so you can do that all in burp suite. Another great tool. You can use a cyber chef

07:00

and the link is down there. That's another great site for decoding things or encoding things.

07:06

Then there is zap

07:09

or is that attack proxy?

07:11

I don't think it's as popular as burp suite. It does have a spider ring function to it which makes it really great.

07:18

It's very noisy of course it's already installed in Cali

07:23

some people like Bert better. Some people like zap better. I'm gonna demonstrate both. So you can kind of compare the two and see which one you like. But I recommend trying both of them seeing which one you like.

07:34

So here's our quiz question.

07:35

Which feature was removed from Burp 1- 2?

07:40

Was it the built in browser. Active scanner or the Spider?

07:44

And the answer

07:46

is

07:47

Spider.

07:49

Mhm.

07:51

So I'm gonna do the summary and then I'm going to jump right into the demo. But in summary we should understand what an intercepting proxy is.

07:59

I will now demonstrate how to set up Burp Suite community edition for you.