This course focuses on API security: the kinds of vulnerabilities we can find in APIs, how to exploit them, and how to secure them. These skills will let you earn bug bounties from such vulnerabilities and also protect your own APIs.
Hi. In this lecture we're going to install Burp Suite and set it up so we can use it in our pentesting. I'm already in my Ubuntu machine, but we're actually done with the Ubuntu part: we've installed vAPI and have it running on the server. If you type your server's IP address into the browser, you can see vAPI. That's it; you don't need to log into the server anymore. Once you're done, don't forget to destroy the droplet or delete the project so your credit card won't be charged. So if you see this page when you go to your IP/vAPI, then it's fine, and once you're done with the vAPI tests, come back here and 'Destroy' the droplet, or delete the project from the settings. Don't forget to do that. So far so good. What are we going to do in this lecture? We're going to install Burp Suite so we can work with vAPI, intercepting and capturing the packets so we can inspect them or manipulate them however we want. If you've been watching the web pentesting course, you already know how to do this. If you're coming from the mobile ethical hacking course, you need to watch this lecture; if you're coming from the web pentesting course, just skip it. If you google Burp Suite, you'll see that it's a tool produced by a company called PortSwigger; the website is portswigger.net/burp. Burp Suite is essentially a proxy: we route our traffic through it, so we can see the requests we're sending and analyze the responses we get back, and we can intercept requests and manipulate them before they go to the server. It's a very cool tool.
Of course, this is going to be a crash course for the mobile ethical hacking course users; on the web pentesting side we've already seen this a lot. Burp Suite isn't a free tool as such, but there is a free version, and that's the one we're going to use: the Community Edition. If you go to Products, you can see the Community Edition there. You can purchase the Enterprise or Professional versions if you want, but they're a bit expensive, something like 300-400 dollars. I'm going to go with the Community Edition, and we'll talk about the differences between Community and Professional later, so don't worry about it. All you need to do is download it; on Windows and Mac you install it by clicking 'Next', 'Next', 'Next'. If you're using Kali Linux it should already be installed; on any other Linux distribution you can download and install it as well. When you create a project in Burp Suite, just use the defaults; you don't need to change anything, and you'll see a screen like this. Burp Suite has a lot of modules; we can do many things with it, and it's the tool for web pentesting. We can intercept packets using the Proxy module, and I'm going to show you how: you give Proxy some settings and make sure the browser uses the same settings. With the Intruder module you can do brute-force attacks, and we're going to do a lot of those in this section. In Repeater you can send requests and analyze the responses.
You can manipulate the request and see how the API or the server reacts, so you can keep trying: changing the parameters or changing the headers in the request. It's very good. There's also a Decoder module, where you can decode or encode anything you want: write something and encode it as Base64, HTML or another encoding. It's a very good tool, and we're going to use a lot of its modules, so don't worry about it. All you need to do right now is set it up and create a project. Once you've done that, go to Options under the Proxy module, because you may have to change something there. If you don't see 127.0.0.1:8080 listed, click 'Add' and add it: the port should be 8080 and the host should be 127.0.0.1, that is, your localhost on port 8080. Why are we doing this? Because we're going to give the exact same proxy address to the browser, and all the other settings down here should be left alone. I'm going to turn intercept on and off regularly while using this, and I'll show you why. Now go to your browser. I'm using Brave, but you can use Google Chrome, Safari, Firefox, anything you want; Brave is very cool, so that's why I'm using it. Turn intercept off for a minute and go to google.com, because you need to download something called FoxyProxy. I believe it doesn't work in Safari, but it works in Brave, Chrome and Firefox. FoxyProxy is a browser extension; you can add it to Chrome, Firefox or Brave. Just search for it and find the extension page. This is what I'm looking for, FoxyProxy Standard; as you can see, many users use it.
It's a very easy tool for changing the proxy settings of the browser. You'll see an 'Install' button; I'm seeing a 'Remove' button because I already have it in my browser. Here you go, I can see FoxyProxy here. Once you've installed FoxyProxy, open its 'Options'. In the options, give the exact same values that you gave Burp Suite: for the host I'm going to say 127.0.0.1, and for the port 8080. That's it. Of course you can change the port, but it doesn't make sense here: we're working with Burp and intercepting web requests, so go with port 8080. You can give it a default name, delete it, edit it, or add any proxy you want, and after that you can select that proxy like this. If you select this 127.0.0.1:8080 proxy, and the same proxy is configured inside Burp Suite, you can turn intercept on, like this, and now all your traffic will be routed through Burp Suite so you can capture the packets. It's very easy. Let me show you what I mean. I'm going to open a new tab, or you can just use this one. Click on something, for example this Accessibility link, and as you can see it stops; it doesn't go anywhere because it has been captured in Burp Suite. Unless I forward it, or turn interception off, it won't be delivered to the server. Right now I have this request. I can see it's a POST request, I can see the endpoint it's directed to, the cookie, the headers, the parameters, everything. I can change it, or I can turn interception off and it will be forwarded to the server and I'll get the result back.
Now I'm going to disable these proxies, because I want to show you something. If you did all this and still didn't capture the packet, you may need to install a certificate. If you run into a situation like this, where Burp doesn't work for some reason, google 'Install Burp certificate'. It will lead you to portswigger.net once again, because that's the company that develops Burp Suite, and it has very good documentation: you can see how to install the certificate in Chrome, Firefox, Safari and even Internet Explorer. If you're using Brave, follow the Chrome instructions; the steps are exactly the same as for Chrome, and there are different steps for Windows, macOS and Linux. I'm going to show you my steps, but it's very easy to accomplish: just follow the steps and it will work. We're going to download a certificate and install it in our browser or on our system, and then the browser will trust Burp Suite; otherwise you may not be able to connect to HTTPS sites. If you're using Linux, see the documentation for installing it on your machine; it's not very hard. I'm going to show you how to do it, don't worry, but if you're on Windows or Linux the steps might be a little different. So I'm going to open Burp Suite and, with Burp running, browse to http://burpsuite, not burpsuite.com, just http://burpsuite. Burp Suite is running and I've changed my proxy, that's why I'm seeing this page. If Burp Suite isn't running and you haven't changed your proxy, you won't be able to get the certificate.
As you can see, I can see 'CA Certificate' at the right-hand side of this http://burpsuite page. Download it to your desktop or whatever folder you want, and that's it. After downloading the certificate, the steps are a little different for Mac, Windows and Linux. On Mac and Windows you just double-click the certificate and it lets you install it on your system, but on Linux, as you can see, you go to the settings of Chrome or Brave to find the certificate section and install it directly into the browser. You can see all the images and all the steps you need to do to install the certificate, but downloading the certificate is the same for everyone. So if I go to the Brave settings, for example, and search for 'certificate' (remember I'm on a Mac), it finds some certificate settings, under Security I believe, and if I go down to the advanced section I can see 'Manage certificates'. Once I click that, it opens Keychain Access. Keychain Access is the tool we use on macOS to store certificates and such. So what I need to do is double-click the certificate and it will be added to the keychain automatically. If you're using Windows or Linux, the steps will be very similar; you can see the documentation yourself, but you download the certificate in exactly the same way we did. For example, let me go to Windows for Internet Explorer. As you can see, it says you have to run this as an administrator. That's a little different: you right-click, choose 'Run as administrator', and then say 'Install certificate'. You have to visit http://burpsuite in all operating systems to download the certificate.
After installing the certificate, if you weren't able to capture the packet before, now you will be, and you'll be able to use Burp Suite properly. So make sure to install the certificate if you experience any weirdness once you open a Burp Suite project, and then try again. And don't forget that if you're using Burp, you should also have the proxy settings on; otherwise you won't be able to browse the internet. So I'm going to search for my name and, as you can see, I get the packet. If I forward it, it will be sent to the Google servers; if I don't forward it, it will just get stuck on the main Google page. Here you go. Now we see all the details about me in Google, and we're still capturing packets, because Google is making requests to its APIs and maybe other services, many things. We can see all the traffic, capture it, and manipulate it however we want. That's how we set up PortSwigger's Burp Suite. Of course, if you already have it running and working properly, I believe you've already skipped this lecture. If not, it's a great new tool that you'll learn during this section. We're going to stop here and continue with the Postman installation.
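To make concrete what the lecture means by Burp being a proxy that captures requests and lets you change them before they reach the server, here is a minimal intercepting HTTP proxy in Python. It is an added example written for this page, not code from the course, from vAPI or from Burp Suite. It listens on the same 127.0.0.1:8080 that the lecture gives to Burp and FoxyProxy, parses each browser request, hands it to an `intercept` hook that may rewrite headers and body, and only then forwards it upstream. Assumptions: plain HTTP only (no CONNECT, no TLS), the whole request fits in one read, the `X-Intercepted` header, the `id=1` form field and the `/api/profile` path are made-up sample data, and the edits the hook makes are illustrative of what a tester changes by hand in Burp's Intercept tab.

```python
"""Minimal intercepting HTTP proxy (plain HTTP only, no CONNECT/TLS).

parse_request / serialize_request / intercept are pure functions, so the
intercept-and-rewrite step can be exercised without any network at all.
"""
import socket
import threading
from urllib.parse import urlsplit

LISTEN = ("127.0.0.1", 8080)  # same host:port the lecture gives Burp and FoxyProxy

# Constructed sample of what a browser sends to a proxy: note the absolute URL
# in the request line. Path and field are made up for this example.
SAMPLE_REQUEST = (
    b"POST http://127.0.0.1/api/profile HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"Cookie: session=abc\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"id=1"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    headers is a list of (name, value) pairs so order and duplicates survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def serialize_request(method, target, version, headers, body: bytes) -> bytes:
    """Rebuild the request bytes, recomputing Content-Length so a rewritten
    body is still a well-formed message for the upstream server."""
    fixed = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body or method in ("POST", "PUT", "PATCH"):
        fixed.append(("Content-Length", str(len(body))))
    head = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in fixed)
    return head.encode("latin-1") + b"\r\n" + body


def intercept(raw: bytes) -> bytes:
    """The 'Intercept is on' step: inspect and rewrite before forwarding.
    Both edits are illustrative: tag the request with a (made-up) header and
    tamper with a form parameter, as one would do by hand in Burp."""
    method, target, version, headers, body = parse_request(raw)
    headers = [(n, v) for n, v in headers if n.lower() != "x-intercepted"]
    headers.append(("X-Intercepted", "1"))
    body = body.replace(b"id=1", b"id=1337")
    return serialize_request(method, target, version, headers, body)


def forward(raw: bytes) -> bytes:
    """Send a request upstream and return the raw response bytes. A browser
    talking to a proxy puts an absolute URL in the request line; the origin
    server expects only the path, so the request line is rewritten."""
    method, target, version, headers, body = parse_request(raw)
    url = urlsplit(target)
    if not url.hostname:
        raise ValueError("expected an absolute URL in the request line")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    headers = [(n, v) for n, v in headers
               if n.lower() not in ("connection", "proxy-connection")]
    headers.append(("Connection", "close"))  # so recv() sees EOF after the response
    with socket.create_connection((url.hostname, url.port or 80), timeout=10) as up:
        up.sendall(serialize_request(method, path, version, headers, body))
        chunks = []
        while True:
            data = up.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def handle(client: socket.socket, hook) -> None:
    with client:
        raw = client.recv(65536)  # assumes the request fits in one read
        if not raw:
            return
        rewritten = hook(raw)
        print(rewritten.decode("latin-1", "replace"))  # what Burp shows in Intercept
        try:
            client.sendall(forward(rewritten))
        except (OSError, ValueError):
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")


def serve(hook=intercept, addr=LISTEN) -> None:
    """Accept browser connections until killed; one thread per request."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(addr)
        srv.listen()
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, hook), daemon=True).start()


def demo() -> bytes:
    """Run the intercept hook over the constructed sample; no network needed."""
    return intercept(SAMPLE_REQUEST)


if __name__ == "__main__":
    print(demo().decode("latin-1"))
    serve()
```

With this script running instead of Burp, the FoxyProxy profile from the lecture (127.0.0.1, port 8080) sends the browser's traffic through it, but only http:// sites will load: the script neither handles CONNECT nor re-signs TLS connections, which is exactly the job Burp does and the reason the lecture has you install the Burp CA certificate before HTTPS sites work through the proxy.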
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.