Burpsuite Setup

Overview

Difficulty: Intermediate
Duration: 1h 34m
Students: 18
Ratings: 5/5

Description

This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way. 

Intended Audience

This course is intended for anyone who wants to learn the necessary skills to become an ethical hacker and/or a bug bounty hunter.

Prerequisites

We recommend that this course be taken as part of our Web Penetration Testing & Bug Bounty Hunting learning path.

Transcript

Hi. Within this lecture we're going to start working with our BeeBox. So, if you open your BeeBox, just make sure you open the terminal and run ifconfig, so ifconfig. So, let me change my keyboard because I cannot write ifconfig. So, if you write ifconfig you will see the IP address of this BeeBox. Of course, it can be found with some other tools as well, but it's very easy to find it from here, and make sure you start your bWAPP from there. So, right now I know my BeeBox is running on 10.0.2.9, it will be different for you most probably. If I go to Kali Linux, if I open the terminal, let me change my keyboard from here as well. And if I run ifconfig, of course this will be different. This is 10.0.2.4 for me, whatever it is for you, I don't know. And 10.0.2.9 is the BeeBox IP for me. So, I'm writing 10.0.2.9 in here, in my Firefox, in my browser and I can reach the bWAPP. So, whatever your IP address for the BeeBox is, just write it, and click on the 'bWAPP' and here you go.

Now what we want to do, we want to log into this webpage, so that we can start looking for vulnerabilities, learning about pen testing and stuff. So, this is actually a web page, web application and it runs on a web server. We run it locally. We can actually upload this to a web server and we can run it remotely as well, like a real web server or a real web service but it won't be safe, because it has a lot of vulnerabilities. Here you can see the credentials, the username is 'bee' the password is 'bug'. Just write it. And for your security level, we're going to work with multiple security levels throughout the course, but just start with low, and I'm not going to save my password, we can change the security level from here. So, this is a website as you can see, and it has a lot of different pages for representing and simulating a lot of different vulnerabilities. So, it is an extremely buggy web app and we're going to find about some bugs together in here. So, we have different functionalities here, like changing the password or creating the user, we can also reach the vulnerabilities from here as well. And it's ordered in regarding to OWASP Top 10, as I said before. So, we actually see one of the most popular vulnerabilities throughout the web in here, like the most popular ones actually, for example, HTML Injection. So, you can choose any vulnerability that you want to learn or any kind of bug that you want to learn and just hit on hack and it will be opened for you.

So, there are a couple of things over here that I have done before. So, let me delete all of this stuff, you won't be seeing anything in here. So, let me go back to HTML injection, for example. And we're going to browse around here to see the different kind of pages, and we're going to see how we can exploit or search for vulnerabilities in those pages. So, that's what this course is about. And of course, bWAPP is not the only platform that we're going to do this with, we're going to do this with different platforms, different kind of security levels throughout the course, like low, medium, high but we're going to start with low every time. So, we can change the password, we can create a user, we can log out and log in if we need to. Right now, what we need to do is to get familiarized with this application. And in order to search for vulnerabilities, again we're going to use this 'choose your bug' menu. But also there are other vulnerabilities inside of the application itself. For example, if you just click one of these tabs like 'change password', 'create user', you will come across in a situation that you can actually find bugs and we're going to do that together. Don't worry about it. Just know that we're dealing with this website from now on for a couple of sections and then we will move on to other one. So, here we go. But before we go on and find vulnerabilities, we need some tools, and one of the most popular tools that is used in web pen testing is called Burp Suite. So, find the Burp Suite from Kali Linux, and most probably you will see an update like this. And I'm going to say 'OK', this is not an update actually, it's just a pop up saying that your Java version is this. And you will come across a pop up like this. That is saying that update is available. If you say 'Update now', it will take you to this PortSwigger web security website. I'm going to download the latest version from here. If you haven't seen any update pop ups, then it's okay.
Just wait until I'm finished with this installation, then you can follow along with me and continue with me for the installation of the Burp Suite altogether. Just bear with me a couple of minutes here, but most probably you will see some updates. And again, in here the Burp Suite is a tool.

They sell this tool and we are going to use the community version because the enterprise version or professional version are expensive as you can see. At least you have to pay $400 per user, per year in order to use the professional. We're going to talk about the differences between the professional and free versions and just don't believe when you hear that you have to buy Burp Suite in order to be a web pentester. Of course, it will ease things up for you, but it won't solve anything for you. You have to know the theory, you have to know how to look for vulnerabilities. Burp Suite is just a tool, it's a very good tool actually. It's one of the most popular tools. I believe, it's the best tool out there for web pentesting. But it's okay to use Burp Suite community for free. So, if you don't want to pay $400, I can totally understand it. And I'm just going to show you everything in community version, so you don't have to spend this amount of money, when you first start web pentesting. So, after we download, we're going to install this tool, and there is not going to be a Burp Suite section in this course actually. We're going to use Burp Suite in every step that we're going to take in this course, because it's the most important tool that you're going to work with. Now, I believe we are done with the downloading part. So, let me open this one. Here we go. We have an sh file over here. If you double click on it, it won't execute. It will just show the codes for us. We don't have to see the codes, we have to just run this. So, I'm going to open my terminal over here, and I'm going to move onto my downloads folder, and if I say 'ls', I can see the bash file where it is. Here we go. burpsuite_community_linux_v2020 sh. So, I will run this command, bash burpsuite_community_linux_v2020, and it'll run the installation file for me. That's it. That's how you install the Burp Suite.

So, if you do this, it will just pop up a wizard for you. You can just hit 'Next', 'Next', 'Next' and just save this. I believe it's going to install another version than we have over here. So, we're going to have two Burp Suites, but it doesn't matter. I'm going to show you which one to use. Just extract all these files, just install this and say 'Finish'. That's it. Now you can use Burp Suite. Now I'm going to close this down and you can just delete this sh file, and close this down as well, and this one. And I believe we have to close this down as well. I'm going to say 'Yes'. And now let me just minimize this and search for Burp Suite one more time. So, if you see Burp Suite like this and the community edition, this one is the newer one, 'Burp Suite Community Edition', just click on that. So, if you didn't have a pop up saying that you have to update, then it's okay. You can just continue from here. So, this is a starting page of the Burp Suite, and as you can see, we can only choose a temporary project. In professional versions, you get to create a new project and save your project. But in community edition, in free version, you get to work with temporary projects and when you close this down then all your scans will be gone. But it's no biggie for us right now. We can just totally make this work. So, it's one of the most important differences between the free version and the paid version. Just say 'Start Burp' and it will open the Burp Suite project for you. When you watch this, maybe the interface might be a little bit changed because they regularly change it. I'm just recording this right now. Maybe you can see some sort of new images and stuff, but the functionality will be the same. And if it actually changes, I'm going to update the course obviously. Now, what does Burp Suite do? Burp Suite is actually a proxy. Okay, so it acts as a proxy because it gathers the requests and responses. 
So, when I do a request, when I click on a button, for example, on a web page, I send a request to the web server and I get a response back, right? Because that's how websites work, right? We have seen this in the previous section. So, imagine we can interrupt these requests and we can interrupt the responses as well so we can see every packet going on and coming in, so we can analyze what's going on. And more importantly we can change the packets, and we can manipulate the requests and see what response we get when we manipulate them. So, it's a very good tool actually. As you can see, we have a lot of different tabs over here, we're going to be covering this in different sections. We're not going to have a separate section for Burp Suite again because you won't understand why I'm doing this or what am I doing? We're going to do Burp on a hands-on style, hands-on fashion way so that you will be understanding this in a more suitable way. So, here we go. First thing you need to do is just go to the proxy and the options tab. In here, we need to understand how proxy of the Burp Suite works. So, as you can see, mine is already set up, yours will be, is already set up too most of the time. If it isn't, you can come over here and choose 8080 and 127.0.0.1 like this, okay? So, exactly like this. So, 8080, bind to port and loopback only. So, if you do this it will be done. So, what does it mean? 127.0.0.1 stands for the localhost. So, it will be actually interrupting all the traffic going on in our, actually from or coming in from our own computer. But again we need to notify the browser so that it can forward the request to the Burp Suite proxy as well. Right now, this is okay, 127.0.0.1, 8080 is okay for Burp Suite, you don't need to change anything at all if you already have this. Most probably you will have this but you will need to change the proxy settings of your own browser, okay? But because it won't be default for you. So, how do you do that?
Of course, you will be using Firefox most probably if you don't have any other choice or if you don't have any other options in Kali Linux. If you already downloaded something else, I suggest you follow along with me and just use the Firefox here. So, if we go to the settings of the Firefox like this, the preferences of the Firefox, we need to find the network settings. So, most of the time they change where it's located, right now it's under privacy and security but the best way to find it is to come over here and search for network. So, this is it, we are looking for the network settings and just click on the settings. So, the default will be to use the use system proxy settings option in here but again we don't actually want this, we want to give a manual proxy configuration over here and we're going to write exactly the same thing that we have seen in the Burp Suite. So, 127.0.0.1, 8080, okay? So, just choose the manual proxy configuration from here. So, that's how we actually say to the Firefox that we will be using this. So, if you see no proxy for area in here, like if you have some IPs over here, just make sure you delete them and come over here and give 127.0.0.1 and 8080, that's all you need to do. So, after that we can actually see the packets going on and packets coming in right now. So, make sure it's exactly the same. Now, let's try this. Let's try to go to google.com and as you can see, we cannot go to google.com. Let's come over here and see if there's something wrong with the Burp Suite. So, under proxy, we can see the intercept and it's intercepting the packets. So, if you just say intercept this off, if you click over here, intercepting will be off so it won't be intercepting or interrupting any traffic going on inside of our computer but it will be tagging and just gathering information from the web. We're going to see what to do, when to do all of this stuff. Let me try to go to my own website and make sure this is working, okay? 
You can just try to browse to any website that you want. Yes, it seems to be working. So, let me come over here to target. I believe we're getting data in here so I can go to my own website. If you cannot go to your website or if you cannot go to any website right now, don't worry, I'm going to show you how to solve this problem. Because even though I can get to my website, if I click on any other stuff, it's not going to be tagged in here as you can see and this is not what we are looking for. If I click on someone, it should get all the information and show it to us in the target tab in here. Okay, now we have a problem. The intercept is off but the options are right in here so we need to make sure that we did the proxy settings in the Firefox, right? Because when we click on something it needs to gather data so that we can analyze them later on. Right now I can browse the Internet but it's not gathering any data, okay? So, let me come over here and go to the target as you can see, we cannot see the google.com. So, there might be a couple of reasons for that. I'm going to show you what are those and we're going to solve it, don't worry. So, this is right and dashboard is fine, target is fine. We're not doing anything wrong in the site, so maybe there is something wrong with the certificates. So, if you come over here to new tab, okay? Or if you come over here to google.com, you may search for the certificates of the Burp Suite. So, what do I mean? If you search for this install burp suite certificate, okay? Like that, Firefox, there are some certificates of Burp Suite that you need to install to your browser so that the connection will be smooth. So, this will direct us to the PortSwigger one more time. And it will instruct us how to install the Burp's certificate in Firefox. As you can see, it says that go to Burp. So, I'm going to just type http://burp and it will open a website like this.
So, over here we will see something called CA certificate and I'm going to just save it, okay? As you can see, it's named like cacert.der. So, make sure you download this DER. And now just follow along with me within this tutorial. It says that go to preferences and find the privacy and security and say view certificates and import the certificate that you have downloaded, okay? Just do this. Go to preferences and find the certificates and their privacy and security. Let's see where is the certificates. Here we go, let me scroll down and here we go, it's at the bottom. Just find the view certificates and these are certificates that my browser trusts, okay? So, there are a couple of them here already, we need to import the Burp Suite as well. So, in order to do that, just hit 'Import' and find the thing that you have downloaded, this one. I believe it's under downloads. Just choose this, okay? And say trust the CA to identify websites and I believe we don't have to trust the CA to identify email users, the identification of websites is more than enough and just say, 'OK'. And let's see. Yeah, here we go. It's done. Now we have installed the certificate, okay? Now let's go back to google.com and the other thing that we need to make sure to make this work is to go back to the network security one more time, search for network, okay? Go for the settings and make sure if you don't have it checked, just check this. Use this proxy server for all protocols. So, it will be valid for the SSL, FTP, SOCKS Host as well. So, we haven't done this before. It worked but it didn't work very well in SSL, so make sure you choose it and then now we are okay, I believe. So, let me close this down and just go for google.com one more time and let me go to my website one more time. You can just go to any website you want and try to just browse around a little bit.
If you come back to Burp Suite right now, if we go to target, as you can see, we have a lot of things going on right now so I can see all the requests that are made inside of my own website, inside of google.com, inside of the websites that Google interacts with like play.google.com, ads.google.com. Anything that you see. For example, we can already see that my website is using WordPress because we can see wp-json, wp-includes, wp-content. We already started getting information, gathering information about the website that we're going to be pentesting for. So, here we go. Now, this is what Burp Suite looks like. When we browse around the web, it actually intercepts the requests and responses. So, this is a request that we made explicitly or implicitly, maybe we didn't even know that we made this request by visiting that website. We can see all the requests that are made for us and all the responses back. This is going to be very good in web pentesting, okay? We're going to see why it's going to be very good. So, it's already here, 10.0.2.9, bWAPP and it's already started to gather some information from there. So, that's it. We're going to stop here and continue within the next lecture.
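
The Firefox settings the lecture walks through (manual proxy at 127.0.0.1:8080, an empty "No proxy for" list, and the same proxy for SSL) can be checked against a profile's preference file. This is an added example, not part of the lecture: `parse_prefs` and `audit_proxy` are hypothetical helper names, and the two `prefs.js` snippets are constructed samples of the state before and after the fix.

```python
import re

# Burp listener from the lecture: loopback only, port 8080.
BURP_HOST, BURP_PORT = "127.0.0.1", 8080

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    """Parse Firefox prefs.js/user.js lines into a dict of Python values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs

def audit_proxy(prefs, target_hosts=()):
    """Return the reasons browser traffic would not reach the Burp listener."""
    problems = []
    # Firefox default is 5 (use system proxy settings); 1 means manual.
    if prefs.get("network.proxy.type", 5) != 1:
        problems.append("proxy type is not manual (network.proxy.type != 1)")
    # "ssl" is the HTTPS proxy; it is only filled when the same proxy
    # is applied to all protocols or entered by hand.
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}", "")
        port = prefs.get(f"network.proxy.{scheme}_port", 0)
        if (host, port) != (BURP_HOST, BURP_PORT):
            problems.append(f"{scheme} traffic is not sent to {BURP_HOST}:{BURP_PORT}")
    bypass = prefs.get("network.proxy.no_proxies_on", "").split(",")
    bypass = [h.strip() for h in bypass if h.strip()]
    for host in target_hosts:
        if host in bypass:
            problems.append(f"{host} is listed under 'No proxy for' and bypasses Burp")
    return problems

# Constructed sample: HTTP proxy set, HTTPS proxy missing, lab host excluded.
BEFORE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost, 10.0.2.9");
'''
# Constructed sample: same proxy for HTTPS, empty exclusion list.
AFTER = BEFORE.replace('"localhost, 10.0.2.9"', '""') + '''
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_proxy(parse_prefs(text), ["10.0.2.9"]))
```
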

 

About the Author

Students: 437
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.