1
00:00:00,240 --> 00:00:01,290
Welcome back, everyone.

2
00:00:02,130 --> 00:00:10,200
This is, again, one more interesting course for you. This is the course on Burp Suite, and for those

3
00:00:10,200 --> 00:00:19,380
who are not aware about Burp Suite, it is an application security testing tool, basically, and

4
00:00:19,380 --> 00:00:21,180
it's sort of a proxy server.

5
00:00:21,180 --> 00:00:24,490
But it does more than that, right.

6
00:00:24,870 --> 00:00:33,990
It does all that security testing stuff and is widely used by bug bounty hunters, widely used in the bug

7
00:00:33,990 --> 00:00:35,330
bounty programs basically.

8
00:00:35,640 --> 00:00:36,000
All right.

9
00:00:36,010 --> 00:00:43,770
So throughout this course, we'll learn a lot about the backbone of how the web applications work,

10
00:00:44,730 --> 00:00:53,460
and throughout the course we'll learn more about how the platform really works, how it is involved in the client-to-

11
00:00:53,460 --> 00:00:58,020
server relationship and communications.

12
00:00:58,350 --> 00:01:04,280
What are the different features being used by a lot of people involved in bug bounty?

13
00:01:04,650 --> 00:01:11,640
And what are the different features that can be used for security testing, and we'll go even further.

14
00:01:11,670 --> 00:01:12,020
All right.

15
00:01:12,030 --> 00:01:14,170
So without taking much time, let's get started.

16
00:01:14,460 --> 00:01:21,960
So before we go ahead, we'll also first understand the fundamentals and basic idea about how

17
00:01:22,830 --> 00:01:27,410
Burp Suite really works, more than the proxy mechanism.

18
00:01:27,810 --> 00:01:29,420
So let's understand this.

19
00:01:29,550 --> 00:01:31,860
Let's have a quick intro about Burp.

20
00:01:32,520 --> 00:01:39,510
So, Burp Suite, it is basically a proxy server, as I told you earlier, but developed for application

21
00:01:39,510 --> 00:01:43,410
security testing and developed by a company, PortSwigger.

22
00:01:43,740 --> 00:01:53,520
And if you look at it, the fundamental or the mechanism of client and server communication is all done

23
00:01:53,520 --> 00:01:58,920
by, or all starts with, users sending a request to a web application.

24
00:01:59,980 --> 00:02:00,420
Right.

25
00:02:00,780 --> 00:02:02,940
Sending a request to the web application.

26
00:02:02,940 --> 00:02:06,930
And it could be a GET request or POST or whatever it is.

27
00:02:07,230 --> 00:02:10,430
And from there itself, the communication starts.

28
00:02:10,440 --> 00:02:10,700
Right.

29
00:02:10,920 --> 00:02:18,420
If it asks for, say, www.google.com and gets the response coming back

30
00:02:18,750 --> 00:02:21,200
with that wonderful Google doodle as well.

31
00:02:21,540 --> 00:02:25,500
And that's how the client server communication really works.

32
00:02:25,920 --> 00:02:34,590
But when you have a proxy in between, things change, and the user never understands, you know, what

33
00:02:34,710 --> 00:02:41,940
will happen, and not even the web server. It's just that the proxy has to be changed in the user's browser so

34
00:02:41,940 --> 00:02:48,150
that all the traffic, which was earlier going directly, straight away to the web server, now has

35
00:02:48,150 --> 00:02:50,160
to go via the proxy server.

36
00:02:50,430 --> 00:02:57,180
Now it's up to the proxy server if it can allow the request to go to the server or not.

37
00:02:57,270 --> 00:03:00,930
Now, who manages it? In order to manage a proxy server,

38
00:03:01,380 --> 00:03:09,000
there is a sys administration team in the organization who make sure what group of

39
00:03:09,000 --> 00:03:15,930
users should be allowed to access these applications, this web application, or maybe these sites.

40
00:03:16,050 --> 00:03:17,680
And some of them may not be.

41
00:03:18,090 --> 00:03:21,290
So this is called URL filtering, or filtering that out.

42
00:03:21,300 --> 00:03:24,720
Many tools do that; there are many open source tools.

43
00:03:25,470 --> 00:03:28,020
Firewalls also do those jobs as well.

44
00:03:28,380 --> 00:03:30,240
So, but they exist.

45
00:03:31,590 --> 00:03:37,410
These are mainly used to have complete control over the activity of their employees.

46
00:03:38,370 --> 00:03:43,440
As per their corporate policy, maybe they don't want to allow social media content.

47
00:03:43,710 --> 00:03:51,540
Maybe they don't want to allow any web application websites outside of their territory or maybe country

48
00:03:51,540 --> 00:03:52,000
itself.

49
00:03:52,320 --> 00:03:53,390
So it's all up to them.

50
00:03:53,940 --> 00:04:00,090
But now, when you use the Burp Suite proxy, your purpose is more than that.

51
00:04:00,240 --> 00:04:10,800
Your purpose is to have complete control over user activity, at the same time using those requests,

52
00:04:11,340 --> 00:04:15,030
modifying those requests and sending them back to the server.

53
00:04:15,060 --> 00:04:21,990
This is the job of Burp Suite, and that's what makes Burp Suite so unique.

54
00:04:21,990 --> 00:04:28,440
So it makes it beautiful, because what really happens is the user sends the request to the server, and

55
00:04:28,740 --> 00:04:35,850
once it goes via Burp Suite, we can take this request, modify it and then give it back

56
00:04:35,850 --> 00:04:36,780
to the web server.

57
00:04:36,930 --> 00:04:43,560
And in that case, what happens is Burp Suite can modify it multiple times, and it is modified by the,

58
00:04:43,560 --> 00:04:45,960
you know, people who are managing it.

59
00:04:46,230 --> 00:04:51,090
And every time, whenever we modify the request, we can see what's the response coming back.

60
00:04:51,090 --> 00:04:58,770
And it sounds exactly like a quality testing and software testing program itself, and actually it does

61
00:04:58,770 --> 00:04:59,610
something like this.

62
00:04:59,990 --> 00:05:06,640
But it is more focused on the security aspects of it, like SQL injection, cross-site scripting,

63
00:05:06,650 --> 00:05:08,910
blind injection, all that stuff, right.

64
00:05:09,200 --> 00:05:12,770
So that is what we are all going to talk about.

65
00:05:13,130 --> 00:05:15,800
Let's get an understanding about its features a bit.

66
00:05:16,100 --> 00:05:18,710
And this is how the dashboard really looks.

67
00:05:18,980 --> 00:05:26,290
And the basic idea is they allow you to edit the request sent to the web server, I mean website, where

68
00:05:26,300 --> 00:05:31,330
it is sent through your web browser, in fact, and it has a feature called Repeater.

69
00:05:31,580 --> 00:05:39,320
Through Repeater, you can actually read, or you can actually repeat, the request which has been sent

70
00:05:39,320 --> 00:05:39,770
earlier.

71
00:05:40,040 --> 00:05:47,240
So you can recreate the situation and understand if the request was sent from a mobile phone as the

72
00:05:47,450 --> 00:05:48,120
agent.

73
00:05:48,380 --> 00:05:57,860
Now it can change the agent information to maybe Windows or Firefox or

74
00:05:57,860 --> 00:06:01,050
Chrome or something and get to see what response comes back.

75
00:06:01,050 --> 00:06:01,250
Right.

76
00:06:01,700 --> 00:06:04,460
And it can also modify the EPA setting.

77
00:06:04,460 --> 00:06:13,220
It can also modify any other information related to cookies, or maybe any other responses with

78
00:06:13,220 --> 00:06:17,360
the headers or any other parameters as well.

79
00:06:17,660 --> 00:06:24,440
So in that case, what happens is, with the Repeater, we get to see if the response is not really

80
00:06:25,040 --> 00:06:33,410
good enough, maybe other than 200 OK, 403, or 300-series

81
00:06:33,770 --> 00:06:36,100
responses, something we get the idea of.

82
00:06:36,110 --> 00:06:43,210
What is the change and how does the change happen, or is there any security implication to it.

83
00:06:43,220 --> 00:06:43,460
Right.

84
00:06:43,790 --> 00:06:49,280
So that's all we do it for. Then Intercept. Of course, Intercept is just: when you turn on

85
00:06:49,280 --> 00:06:53,390
the intercept, it actually intercepts all that is happening.

86
00:06:53,540 --> 00:06:58,580
And it's up to you if you want to allow this request to the server or not.

87
00:06:58,580 --> 00:07:02,240
If you drop that request, the user's browser will get

88
00:07:02,690 --> 00:07:04,430
no response on the browser.

89
00:07:04,790 --> 00:07:09,290
But once you're done with the intercept, the request has to go to the proxy.

90
00:07:09,560 --> 00:07:17,180
If you disable the intercept, the request directly goes to the website, even if you have a proxy

91
00:07:17,180 --> 00:07:17,660
in between.

92
00:07:17,900 --> 00:07:23,960
So in fact, in a situation when you turn off the intercept, it bypasses the proxy and goes

93
00:07:23,960 --> 00:07:24,680
directly to it.

94
00:07:24,940 --> 00:07:25,240
All right.

95
00:07:25,640 --> 00:07:26,990
So that's what it is.

96
00:07:26,990 --> 00:07:27,950
And Intruder.

97
00:07:28,280 --> 00:07:30,890
Intruder is one more interesting feature.

98
00:07:31,340 --> 00:07:38,090
The purpose is basically, majorly, not just about brute force attacks, although I have mentioned this,

99
00:07:38,090 --> 00:07:40,370
but majorly it is used for brute force attacks.

100
00:07:40,370 --> 00:07:41,870
And there are many as well.

101
00:07:41,870 --> 00:07:49,040
In fact, discovering new APIs, a kind of enumeration,

102
00:07:49,040 --> 00:07:57,190
all that stuff, even that is also one of the use cases, but predominantly for brute force attacks, wherein

103
00:07:57,350 --> 00:08:03,830
you want to see what all passwords, or whatever is possible, you can try and attempt with, or maybe a

104
00:08:03,830 --> 00:08:05,780
combination of user and password.

105
00:08:06,050 --> 00:08:11,950
But several attacks, you know, there could be categories of attacks that you can possibly drive it with,

106
00:08:11,960 --> 00:08:19,400
with the help of marking those parameters and then applying the payload to each and every marker,

107
00:08:19,400 --> 00:08:19,860
in fact.

108
00:08:19,880 --> 00:08:22,430
So I'll tell you about all those aspects.

109
00:08:22,850 --> 00:08:30,180
So this is all about Burp Suite, and from the next lecture onwards we'll understand about installation,

110
00:08:30,290 --> 00:08:33,560
individual features, and we'll go more deep inside of it.

111
00:08:33,650 --> 00:08:34,000
All right.

112
00:08:34,280 --> 00:08:36,700
So I hope you liked this lecture.

113
00:08:36,950 --> 00:08:38,240
I will see you in the next one.

114
00:08:38,270 --> 00:08:38,750
Thank you.