Now let's talk about Burp Suite. Since we have everything set up, we've already installed Burp Suite in an earlier video and we got the certificate set up. We talked about what it's capable of, and we did a basic intercept and kind of just looked at the responses that we were getting, and we saw that we could do a little bit of enumeration through it. But for the entirety, pretty much, of all of these exploits we're going to be using Burp Suite in one way or another, and it's going to be really flexible and you're going to see what it's capable of doing. Now, I am going to be using the Community Edition. I will describe the differences of the pro versus the community as we talk about it. And in this video I just want to give you a high level overview of what we're going to be doing. And I also want to talk briefly about what to expect when you're doing a web app pen test. So typically with web apps you have three stages of testing. You have an unauthenticated stage, so when you come in here and you are on this website, like you're here, right, and you go to Account, there's no account, we're not logged in, we're considered unauthenticated.
So with that we can try to navigate around the page and turn the intercept off here, and we can just click around and see what we can find, right click on certain things, see what's available to us, see what we're capable of as a user. We can go to the login form; we could try to log in here with, you know, credential stuffing, or we could just try admin/admin if we see a default credential kind of deal. We go to forgot your password and try to utilize a forgot-your-password scenario, etc. OK. So there's a lot of different features that we can do. The second tier is what's called a user tier. So we log in as a user and we don't have admin privileges, but we do have some user accessibility. So we'll get some sort of extra access that we wouldn't have as an unauthenticated user. And then lastly, we're going to test the application as an admin user. And that will give us access to admin panels and other things that users should not be able to see. We do all this testing to see if maybe from the unauthenticated side you can access an admin panel, or maybe from a user side you can access an admin panel, or you can just bypass certain restrictions that should be there across these users. So it's always good to test and see who can get to where and why. And we want to find all those vulnerability types.
So we're doing this testing. We come in and we start unauthenticated, usually. And what I like to do is, again, I just like to click around and kind of get a feel for what's going on. So, you know, there's customer feedback, there's the About Us here. I'm just clicking through, photo wall. And if you go to Target, we have our localhost on 3000 here. I always like to just get the target and I like to just add it to the scope, so I'll right click and add to scope, and then I'm going to go ahead and just click up here on the top and I'm going to say show only in-scope items. That filters out the rest; that way when the proxy is picking things up it's only picking up and storing in this area what we need. So if we clicked on this here you can see it's starting to pick up things that even we didn't go to. There's API back here and you can see challenges, feedbacks, quantities. There's a lot of different things in here that we have access to.
Look, there's a rest admin, and we can kind of click through some of this stuff and see if any of this is interesting, and this is what we want to do on an unauthenticated side. And what this is doing here is, this is going through and it is pulling down information from the traffic that it sees through this proxy. And one feature that we do not have access to is the scan feature. Now the pro edition has access to the feature of scanning and of engagement tools. So we're going to be without those for this course. But if I were doing a pen test I would have pro, and you will have pro as well, and you're going to want to scan the site. And scanning will do two different things. One, it's going to do crawling, which used to be called spidering, and this was a feature that was part of Burp Suite prior to version 2.0. So they took that away and made it more of a paid edition type deal.
But you would do spidering, which is trying to go out to different websites within the branch here, and it's going to look for, you know, other sites and try to see where it can get access to. On top of that we have what's called active scanning. Now active scanning will go out, and we have a dashboard here, and this is just a demo, but it shows you, you know, the different issues that it might pull up, and it's going to actively scan against a website and it's going to try to do SQL injection or do cross-site scripting attacks or do all these different attacks and see what it can pick up. Now the thing about scanning, in my experience, and I've actually run scanners before, is that it picks up maybe 10 percent of what's out there. So scanning is nice, but you shouldn't rely on your scanning; you should rely on manual testing and going through your checklist. Scanning is good at picking up some things and helping you identify certain little flaws here and there, but do not rely on your scanners. Don't rely on your Nessus, don't rely on your Burp Suite Pro or any of that. While they're good to have, they're not fully reliable. So let's talk about some of the features of Burp Suite and what we can do with it. So you've already seen the proxy feature. We can turn the intercept on, and when the intercept is on, we refresh your page here. You can see that it intercepts and it just hangs this page.
And what that's doing is, this is giving us the option to mess with this, or at least see what's going on here. We could see what the request looks like: we're making a GET request and we're making it to the localhost. And we have our user agent here. We've got some cookies, and this is just a basic request. Now I want you to right click on this request and go ahead and just send that to Repeater, and Repeater is a request repeater, so we can go ahead and send this request and you can see what comes back. OK. We get a 304 Not Modified. So let's go here and just forward this request and see what happens. And you can see GET socket.io comes through, and there's a few little things that's going on. This one's coming through, which is telling us that this is an API, and we're going to keep forwarding through. And what's happening too is we're intercepting more than just localhost 3000. So what we want to do too is we're going to go ahead and go into the options here. And we're going to say we're going to intercept client requests if target is in scope, and server responses if the target is in scope. That way we won't intercept anything from any other websites. Mozilla will go in the background and have requests come through while you're sitting there on intercept as well.
So Repeater allows you to repeat requests. When we're doing this, what we can do is, say we want to do parameter tampering, or we wanted to test here; we say, you know, we've got a GET request. Let's go ahead and just change it to a POST request. Let's see how the website handles it. And we can make different modifications: maybe we delete a cookie here, or we change the user agent, or we do something in here that is a little bit malicious after we've intercepted this request, and then we take it to Repeater and we can repeat our requests over and over and over, and you'll see how this becomes useful as we go on through the course. So other things: we've already covered Intruder in this course now. Intruder, again, is where we can store a payload and then we can use that to do an Intruder attack. Now the Intruder attack on Community Edition is very slow. We don't have access to a lot of speed here, because they limit you, because they want you to buy the pro edition. You can go into the Extender tab here, and if you go to the BApp Store, if you click on BApp Store, sort by popularity, and there are some free ones. So you see the ones where it says requires Burp Suite Pro. There are some free ones in here that we can install. And one of those is actually Turbo Intruder, which will do Intruder at a faster speed.
We're really not going to need it for this course. I just want to point out, and this is another feature too, Burp Suite versus Pro, is that the pro edition has all these additional scanning features, like Active Scan++ is additional on top of the active scanning that it does; it looks for even more vulnerabilities. Retire.js looks for vulnerabilities in JavaScript libraries, which is really nice, you know, and you go down the list and there's all these different really, really nice features, like CSRF looks for CSRF vulnerabilities, and you don't have to know what any of these are right now, but it's just nice to have those in the pro edition that we won't have now in the Community Edition. So on top of this we have a Comparer feature in here. We can send one item to Comparer and then another item, and just look at the differences if we want to. I don't use this too much, but it's always nice to see it. Hey, has something changed on this page, and what changed in the page or the response that we got? Decoder is a nice feature as well. So say that you have something like this. I can highlight this cookie and we're going to send this to Decoder, and say something is encoded as, like, base64 or URL encoding. You can go ahead and decode this or you can encode this.
So say you want to encode this whole thing as URL encoding; well, it encodes the whole thing. Or you want to encode the whole thing as, you know, base64. Let's put this in base64, and this is just another feature of Burp Suite that is good to use. Mainly what we're going to be using in this course is the proxy intercept. We'll be hanging out a lot in the Target page, and we'll be looking through the targets and what comes through when we're scanning, and we're going to be in the Repeater tab mostly. So Repeater is going to allow us to intercept requests, send them to Repeater, and modify the requests and keep targeting different things until we get something that works for us. So that's just the high level overview. Again, it's not going to go into full detail because we only have the Community Edition. I do recommend purchasing the pro edition once you get into it. So it's not a necessity right now, but if you are interested in bug bounty hunting or if you want to get the full effect of learning web apps, I highly recommend the pro edition, but again it's not a necessity at this time. So from here we're going to move into our different attacks, and we're going to start explaining these attacks, and we'll focus on each one of them and what we can do with them. So the first attack up in the OWASP Top 10 is injection attacks.
So in the next video we're going to start talking about SQL injection.