Your First Bug (Burp Suite)

Pr0f_41bu5
System Weakness
Published in
3 min read · Sep 16, 2022

Cc: InsidePHD

Target → fills up as you explore a website. The scope is used to hide a lot of unimportant stuff by narrowing it down.

Scope → organizes the requests.

Proxy → turning intercept off, interacting with requests before sending them

HTTP History → timeline of when we did something. I prefer it over the site map; it is easy.

Options → settings such as SSL pass-through (important)

Repeater → allows you to repeat a request. What can we do with it? We can fuzz some of the values, edit them, delete them (play around with them and see what happens).

*e.g. For something like a login page that has a ton of stuff it’s not that useful, but when we start to look at login forms where we are sending something like a username or a password, or we are interacting with an API where we have a kind of product, we can ask: what if I log in to another account, can I do something on the second account by replaying a request I made from the first account and just changing the cookies? That is called finding IDORs.

*So all you need to find an IDOR (you can access something you shouldn’t be able to access because you’re logged in to the wrong account: you’re using the cookie from one account but you’re making changes that belong to the first account) is Repeater, or you can do it all manually, i.e. you can go in there, find the cookie and physically edit it there, or just remove it, and see what it does.
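The IDOR described above, as an added example that is not part of the original post: a minimal model of a "get order" endpoint that authenticates the cookie but never checks ownership, next to the version that binds the lookup to the session's user. The session table, order data and cookie values are constructed for the example, and `cross_account_leak` is the kind of regression check a developer would keep to make sure the bug stays fixed.

```python
# Constructed data: session cookie -> user id, and orders keyed by order id.
SESSIONS = {"cookie-alice": 1, "cookie-bob": 2}
ORDERS = {
    101: {"owner": 1, "item": "laptop"},
    202: {"owner": 2, "item": "phone"},
}


def get_order_vulnerable(cookie, order_id):
    """IDOR: the cookie proves *who* you are, but the order_id is trusted as-is.
    Replaying Alice's request with Bob's order_id returns Bob's order."""
    if cookie not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(cookie, order_id):
    """Fixed: the owner recorded on the order must match the user bound to the session."""
    user_id = SESSIONS.get(cookie)
    if user_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Treat "not yours" the same as "does not exist", so the endpoint does not
    # confirm which order ids are valid to someone enumerating them.
    if order is None or order["owner"] != user_id:
        return 404, None
    return 200, order


def cross_account_leak(handler):
    """Replays Alice's authenticated request against Bob's order, exactly what one
    would do in Repeater. Returns True if the handler hands over Bob's data."""
    status, body = handler("cookie-alice", 202)
    return status == 200 and body is not None and body["owner"] != SESSIONS["cookie-alice"]


if __name__ == "__main__":
    print("vulnerable leaks:", cross_account_leak(get_order_vulnerable))  # True
    print("fixed leaks:", cross_account_leak(get_order_fixed))            # False
```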

*Another use of it is to find interesting endpoints, and really what you want to do when you’re testing is try to take all the data you know; we have so many requests in

*Useful for finding business logic errors (BLE) → let’s say you have something where you can set a quantity: what happens if you send something other than one, say minus one? Or you can add a coupon code: are you sending the actual coupon, or the amount it’s discounted by? Using something like Repeater you can sit there, edit those requests and then kind of fuzz them.

Intruder → brute forcing with wordlists (e.g. PayloadsAllTheThings and FuzzDB on GitHub)

*One of the things we can do is blind SQLi; for that we could open sqlmap, but that takes some time. We try the SQLi in every field: username, display name, email, and of course the password.

We can try a generic time-based SQLi, which is super useful because it can tell us whether something is SQL injectable just by looking at the time difference. In a time-based SQLi all we do is make the database wait; we’re not trying to access the database, we’re just saying: wait. If it’s SQL injectable, the page will wait for us. So we paste in the list (Highlighted).

We are looking for those endpoints that seem suspicious, right? We are not looking for bugs. We’re looking for something that could be a bug.

*Useful with something like FuzzDB, where you can use the discovery file or a ton of other stuff that is there; that’s all about finding themes, or just finding folders that no one wanted us to see.

*The login page is predictable, but if there are products, ads and things like that, we can discover them using Intruder.

The primary use of Intruder is sending payloads and seeing what comes out: do you get a different length? A different response?

Discovering API endpoints, discovering files, and each of those can lead to a bug.

Remember, you are looking for things outside the ordinary (so you must know the ordinary).

Extender → allows you to install and access extensions for Burp, e.g. JSON, sqlmap integration (you can send injections directly from Burp to sqlmap, tell it what the parameters are, and make sure the cookies get sent properly).

All you need to find your first bug is Intruder, Repeater, Proxy and Target. That’s it; you don’t need to pay, and you don’t need to find amazing bugs on your first try.