- [Instructor] One of the most used types of tools for hacking web applications, by far, are proxies, or web proxies. And, basically, what a web proxy is, I'm gonna put here P, for short, is a piece of software that sits between your web browser and the web application, and intercepts all the transactions between the client, or the web browser, and the application for you to be able to inspect, modify or delete any type of transaction. And, by far, one of the most popular proxies is Burp Suite. And Burp Suite is, basically, a series of tools that include a proxy, or proxy capabilities, within the environment. And as you see in here, you can actually intercept transactions between a web client, or a web browser, and a web application. Later, we're gonna be using Burp Suite to launch different types of attacks, and to find different vulnerabilities, like cross-site scripting, cross-site request forgery, SQL injection, and many more.
Now, there are a few ways that you can set up your environment to intercept transactions between the web browser and the web application using Burp Suite. The easiest way is by using the built-in browser that comes with Burp Suite. So, if you go under Proxy, Intercept, you see that, in here, you can click on Open Browser, and it will open a Burp Suite browser. At the end of the day, it is actually Chromium that is built in within the application. Now, another way is that you can use other browsers, such as Firefox, that comes with Parrot and Kali Linux, and you can go under Preferences, scroll all the way down to Network Settings, and in there, you can set the manual proxy configuration for your loopback IP address, so 127.0.0.1, on port 8080, which is the default port that Burp Suite is configured to perform the proxy transactions on. Now, in this case, I'm setting it up for HTTP proxy. You can also use proxy settings for FTP and HTTPS, if you so desire. And, if you click on OK, of course, all the transactions between the web browser and the web application will be intercepted by Burp Suite.
Now, in this case, I also have installed an add-on or an extension to my web browser, called FoxyProxy, and I already have it configured here, for Burp, and I wanted to be a little bit more creative, and I put Burp lit, so 1337, but if you go under Options, and I'm gonna go into Edit. Of course, I already had an entry, but you can create an entry and name it as you will. In this case, I actually have it pointed also to 127.0.0.1, on port 8080. We don't need a username and password, and I will save those settings. Now, if I actually go and turn on Burp, or turn it off, turn on the proxy, by any means, and turn it off, it's a lot easier than navigating to Preferences, and then, if you want to stop the transactions from going to the proxy, it's a more lengthy way to actually go all the way to Settings again, and then, of course, to disable the proxy this way. But once again, one of the best or easiest ways is actually to use the built-in browser.
Now, in this case, just to provide a very quick example on how to intercept transactions between this web browser and the web application using Burp Suite, I'm gonna navigate to an intentionally vulnerable application that I have in my environment, in the Weblo labs environment that I mentioned earlier. And in this case, I'm pointing it to 10.6.6.23, which is an application called Gravemind. But as you see, nothing is displayed in the browser because Burp Suite is actually intercepting the transactions. And you see here that I actually, I am intercepting that transaction. I can click on Forward. And when I do that, you see that the page is actually being populated. Every time that I click on something, or that I navigate or refresh, you will see that the transactions are intercepted with the proxy. You can also look at the HTTP history to see any other transactions that we have concluded before. And you see that I had a lot of them with different applications in there, right? Some of them actually are part of a little bit of fuzzing that I was actually doing.
And I'm gonna cover what fuzzing is a little bit later in the presentation, and in this course. Now, let's go over another proxy that you can use. And it's actually a series of tools as well, not only a proxy, that is called the OWASP, so the Open Web Application Security Project, Zed Attack Proxy, or ZAP, and you can navigate in Parrot to Pentesting, Web Application Analysis, and launch OWASP ZAP from there, or from the command line; the command is zaproxy. Let's actually launch it real quick. And in this case, I am not gonna persist this session at this moment, I'm just gonna start the application. And basically, unlike Burp, this is an open source and free application. Now, Burp Suite, the one that we were discussing before, comes in two different versions, a community edition, that's the one that I was actually using, and a professional version that you have to pay for. And one of the differences between the community edition of Burp and the professional edition is the ability to do automatic scanning, and of course a whole bunch of additional plugins and features as well.
Now, in this case, the OWASP Zed Attack Proxy, or ZAP, it's open source and free, and it's an amazing OWASP project, which allows you to do automated scanning, right? So if I wanted to actually point this to the same IP address that we were navigating before, I can launch an attack, or I can launch basically an automated scan, just by clicking on Attack here. Now there are different modes that I can launch that attack in, like Protected, Standard, ATTACK Mode, and so on. I'm just gonna leave it in Standard Mode. And I'm gonna launch this, quote unquote, attack. And basically what it's doing is actually navigating through all the different constructs of the application, and then it is also allowing to potentially find different vulnerabilities. And in that case, you will see them in Alerts. Now so far it hasn't found a lot of vulnerabilities in there yet, and this can take a few minutes depending on how big the application is. So in some cases, even an automated scan can take hours. Now, this one is a very, very simple web application that I have here for you to practice your own skills.
Now, in this case, this is a very simple web application that I have for you to practice your skills in a safe environment with Weblo labs. In many cases actually, a lot of these applications can take a significant amount of time. Now, as far as the actual proxy itself, you can turn on intercept basically, and set breaks on all the requests and responses. And basically you can literally see the request and the response in the window that I'm showing here. And you see that, of course, you can get very detailed information about all the transactions that are happening between your web browser, in this case actually a narrowed scan, right? But you can do it within your web browser and the web application. Now, there are also a few other open source web application vulnerability scanners that are very popular in the community. And one of them is called Nikto. And Nikto is a command line scanner to scan a web application and find different misconfigurations or vulnerabilities.
And also you can do a little bit of reconnaissance and find different directories and interesting files that you may then combine and deep dive into using other tools like Burp Suite, and so on. Now, in this case, what I'm going to do is I'm gonna point Nikto to the same web application that we were just navigating before. And as you see, it automatically, within just a few seconds, found that it is running nginx. And it is running this older version of nginx, 1.14.2. And it actually found a few different directories, like admin, wp admin, wp login, and so on. So this just took a few seconds. And as you see, some of these tools can be fairly powerful at doing enumeration and fuzzing, and of course, finding different vulnerabilities. Like for example, it found that it did not have any cross-site scripting protection headers, and also a few configurations for anti-clickjacking are not present in the web application. Later in the course, you're gonna be learning about how to analyze web applications, how to do additional footprinting, and how to find these types of vulnerabilities, and what these vulnerabilities are all about.
Now, later in the course, you're gonna be learning about how to analyze web applications a little bit further, also how to bypass client-side controls, how to find vulnerabilities like cross-site scripting, cross-site request forgery, clickjacking, and also how to do additional footprinting of web infrastructures and web applications.