OWASP Top 10 training for Burp Suite

Hello and welcome again to this OWASP Top 10 training series. In this blog post, you will set up Burp Suite and configure it to capture HTTP traffic.

By the end of this blog post, you will have everything ready to start practicing all the OWASP Top Ten vulnerabilities. If you would like to set up Zaproxy instead, I prepared a step-by-step guide to do it here. My suggestion is to set up both OWASP ZAP and Burp Suite and get comfortable working with both. They are the two best tools to have under your ethical hacking belt.

OWASP Top 10 training setup steps for Burp Suite

Burp Suite is a collection of web application security testing tools developed by PortSwigger Web Security. If this doesn't ring a bell, follow @albinowax on Twitter and google the PortSwigger Web Security Academy; you will thank me later 😉

Burp Suite is a great piece of software which lets you perform the same tasks as OWASP ZAP does. It comes in Community (free), Professional and Enterprise editions. Professional adds Burp Scanner, for automated (or rather semi-automated) testing. Enterprise is meant for environments where you need to scan your assets continuously.

For now, all you have to know is that the free Community Edition is more than enough for the purpose of this training.

Setup Burp Suite Community Edition

  1. As we did with OWASP ZAP, go to the download page and download Burp Suite Community Edition. This is the free version.
  2. Follow the setup instructions by clicking the Next button.
  3. When the installation is done, click on the Finish button.
  4. When you open Burp Suite, the only option available is a temporary project (Community Edition does not save projects to disk, so your history is gone when you close Burp), which is fine for our case. Click Next, then click “Start Burp”.

Configure Burp Proxy settings

  1. In the top left you can see tabs. Click on the one named “Proxy”, then on the Options tab (called Proxy settings in recent Burp versions) (screenshot: OWASP Top 10 training: Burp Suite proxy settings).
  2. In Proxy Listeners, edit the listener and change the port to 8087, or any other port that doesn't collide with a service already running on your machine. Remember that if you still have Zaproxy running from the previous episode, you obviously cannot reuse its port in Burp Suite. Leave the bind address on 127.0.0.1 (loopback only): binding to all interfaces would expose your proxy, and everything your browser sends through it, to the rest of the network.

Configure the web browser

  1. To configure the FoxyProxy add-on, follow the same steps as we did for Zaproxy and create a new proxy pointing at 127.0.0.1 and port 8087. Give it a meaningful name, like “Burp”.
  2. Now we are going to import Burp's CA certificate. Make sure Burp is selected as the active proxy in FoxyProxy, then browse to http://burp. This page is served by Burp itself, so if it doesn't load, the listener or the FoxyProxy entry is wrong.
  3. Click on CA Certificate in the top right corner of the web page to download the certificate (a DER file named cacert.der).
  4. Follow the same steps as we did in the Zaproxy setup part to import the downloaded certificate into Firefox, with the same caution: trust it only in the Firefox profile you test from, never in the operating-system certificate store.

Testing HTTP traffic with Burp Suite

  1. Go to the Proxy tab, then the Intercept tab.
  2. Click “Intercept is on” so that it reads “Intercept is off”; otherwise every request will hang in Burp until you forward it by hand. Then click on the “HTTP history” tab (screenshot: OWASP Top 10 training: Burp Suite HTTP history).
  3. Visit any web page in Firefox; you should see the HTTP traffic coming through Burp Suite in the HTTP history. Try a plain http:// page first: if that works but https:// pages fail with a certificate warning, the listener is fine and it is the CA import that needs fixing.

Congratulations! You’ve made another step forward towards practicing OWASP Top 10 vulnerabilities! In the next episodes, we will set up and configure our vulnerable web applications.

That’s it for today! I hope you enjoyed reading this blog post. Stay tuned for the next one. If you’d like to be notified when there is news on thehackerish.com, please subscribe to the Newsletter below. Until then, stay curious, crave for learning, be ethical and share with the world!

Find the video here

OWASP Top 10 training setup for OWASP Zap

Hello and welcome to this first blog post in the OWASP Top 10 training series, where we will set up OWASP ZAP to exploit OWASP Top Ten vulnerabilities. Chances are that you are already familiar with the OWASP Top 10 and are looking for ways to practice. Let me tell you that you made a great decision, and I'm honored to help you continue your learning journey. However, if you are not familiar with the theory behind the OWASP Top 10 vulnerabilities, I highly suggest you learn it first.

OWASP Top 10 training summary

In this OWASP Top 10 training series, you will practice the exploitation of most OWASP Top 10 vulnerabilities both in Java and NodeJs. You will learn how to leverage the power of the best web proxies and you will understand why you were able to exploit the vulnerabilities. It is going to be a very exciting journey, so let’s get started!

In this blog post, you will set up your lab using OWASP ZAP. Then, you will configure it to capture HTTP traffic.

By the end of this blog post, you will have your favorite proxy ready for the next step.

Zaproxy setup for OWASP Top 10

ZAP is the open-source web application security testing tool that belongs to OWASP; it is one of their flagship projects. It proxies HTTP traffic and lets you inspect, modify and resend requests to test for security vulnerabilities. Zaproxy has many other features, like spidering web applications and performing automated scans, plus many more! It comes in many packages; you can even run it on your VPS and use the same user interface as the desktop one from your browser! For now, we are just going to use the bare minimum, as the focus is the OWASP Top 10.

Download and install OWASP Zap

  1. You first need to download the desktop version. Go to the Zaproxy download page and pick the package for your OS.
  2. Then, install it as you normally would on your OS. I will be using a Windows box for the remaining steps. However, it should be straightforward for you as it is just a matter of clicking Next.
  3. Choose a Standard installation when prompted, as shown below (screenshot: OWASP Zap installation type).
  4. When you finish the installation, go ahead and open Zaproxy.
  5. For now, we will not persist our ZAP session, so just click Start as you can see below (screenshot: OWASP Zap session).
  6. Go to Tools and choose Options at the bottom.
  7. In the menu on the left, click on Local Proxies.
  8. Verify that your Address is set to 127.0.0.1 and that the Port is something other than 8080, which is ZAP's default but also what Burp and many locally run web applications use. I will be using 8088, so choose the same to avoid any trouble throughout this training. Keep the address on 127.0.0.1: that binds the listener to loopback only, so nobody else on your network can route traffic through, or read traffic from, your proxy (screenshot: OWASP Zap local proxy).

Configure the web browser

For now, we will configure the Web Browser with OWASP Zap. I personally recommend using Firefox. In fact, I’ve had some issues setting up Chrome in the past; I wasn’t able to capture the traffic as expected from localhost. Anyways, feel free to use whatever you choose. In case things don’t work as intended, go back to this step and use Firefox.

  1. First, we will generate a Zaproxy dynamic certificate. This is optional, but it is what allows you to work with HTTPS web applications: ZAP generates a root CA and signs a certificate for every site you visit on the fly, and Firefox will only accept those if it trusts that root. So go to Tools > Options as you did before for the Zaproxy listener, and choose Dynamic SSL Certificates (in recent ZAP versions this lives under Network > Server Certificates).
  2. Click Save as shown below (screenshot: OWASP ZAP dynamic SSL Certificate).
  3. Choose your destination file and save the Zaproxy root CA.
  4. In Firefox, type “about:preferences” in the address bar and search for Certificates, see the screenshot below (screenshot: Firefox Certificate Settings).
  5. Click on View Certificates. Under the Authorities tab, choose Import and locate your previously generated Zaproxy root CA file.
  6. Check the boxes as seen below and hit OK; the one that matters is “Trust this CA to identify websites” (screenshot: Firefox Certificate import). Keep in mind that the private key of this root CA sits on your disk, and anyone who gets hold of it can silently intercept every HTTPS connection from a browser that trusts it. Import it only into the Firefox profile you test from, never into the operating-system certificate store, and remove it when you no longer need it.

Setting up Firefox proxy settings

I’m going to use the well-known FoxyProxy add-on for that. It allows for more flexibility and makes it more reliable to capture HTTP traffic.

  1. On Firefox, go to this addon page and install it.
  2. You will have a new icon of a fox next to your Browser’s address bar.
  3. Click on it and choose Options in the drop-down menu.
  4. In the top left corner, click on Add. Make sure that the IP address is 127.0.0.1 and the port is 8088, or whatever port number you set earlier. I named it “OWASP Zap”; feel free to name it however you like, then click on Save (screenshot: foxyproxy add new proxy).
  5. Now, click on the fox icon next to your Firefox’s address bar and choose the newly created proxy.
  6. Make sure Zaproxy is up and running, then visit a webpage of your choice. You should see some HTTP traffic going through Zaproxy (screenshot: OWASP Zap history tab).
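If you would rather check the listener from a script than by eyeballing the history tab, the following Python does the two things that go wrong most often: it tells you whether a port is already taken before you pick it, and whether the proxy is up and actually relaying a request. It works for the ZAP listener configured above (8088) and just as well for the Burp listener (8087) from the Burp Suite post. This is an added example written for this tutorial, not code from PortSwigger or the ZAP project. It assumes the proxy listens on 127.0.0.1 and, like Burp and ZAP, accepts a browser-style absolute-URI request; the stub proxy at the bottom is a constructed stand-in so you can exercise the checks without either tool running.

```python
"""Sanity checks for a local intercepting proxy (Burp on 8087, ZAP on 8088).

Added example for this tutorial; not code from PortSwigger or the ZAP
project. Assumptions: the proxy listens on 127.0.0.1 and, like Burp and ZAP,
accepts a browser-style absolute-URI request ("GET http://host/ HTTP/1.1").
"""
import http.client
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def port_is_free(port, host="127.0.0.1"):
    """True when nothing accepts connections on host:port.

    Run this before choosing the listener port so Burp, ZAP and the
    vulnerable apps you will run later do not fight over the same socket.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(0.5)
        return sock.connect_ex((host, port)) != 0


def pick_free_port(candidates, host="127.0.0.1"):
    """Return the first candidate port nothing is listening on, else None."""
    for port in candidates:
        if port_is_free(port, host):
            return port
    return None


def proxy_get(url, proxy_port, proxy_host="127.0.0.1", timeout=5.0):
    """Fetch url through the proxy, ignoring any system-wide proxy settings.

    Returns (status, body). Use a plain http:// URL: it needs no CA trust,
    so a failure here points at the listener, not at the certificate import.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://{proxy_host}:{proxy_port}"})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # a 4xx/5xx still proves relaying
        return err.code, err.read()


def check_setup(proxy_port, probe_url="http://burp/", proxy_host="127.0.0.1"):
    """Report whether the listener is up and whether it relays a request.

    http://burp/ is the page Burp serves itself; for ZAP use any http:// site.
    """
    if port_is_free(proxy_port, proxy_host):
        return {"listening": False, "relayed": False, "status": None}
    try:
        status, _ = proxy_get(probe_url, proxy_port, proxy_host)
    except (OSError, http.client.HTTPException):  # refused, reset, timeout, junk
        return {"listening": True, "relayed": False, "status": None}
    return {"listening": True, "relayed": True, "status": status}


class _StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for Burp/ZAP: echoes the absolute URI it received."""

    def do_GET(self):
        body = self.path.encode()  # b"http://burp/" when sent via a proxy
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub_proxy():
    """Start the stub on a random loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_proxy.py 8088
        print(check_setup(int(sys.argv[1])))
    else:  # no port given: demonstrate against the constructed stub
        stub, port = start_stub_proxy()
        print("stub port free?", port_is_free(port))
        print(check_setup(port))
        stub.shutdown()
        stub.server_close()
```

Run it with the listener port as the only argument once ZAP (or Burp) is up; a result of listening True but relayed False usually means the port belongs to some other service, which is exactly the collision the port check is meant to catch beforehand. The script deliberately builds its own ProxyHandler instead of relying on the environment, so a stray http_proxy variable cannot send the probe somewhere else.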

Congratulations! You’ve made a step forward towards practicing OWASP Top 10 vulnerabilities!

For a penetration testing career, I find it good to be fluent in both OWASP ZAP and Burp Suite. I personally work with the latter. However, during an assessment, I had to tamper with WebSockets before Burp Suite implemented this feature. I knew Zaproxy supported it. So I used Zaproxy and I was able to find cool bugs using the resend feature inside OWASP ZAP. So be open to learning new tools; you never know when they will come in handy!

For this reason, I will also show you how to setup Burp Suite to achieve the same thing in the next blog post.

That’s it for today! I hope you enjoyed reading this blog post. Stay tuned for the next one. Subscribe to the Newsletter below to be notified when there is news on thehackerish.com. Until then, stay curious, crave for learning, be ethical and share with the world!

If you enjoy learning on YouTube, I prepared the OWASP Top 10 training video series just for you. Here is the setup video.

OWASP Top 10 training: How to setup OWASP ZAP