Or log in to access your purchased courses

Web App Security Testing & Burp Suite Fundamentals 

Manual Web App Security Testing Fundamentals
Understanding how to use Burp Suite to perform a web app test
Integrating Burp with Skipfish
Integrating Burp with SQLMap

Day 2: Integrating Burp Suite with other tools and writing your own plugins 

Using Burp to mask Nikto headers
Running w3af plugins through Burp
Integrating Burp with SoapUI
Burp Suite Automation

Lessons

C1L1: Course Materials

Author: Joseph McCray

Introduction: Welcome to the introductory tutorial to Burp Suite. It gives details about the installation and usage of Burp Suite, which is an essential tool for bug hunters and web application pentesters. Learning Objectives: Learn how to install Burp Suite Understand how to use a Proxy connection to analyze web applications Understand  how to use Burp Suite [...]

C1L2: Getting started with VMWare

Author: Joseph McCray

For this workshop you’ll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player. A 30-day trial of Workstation 11 can be downloaded from here:  https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0   A…

C1L3: Basic: Web Application Testing

Author: Joseph McCray

WEB APPLICATION TESTING Most people are going to tell you to reference the OWASP Testing guide. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents I’m not a fan of it for the purpose of actual testing. It’s…

C1L4: SQL Injection

Author: Joseph McCray

Basic XSS Cross-Site Scripting (XSS) is a type of injection script that can be directed to the perforation of security standard on a trusted website, it is often used to…

C1L5: Union-Based SQL Injection

Author: Joseph McCray

http://54.213.252.28/bookdetail.aspx?id=2 order by 100– http://54.213.252.28/bookdetail.aspx?id=2 order by 50– http://54.213.252.28/bookdetail.aspx?id=2 order by 25– http://54.213.252.28/bookdetail.aspx?id=2 order by 10– http://54.213.252.28/bookdetail.aspx?id=2 order by 5– http://54.213.252.28/bookdetail.aspx?id=2 order by 6– http://54.213.252.28/bookdetail.aspx?id=2 order by 7– http://54.213.252.28/bookdetail.aspx?id=2 order…

C1L6: Blind SQL Injection Testing

Author: Joseph McCray

BLIND SQL INJECTION TESTING Time-Based BLIND SQL INJECTION – EXTRACT DATABASE USER 3 – Total Characters http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY ’00:00:10′– http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY ’00:00:10′– http://54.213.252.28/bookdetail.aspx?id=2; IF…

C2L1: What is XSS

Author: Joseph McCray

WHAT IS XSS   https://s3.amazonaws.com/infosecaddicts-files/2-Intro_To_XSS.pptx OK – what is Cross Site Scripting (XSS) 1. Use Firefox to browse to the following location: http://45.63.104.73/xss_practice/ A really simple search page that is…

C2L2: A Better Way To Demo XSS

Author: Joseph McCray

XSS DEMO   Let’s take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box. Use Firefox…

C3L1: Setting up Burp Suite

Author: Joseph McCray

Download latest free version of Burp at http://www.portswigger.net/burp/download.html Make sure that burpsuite_free_v1.6.31.jar is set as executable (chmod +x burpsuite_free_v1.6.31.jar) and then run: Installing JAVA In Ubuntu open the terminal then run: sudo…

C3L2: Web Services

Author: Joseph McCray

WEB SERVICES   http://data.serviceplatform.org/wsdl_grabbing/seekda-wsdls.with_ini/36-CurrencyConvertor.wsdl Question 1: What is the process that you use when you test? Step 1: Automated Testing Step 1a: Web Application vulnerability scanners – Run two (2)…

C4L1: Nikto with Burp in Linux

Author: Joseph McCray

NIKTO WITH BURP cd ~/toolz/ rm -rf nikto* git clone https://github.com/sullo/nikto.git Nikto2 cd Nikto2/program perl nikto -h http://zero.webappsecurity.com -useproxy http://localhost:8080/   Masking the Nikto header reference: http://carnal0wnage.attackresearch.com/2009/09/btod-nikto-thru-burp-masking-nikto.html