TryHackMe: Burp Suite

  1. First, visit https://portswigger.net/burp/communitydownload → Download the appropriate version for your OS → Install Java from https://www.java.com/en/download/, as Burp Suite requires the Java JRE to run.
  2. For Burp Suite to be able to read and intercept HTTPS data, we’ll have to install its CA certificate → Go to http://localhost:8080 → Click on ‘CA Certificate’ in the top right to download and save the CA certificate → Go to your browser settings → Search for ‘Certificates’ → Click on ‘View Certificates’ → In the Authorities tab, click on ‘Import’ → Navigate to where you saved the CA certificate and click OK.
  3. Open Firefox and install the FoxyProxy browser extension so that we can easily route traffic through Burp. Click on FoxyProxy → Click on ‘Options’ → Click ‘Add’ in the top left → Enter the following details: Title = “Burp” || Proxy Type = “HTTP” || Proxy IP Address = “127.0.0.1” || Port = “8080”.
  • HTTP History: Burp Suite saves the history of requests sent through the proxy, along with the details of each request.
  • Options: Here we can apply further fine-grained rules to define which requests we would like to intercept. This lets us leave intercept on permanently without disturbing sites outside of our scope, which is especially useful if we need to Google something in the same browser.
  1. Go to the “Customers Feedback” page → Fill in the form → Click “Submit”. (If you can’t see what the CAPTCHA question is, turn off your browser proxy and turn it back on afterwards.)
  2. Find the POST request for /api/feedbacks/ under the “Proxy” section, “HTTP History” tab → Right click and select “Send to Repeater”.
  3. Under the “Repeater” section → Find the “Rating” field → Change the value to 0.
  1. Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?
Pitchfork
Battering Ram
Cluster Bomb
Sniper
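
How the four Intruder attack types listed above combine payload sets with marked positions, as an added example that is not part of the original post and not Burp's own code. It goes beyond the Pitchfork case in the question to cover all four types; the function name `intruder_requests` and the sample values are constructed for illustration.

```python
from itertools import product

def intruder_requests(attack_type, base_values, payload_sets):
    """Return one tuple of position values per request the attack would send.

    base_values:  original value at each marked position in the template
    payload_sets: list of payload lists; sniper and battering ram use only
                  the first, pitchfork and cluster bomb need one per position
    """
    n = len(base_values)
    if attack_type in ("pitchfork", "cluster bomb") and len(payload_sets) != n:
        raise ValueError("need one payload set per position")
    if attack_type == "sniper":
        # One set; each position is targeted in turn, the rest keep base values.
        rows = []
        for pos in range(n):
            for payload in payload_sets[0]:
                row = list(base_values)
                row[pos] = payload
                rows.append(tuple(row))
        return rows
    if attack_type == "battering ram":
        # One set; the same payload goes into every position at once.
        return [(payload,) * n for payload in payload_sets[0]]
    if attack_type == "pitchfork":
        # One set per position, walked in lockstep; ends with the shortest set.
        return list(zip(*payload_sets))
    if attack_type == "cluster bomb":
        # One set per position; every combination across the sets is sent.
        return list(product(*payload_sets))
    raise ValueError(f"unknown attack type: {attack_type}")

# Constructed sample input: two marked positions and two small payload sets.
BASE = ("user", "pass")
SETS = [["a", "b", "c"], ["1", "2"]]

if __name__ == "__main__":
    for name in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        rows = intruder_requests(name, BASE, SETS)
        print(f"{name:13} {len(rows)} requests: {rows}")
```

The request count per attack type is what matters when scoping a test: Cluster Bomb grows multiplicatively with each payload set, while Pitchfork is bounded by the shortest set.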
  1. Select the “Positions” tab → Click on “Clear” → Select the field that we want to brute force, in this case the email field → Click on “Add”.
  2. Select the “Payloads” tab → Go to the “Payload Options” subsection → Click on “Load” to load the fuzzdb SQLi platform detection list.
  3. Under the same “Payloads” tab → Go to the “Payload Encoding” section → Uncheck the tickbox, as we don’t want any encoding to happen.
  4. Click “Start Attack”.


A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️

goay xuan hui
