It’s Hammertime: SQL Injection For Beginners

Oh hey! I presented at the Australian Information Security Association (AISA) Conference in 2019 with a presentation called SQL Injection for Beginners: It’s Hammertime. Peeps asked for the slides so here they are as a YouTube experience with all the vids and GIFs and as a bone dry SlideShare experience minus all the fun stuff.

King Root

Since 1983 there has been more than one way to make a connection an intricate dance called a three-way handshake one way to ask for permission one way back to ensure what we have is stable another to acknowledge our transmission this is the language written from every...

Inside Google South Korea as a Google Women Techmakers Scholar

Utter the words, ‘I’m going to Google’ and a collective awe spreads across faces like seeing your favourite singer on stage for the very first time. Google has undoubtedly reached rock star status in the collective consciousness of almost anyone who has ever had the...

Burp: A Quick Installation Guide


In order to execute a SQL injection, for example, we need to see what’s going on behind the interface when we enter our username and password and send them over the internet from the login page to the database.

To do that we need to use what’s called a Proxy and that’s just a program that intercepts traffic for you and tells you what’s going on behind the scenes.

A proxy is like an interpreter on an art gallery tour. You can turn it on and it will tell you what is happening when you enter data into a website, as opposed to interpreting the abstract watercolour you’re staring at blankly.

Burp Suite

Burp Suite Community Edition is absolutely free and comes pre-installed with Kali Linux, which you can download from the official Kali website. Depending on whether you’re using VirtualBox or VMware, you can choose a specific image of the operating system. They are mostly already set up for you, but there is a learning curve if you’ve never used a virtual machine (VM) before. A VM is really just another computer that you have operating alongside and inside your regular laptop or desktop, so you can keep your regular computer and all its programs safe and have specialised software like Kali Linux running separately and safely at the same time.

Burp Suite Community Edition

Burp's start screen

Burp Suite

So you’ve got Kali and you open Burp, which is already in the favourites bar on the left-hand side of the desktop – it’s that orange icon in the image above.

Foxy Proxy

But before you can use it you need to tell your browser that you want it to intercept the traffic for you and send it to Burp so you can view it. The easiest way to do that is to install an add on called Foxy Proxy.

Burp Suite & Foxy Proxy

Installing Foxy Proxy 

Click on the hamburger menu as shown in the image above – click on Add-ons and search for Foxy Proxy Standard – install it – turn it on.

Burp Suite & Foxy Proxy Options

Turning Off Intercept

Now go back to Burp and go to the Proxy tab as shown in the above image. By default intercept is set to on, and we want to turn that off. Otherwise you’ll be trying to use your website to log in and look around as usual but you won’t be able to, because Burp has intercepted your first request and is waiting for you to tell it what to do. With intercept turned off you can log in and look around as usual, and Burp will capture everything you do in the background rather than just the first request.

Burp Suite | Get the Certificate

Getting Burp’s Certificate

You need to install the Burp certificate in your browser so you don’t constantly get warnings that the site you are visiting isn’t safe because your browser knows something is intercepting your traffic.

To get the Burp certificate, open a new browser window and type burp into the URL bar as shown in the above image. Ensure that Foxy Proxy is set to on and you’ll be delivered a page like the one shown on the previous slide. Click on the CA CERTIFICATE title, which is actually a link, and download the Burp certificate.

Burp Suite | Import the Certificate

Installing Burp’s Certificate

Now you have to install it in your browser, so again go to preferences as shown in the above image – use the search box and type in ‘CERT’ – click IMPORT – browse to the Burp certificate you just downloaded – click OK and it will install for you, and you’ll no longer get those annoying warning pages when you’re trying to use Burp to intercept traffic.

Congratulations, you are now set up and ready to start intercepting all the internet traffic!
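To check the setup described above from a terminal, the following added example (not part of the original guide) confirms that the proxy listener is reachable, fetches the CA certificate through it, and prints its SHA-256 fingerprint so you can compare it with the certificate your browser imported. It assumes Burp's default listener on 127.0.0.1:8080 and that the CA Certificate link on the http://burp page points at /cert; neither value is stated on this page.

```python
"""Check a Burp proxy setup from the command line (added example)."""
import hashlib
import socket
import ssl
import urllib.request

# Assumptions, not stated on the page: Burp's default listener address and
# the /cert path behind the "CA Certificate" link on the http://burp page.
PROXY_HOST, PROXY_PORT = "127.0.0.1", 8080
CERT_URL = "http://burp/cert"


def listener_up(host=PROXY_HOST, port=PROXY_PORT, timeout=2.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_ca_der(host=PROXY_HOST, port=PROXY_PORT, url=CERT_URL):
    """Download the CA certificate (DER bytes) through the proxy."""
    proxy = urllib.request.ProxyHandler({"http": f"http://{host}:{port}"})
    opener = urllib.request.build_opener(proxy)
    with opener.open(url, timeout=5) as resp:
        return resp.read()


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint of the raw certificate bytes."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der_bytes):
    """Wrap DER bytes as PEM for tools that expect a text certificate."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


if __name__ == "__main__":
    if not listener_up():
        raise SystemExit(f"No listener on {PROXY_HOST}:{PROXY_PORT}; is Burp running?")
    der = fetch_ca_der()
    with open("burp-ca.pem", "w") as fh:
        fh.write(to_pem(der))
    print("Saved burp-ca.pem; SHA-256 fingerprint:")
    print(sha256_fingerprint(der))
```

Each Burp installation generates its own CA, so the fingerprint printed here should match the one shown for the imported certificate in the browser profile you use for testing.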

Lesbian Desire Across The Ages: From Insane To Cult Hero

Cast your mind across everything you know about lesbians in history. In particular, Australian history. You might be able to name one or two lesbians, bisexuals or queer women from the 1900s, if you’re in the know. Otherwise, it’s a pretty bleak and sparse canvas,...
