Application Security Tips: Intro to Burpsuite, user name enumeration and brute-forcing passwords
Author: Absolute AppSec
Uploaded: 2021-09-02
Views: 714
Description:
This Application Security Topic and Tip demo should be especially useful for people new to application security testing, bug-bounty hunting, or red-teaming.
Burpsuite (https://portswigger.net/burp) is a powerful tool to include in your AppSec widget box. Seth demonstrates how to use Burpsuite to (1) watch the traffic going on behind web applications, (2) probe an application’s functionality so it leaks information (in this case valid user names), and (3) brute-force passwords using Burpsuite’s built-in tools, eventually gaining access to an insecure application.
Facilitating this demo is VTM (vulnerable task manager), an intentionally vulnerable web application that cktricky and Seth often use in application security and secure code review training courses. An open source repo for VTM can be found here: https://github.com/redpointsec/vtm
OWASP’s Juice Shop is another intentionally vulnerable application that Seth mentions; people can test against it and educate themselves about Burpsuite’s functionality and use cases. https://github.com/bkimminich/juice-shop