Man this tutorial rocks! I just started my journey with cyber security (I have a frontend and backend background) and I very much appreciate that besides explaining how Burp works you are providing very useful info about the whole of pentesting and finding vulnerabilities. Now I am more aware of how important it is to check requests and send safe responses.
I'm glad this helped! That's exactly what I wish I had when I first started, so I'm making videos like these now.
@NetsecExplained great bro! I will be watching. Your teaching style is very good. Thanks
Really useful, highly comprehensive and detailed guide, lots of details not seen in other guides. I do recommend it.
seriously the best pen testing tutorial of any kind I've seen yet, I'm a beginner and know next to nothing about this stuff, but man this was simple and amazing
I'm so glad I came across your video. It prepared me for a job interview. Thank you so much!
Keep up the great work. This is what I've been looking for! Favorite channel!!
Thank you for the kind words!
Keep going man, please do tutorials on web bugs such as IDOR, XSS, etc.
i love YOU ...
Sure thing! I plan on redoing my Web Hacker Basics walkthroughs with better quality and more up to date information down the line, since those have been super popular. In the meantime, check them out on my channel.
@NetsecExplained perfect!!!
Great Video. Best tutorial for beginners
This is great! You should keep doing this and help us ❤
Subscribed to you to see more content like this, best of luck man!
Even though I am not finished with this video, I am leaving a comment to give this great guide more of a chance to get into the algorithm.
Glad you liked it!
Really enjoy seeing your video with proper timestamps, good explanation which is easy to understand and proper web methodology such as application mapping, which I don't see many other tutorials talk about. Burp colouring, tab renaming, show highlighted items, many more tips. Truly appreciate your effort. Can't wait to see the next video.
Quick question, why did you disable payload encoding?
That's a good question. It turns out that payload encoding automatically URL encodes your input. This isn't so much of a problem when you're doing numbers or simple strings, but if you're fuzzing email addresses or API endpoints, it can really mess up your results. It's bitten me in the butt enough times that I always turn it off.
Please make the full video you've promised I love this
Will do. I'll put it together as a whole class, that way I can go over everything start to finish.
@NetsecExplained Thanks bro
@NetsecExplained Would love to see your full pentest methodology
@NetsecExplained Please make this a course on Udemy, I'll gladly buy it
This is what a noobie should be looking for 🔥
It's awesome. Is there any way to donate so we can get more tutorials like this?
Glad you liked it! Not quite yet, I'm balancing videos with a full time job at a high-paced startup. When I get to a point I can release more regularly, then I will absolutely pour more time into them. For now, give me ideas on topics.
Want a detailed video on pentest methodology
0:55 I'm interested 100%
Glad to hear it. I'll put it together as a course.
We too brov!
good video. well explained
Great work!
♥️👌👌👌🎉. Excellent, very useful. I really liked the voice over. Can you please tell me how and where you did the voice over settings for a smooth and loud voice? Is there any link? Please send me. Very helpful video 🎉🎉. Thank you 🌟
It's just my voice honestly. You can play with equalizer settings in Audacity if you really want to. There are tons of tutorials online.
20:18 How did you know it was Base64 encoded? What gave it away? I know usually when it ends in == that's Base64 encoding, but how did you know this one is? Is it because it's a JWT token?
Good question! You will develop an intuition over time as to what looks like a Base64 string vs not. However, in this instance we can see the letters "eyJ" which translates to {" from Base64. That usually indicates the start of a JWT. Try repeating what I did here on your own and see if you notice the connection.
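The "eyJ" tell from the reply above, worked through as an added Python example (not the video's or the channel's code): it decodes the three-character prefix to show why it marks a JSON object, scans a constructed HTTP response for JWT-shaped tokens the way you would eyeball Burp's HTTP history, and decodes the header and claims for inspection without verifying anything. The token, the `example-key` secret and the cookie name are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import re

# JWT-shaped strings: two base64url segments that start with "eyJ" (the base64
# encoding of the bytes '{"', the opening of a JSON object) plus a signature.
JWT_PATTERN = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip off."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def looks_like_jwt(token: str) -> bool:
    """Cheap triage check: three segments, header and claims both starting with 'eyJ'."""
    return JWT_PATTERN.fullmatch(token) is not None


def find_jwts(http_message: str) -> list:
    """Return every JWT-shaped token found in a raw HTTP request or response."""
    return JWT_PATTERN.findall(http_message)


def decode_jwt(token: str) -> dict:
    """Decode header and claims for inspection only; nothing here checks the signature."""
    if not looks_like_jwt(token):
        raise ValueError("not a JWT-shaped token")
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(claims_b64)),
    }


def make_sample_token() -> str:
    """Build a constructed HS256 JWT with a throwaway key (not a real token)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"sub": "42", "role": "customer"}, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(claims)
    sig = hmac.new(b"example-key", signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed sample response, like one you would see in Burp's HTTP history.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    f"Set-Cookie: token={make_sample_token()}; Path=/; HttpOnly\r\n"
    "\r\n"
    '{"status":"ok"}'
)

if __name__ == "__main__":
    print(b64url_decode("eyJ"))  # the bytes behind the "eyJ" prefix
    for tok in find_jwts(SAMPLE_RESPONSE):
        print(decode_jwt(tok))
```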
Thanks! I’ll try to be better at cyber security (I’m 14 btw)
I recommend starting with Portswigger Academy and TryHackMe. They're very approachable and will cover the deeper technical topics as you grow into it.
Hey, can you please do the same with Nmap? I watched so many Nmap tutorials and I know the commands but I don't understand the whole thing...
Yeah, I'll put that together for you! It's been on the list but I'll bump it up.
I don't know if you (Internet user reading this) only use Burp in your spare time or if you use it for a job. But if you do, I strongly advise buying the professional version, it is worth it and can spare you so much time when working on decent websites that aren't specifically made to be easily hacked like the OWASP web server you've used when following along with this video.
Also, I find the title not only misleading, but straight up wrong. This knowledge alone is absolutely not even close to someone who has mastered Burp Suite. Not even the community edition, let alone the whole software including the pro features.
Hey, thanks for your input. I use Burp professionally, but we decided to show community edition in this video to allow others to follow along without getting overwhelmed by the cost and additional options in professional. If you'd like another video on how to use Burp Pro and all its extra features, we can make that for you.
Awesome, not one of the thousand "basic" videos, but one with actual content!
100% There's plenty of videos that are created by beginners for beginners, but not many for those who work in the field. I try to introduce people into pentesting and network security from a senior's perspective.
If you want to learn how to use "Burp" then you should not watch this video. Do not waste your time. Much more information can be read in 5 minutes in the text instructions. All the examples given in the lecture will never come across you in real life, and the principles they reveal can be written down in several paragraphs of text on one page of a small notebook. This guy is very good at teaching you but he has big problems with the content of the lesson. This reminded me of the lesson "How to draw a raccoon in 3 steps." Step one: draw a line. Step two: draw another line. Step three: add a raccoon to them. Done. Only in this video you will only be taught to draw lines, and straight ones. This criticism is written with respect to the creator of the video and his work.
I agree, this video isn't for beginners who have not used Burp before. This video is aimed at those who have used Burp but want a better understanding on how professionals use the tool on real-world engagements, beyond what the manual will tell you. I walk through the thought process and methodology and where Burp fits every step of the way.
@NetsecExplained Why not add "not for complete beginners" in the title then?
Need answers for the homework as a beginner 😭
Beautiful, congratulations Netsec, I have watched a lot of sec videos and this is very useful
Insanely helpful! Beats any other tutorial I've seen in almost any other skill. Will watch more of your videos now!
Great video, thank you. I see video was posted 8 months back, is that still the case that we can't generate targeted report with req/resp and explanation of vulnerability that can be shared with dev team?
Can you please help with the HW? I made the intercept request for product id 38 but it's not coming
Why?
Do for Wireshark, Nmap, OpenVAS, Nessus, Metasploit, BeEF, OWASP ZAP, Aircrack-ng, Kismet, Autopsy, Volatility
Great suggestions! I'll get right on those.
When you design a website to have 30 million vulnerabilities obviously it’s easy. You should teach from a standpoint of live sites that are pentestable (authorized) and secure. 🤓
I have a few on my channel that do just that. The biggest issue is that hacking is like 80-90% not finding anything. Unless I do a livestream, I don't think people will enjoy watching me spend 40 hours on a real assessment. So I try to distill what my process is in a way that others can try at home.
Very good
Excellent - concise, well explained. And worth the time. Please keep it up.
Such an amazing video thank you!
Awesome content, bro! Just wondering, when can we expect the full pentesting methodology video? It's been about 10 months now
I'm putting the course together. Since it will be everything that I know about pentesting, I won't be able to release it for free on UA-cam.
This was an amazing video, loved the concepts explained with the help of examples rather than a basic tutorial. Hey, I am learning cyber security from the basics; would you recommend a specific path, or is there a way I can contact you for guidance?
Depends on what you want to do. I recommend learning the basics and getting a strong foundation. Security+ is an OK place to start, Cisco has their Cyberops certification that I also highly recommend. Then decide if you want to do red team, blue team, forensics, GRC, etc. For blue team, blue team labs has decent training. For pentesting, I'd start with web apps and Portswigger Academy has good (free!) material. If you're not sure what to do, try them both.
Best of the best! If it's possible, please make a full course video about Burp)
This is simply magnificent ✨
Brother, you need to explain everything from the beginning, how you installed Burp Suite and how to configure it, then we can continue. Sorry, I'll have to see another video because I'm a beginner.
I appreciate your feedback. This video was meant to be of how to use Burp on a simulated pentest assessment. If you need a video on how to install Burp, then this one isn't for you. Best of luck.
Hello bro, This is the Best video on Burp Suite I have seen so far, well constructed and straight to the point, while showing the usage of tools practically, this video tops all man, thanks for uploading, already subscribed, going to share it in my community so other beginners can learn burp too.
Glad you liked it!
Keep going and make more videos on web and PT, please
My first Burp Suite tutorial and I'm so grateful. Thank you.
You're so welcome!
me too
The title must be "This is homework for you"
Everything you did is repeating the same phrase
Haha I like that title. I'm invested in growing your skillset. I'm not just teaching you what Burp is, but how to use the tool in a real-world setting. It's like trying to watch a guitar tutorial and expecting to play AC/DC's whole discography. Of course there's going to be homework, I can only cover so much in 1 hour. On top of that, there are things you're going to have to play around with to be any decent at the techniques I show you. The struggle is part of the process.
Make the full pentest methodology
Man... this is the first video that was able to teach me this software. Even a course did not do the trick. Thank you sir for your efforts!
Glad it helped! That's how I feel about most tutorials, they tend to sound like manuals instead of how the software is used in practice. I'll make more of these for sure.
This is honestly so helpful. I'm really surprised you're not bigger than you are on UA-cam. I love your process of looking at the HTTP history, the highlighting, using the decoder/encoder, everything is so useful. I used to entirely dismiss the HTTP history because of all the ad/analytics requests that flood it and focus solely on interception... not anymore. And another mistake I was making was constantly switching my proxy on/off just to search up various encoders/decoders. Thanks so much.
Glad you found it useful. That process works for CTFs but not on real-world pentests.
I have something to comment.
But I will leave it as homework for you
😆 It's really the only way to learn some of this stuff.
First 30 seconds and I can guess that it's going to be a good tutorial, auto subscribed my dude.
Love the feedback! Thank you.
7:14 tip: burp added a feature where you can group repeater tabs into folders, it's so helpful for organizing
I didn't know that, thanks for letting me know. That would save me from the 50+ tabs I typically make haha
1:49 you already fukin lost me
I subscribed to the channel just because you asked so nicely.
and because I want to know more about burp
It is a really good tutorial, thank you. I will also be happy to fully understand what it is like to see the full steps in pentesting, and I will wait with anticipation. Thank you again. Subscribing and liking the video.
Excellent
You did a good job, keep it up
So precise and professional. Thanks bro!!
are you safe from burp when the site is already in SSL?
Burp intercepts the SSL traffic and inserts its own certificate between Burp and your browser. So no, it can read SSL/TLS traffic you directly interact with. However, it cannot read the SSL/TLS traffic between the server and someone else.
Super best best pentest using Burp Suite I've seen, seriously if you open the class, definitely I'll register.
+1
Thanks. That was a very good tutorial
damn that was really helpful, only video on youtube which talks in depth about Burp Suite and that too very well
Great video!
Very good content. I used Burp Suite doing CTF walkthroughs but didn't understand what it was actually doing and had to assume what it was doing, but now I can actually say I understand some of it
Thanks a lot, but where can I find solutions to the homework?
Hey there! The homework is more to get you to practice the things I describe and to explore other areas. However, there are plenty of writeups on Juice Shop that you can find online.
Thank you
Thanks for the neat and simple Burp Suite explanation, great job!
Only about 2 seconds into the video and I just want to say thank you so much for being what you say you are, giving what you said you advertise, and having your video completely in English! None of this English title bullshit with some language with no subtitles that I have no earthly idea of what's being said! So thank you so much just at least for that
How did your Burp crash and how did you fix this?
My VM ran out of memory 😞
Great video! Very helpful. I'm very green with Burp Suite and this video helps me feel more comfortable with using it
Excellent video
This is awesome and I can't wait to watch your full pentest methodology! Hats up.
Great & Real Content.
Thank you. Very practical application of Burp Suite
Thank you for a FANTASTIC overview of Burp Suite!
Just messed with it and I have no clue what the fuck I'm doing. Kinda like a kid in a candy store shit
Love it. Great job on this video
Thank you!
PERFECT
Thanks for the video man, really appreciate it.
Q: Do you have an interceptor on?
Yes. In the video, there's a few places where I do use the Burp proxy interceptor.
Is there any way to get the new username when it's changed? I only got the old username
Great video! it was pretty quick and covered a ton of useful stuff about Burp. You earned a sub.
Now, How about one focusing on testing APIs?
Great idea! I'll do that soon.
💯
Excellent video. The highlghting using colors is awesome. You have an excellent way of explaining things. This is the best burpsuite video I have ever watched. I subscribed and liked. Keep up the good work.
Thank you so much!
I just started my journey as a Blue Sec champion and this tool is incredibly useful. I'm just stunned to see what the CE offers already. Nice video by the way. There is stuff that I didn't know that definitely gives a smoother experience while doing reconnaissance.
Absolutely! It will also help you to see how things look from an attacker's perspective and a developer's perspective too.
Thank you very much, the explanation you have given is very helpful for me in learning the Burpsuite tool👍👍👍
Glad it was helpful!
Hey, Excellent tutorial. Just wondering, How much memory is enough to run burp so that it doesn't crash? 24:11
I run my VMs with 4GB minimum, but Burp dynamically adjusts. Honestly, JS heavy apps will crash it if they're not optimized websites. So get a laptop with 16GB and you'll be good.
Awesome video, watched countless videos showing features but never really explaining why you do it. Will follow and see your following videos!
Awesome, thank you!
Amazing vid man
Glad you enjoyed
This is really cool but I was thinking you’d Edit something in the response tab too, I mean not only in the request tab 😊
I will sometimes. It helps to think of an application as having a front end and a backend (full details in another video on my channel). 90% of the time you want to edit the request to modify things on the server. Sometimes it is helpful to modify the response if you have a complicated JavaScript front end, but that's not as important since you usually use that to modify the next downstream request anyways. This video showcases what it's like to hack real-world applications and I do this method every day for my job.
Thank you very much, I was going to start this topic and decided, and my stop over was the best moment. I am very grateful for all your effort to teach for free, and with work related examples.
Well done. Easy to understand and straight to the point.
It's an awesome video, thanks for the video.
Excellent video Netsec Explained! Very detailed so we'll reference this video when we have questions about some Pentesting How Tos. Thank You for putting this out there!
23:25 Probably one of the best Burp Suite intros out there, thank you for your video
Thank you!
Thanks bro 😎
Really helped👍
very clear thanks a lot
This video only teaches us an understanding of simple things. Not recommended for newbies. Too boring
Great video. Thanks!
U got a sub bro. Thx👍
Do you think a complete beginner can learn this?
I'd recommend you start with Portswigger Academy. My channel tends to focus on those who are already experienced with CTFs and technical security topics to get you up to that next level.
You don't need to assign homework lol, but you could link to other videos you make talking about the topics you don't get into deeply in this video
As I have time to make more videos I will. I started my channel to teach juniors I worked with how to do this job. It's not perfect, but it's a start.
@NetsecExplained I appreciate it!
Whoa, I didn't know about If-None-Match, thanks for the tip!
Yeah, that was part of their caching. That's why you were seeing all those 304 No Changes in response headers
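The conditional-GET mechanism behind those 304 responses, as an added Python example that is not from the video: a minimal origin that compares the client's If-None-Match header against the current ETag (weak comparison, comma-separated lists and the `*` form included) and answers 304 with an empty body when they match, which is why replaying a browser's cached request in Burp shows no content until the header is removed. The `juice-shop.local` host, the ETag values and the product JSON are constructed for this example.

```python
def parse_if_none_match(header_value: str):
    """Parse an If-None-Match value into opaque tags; '*' means 'any current representation'."""
    value = header_value.strip()
    if value == "*":
        return "*"
    tags = []
    for raw in value.split(","):
        raw = raw.strip()
        if raw.startswith("W/"):  # weak-validator marker, ignored by the weak comparison
            raw = raw[2:]
        tags.append(raw.strip('"'))
    return tags


def conditional_get(current_etag: str, body: bytes, request_headers: dict) -> dict:
    """Serve a GET the way a caching origin does.

    If the client's If-None-Match lists the current ETag (weak comparison as in
    RFC 7232 section 3.2), answer 304 with no body; otherwise send the full 200.
    """
    # Header names are case-insensitive; normalise so either spelling works.
    headers = {name.lower(): value for name, value in request_headers.items()}
    response_headers = {"ETag": current_etag}
    inm = headers.get("if-none-match")
    if inm is not None:
        tags = parse_if_none_match(inm)
        opaque = current_etag[2:] if current_etag.startswith("W/") else current_etag
        if tags == "*" or opaque.strip('"') in tags:
            return {"status": 304, "headers": response_headers, "body": b""}
    return {"status": 200, "headers": response_headers, "body": body}


# Constructed sample: the request a browser sends once it has the product cached.
CACHED_CLIENT_REQUEST = {"Host": "juice-shop.local", "If-None-Match": 'W/"5d8-abc123"'}
PRODUCT_JSON = b'{"id":38,"name":"example product"}'

if __name__ == "__main__":
    # Replaying the browser's request yields a 304 with an empty body ...
    print(conditional_get('"5d8-abc123"', PRODUCT_JSON, CACHED_CLIENT_REQUEST)["status"])
    # ... dropping the conditional header (e.g. in Repeater) returns the full 200.
    print(conditional_get('"5d8-abc123"', PRODUCT_JSON, {"Host": "juice-shop.local"})["status"])
```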