When it comes to testing the security of web applications, you'd have a hard time finding a set of tools better than Burp Suite from Portswigger web security. It allows you to intercept and monitor web traffic along with detailed information about the requests and responses to and from a server.
There are way too many features in Burp Suite to cover in just one guide, so this one will be broken down into four parts. This first part will cover setting up Burp Suite and using it as a proxy for Firefox. The second one will cover how to gather information and use the Burp Suite proxy. The third part goes into a realistic testing scenario using information gathered through the Burp Suite proxy. The fourth guide will cover many of the other features that Burp Suite has to offer.
In this guide, you will practice using Burp Suite on a self-hosted instance of WordPress. If you need help setting it up, check out your Debian guide.
By now, you should be familiar with the way basic classes work in Python. If classes were just what you've seen, they'd be fairly rigid and not all that useful.
Thankfully, classes are much more than just that. They are designed to be much more adaptable and can take in information to shape the way they look initially. Not every car starts off exactly the same, and neither should classes. After all, how awful would it be if every car was an orange 71' Ford Pinto? That's not a good situation.
Writing A Class
Start off by setting up a class like the one in the last guide. This class will evolve over the course of this guide. It will move from being a rigid, photocopy-like, situation to a template that can generate multiple unique objects within the outline of the class.
Write the first line of the class, defining it as a class and naming it. This guide is going to stick with the car analogy from before. Don't forget to pass your class object so that it extends the base object class.
Classes are the cornerstone of Object Oriented Programming. They are the blueprints used to create objects. And, as the name suggests, all of Object Oriented Programming centers around the use of objects to build programs.
You don't write objects, not really. They are created, or instantiated, in a program using a class as their basis. So, you design objects by writing classes. That means that the most important part of understanding Object Oriented Programming is understanding what classes are and how they work.
There are web forms all over the Internet. Even sites that don't usually allow regular users to log in probably have an admin area. It's important when running and deploying a site to make sure that the passwords gating access to sensitive controls and admin panels are as secure as possible.
There are different ways to attack a web application, but this guide is going to cover using Hydra to perform a brute force attack on a log in form. The target platform of choice is WordPress. It is easily the most popular CMS platform in the world, and it is also notorious for being managed poorly.
Remember, this guide is intended to help you protect your WordPress or other website. Use on a site that you don't own or have written permission to test is illegal.
Hail Hydra! Okay, so we're not talking about the Marvel villains here, but we are talking about a tool that can definitely do some damage. Hydra is a popular tool for launching brute force attacks on login credentials.
Hydra has options for attacking logins on a variety of different protocols, but in this instance, you will learn about testing the strength of your SSH passwords. SSH is present on any Linux or Unix server and is usually the primary way admins use to access and manage their systems. Sure, cPanel is a thing, but SSH is still there even when cPanel is being used.
This guide makes use of wordlists to provide Hydra with passwords to test. If you aren't familiar with wordlists yet, go check out our Crunch guide.
Warning: Hydra is a tool for attacking. Only use it on your own systems and networks unless you have the written permission of the owner. Otherwise, it is illegal.