PortSwigger has a whole ‘academy’ where you can hone your Burpsuite skills. Or in my case - Learn how to actually use BurpSuite.
I’ve used Burpsuite before in a few of the CTFs I’ve done, but I’ve not really dug into how to use it properly. Those few instances were just using it to capture a request to pass off the brute-forcing to hydra or blindly hoping that it would get me a flag. Burpsuite is a very useful tool, so it’s about time I train myself specifically on it.

Let’s jump in with the first lab.

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following: SELECT * FROM products WHERE category = 'Gifts' AND released = 1 To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

Seems simple enough. When we check the lab we see a fancy looking storepage: A webpage storefront with the heading title: We like to shop. There are options to refine the search with filters; All, Accessories, Food & Drink, Pets, and Tech Gifts

At first I was looking for some search bar that I could add 'OR 1=1;-- to. I clicked around and wondered if everything had loaded until I realized this was all I got.
With all my clicking around looking for a search-bar I saw that the URL was changing. For example when I clicked on ‘Pets’ the URL changed to https://0a46006503f0d7aa825f38cf004a008d.web-security-academy.net/filter?category=Pets.
We know what the SQL query looks like when a filter is added. We just need to inject our own SQL query into the query. We could use Burpsuite for this - Or we could just add it directly to the URL.
We’ll go with the same example I give above of 'OR 1=1;--. We need to encode this for a URL, which is pretty easily done by changing it to 'OR+1=1--;.
Our new URL is https://0a46006503f0d7aa825f38cf004a008d.web-security-academy.net/filter?category=Pets'OR+1=1;--.

Once we go to this link we get a nice banner that tells us we’ve completed the lab. Great!

That was easy. As expected from an introduction lab. I didn’t actually use Burpsuite though, oops. I’ll be using the community edition for the future labs though!