====== Ch 4: Environmental Setup and Traffic Interception ======

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

===== OS =====

Use a Unix-based system. Kali Linux is recommended -- it ships with Burp Suite, Gobuster, DirBuster, Wfuzz, and other tools. macOS also works fine.

===== Burp Suite =====

Burp is a web proxy that sits between your browser and the server, intercepting every HTTP/HTTPS request and response and letting you modify it before it is forwarded.

  * **Community** -- free; Intruder is rate-limited; no scanner; no session saving
  * **Professional** -- paid; full Intruder speed; active scanner; session saving; match-and-replace rules

==== Firefox + Burp Setup ====

  - Open Firefox > Preferences > General > Network Settings
  - Select **Manual proxy configuration**
  - HTTP Proxy: `127.0.0.1`, Port: `8080`, check "Also use this proxy for HTTPS"

==== Install Burp's CA Cert ====

Required to intercept HTTPS without certificate errors:

  - With Burp running, browse to `http://burp/` in Firefox
  - Download **CA Certificate** (top-right link)
  - Firefox > Preferences > Privacy & Security > View Certificates > Authorities > Import
  - Select the file, check "Trust this CA to identify websites"
  - Restart Firefox

==== Enable Intercept ====

Burp > Proxy > Intercept > click until it reads **Intercept is on**. Browse to any HTTPS site to confirm requests appear.

===== Burp Tools =====

**Proxy** -- captures all requests/responses. Modify before forwarding. Right-click to send to any other module.

**Intruder** -- automated payload injection. Use for: brute-forcing passwords, iterating IDs for IDOR, fuzzing parameters.

  - Send to Intruder > Positions tab: highlight the value, click Add
  - Payloads tab: paste the list
  - Start attack, sort results by status/length

**Repeater** -- manually replay and modify individual requests. Most used for exploitation and bypass testing. Right-click any request > Send to Repeater.

**Decoder** -- encode/decode base64, URL, HTML, hex. Use "Smart decode" when unsure of the encoding.

**Comparer** -- diff two requests or responses side by side. Useful for comparing auth vs. unauth responses.

**Copy as curl** -- right-click any request > Copy as curl command. Paste into a report as PoC.

===== Taking Notes =====

Organized notes are how you avoid repeating work and missing chains:

  * **Per-target folder** -- subfolders per feature (auth, uploads, API, payments)
  * Record every weird behavior even if not immediately exploitable -- revisit during chaining
  * For each vuln class you study: theory, impact, steps to exploit, sample PoC code
  * Tools: **Obsidian** (Markdown + graph view), Sublime Text, XMind for mind maps
  * Back up to an external drive or cloud regularly
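As an added illustration of what the "Copy as curl" option under Burp Tools does (example code written for this page, not Burp's own implementation or exact output format), the function below turns a raw HTTP/1.1 request as shown in Proxy or Repeater into a shell-safe curl command; the sample request, the host `example.test` and the cookie value are constructed.

```python
import shlex

def request_to_curl(raw: str, scheme: str = "https") -> str:
    """Convert a raw HTTP/1.1 request (as shown in Burp's Proxy or Repeater)
    into a curl command that is safe to paste into a shell or a report."""
    # Proxies show CRLF line endings; normalise so the header/body split is simple.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    host = None
    headers = []
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "host":
            host = value  # used to rebuild the absolute URL
        elif name.lower() == "content-length":
            continue  # curl recomputes this from the body it actually sends
        else:
            headers.append(f"{name}: {value}")
    if host is None and not target.startswith("http"):
        raise ValueError("request has no Host header and no absolute URL")
    url = target if target.startswith("http") else f"{scheme}://{host}{target}"
    parts = ["curl", "-i", "-s"]
    if method != "GET":
        parts += ["-X", method]
    for header in headers:
        parts += ["-H", header]
    if body:
        parts += ["--data-binary", body]
    parts.append(url)
    # shlex.quote keeps '&', ';' and quotes in values from being interpreted by the shell
    return " ".join(shlex.quote(p) for p in parts)


# Constructed sample request; host, path and cookie value are made up.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "username=alice&password=x"
)

if __name__ == "__main__":
    print(request_to_curl(SAMPLE_REQUEST))
```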