Before you move into Lab 11, it’s important that you understand how GET Requests and POST Requests are interpreted by web servers. This is a super fundamental piece of the puzzle. So, please ask questions if you are unsure.
For this lab, you’ll need a Kali Linux VM.
Throughout this course, we’ll use Burp Suite as a proxy to intercept web requests and responses. It’s one of the most common tools bug bounty hunters utilize during testing.
For the intro to Burp, I’d like you to work through the following flags on the iCSI Cyber Range.
Checkpoint: Screenshot that you have credit on the scoreboard for RED 1, 2, and 3
(Key Sec+ Concept)
GET and POST requests send data from web browsers to web servers. Username and password information is commonly sent using GET and POST requests.

Turn on Burp intercept and add a GET parameter of user_get_data_1 as seen below:
http://172.25.51.1/index.php?user_get_data_1=Achievement Unlocked!
In the intercept tab, you’ll see that this is indeed a GET request with an explicit URL parameter being sent.

Forward this to the web server, and you’ll see in the web browser that the page expects this GET parameter and prints it back to us.

As seen above, the first GET parameter is separated from the webpage with a ‘?’, while subsequent GET parameters are separated with an ampersand (‘&’).
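To see the same thing outside of Burp, the added example below (not part of the original lab) builds the raw GET request for the lab URL, builds an equivalent form POST, and parses both the way a web server would. The parameter names user_get_data_2 and user_post_data_1 are hypothetical and only there to show the ‘&’ separator and the POST body.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

HOST, PATH = "172.25.51.1", "/index.php"  # host and page from the lab URL
# user_get_data_2 and user_post_data_1 are hypothetical names for illustration.
GET_PARAMS = {"user_get_data_1": "Achievement Unlocked!", "user_get_data_2": "two"}
POST_PARAMS = {"user_post_data_1": "Achievement Unlocked!"}


def build_get(host, path, params):
    """Raw GET request: parameters ride in the request line after '?'."""
    query = urlencode(params)  # joins pairs with '&'; space -> '+', '!' -> '%21'
    return f"GET {path}?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_post(host, path, params):
    """Raw form POST: same encoding, but the pairs travel in the body."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def server_view(raw):
    """Split a raw request the way a server does and report where each value came from."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ")
    return {
        "method": method,
        "target": target,  # the part typically recorded in server access logs
        "get": parse_qs(urlsplit(target).query),
        "post": parse_qs(body) if method == "POST" else {},
    }


if __name__ == "__main__":
    for raw in (build_get(HOST, PATH, GET_PARAMS), build_post(HOST, PATH, POST_PARAMS)):
        print(raw.replace("\r\n", "\n"))
        print(server_view(raw), "\n")
```

Compare the two "target" values in the output: the GET request carries its data in the URL itself, while the POST request's URL stays clean and the data appears only after the blank line that ends the headers.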