Tools
We'll be using a variety of tools this chapter, some of which we'll be coming back to throughout the book:
- wfuzz
- scrapy
- striker
- Burp Suite
- Homebrew (package manager)
- SecLists
- virtualenv
- jenv(Java version manager)
- Java Development Kit (JDK)
- Java Runtime Environment (JRE) 1.6 or greater
wfuzz is a fuzzer and discovery tool built by pentesters for pentesters. To install it, simply use pip: pip install wfuzz.
Homebrew is an excellent package manager for macOS that allows you to install dependencies from the command line, much like you would with apt-get in Debian or yum in Redhat-flavored Linux distributions. Homebrew is easily installed via its website (https://brew.sh/), then packages can be installed simply via brew install <PACKAGE_NAME>.
Burp Suite requires a JRE (version 1.6 or greater), but we'll also need the JDK to use the java command line tool to bootstrap Burp Suite from the command line. Running Burp from the command line lets us pass in settings via arguments that give us more control over the execution environment.
Please install Burp Suite by following the directions on Portswigger's website: https://portswigger.net/burp/help/suite_gettingstarted.
To use Burp Suite, you need to run a legacy version of Java. If you try to start Burp from its CLI with Java 10.0.0 or later, you'll receive a message to the effect that Burp has not been tested on this version and is susceptible to errors.
If you just need Java for Burp, you can install an older version—we'll be using Java 1.8.0 (Java 8)—and use that system-wide. But if you need a more up-to-date Java installation for other programs, you can still run legacy Java by using the jenv command-line utility that allows you to switch between versions. jenv is similar to the Ruby version manager rvm or the Node version manager nvm, they all allow you add, list, and switch between versions of the language with just a few commands.
After you've installed jenv, you can add a new Java version to it simply by using the path to its /Home directory. Then we'll set our system to use it:
jenv add /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home
jenv global 1.8
You might have to restart your Terminal. But you should have Java 8 installed! Check it's Java 8 with java -version. You should see this output:
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)