Burp Suite

An introduction to using Burp Suite for Web Application pentesting...

Introduction

Burp Suite is a framework written in Java that aims to provide a one-stop shop for web application penetration testing. It is also very commonly used when assessing mobile applications, as the same features which make it so attractive for web app testing translate almost perfectly into testing the APIs powering most mobile apps.

Burp can capture and manipulate all of the traffic between an attacker and a web server.

There are various versions of the application. We will be covering the Burp Suite Community edition. There are also Professional and Enterprise editions.


Features & Tools

Proxy - allows the user to intercept and modify requests or responses when interacting with web applications.

Repeater - allows the user to capture, modify, then resend the same request numerous times. This can be useful when crafting payloads through trial & error.

Intruder - allows the user to spray an endpoint with requests. This is often used for brute force attacks or to fuzz endpoints.

Decoder - this can decode captured information or encode a payload prior to sending it to the target.

Comparer - allows the user to compare two pieces of data at either word or byte level.

Sequencer - this can be used to assess the randomness of tokens such as session cookie values. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.
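To make the Sequencer idea concrete, here is an added example (it is not code from the original page and not Burp's own implementation) that performs a simplified, character-level version of what Sequencer does: it takes a sample of tokens, measures how much the character at each position varies, and sums the per-position Shannon entropy into a rough effective-bit estimate. The function names, the two constructed token samples and the 64-bit threshold (a commonly recommended minimum for session identifiers) are assumptions for the example.

```python
import math
import secrets
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy (bits) of the character seen at each position,
    estimated from the sample. A position that never changes scores 0."""
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    n = len(tokens)
    entropies = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def estimate_bits(tokens):
    """Sum of per-position bits. Positions are assumed independent, so the
    true entropy can only be lower than this figure, never higher."""
    return sum(position_entropy(tokens))


def assess(tokens, minimum_bits=64.0):
    """Return (estimated bits, verdict). 64 bits is used here as the
    assumed minimum for a session identifier."""
    bits = estimate_bits(tokens)
    return bits, ("acceptable" if bits >= minimum_bits else "weak")


def sequential_tokens(count, start=1000):
    # Constructed sample: a naive session id built from an incrementing counter.
    return [f"{i:08x}" for i in range(start, start + count)]


def random_tokens(count):
    # Constructed sample: 32 hex chars (128 bits) from a CSPRNG.
    return [secrets.token_hex(16) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in (("sequential", sequential_tokens(500)),
                         ("csprng", random_tokens(500))):
        bits, verdict = assess(sample)
        print(f"{name:11s} {bits:6.1f} estimated bits -> {verdict}")
```

With 500 samples the counter-based tokens score under 16 bits because their first five characters never change, while the CSPRNG tokens score well above 100. Note that the empirical estimate is slightly biased low for small samples, which is why the random sample is generated with more than the 64 bits being tested for; Sequencer itself runs a larger battery of statistical tests on far more samples, so treat this as an illustration of the principle rather than a substitute.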


Installation

To download the application, go to the PortSwigger downloads page.

Note that there are two versions, Burp Suite Community Edition (which is free for all) and Burp Suite Professional (which is the paid version). Everything here will and can be done with the Community Edition to ensure that everyone is able to implement what is mentioned.

If you have a Linux machine, make sure you execute the script from the terminal (it works better with sudo). The default settings are perfectly fine and no adjustments to them are needed.


The Dashboard

Congrats! You’ve now launched Burp Suite. Accept the terms and conditions and you’ll then be prompted to select a project type. The options are limited, however, because we are using the free version. Just click on the Next button and proceed.

Now choose the configuration for Burp Suite. It is recommended to just use the general settings, as they are suitable. If you encounter a screen showing training options, go through them, as they’ll help you understand how and when to use the application.

The dashboard is divided into four quadrants:

  1. Tasks - This menu allows you to define background tasks that Burp Suite will perform while you use the application. In Burp Suite Community, the default “Live Passive Crawl” task, which automatically logs the pages visited, is sufficient. Burp Suite Professional offers additional features like on-demand scans.

  2. Event Log - This provides information about the actions performed by Burp Suite, such as starting the proxy, as well as details about connections made through Burp.

  3. Issue Activity - This is specific to Burp Suite Professional. Essentially, it displays the vulnerabilities identified by the scanner, ranked by severity and filterable based upon the certainty of the vulnerability.

  4. Advisory - This section provides more detailed information about the vulnerabilities, including references & suggested remediations. Because we are using the Community version, we may not get any vulnerabilities showing here, as it’s a Professional feature.

If you notice a little question mark anywhere, it’s a good idea to click on it. This will open a new window with helpful information specific to that section.


In this application, the navigation is primarily done through the menu bar at the top of the window.

This bar displays the available modules in Burp Suite. If a selected module has multiple tabs, those tabs can be accessed via the second bar that appears below it.

Note that if you prefer to view multiple tabs separately, you can detach them into separate windows. To do so, go to the Window option above the Module Selection bar. Then choose the Detach option.

Some useful shortcuts that are worth knowing include:

  • Dashboard; Ctrl + Shift + D

  • Target Tab; Ctrl + Shift + T

  • Proxy Tab; Ctrl + Shift + P

  • Intruder Tab; Ctrl + Shift + I

  • Repeater Tab; Ctrl + Shift + R

We’ll go through these later, don’t worry!


Options

There are two types of settings in Burp Suite:

  1. Global Settings - These affect the entire Burp Suite installation and are applied every time you start the application. They provide a baseline configuration for your Burp Suite environment.

  2. Project Settings - These are specific to the current project and apply only during the session. However, please note that Burp Suite Community Edition does not support saving projects, so any project-specific options will be lost when you close Burp Suite.

To access the settings click on the Settings button in the top navigation bar. There is a search bar which may help you when looking for certain settings.

It’s worth noting that many tools within Burp Suite provide shortcuts to specific categories of settings. For example, the Proxy module includes a Proxy settings button that opens the settings window directly to the relevant proxy section.


Answers

Task 2

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps? Burp Suite Enterprise

Burp Suite is frequently used when attacking web applications and ______ applications. Mobile

Task 3

Which Burp Suite feature allows us to intercept requests between ourselves and the target? Proxy

Which Burp tool would we use to brute-force a login form? Intruder

Task 5

What menu provides information about the actions performed by Burp Suite, such as starting the proxy, and details about connections made through Burp? Event Log

Task 6

Which tab will Ctrl + Shift + P switch us to? Proxy Tab

Task 7

In which category can you find a reference to a “Cookie jar”? Sessions

In which base category can you find the “Updates” sub-category, which controls the Burp Suite update behaviour? Suite

What is the name of the sub-category which allows you to change the keybindings for shortcuts in Burp Suite? Hotkeys

If we have uploaded Client-Side TLS certificates, can we override these on a per-project basis (yea/nay)? Yea
