Burp Suite — Web Application Security, Testing & Scanning


Megatron (Administrator, Staff member, Moderator)
Burp Suite (often just "Burp") is a collection of tools written in Java and used for penetration testing of web applications. It is developed by PortSwigger Web Security. Burp Suite is a graphical tool that aims to be an all-in-one toolkit, and its capabilities can be extended by installing add-ons called BApps.



Burp Suite is one of the most widely used tools among professional web application security researchers and bug bounty hunters. Kali Linux ships with the free Community Edition of Burp Suite pre-installed.

Burp Suite is made up of several tools, such as Spider, Proxy, Intruder, Repeater, Sequencer, Decoder, Extender and Scanner. Let us look briefly at each of these tools before moving on to practice. Note that some names have changed over time: in Burp Suite 2.x the Spider was replaced by the crawler built into Scanner and the Target site map, and the Extender tab is now called Extensions.

Some tools in Burp Suite
Spider: Spider is a web crawler used to map the target website or web application. The map gives us a list of endpoints whose functionality can then be examined for potential vulnerabilities. The reasoning is simple: the more endpoints we gather during recon, the more attack surface we have to work with during the actual test. Crawling should be restricted to the defined target scope so that out-of-scope hosts are never requested.
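
The mapping step described above, as an added example (not PortSwigger's code): a breadth-first crawler that stays inside the target scope, follows links, records the query parameters and form fields each endpoint accepts, and ignores out-of-scope hosts. The site it crawls is a constructed in-memory dictionary standing in for HTTP fetches, so it runs offline; the hostnames and pages are made up for the example.

```python
"""Added example: in-scope crawl that builds a site map (endpoint -> method -> params)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample site (path -> HTML body); stands in for real HTTP responses.
SITE = {
    "/": '<a href="/login">Login</a> <a href="/search?q=x">Search</a> '
         '<a href="https://cdn.example.org/lib.js">cdn</a>',
    "/login": '<form action="/login" method="post">'
              '<input name="user"><input name="pass" type="password"></form>',
    "/search": '<a href="/item/1">one</a> <a href="/item/2">two</a> <a href="/">home</a>',
    "/item/1": '<a href="/search?q=y&page=2">more</a>',
    "/item/2": "<p>nothing here</p>",
}
BASE = "https://app.example.com"  # assumed target host for the example


class LinkExtractor(HTMLParser):
    """Collect href targets, form actions and input names from one page.
    Inputs are attributed to every form on the page; fine for single-form pages."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.inputs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append((a.get("action", ""), a.get("method", "get").upper()))
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"])


def fetch(url):
    """Stand-in for an HTTP GET: serve from SITE, None (404) for anything else."""
    return SITE.get(urlparse(url).path or "/")


def crawl(start, scope_host):
    """Breadth-first crawl limited to scope_host; returns {path: {method: set(params)}}."""
    sitemap = {}
    queue, seen = deque([start]), {start}
    while queue:
        url = queue.popleft()
        parsed = urlparse(url)
        if parsed.netloc != scope_host:
            continue  # out of scope: neither requested nor recorded
        body = fetch(url)
        if body is None:
            continue
        entry = sitemap.setdefault(parsed.path, {})
        entry.setdefault("GET", set()).update(parse_qs(parsed.query).keys())
        ex = LinkExtractor()
        ex.feed(body)
        for action, method in ex.forms:
            target = urlparse(urljoin(url, action)).path
            sitemap.setdefault(target, {}).setdefault(method, set()).update(ex.inputs)
        for href in ex.links:
            nxt = urljoin(url, href)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sitemap


if __name__ == "__main__":
    for path, methods in sorted(crawl(BASE + "/", "app.example.com").items()):
        print(path, {m: sorted(p) for m, p in methods.items()})
```

The output lists each discovered path with the parameters seen for it (for example `/search` with `q` and `page`, `/login` with a POST form taking `user` and `pass`), which is exactly the list of injection points the later tools are pointed at; the CDN link is discarded because it is outside scope.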

Proxy: Burp Suite has an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send a captured request or response to another Burp tool, which removes the need for copy-and-paste. The proxy listener runs on a specific loopback IP and port (127.0.0.1:8080 by default) and the browser is configured to route its traffic through it; to intercept HTTPS without certificate warnings, Burp's CA certificate must be installed in the browser's trust store. The proxy can also be configured to filter out specific types of request-response pairs (for example images or out-of-scope hosts) so that they do not clutter the history.

Intruder: Intruder is a tool that lets us perform various types of automated, customised attacks to find many classes of vulnerabilities. Intruder runs a set of payloads through one or more input points (payload positions) in a request template. Each resulting request is sent and the responses are compared, typically by status code, content length and response time; an anomaly usually shows up as a change in the response code or in the content length. (The Community Edition rate-limits Intruder, so large payload sets run slowly there.) Some of the most common attacks carried out with Intruder are:

  • Brute-forcing
  • Fuzzing
  • Enumeration
  • Application-layer DoS
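
The payload-position mechanics and the "look for the anomaly" step above, as an added example (not Burp's code): the template uses Burp's § markers, the four Intruder attack types (sniper, battering ram, pitchfork, cluster bomb) are generated exactly as Intruder would, and a constructed stand-in for a login endpoint plays the target so that everything runs offline. The two-stage `demo()` shows why content length matters: the mock server's "unknown user" and "wrong password" messages differ in length, so a sniper run on the username position enumerates valid users, and a cluster bomb then guesses credentials for only those users. The endpoint, user names and passwords are all made up for the example.

```python
"""Added example: Intruder-style payload generation and anomaly detection, offline."""
import itertools
import re

MARK = "§"  # Burp marks a payload position as §original value§


def positions(template):
    """Original values of the payload positions, left to right."""
    return re.findall(f"{MARK}(.*?){MARK}", template)


def fill(template, values):
    """Substitute one value per payload position, left to right."""
    it = iter(values)
    return re.sub(f"{MARK}.*?{MARK}", lambda m: next(it), template)


def sniper(template, payloads):
    """One position at a time; the other positions keep their original value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            vals = list(base)
            vals[i] = p
            yield fill(template, vals)


def battering_ram(template, payloads):
    """The same payload in every position at once."""
    n = len(positions(template))
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template, *payload_sets):
    """Position i takes set i; the sets advance in lockstep."""
    for combo in zip(*payload_sets):
        yield fill(template, list(combo))


def cluster_bomb(template, *payload_sets):
    """Every combination of every set (cartesian product)."""
    for combo in itertools.product(*payload_sets):
        yield fill(template, list(combo))


def mock_send(request):
    """Constructed stand-in for the target server, not a real application."""
    user, pw = re.search(r"user=(\w*)&pass=(\w*)", request).groups()
    if user == "alice" and pw == "secret":
        return 302, "Location: /home"
    if user in ("alice", "bob"):
        return 200, "Invalid password for " + user  # user exists: longer body
    return 200, "Unknown user"


def run(requests, send=mock_send):
    """Intruder's results table: (request, status code, response length)."""
    out = []
    for r in requests:
        status, body = send(r)
        out.append((r, status, len(body)))
    return out


def anomalies(results, baseline):
    """Rows whose (status, length) differ from a known-negative baseline response."""
    return [row for row in results if (row[1], row[2]) != baseline]


def demo():
    # Stage 1: username enumeration; only the user position is marked.
    status, body = mock_send("user=zzzz&pass=x")  # probe with a name that cannot exist
    baseline = (status, len(body))
    stage1 = run(sniper("user=§zzzz§&pass=x", ["alice", "bob", "carol", "dave"]))
    valid_users = [re.search(r"user=(\w+)", r).group(1) for r, _, _ in anomalies(stage1, baseline)]
    # Stage 2: credential guessing against the confirmed users only.
    stage2 = run(cluster_bomb("user=§u§&pass=§p§", valid_users, ["123456", "secret", "letmein"]))
    creds = [r for r, status, _ in stage2 if status == 302]
    return valid_users, creds


if __name__ == "__main__":
    print(demo())
```

Against a real target the same comparison is done by sorting Intruder's results grid on the Status and Length columns; the example just makes that comparison explicit in code.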
Repeater: This is a simple tool for manually modifying and reissuing individual HTTP and WebSocket messages and analysing the application's responses. It is used to find out:

  • whether user-supplied values are validated at all;
  • if they are validated, how thoroughly;
  • what values the server expects in a given input parameter or request header;
  • how the server handles unexpected values.
Sequencer: Burp Sequencer is a tool for analysing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable. It is an entropy checker that tests the randomness of tokens generated by the target web server. Such tokens are used for authentication and for protecting sensitive operations, for example session cookies and anti-CSRF tokens.

Ideally, these tokens should be generated in a fully random manner, so that the probability of each possible character appearing at a given position is distributed uniformly. This should hold both bit-wise and character-wise. An entropy analyser tests this hypothesis: it starts from the assumption that the tokens are random, then subjects a large sample of tokens to a series of statistical tests for particular characteristics, and reports an estimate of the effective entropy in bits.

Using Burp Sequencer may have unexpected effects on some applications, since it issues a large number of requests to collect its token sample and can create thousands of sessions in the process. Until we are fully familiar with its functionality and settings, we should only use Burp Sequencer against non-production systems.
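
The character-level and bit-level tests described above, as an added example (not PortSwigger's code and not Sequencer's full test battery): per-position Shannon entropy is computed over a sample of hex tokens, summed across bit positions as a rough effective-entropy estimate, and a simple sequential-step check is added. The two token samples are constructed here rather than captured from an application: a weak generator (fixed prefix plus a counter) that looks random at a glance, and a proper CSPRNG generator.

```python
"""Added example: Sequencer-style entropy tests over constructed token samples."""
import math
import secrets
from collections import Counter


def shannon_bits(symbols):
    """Shannon entropy in bits of an observed symbol sequence."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def char_level(tokens):
    """Entropy of each character position across the sample (max 4 bits for hex)."""
    width = min(map(len, tokens))
    return [shannon_bits([t[i] for t in tokens]) for i in range(width)]


def bit_level(tokens):
    """Entropy of each bit position after decoding the hex tokens (max 1 bit each)."""
    width = min(map(len, tokens)) * 4
    rows = [bin(int(t, 16))[2:].zfill(len(t) * 4)[-width:] for t in tokens]
    return [shannon_bits([r[i] for r in rows]) for i in range(width)]


def effective_entropy_bits(tokens):
    """Rough effective entropy: sum of per-bit entropies (constant bits contribute 0)."""
    return sum(bit_level(tokens))


def looks_sequential(tokens):
    """True if consecutive tokens, read as integers, always differ by the same step."""
    vals = [int(t, 16) for t in tokens]
    return len({b - a for a, b in zip(vals, vals[1:])}) == 1


# Constructed samples (not captured from any real application).
def weak_tokens(n):
    """Fixed 32-bit prefix plus a 96-bit counter: 128 bits wide, fully predictable."""
    return [f"{0xdeadbeef:08x}{i:024x}" for i in range(n)]


def strong_tokens(n):
    """128 bits from the OS CSPRNG, which is how a session token should be made."""
    return [secrets.token_hex(16) for _ in range(n)]


def report(tokens):
    """Summary in the spirit of Sequencer's results page."""
    chars = char_level(tokens)
    return {
        "samples": len(tokens),
        "token_bits": len(tokens[0]) * 4,
        "effective_bits": round(effective_entropy_bits(tokens), 1),
        "constant_char_positions": sum(1 for h in chars if h == 0),
        "sequential": looks_sequential(tokens),
    }


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(512)), ("strong", strong_tokens(512))):
        print(name, report(sample))
```

With 512 samples the weak tokens score about 9 effective bits out of 128 (only the nine low counter bits ever change) and are flagged as sequential, while the CSPRNG tokens score close to 128 bits. As with Sequencer itself, the estimate is only as good as the sample size: a few dozen tokens cannot reveal more than a few bits of structure, which is why Sequencer asks for hundreds or thousands.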
Decoder: Decoder handles the commonly used encodings such as URL, HTML, Base64, ASCII hex, gzip and others, and can chain several transformations. It comes in handy when looking at opaque chunks of data in parameter or cookie values: its Smart decode option peels off layers of encoding to reveal the underlying structure. It is also used to construct encoded payloads for different vulnerability classes, and to decode session tokens to see how they are built, which is the first step in judging whether they are predictable enough for session hijacking.
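
The layer-peeling and payload-construction uses above, as an added example (not PortSwigger's code): `smart_decode` detects URL, HTML-entity, hex and Base64 encodings in turn and strips them until nothing applies, returning the chain it found; `encode_chain` re-applies that chain so a modified value can be put back in the original format. The cookie value is constructed inline from a made-up JSON blob; the detection heuristics are deliberately conservative (a candidate is accepted only if it decodes to printable text) but, like Decoder's own Smart decode, they can still misjudge short or all-hex Base64 strings.

```python
"""Added example: Decoder-style smart decode and re-encode of a nested value."""
import base64
import binascii
import html
import re
import string
from urllib.parse import quote, unquote

PRINTABLE = set(string.printable)


def _printable(data):
    """Return decoded text only if it is valid UTF-8 and entirely printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and set(text) <= PRINTABLE else None


def decode_once(value):
    """Try the encodings in order; return (name, decoded) or None if none applies."""
    if re.search(r"%[0-9A-Fa-f]{2}", value):
        return "url", unquote(value)
    if re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[a-zA-Z]+);", value):
        return "html", html.unescape(value)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        text = _printable(bytes.fromhex(value))
        if text is not None:
            return "hex", text
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) and len(value) % 4 == 0:
        try:
            text = _printable(base64.b64decode(value, validate=True))
        except binascii.Error:
            text = None
        if text is not None:
            return "base64", text
    return None


def smart_decode(value):
    """Peel encodings until none applies; return (chain outermost first, plaintext)."""
    chain = []
    while (step := decode_once(value)) is not None:
        name, value = step
        chain.append(name)
    return chain, value


ENCODERS = {
    "url": lambda s: quote(s, safe=""),
    "html": html.escape,
    "hex": lambda s: s.encode().hex(),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}


def encode_chain(plaintext, chain):
    """Re-apply a chain innermost first, so the result matches the original format."""
    for name in reversed(chain):
        plaintext = ENCODERS[name](plaintext)
    return plaintext


if __name__ == "__main__":
    # Constructed cookie: JSON, Base64-encoded, then URL-encoded (not from a real app).
    cookie = encode_chain('{"id":"313337","user":"guest","v":12}', ["url", "base64"])
    chain, plain = smart_decode(cookie)
    print(chain, plain)                       # ['url', 'base64'] {"id":"313337",...}
    print(smart_decode("313337"))             # (['hex'], '137'): the id field is hex
    forged = encode_chain(plain.replace("guest", "admin"), chain)
    print(forged)                              # same format, tampered content
```

The round trip (decode, edit, re-encode with the same chain) is the Decoder workflow for building a test payload; whether the application accepts the forged cookie is what a Repeater request then checks.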

Extender: Extender allows us to load extensions that make penetration testing more efficient. Extensions published in PortSwigger's BApp Store are called BApps, and they work much like browser extensions. They can be viewed, installed, uninstalled and configured from the Extender tab (called Extensions in recent versions); extensions can be written in Java, or in Python and Ruby through the bundled Jython and JRuby support.

Scanner: Scanner automatically scans the target web application for many common vulnerabilities. It is updated frequently, and updates add checks for many lesser-known vulnerabilities. Note that Scanner is only available in Burp Suite Professional; the Community Edition does not include it, so automated scanning is not available there.

How to use the Burp Suite
To read the full tutorial please Click Here