Notes on Burp Suite
Burp Suite is a framework written in Java that aims to provide a one-stop-shop for web application penetration testing. In many ways, this goal is achieved as Burp is very much the industry standard tool for hands-on web app security assessments. Burp Suite is also very commonly used when assessing mobile applications, as the same features which make it so attractive for web app testing translate almost perfectly into testing the APIs (Application Programming Interfaces) powering most mobile apps.
At the simplest level, Burp can capture and manipulate all of the traffic between an attacker and a webserver: this is the core of the framework. After capturing requests, we can choose to send them to various other parts of the Burp Suite framework – we will be covering some of these tools in upcoming rooms. This ability to intercept, view, and modify web requests prior to them being sent to the target server (or, in some cases, the responses before they are received by our browser), makes Burp Suite perfect for any kind of manual web app testing.
- Proxy: The most well-known aspect of Burp Suite, the Burp Proxy allows us to intercept and modify requests/responses when interacting with web applications.
- Repeater: The second most well-known Burp feature – Repeater – allows us to capture, modify, then resend the same request numerous times. This feature can be absolutely invaluable, especially when we need to craft a payload through trial and error (e.g. in an SQLi – Structured Query Language Injection) or when testing the functionality of an endpoint for flaws.
- Intruder: Although heavily rate-limited in Burp Community, Intruder allows us to spray an endpoint with requests. This is often used for brute-force attacks or to fuzz endpoints.
- Decoder: Though less-used than the previously mentioned features, Decoder still provides a valuable service when transforming data – either in terms of decoding captured information, or encoding a payload prior to sending it to the target. Whilst there are other services available to do the same job, doing this directly within Burp Suite can be very efficient.
- Comparer: As the name suggests, Comparer allows us to compare two pieces of data at either word or byte level. Again, this is not something that is unique to Burp Suite, but being able to send (potentially very large) pieces of data directly into a comparison tool with a single keyboard shortcut can speed things up considerably.
- Sequencer: We usually use Sequencer when assessing the randomness of tokens such as session cookie values or other supposedly randomly generated data. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.
Links: portswigger.net, portswigger.net/burp/releases/community/latest, getfoxyproxy.org
Basic Usage:
- Start Burp Suite
- Go to Proxy
- Turn Interceptor On
- Open Browser
- Go to target website
Using The Repeater
- After capturing some traffic, send it to the Repeater with CTRL + R
- Change something in the request, send it, and see what happens.
- Look at the result in different views (Pretty, Raw, Hex, or Render)
- The Inspector can help you with your changes to the request
Using Intruder
- After capturing some traffic, send it to the Intruder with CTRL + I
- Edit the Positions you want to change.
- Choose the Attack Type:
  - Sniper (most common): uses one payload set, trying it in one position at a time (e.g. a username or password field).
  - Battering Ram: puts the same payload into every position at once (e.g. admin, admin).
  - Pitchfork (best to use): one payload set per position (up to a maximum of 20), iterating through all of them in parallel.
  - Cluster Bomb: uses multiple lists and iterates through all combinations.
- Choose the Payloads (a list of values or a wordlist)
- Choose the Options for the Payloads:
  - Add prefixes or suffixes with Payload Processing rules
  - Use any of the other advanced options there
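To make the four attack types concrete, here is an added Python example (not part of the original notes, and not Burp's own code) that models how Intruder combines payload sets with marked positions. The `§`-delimited template, the position names and the payload lists are constructed sample values.

```python
import re
from itertools import product
from typing import Iterator

# Burp marks a payload position as §base value§; text between markers is literal.
MARKER = re.compile(r"§([^§]*)§")


def parse_template(template: str) -> tuple[list[str], list[str]]:
    """Split a template into literal chunks and the base value of each position."""
    parts = MARKER.split(template)          # literals at even indexes, base values at odd
    return parts[::2], parts[1::2]


def render(literals: list[str], values: list[str]) -> str:
    """Reassemble a request by interleaving literals with the chosen position values."""
    out = literals[0]
    for value, literal in zip(values, literals[1:]):
        out += value + literal
    return out


def intruder_requests(template: str, mode: str, payload_sets: list[list[str]]) -> Iterator[str]:
    """Yield every request a given Intruder attack type would generate."""
    literals, base = parse_template(template)
    n = len(base)
    if mode == "sniper":
        # One payload set; each position is fuzzed in turn while the others keep their base value.
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(base)
                values[i] = payload
                yield render(literals, values)
    elif mode == "battering_ram":
        # One payload set; the same payload is placed into every position simultaneously.
        for payload in payload_sets[0]:
            yield render(literals, [payload] * n)
    elif mode == "pitchfork":
        # One set per position, walked in parallel; stops when the shortest set runs out.
        for combo in zip(*payload_sets[:n]):
            yield render(literals, list(combo))
    elif mode == "cluster_bomb":
        # One set per position; every combination (the Cartesian product) is tried.
        for combo in product(*payload_sets[:n]):
            yield render(literals, list(combo))
    else:
        raise ValueError(f"unknown attack type: {mode}")


if __name__ == "__main__":
    # Constructed sample: two positions, two payload sets of different lengths.
    tpl = "user=§guest§&pass=§guest§"
    sets = [["alice", "bob"], ["p1", "p2", "p3"]]
    for mode in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        reqs = list(intruder_requests(tpl, mode, sets))
        print(f"{mode}: {len(reqs)} requests -> {reqs}")
```

Running it shows why the request counts differ so much: Sniper and Battering Ram scale with one list, Pitchfork with the shortest list, and Cluster Bomb with the product of all lists.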
Decoder
Decoder can be used to decode (or encode) data captured elsewhere in Burp.
Comparer
Compares two items to find differences.
Sequencer
Sequencer allows us to measure the entropy (or randomness, in other words) of “tokens” – strings that are used to identify something and should, in theory, be generated in a cryptographically secure manner.