Burp Suite is a popular investigation tool among penetration testers, since it can be used both to uncover and to attack vulnerabilities. Burp Suite, OWASP ZAP, and Fiddler are the most frequently used traffic-interception tools. Burp Suite is a graphical tool for assessing the security of web applications. It is a Java-based utility created by PortSwigger Web Security.
It is a prominent HTTP/S intercepting proxy in web penetration testing, with a high degree of extensibility and versatility, including support for developing independent add-ons. Burp is available in two editions: Community and Professional.
Burp Suite is an advanced web proxy written in Java. Although Burp has a free Community edition, the Professional edition is recommended because of its additional features. Both can be obtained from the PortSwigger website.
ZAP is the successor to WebScarab, an open-source Java project. It incorporates other independent OWASP projects to provide an all-in-one web penetration testing solution.
Fiddler was created as a web-debugging proxy that lets developers examine HTTP traffic.
| Community Edition | Professional Edition |
|---|---|
| No web vulnerability scanner. | A web vulnerability scanner that checks for the OWASP Top 10. |
| No advanced reporting options. | Advanced manual testing tools integrated with real-time feedback and reporting options. |
| Limited functionality and speed of certain features. | Unlimited functionality and speed of built-in tools and features. |
| Only temporary projects are usable. | Project file functionality that enables management and saving of multiple projects. |
Burp Suite Setup
By default, Burp starts a listening proxy on 127.0.0.1 port 8080. Additional listeners can be defined in the Add section of the proxy options. While intercepting traffic, Burp can hold individual messages so they can be examined and modified before they are forwarded. By default only outbound requests are intercepted, but server responses can be intercepted as well.
A browser proxy serves as a gateway that routes the browser's traffic and can hide your IP address, which is how it protects your online privacy. FoxyProxy is a browser extension that simplifies proxy management and switching; it is available both as a Chrome extension and as a Firefox add-on.
When a browser is configured to use Burp as its proxy, its traffic is recorded in Burp's HTTP history tab, and the content of each message can then be examined in its request and response tabs. To intercept encrypted HTTPS traffic, Burp's CA certificate must be imported into the browser and trusted.
While connected through the proxy, the certificate can be downloaded from http://burp or exported from Burp's proxy options. For more detailed information, see the PortSwigger website.
Traffic Interception and Manipulation
Burp's ability to intercept and modify HTTP/S requests and responses is its core capability. Burp lets you define rules that determine which messages are held for interception; these intercept options are found in the Proxy tab.
Traffic modification is a debugging proxy's primary feature, and Burp supports it through the Intercept and Repeater tools. With interception enabled, every message that is not allow-listed by the proxy's interception rules is held. The held message can be examined in Raw or Hex view, with the option to show only the headers. After review, it can be edited, forwarded, or dropped.
Because all browser traffic passes through the proxy, the interception window can fill with a large amount of noise. The Scope option filters by host address, request, and file type.
Scope is managed through the Target menu or by right-clicking an element. In practically every sub-view of Burp, clicking the filter banner at the top lets you configure what that view displays.
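The filtering just described can be reproduced in a few lines. The following is an added example, not Burp's own code: a minimal scope filter in the style of Burp's include/exclude rules, applied to a constructed proxy history for a hypothetical target host `app.example`. It shows the two behaviours a practitioner relies on: exclusion rules win over inclusion rules (so a logout URL can be kept out of a crawl), and static file types can be hidden from the history view.

```python
"""Target-scope filtering modelled on Burp's include/exclude rules (added example)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    """One scope rule: a regex for the host name and a regex for the request path."""
    host: str
    path: str = ".*"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host_ok = re.fullmatch(self.host, parts.hostname or "") is not None
        path_ok = re.fullmatch(self.path, parts.path or "/") is not None
        return host_ok and path_ok


# File types that are usually noise when reviewing proxy history
STATIC_EXTENSIONS = (".png", ".jpg", ".gif", ".css", ".js", ".woff", ".ico")


def in_scope(url: str, include: List[ScopeRule], exclude: List[ScopeRule],
             hide_static: bool = True) -> bool:
    """Exclusion rules override inclusion rules, as in Burp's target scope."""
    if any(rule.matches(url) for rule in exclude):
        return False
    if not any(rule.matches(url) for rule in include):
        return False
    if hide_static and urlsplit(url).path.lower().endswith(STATIC_EXTENSIONS):
        return False
    return True


def filter_history(urls: List[str], include: List[ScopeRule],
                   exclude: List[ScopeRule]) -> List[str]:
    """Return only the history entries that the scope rules keep."""
    return [u for u in urls if in_scope(u, include, exclude)]


# Constructed sample: hypothetical target app.example plus third-party noise
INCLUDE = [ScopeRule(host=r"app\.example")]
# Excluding the logout endpoint keeps a crawler from ending its own session
EXCLUDE = [ScopeRule(host=r"app\.example", path=r"/admin/logout")]
SAMPLE_HISTORY = [
    "https://app.example/login",
    "https://app.example/static/logo.png",
    "https://app.example/admin/logout",
    "https://cdn.thirdparty.example/lib.js",
    "https://app.example/api/users",
]

if __name__ == "__main__":
    for url in filter_history(SAMPLE_HISTORY, INCLUDE, EXCLUDE):
        print(url)
```

Burp's real scope rules also match on protocol and port; the example keeps host and path only, which is enough to show why the exclusion check has to run first.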
Burp Suite Components
Burp Suite Toolset
Repeater: Burp's Repeater lets you send a request to the server repeatedly while tracking changes in the response. It comes in handy when inspecting server responses.
Repeated transmissions are handled by the Repeater: a previously captured request can be sent to the Repeater, modified, and resent. The Repeater is extremely useful for testing specific client-server interactions.
Intruder: Intruder is Burp's brute-forcing tool. It lets you identify and manipulate HTTP/S request parameters and headers using a pattern, a sequence, a rule, or a wordlist, and brute-force them with numerous payloads. After a request is captured, its parameters can be marked for substitution.
Burp attempts to detect all parameters automatically and marks the positions to be substituted with special symbols (§). Choosing Clear removes all markers from the request; selecting Add marks the currently highlighted content as a manually chosen position.
Intruder Payloads: The second step is to define a payload set, which can be anything from a wordlist to a numeric sequence to bit manipulation. Intruder is adaptable and can be configured for complicated brute-forcing.
Intruder Attack Types:
- Sniper: The Sniper attack uses a single payload set and replaces only one marked position at a time. It substitutes each payload into the first marked position while leaving all other positions unchanged, then moves on to the second position.
- Battering Ram: In a Battering Ram attack, the payload value is the same in all positions. It uses one payload set, cycles through it, and places each payload value into every position at once.
- Pitchfork: The Pitchfork attack uses a separate payload set for each position. The first request uses the first payload from each set, the second request uses the second payload from each set, and so on.
- Cluster Bomb: The Cluster Bomb attack tries every combination of payloads across the payload sets. It places the first payload in the first position and the second payload in the second position, then cycles through the sets until all combinations have been tried.
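The four attack types differ only in how payloads are placed into the marked positions, which is easiest to see in code. The block below is an added example, not Burp's implementation: it parses a request template that uses Burp's `§` markers, and generates the sequence of requests each attack type would send. The request template and payload sets are constructed sample values; Cluster Bomb follows Burp's ordering, in which the first position cycles fastest.

```python
"""Payload placement for the four Burp Intruder attack types (added example)."""
from itertools import product
from typing import Iterator, List, Tuple

MARKER = "\u00a7"  # Burp marks payload positions with the section sign: §value§


def parse_template(template: str) -> Tuple[List[str], List[str]]:
    """Split a marked request into literal chunks and the base value of each position.

    "user=§admin§&pass=§x§" -> chunks ["user=", "&pass=", ""], bases ["admin", "x"]
    """
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(chunks: List[str], values: List[str]) -> str:
    """Re-assemble the request with one value per payload position."""
    out = []
    for i, chunk in enumerate(chunks):
        out.append(chunk)
        if i < len(values):
            out.append(values[i])
    return "".join(out)


def sniper(template: str, payloads: List[str]) -> Iterator[str]:
    """One payload set; each position is attacked in turn, others keep their base value."""
    chunks, bases = parse_template(template)
    for pos in range(len(bases)):
        for payload in payloads:
            values = list(bases)
            values[pos] = payload
            yield render(chunks, values)


def battering_ram(template: str, payloads: List[str]) -> Iterator[str]:
    """One payload set; the same payload is placed into every position at once."""
    chunks, bases = parse_template(template)
    for payload in payloads:
        yield render(chunks, [payload] * len(bases))


def pitchfork(template: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """One payload set per position, advanced in lockstep; stops at the shortest set."""
    chunks, bases = parse_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for row in zip(*payload_sets):
        yield render(chunks, list(row))


def cluster_bomb(template: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """One payload set per position; every combination is tried, first position fastest."""
    chunks, bases = parse_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    # itertools.product varies the last set fastest, so reverse the sets to get Burp's order
    for combo in product(*reversed(payload_sets)):
        yield render(chunks, list(reversed(combo)))


# Constructed sample: two marked positions in a login request body
TEMPLATE = "user=\u00a7admin\u00a7&pass=\u00a7secret\u00a7"

if __name__ == "__main__":
    names = ["alice", "bob"]
    words = ["spring", "summer"]
    print("sniper:       ", list(sniper(TEMPLATE, names)))
    print("battering ram:", list(battering_ram(TEMPLATE, names)))
    print("pitchfork:    ", list(pitchfork(TEMPLATE, [names, words])))
    print("cluster bomb: ", list(cluster_bomb(TEMPLATE, [names, words])))
```

With two positions and payload sets of sizes m and n, the request counts are 2m for Sniper, m for Battering Ram, min(m, n) for Pitchfork, and m × n for Cluster Bomb, which is why Cluster Bomb is the one to rate-limit carefully.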
Brute-Forcing Website Paths: By marking the relevant part of the URL, Intruder can be used to enumerate a website's directories and files by brute force, in the same way it brute-forces user names and passwords. The Professional edition ships with built-in wordlists for various situations.
Burp Sequencer: The Sequencer's principal function is to test for randomness. Tokens and cookies that are built from insufficiently random values can be predicted and forged. The Sequencer can be configured to run many statistical tests to identify which bits of a token are not random.
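A simplified version of the randomness check the Sequencer performs, added here as an example and not taken from Burp: it collects a sample of tokens, computes the Shannon entropy of the character observed at each position across the sample, and reports the positions that barely vary. Both token sets are constructed: a sequential session-id format that a reviewer would flag, and a hex token from a seeded PRNG (seeded only so the demo is reproducible; a real token generator must use a CSPRNG).

```python
"""Per-position entropy of sampled tokens, in the spirit of Burp Sequencer (added example)."""
import math
import random
from collections import Counter
from typing import List


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy, in bits, of the character seen at each position across the sample."""
    if not tokens:
        return []
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def weak_positions(tokens: List[str], threshold: float = 1.0) -> List[int]:
    """Indices of positions whose entropy falls below the threshold (fixed or near-fixed)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold]


def estimated_bits(tokens: List[str]) -> float:
    """Upper bound on the effective entropy of a token: the sum over positions."""
    return sum(position_entropy(tokens))


# Constructed sample 1: a sequential session id ("sess000123") that only varies in its tail
def sequential_tokens(n: int) -> List[str]:
    return [f"sess{i:06d}" for i in range(n)]


# Constructed sample 2: 10 hex digits from a seeded PRNG (reproducible demo, not a CSPRNG)
def random_hex_tokens(n: int, seed: int = 7) -> List[str]:
    rng = random.Random(seed)
    return [f"{rng.getrandbits(40):010x}" for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("sequential", sequential_tokens(200)),
                          ("random hex", random_hex_tokens(200))):
        print(f"{label}: ~{estimated_bits(sample):.1f} bits, "
              f"weak positions {weak_positions(sample, threshold=2.0)}")
```

The per-position sum is an optimistic estimate: it ignores correlations between positions (a counter's digits are fully correlated), so a token that scores well here may still be predictable, which is why the Sequencer runs a battery of tests rather than one.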
Decoder: The Decoder is a small tool that saves time by allowing data to be encoded and decoded from within the Burp framework. It can decode and encode raw data in various encoded and hashed forms.
HTML, URL, Hex, and other encoding formats are supported, and the Decoder can also compute hashes. It can apply multiple decoding layers to the same data, so nested encodings can be unwrapped step by step.
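Unwrapping nested encodings is the Decoder feature most worth automating. The block below is an added example, not Burp's code: it recognises the outermost layer of a value (URL encoding, hex, or base64), peels it, and repeats until nothing recognisable remains, returning the list of layers it removed. The sample value is constructed by `encode_layers`, which wraps a plain string in hex, then base64, then URL encoding; the order of the checks is a heuristic, since every hex string is also base64-shaped.

```python
"""Peel nested encoding layers from a value, like chaining Burp Decoder steps (added example)."""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
URL_RE = re.compile(r"%[0-9a-fA-F]{2}")


def _as_text(raw: bytes) -> Optional[str]:
    """Accept a decoded layer only if it is printable UTF-8; otherwise we decoded noise."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def peel_one(value: str) -> Optional[Tuple[str, str]]:
    """Return (layer_name, decoded_value) for the outermost recognisable layer, or None."""
    if URL_RE.search(value):
        return "url", unquote(value)
    if HEX_RE.match(value):  # checked before base64: every hex string is also base64-shaped
        text = _as_text(bytes.fromhex(value))
        if text is not None:
            return "hex", text
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            text = _as_text(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            text = None
        if text is not None:
            return "base64", text
    return None


def decode_layers(value: str, max_depth: int = 10) -> Tuple[List[str], str]:
    """Strip layers until none is recognised; max_depth guards against pathological input."""
    layers: List[str] = []
    for _ in range(max_depth):
        step = peel_one(value)
        if step is None or step[1] == value:
            break
        name, value = step
        layers.append(name)
    return layers, value


def encode_layers(plain: str) -> str:
    """Constructed sample builder: plain -> hex -> base64 -> URL-encoded."""
    hex_layer = plain.encode("utf-8").hex()
    b64_layer = base64.b64encode(hex_layer.encode("ascii")).decode("ascii")
    return quote(b64_layer, safe="")


if __name__ == "__main__":
    wrapped = encode_layers("admin=true")
    print(wrapped)
    print(decode_layers(wrapped))
```

Stopping when a layer fails to decode to printable text is what keeps the loop from mangling a plain word such as `true`, which is base64-shaped but decodes to garbage.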
Comparer: The Comparer permits direct data comparisons from within the tool itself, eliminating the need for additional applications. It is a utility for comparing HTTP requests and responses, and it can help detect small differences between responses and altered values in requests. Word-by-word or bit-by-bit comparisons are possible.
Searching in Data: Burp lets you search for specific strings in requests and responses, for example to check a response for the text that indicates whether a login succeeded. Most Burp tools support search, including the Repeater, Intruder, and Comparer.
Burp Site Map: The left pane contains a hierarchical view of all content discovered on visited pages. The middle pane lists all resources Burp has discovered in the web application. The right pane lists the issues Burp found on the visited pages; this issues list is only available in the Professional edition.
Web Crawler: The term "crawler" is believed to have originated with the first search engine, "The Web Crawler." A crawler is an application that scans and indexes online documents. Crawlers fall into several categories, each of which searches for a distinct type of information.
Crawlers are most commonly found in search engines, which comb the internet for websites. In Burp Suite, a crawl is run by selecting "crawl and audit" from the scan type options and then choosing, in the left pane, the folders to include in the scan.
Burp Extender: The Extender option lets you add more tools to Burp. Extensions are available for download from the official BApp Store at https://portswigger.net/bappstore; the JWT extension, for example, streamlines decoding, manipulating, and re-encoding JSON Web Tokens.
Burp Suite is an integrated platform and graphical tool for web application security testing. Its tools work together to support the whole testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.
- Burp Suite detects all of the OWASP Top 10 vulnerabilities.
- Burp Suite is an excellent proxy service, allowing you to proxy all web requests and adjust them as they are sent or received.
- Intercepts HTTPS traffic effectively.
- A powerful automatic discovery tool finds buried or "invisible" target functionality.
- Speeds up granular work by letting you modify and reissue individual HTTP and WebSocket messages and analyse the response in a single window.
- Lets you determine the size of the target application as quickly as possible.
- WebSocket messages have their own history, which you can view and edit.
- Lets you easily assess the quality of randomness of data items that are meant to be unpredictable (e.g., tokens).
For more details, visit the PortSwigger website.