Burp, or Burp Suite, is a set of tools used for penetration testing of web applications. It is developed by PortSwigger, a company whose name is also the alias of its founder, Dafydd Stuttard. Burp Suite aims to be an all-in-one toolkit, and its capabilities can be extended by installing add-ons called BApps.
It is the most popular tool among professional web application security researchers and bug bounty hunters, and its ease of use leads many to prefer it over free alternatives such as OWASP ZAP.
Burp Suite comes in three editions: a free Community edition and paid Professional and Enterprise editions. This article gives a brief introduction to the tools offered by Burp Suite. If you are a complete beginner in web application pentesting, web app hacking or bug bounty hunting, we recommend that you simply read through without worrying too much about any individual term.
The tools offered by BurpSuite are:
Spider: A web spider/crawler used to map the target web application. The objective of the mapping is to obtain a list of endpoints so that their functionality can be observed and potential vulnerabilities found. Spidering matters for a simple reason: the more endpoints you gather during recon, the more attack surface you have to examine during the actual testing. In recent Burp releases the standalone Spider has been folded into the crawler that drives the Scanner.
Proxy: Burp Suite contains an intercepting proxy that lets the user view and modify the contents of requests and responses while they are in transit. It also lets the user send the request or response under inspection to another Burp tool, removing the burden of copy-paste. The proxy listener can be configured to run on a specific loopback IP address and port, and can be configured to filter out specific types of request-response pairs.
Intruder: A fuzzer. It is used to run a set of values through an input point; each value is sent and the response is observed for success or failure and for its content length, since an anomaly usually shows up as a change in the response code or in the length of the response. Burp Suite offers brute-forcer, dictionary-file (simple list) and single-value payload types for a payload position. Note that the Community edition throttles Intruder's request rate. Intruder is used for:
- Brute-force attacks on password forms, PIN forms and similar forms.
- Dictionary attacks on password forms and on fields suspected of being vulnerable to XSS or SQL injection.
- Testing and attacking rate limiting on the web app.
Repeater: Repeater lets a user send a request repeatedly with manual modifications. It is used to answer questions such as:
- Are user-supplied values being validated at all?
- If user-supplied values are validated, how well is it done?
- What values does the server expect in a given input parameter or request header?
- How does the server handle unexpected values?
- Is input sanitisation applied by the server?
- How well does the server sanitise user-supplied input?
- What sanitisation style is the server using?
- Among all the cookies present, which one is the actual session cookie?
- How is CSRF protection implemented, and is there a way to bypass it?
Sequencer: The Sequencer is an entropy checker that tests the randomness of tokens generated by the web server. Such tokens are generally used for authentication in sensitive operations; session cookies and anti-CSRF tokens are examples. Ideally these tokens are generated in a fully random manner, so that the probability of each possible character appearing at a given position is uniformly distributed, and this should hold both bit-wise and character-wise. An entropy analyser tests this hypothesis. It works like this: initially, the tokens are assumed to be random. The tokens are then tested for certain characteristics. A significance level is defined as the minimum probability the tokens must exhibit for a characteristic; if the observed probability for a characteristic falls below the significance level, the hypothesis that the tokens are random is rejected. This tool can be used to identify weak tokens and to infer how they are constructed.
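As an added illustration, not part of the original article and not Burp's own code, the following Python runs the character-wise and bit-wise per-position checks described above over a constructed sample of hex tokens. A fixed 90% entropy fraction is assumed as a simplified stand-in for Burp's significance-level tests.

```python
import math
import random
from collections import Counter

def shannon_entropy(counts):
    """Shannon entropy in bits of a frequency table ({symbol: count})."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def char_entropy_by_position(tokens):
    """Character-level test: entropy of the symbol seen at each position."""
    return [shannon_entropy(Counter(t[i] for t in tokens)) for i in range(len(tokens[0]))]

def bit_entropy_by_position(tokens):
    """Bit-level test on the hex-decoded token bytes (bit 0 = MSB of byte 0)."""
    raw = [bytes.fromhex(t) for t in tokens]
    result = []
    for b in range(len(raw[0]) * 8):
        ones = sum((r[b // 8] >> (7 - b % 8)) & 1 for r in raw)
        result.append(shannon_entropy({1: ones, 0: len(raw) - ones}))
    return result

def weak_positions(entropies, ideal_bits, threshold=0.9):
    """Positions whose entropy is below threshold * ideal. The fixed fraction is a
    simplification (assumed) standing in for Burp's significance-level tests."""
    return [i for i, e in enumerate(entropies) if e < threshold * ideal_bits]

def make_sample_tokens(n=256, seed=7):
    """Constructed sample of 4-byte hex tokens with deliberate weaknesses:
    byte 0 is a constant 0xc0 tag, byte 1 is biased (90% below 0x40),
    bytes 2-3 come from a uniform PRNG."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(n):
        biased = rng.randrange(64) if rng.random() < 0.9 else rng.randrange(64, 256)
        tokens.append(f"c0{biased:02x}{rng.randrange(65536):04x}")
    return tokens

def analyse(tokens):
    """Run both tests and report the positions a sequencer would flag."""
    chars = char_entropy_by_position(tokens)
    bits = bit_entropy_by_position(tokens)
    ideal_char = math.log2(len(set("".join(tokens))))  # observed alphabet size
    return {"char_entropy": chars, "bit_entropy": bits,
            "weak_chars": weak_positions(chars, ideal_char),
            "weak_bits": weak_positions(bits, 1.0)}

if __name__ == "__main__":
    report = analyse(make_sample_tokens())
    print("weak character positions:", report["weak_chars"])
    print("weak bit positions:", report["weak_bits"])
```

On the constructed sample the constant tag and the biased byte are flagged (character positions 0-2, bits 0-9) while the PRNG bytes pass, which is the shape of result a weak-token finding in Sequencer has.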
Decoder: Decoder supports the common encodings such as URL, HTML, Base64 and hex. It comes in handy when examining chunks of data found in parameter values or headers, and it is also used to construct payloads for various vulnerability classes. Decoding such values can uncover basic cases of IDOR and session hijacking, for example when an encoded cookie turns out to carry a plain user identifier.
Extender: Burp Suite allows external components to be integrated into the suite to enhance its capabilities. These components are called BApps and work much like browser extensions. They can be viewed, configured, installed and uninstalled in the Extender window (called Extensions in newer releases). Some BApps run on the Community edition, but others require the paid Professional edition.
Scanner: The Scanner is not available in the Community edition. It scans the website automatically for many common vulnerabilities and lists them with a confidence rating for each finding and an assessment of how hard it is to exploit. It is updated regularly to cover new and lesser-known vulnerabilities.
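An added example, not from the article or from PortSwigger, of the layered decoding that Decoder is used for by hand: it peels URL, HTML, hex and Base64 layers off a constructed cookie value until plaintext appears, which is how an identifier hidden under encoding becomes visible for an IDOR check. The recognition heuristics (length and alphabet checks, printable UTF-8 result) are assumptions of this example.

```python
import base64
import html
import re
import urllib.parse

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

def _as_text(raw: bytes):
    """Return raw as text if it is printable UTF-8, otherwise None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def decode_one(value: str):
    """Recognise and strip one encoding layer; returns (name, decoded) or None."""
    if re.search(r"%[0-9a-fA-F]{2}", value):
        return "url", urllib.parse.unquote(value)
    if "&" in value and html.unescape(value) != value:
        return "html", html.unescape(value)
    if len(value) >= 4 and HEX_RE.match(value):
        text = _as_text(bytes.fromhex(value))
        if text:
            return "hex", text
    if len(value) >= 8 and len(value) % 4 == 0 and B64_RE.match(value):
        try:
            text = _as_text(base64.b64decode(value, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            text = None
        if text:
            return "base64", text
    return None  # nothing recognisable: treat as plaintext

def decode_layers(value: str, max_depth: int = 8):
    """Peel layers until the value is no longer recognisably encoded."""
    layers = []
    for _ in range(max_depth):
        step = decode_one(value)
        if step is None or step[1] == value:
            break
        layers.append(step)
        value = step[1]
    return layers

# Constructed sample: a cookie that is URL-encoded Base64 of a JSON blob
SAMPLE_COOKIE = urllib.parse.quote(
    base64.b64encode(b'{"uid":1042,"role":"user"}').decode(), safe="")
```

`decode_layers(SAMPLE_COOKIE)` returns the URL layer followed by the Base64 layer, ending at the JSON with the user id in the clear.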
Setting up Burp Suite:
Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. To do this, change your browser's proxy settings to use the proxy host address (by default, 127.0.0.1) and port (by default, 8080) for both HTTP and HTTPS, with no exceptions. This ensures that all HTTP and HTTPS traffic passes through Burp. The details of how to do this vary by browser and version; please refer to the relevant section below for the browser you intend to use with Burp.
Check your browser proxy configuration
- When you’ve configured your browser, you need to test that it is working properly by performing the following steps. If anything does not happen in the way described below, there is a problem with your browser configuration. In this case, please refer to the troubleshooting
- Make sure you have checked that the proxy listener is activeand have configured your chosen browser.
- With Burp running, open the browser you configured and go to any HTTP URL (do not use HTTPS for the moment). Your browser should sit waiting for the request to complete, that is, it should look as though it is stuck trying to load the page. This is because Burp has intercepted the HTTP request your browser is trying to send.
- In Burp, go to the “Proxy” tab and open the “Intercept” sub-tab. Both of these tabs should be highlighted. On the “Intercept” tab, you should see the intercepted HTTP request in the main panel.
- Notice the button labelled "Intercept is on". If you click it, it changes to "Intercept is off" and the request is released from Burp.
- Go back to your browser. You should now see the requested page loading as it would during normal browsing.
If everything went as described above, you have completed the mandatory configuration steps for using an external browser with Burp Suite. At this point, however, you will only be able to test web applications that use HTTP exclusively: if you try to access an HTTPS URL from your external browser, you will find that the connection is blocked. We therefore strongly recommend that you perform the final additional step of installing Burp's CA certificate in the browser so that you can also test applications served over HTTPS. Newer Burp releases also ship a preconfigured embedded browser that already trusts Burp's CA, which avoids this manual setup entirely.