Burp Suite is, as far as I’m concerned, the de facto tool for Web Application Assessments. It’s simple to use and takes little time to get the hang of, but to make sure you’re making the most out of your toolset, I thought I’d post a quick introduction to run through the main tabs and features.
Burp Suite is a man-in-the-middle proxy which can intercept HTTP/HTTPS data from web browsers and mobile applications and allow you to read, modify, and repeat requests to servers. It can detect and monitor WebSockets. It’s ideal for testing for a range of security issues within applications. It can automate many of the tasks required for an effective penetration test and it’s even extensible!
Installation – Configuration
Burp Suite is written in Java, so there’s no specific installation or configuration for Burp itself: if you have a JRE installed then it’s likely that you can just go ahead and double-click the .jar file and it’ll run just fine. If you’re a Linux user on a distribution that comes with OpenJDK you should find that it runs just fine too; however, here are some notes on Oracle Java and using that.
Even though you can execute the .jar directly, it’s often recommended to supply a little more memory to Burp using the following command:
Once Burp is up and running you’ll need to configure your browser to use burp as its proxy. This is no different to setting up a normal proxy in your browser of choice, but I recommend using Firefox and the FoxyProxy add-on. This adds a button into your browser that allows you to quickly swap between having your browser run through burp or directly to the target application.
Once you’ve got everything set up, Burp will automatically be set to intercept all requests from your browser. So if you try to view a page, you’ll get a flashing Intercept tab and your raw request will be displayed. This means you’re all set and good to go!
Intercept is enabled on start-up by default and allows you to make changes to requests in-line as requests are sent to the server or responses are sent back to the browser. You can configure what is and isn’t captured by Intercept through the Options tab which allows you to specify things like intercepted file types, for example.
One thing you’re going to run into quite quickly is that your browser will “complain” about the SSL certificate whenever you view an HTTPS site. You can often click through these errors, but a much better thing to do is to install the Burp CA certificate into your browser as a trusted CA. I test from Firefox but the steps are essentially the same for any browser. First of all, download the CA certificate from Burp by visiting http://burp/cert
Once you’ve got the certificate open Firefox’s preferences:
In preferences you want to hit “Advanced” and then “Certificates” and finally “View Certificates”:
That’ll give you this menu where you need to select “Import”:
Browse to where you downloaded the file from http://burp/cert and hit open, you’ll then be given this menu and you’ll need to hit at least “Trust this CA to identify web sites”, then okay:
Hit okay and you’re done! Firefox is now configured to trust any certificate signed with your Burp CA certificate, so the nasty SSL complaints will vanish and you can get on with playing with Burp Suite!
Target and Scope – ‘The Dashboard’
Before we get into messing with requests and testing applications I’m going to run through all of the tabs in this article and give an overview of each one; if a specific area is worth further information I’ll break out into a separate post to keep things here nice and neat. First of all though, take a look at the Scope option of the Target tab. It’s a good idea to set this up first so that you can reduce all of the information Burp feeds you on the other tabs down to just the application that you’re testing.
When you define an application in scope it allows you to filter by that application. Although this menu accepts regex, there’s little difference between the neat-looking gracefulsecurity.com and the technically accurate gracefulsecurity\.com. If you’re not comfortable with regex you can just go ahead and paste in your application URLs without worrying about the regex options and things should work as you’d expect. Here’s my set up:
Specifying a scope allows you to alter the way that other tabs, such as Intercept, work but also allows you to clean up the sitemap to show only the applications that you are assessing – keeping your working environment nice and neat!
So now when I take a look at the other tabs and options, such as Target – Site Map, I can reduce the output to just my desired application. As you can see in the following screenshot I’ve used the Filter option (found by clicking the banner just below “Site Map Scope”) and chosen “Hide out of scope items”, leaving me with this:
Intercept, Repeat, Intrude – The tools
Once you have your browser configured to pass through Burp Suite you can capture, modify and replay messages to allow you to flex and test the functionality of an application. When it comes to manual testing there are three main tools that bring in the fundamental functionality of Burp, and you can quickly send requests between all three simply by right-clicking a request in any window and selecting the appropriate “Send to” option.
The first is Intercept, the function that allows you to interact with an application, pause the communications between the browser and server, and make individual changes to messages as they pass through. With Intercept enabled, if you click a link in your browser Burp will gain focus, present the message to you and allow you to either forward, modify or drop it. You can also do the same with responses from the server. This function looks like this:
Intercept is great to see the raw requests and responses and for making individual small changes to a request/response. However if you want to make repeated manual changes then swap over to Repeater and if you want to make multiple automated changes then Intruder is the tool for that!
Intercept is great for quick individual changes to an application, or for viewing and modifying the source code returned from a server using the “show response to this request” option. It’s simple to use and allows you to mess around with an application during normal interaction, but it doesn’t offer a lot in the way of automation, and to send multiple payloads to the same function you’d need to constantly swap back and forth between your browser and Burp.
If you’re wanting to manually test a specific function a much better tool would be repeater. This one offers a side-by-side view of the response and request, allowing for faster changes to payloads – great if you’re trying to manually exploit a vulnerability like SQL injection or alternatively you’re trying to get just the right payload to evade a filter.
Repeater puts the request and response side by side; if you’re working on two monitors you can always drag the window a little wider and have the request on one monitor and the response on the other. It’s a good tool for multiple manual changes such as fuzzing an input filter or writing up a payload for vulnerabilities like SQL injection.
If you’re using Repeater to type payloads into the URI then remember that there’s an option to get it to automatically URI-encode payloads for you, which is definitely convenient when you’re just starting out and haven’t quite committed all of the characters to memory.
Although repeater is essentially intercept set to rapid-fire, it’s still very manual and doesn’t offer automation, the trick here then is to use Intruder. With intruder you can select a single, or multiple, items in a request to automatically replace with a list of options. The list can be a simple text file with some payloads, they can be automatically generated (for example numbers 1 to 1000, or all even numbers below 100), or they can be selected from a predefined list (such as common usernames and passwords). This option is great to automate non-complex tasks (if they’re complex then skip on to Macros and Extensions!) such as bruteforcing a login page. In this scenario you’d capture a login request, send the request to Intruder, select the value section of the username and password field and then supply burp with two lists of payloads.
You’ll need to note however that Intruder has four “modes”: Sniper, Pitchfork, Battering Ram and Cluster Bomb. Their use is obvious so I won’t go into detail here. Kidding of course, their use isn’t immediately obvious, but they’re not difficult:
Sniper – takes a single payload set and places each entry of that set into the marked position, so it’s good for fuzzing a function as you can supply a selection of payloads and then burp will neatly present you with all of the responses side by side.
Battering Ram – is very similar to sniper however it can place the same payload in multiple positions, for example if you have a username which must be present in both the post request and the cookie you can select one payload set and this will position it in all positions.
Pitchfork – is a little more complex, but just a touch. You can select multiple payload sets (up to 20) and pitchfork will iterate through each set in turn, so the first request contains the first payload from each set and the second request contains the second payload from each set. It’s great if you’ve got a set of payloads which are different but related, so instead of a username having to be in both the post request and the cookie, imagine a username must be in the post and a related userID must be in the cookie – Pitchfork can help with this one.
Cluster Bomb – is best remembered as the one used for bruteforcing passwords. You can select multiple payload sets and it will iterate through by sending all combinations of all sets. So it’ll take the first payload and try that with each payload of the second set before moving onto the second payload and trying that with each payload of the second set. So effectively it’ll try a username with each possible password before moving on to the next username.
Also it’s worth noting that payload lists can be modified before they’re sent, such as Base64ing payloads or URI encoding them. This is done under the Payloads menu in the “Payload Processing” box. Options include encoding, adding prefixes, adding suffixes, hashing, modifying case – all sorts!
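To make the four attack types and the payload-processing step concrete, here is an added Python example (my own illustration, not Burp’s code): it generates the request list each mode would produce from a login request with two marked insertion points, and applies prefix/suffix/Base64/URL-encoding rules to a payload list first. The request, the payload lists and the rule names are constructed for this example.

```python
import base64
import itertools
import re
from urllib.parse import quote

# Constructed sample request with two insertion points, marked the way
# Intruder displays them: § around the original value.
LOGIN_TEMPLATE = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "username=§admin§&password=§secret§")
POSITION_RE = re.compile("§(.*?)§")

# Payload-processing rules, applied in order like the "Payload Processing"
# box; the rule names are my own shorthand for Burp's options.
RULES = {
    "prefix": lambda p, arg: arg + p,
    "suffix": lambda p, arg: p + arg,
    "base64": lambda p, arg: base64.b64encode(p.encode()).decode(),
    "urlencode": lambda p, arg: quote(p, safe=""),
    "upper": lambda p, arg: p.upper(),
}


def positions(template):
    """Default value at each marked insertion point, in order."""
    return POSITION_RE.findall(template)


def fill(template, values):
    """Put values[k] into the k-th marked position and drop the § markers."""
    it = iter(values)
    return POSITION_RE.sub(lambda m: next(it), template)


def sniper(template, payloads):
    """One payload set, one position at a time; the rest keep their defaults."""
    defaults = positions(template)
    requests = []
    for k in range(len(defaults)):
        for payload in payloads:
            values = list(defaults)
            values[k] = payload
            requests.append(fill(template, values))
    return requests


def battering_ram(template, payloads):
    """One payload set; the same payload lands in every position at once."""
    count = len(positions(template))
    return [fill(template, [payload] * count) for payload in payloads]


def pitchfork(template, *sets):
    """One set per position, walked in lockstep; stops with the shortest set."""
    return [fill(template, combo) for combo in zip(*sets)]


def cluster_bomb(template, *sets):
    """One set per position, every combination; the last set varies fastest,
    so each username is tried with every password before moving on."""
    return [fill(template, combo) for combo in itertools.product(*sets)]


def process(payloads, rules):
    """Run each payload through the given (name, arg) rules, in order."""
    out = []
    for payload in payloads:
        for name, *arg in rules:
            payload = RULES[name](payload, arg[0] if arg else None)
        out.append(payload)
    return out


def request_counts(users, passwords):
    """How many requests each attack type sends for two payload sets."""
    return {"sniper": len(sniper(LOGIN_TEMPLATE, users)),
            "battering_ram": len(battering_ram(LOGIN_TEMPLATE, users)),
            "pitchfork": len(pitchfork(LOGIN_TEMPLATE, users, passwords)),
            "cluster_bomb": len(cluster_bomb(LOGIN_TEMPLATE, users, passwords))}
```

The counts are the thing to watch when sizing an Intruder run: with three usernames and two passwords, Cluster Bomb sends every combination (six requests) while Pitchfork stops after the shorter set (two).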
There are two main windows for Intruder: the first is where you set up the requests and payload sets, and the second is where the results are shown.
Intruder allows you to define insertion points, shown above in orange. You can specify multiple insertion points and either supply Intruder payload sets for manual fuzzing or perform an active scan of just the highlighted sections. The latter is good if you want to actively scan an input but Burp doesn’t support the serialisation type (it supports XML and JSON, for example, but if the application is using something custom you can help Burp parse it using Intruder and manual insertion points)!
There are many types of payload set, such as simple lists, generated numbers or built-in lists of things such as usernames and passwords!
When you hit “Start Attack” Burp will send each request and show you all of the data that it can about each response, such as the response code, length and whether an error occurred. You can expand on the items that are highlighted by giving Burp strings to match on (such as “Login Successful”) or by asking it to extract items automatically (such as a list of exposed usernames)!
Scanner – Automation
The active scanner within Burp Suite is incredibly simple to use: just capture a request and hit “Do active scan”. However, there’s a trick that comes in handy: you can choose to actively scan specific parameters (or parts thereof) instead of a whole request. By first sending the request to Intruder you can define insertion points much like you would if you were using Intruder payloads, but instead just right-click and select “Do Active Scan”.
Manually defining insertion points and then actively scanning those is good if you want to scan a single input, if you want to exclude certain inputs, or if Burp doesn’t understand the serialisation method used!
Scanner results from both the passive scanner and the active scanner are then displayed on the Target “Dashboard” page, including the relevant payloads and, essentially, the reason why Burp thinks it’s a vulnerability.
Sequencer can be used to test the randomness of data within a web application, so usually we’d employ it to test how secure cookies are: if they’re being generated from an incrementing integer, if they follow a predictable pattern, or if their PRNG is bad, hopefully Sequencer will pick up on that. It’s pretty simple to use: you just give it the response that contains the item you’re wanting to assess (for example the Set-Cookie header) and tell it to start capturing! It’ll repeat the request several thousand times and test the randomness as it goes.
The following screenshot shows a request that contains a Set-Cookie header that has been sent to Sequencer; it’ll automatically pull out common sequence points such as cookies, form fields, etc.
Sequencer can test the randomness of any server output, but automatically picks up on things like cookies and form fields. If it’s something non-standard that you’re wanting to test then you can configure a custom location to show Burp the item to extract and assess.
We can go ahead and hit “Start Live Capture” for it to repeat the (in this case, login) request and gather lots of items to test.
Burp will repeat the request many times until it has gathered enough tokens – for bit-level tests you can assess after 100 tokens, although for character-level analysis you’ll need 20,000. Don’t forget that you can ask Burp to Base64-decode the tokens before assessing them if you’d like, and you can export the list of captured tokens for your records or to make additional changes to them before analysing them.
After enough cookies have been received Burp can test them for randomness (20,000 have to be captured for character-level analysis), but the output quite quickly shows how random an analysed item is, and a large number of randomness tests are supported! All green is good; lots of red shows poor randomness.
Each test has its own tab and graph output to keep things neat, plus if poor randomness is detected you can scroll down in this window for an explanation of why Burp has flagged this bit/character.
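As an added illustration of the kind of checks Sequencer runs (my own Python, not Burp’s implementation), here is a small script that takes a captured token sample and reports per-position character entropy, the number of bit positions that never change in the decoded bytes, duplicates, and whether the decoded values are simply an incrementing counter. The two token sets are constructed inline, and the decoder option names are my own.

```python
import base64
import hashlib
import math
from collections import Counter

# Constructed samples, not captured from a real application. BAD is the
# classic weak cookie (a base64-encoded incrementing integer); GOOD is 16
# bytes of SHA-256 output, hex encoded, keyed with a constant demo secret.
BAD = [base64.b64encode(str(100000 + i).encode()).decode() for i in range(200)]
GOOD = [hashlib.sha256(b"demo-secret" + i.to_bytes(4, "big")).hexdigest()[:32]
        for i in range(200)]

# Mirrors Sequencer's "decode tokens first" option (the option names are mine).
DECODERS = {None: lambda s: s.encode(), "base64": base64.b64decode,
            "hex": bytes.fromhex}


def shannon_bits(symbols):
    """Shannon entropy, in bits, of one sample of symbols."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def char_level(tokens):
    """Entropy of each character position across the sample, as in Burp's
    character-level analysis. A position that never changes scores 0."""
    width = min(len(t) for t in tokens)
    return [shannon_bits([t[i] for t in tokens]) for i in range(width)]


def bit_level(raw):
    """Fraction of 1s at every bit position of the decoded token bytes."""
    width = min(len(r) for r in raw) * 8
    ones = [0] * width
    for r in raw:
        for i in range(width):
            ones[i] += (r[i // 8] >> (7 - i % 8)) & 1
    return [count / len(raw) for count in ones]


def looks_incrementing(texts):
    """True when each decoded token is an integer exactly one above the last."""
    try:
        nums = [int(t) for t in texts]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def analyse(tokens, decode=None):
    """Summarise a captured sample. Character tests run on the tokens as seen;
    bit tests and the counter check run on the decoded bytes."""
    raw = [DECODERS[decode](t) for t in tokens]
    ent = char_level(tokens)
    bits = bit_level(raw)
    return {
        "duplicates": len(tokens) - len(set(tokens)),
        "incrementing": looks_incrementing([r.decode("latin-1") for r in raw]),
        "min_char_entropy": min(ent),
        "mean_char_entropy": sum(ent) / len(ent),
        # bit positions that are (almost) always 0 or always 1 in the sample
        "constant_bits": sum(1 for p in bits if p < 0.05 or p > 0.95),
        "total_bits": len(bits),
    }


if __name__ == "__main__":
    for name, sample, dec in [("BAD", BAD, "base64"), ("GOOD", GOOD, "hex")]:
        print(name, analyse(sample, decode=dec))
```

The BAD sample scores zero entropy on its leading characters and is recognised as a counter once decoded; the GOOD sample has no constant bits and every hex position close to its 4-bit maximum, which is the shape of a healthy Sequencer result.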
Decoder is a neat little added extra to Burp which comes in handy a surprising amount of the time. Found some encoded data in a response and want to quickly know what it means? Highlight it, right-click and select “Send to Decoder”!
Many of the tabs allow you to “Send to Decoder” but I find that I use this option most frequently from either Intercept, Repeater or HTTP History. You can only have one item loaded into decoder at a time, but you can run multiple encodings on that item, such as hex encoding and then base64 encoding.
Once your data is in decoder you can select which encoding/decoding option you like, on the right:
Macros, Extender – The future
Burp Macros are great for repeating several requests at key moments, automatically. For example if during an active scan the web application logs you out as an automated protection mechanism then you can record a macro of the authentication process, show burp what it looks like when you’re logged out and tell it to auto-run the macro!
Macros definitely deserve their own post though, so I dive into them in detail here, using the above as an example: Burp Macros Example – Re-authentication
Extensions, on the other hand, allow you to build on Burp if you need to add a feature that just doesn’t exist. This could be adding new scanner payloads, tying Burp into another tool such as SQLmap, or even bypassing complex protective mechanisms such as anti-CSRF tokens in an automated way.
Extensions can be written in Ruby, Java or Python (or more accurately Jython) and I’ve got a whole post on this topic with example code to get you started! Extensions Example – Burp vs CSRF Tokens
There are a whole host of extensions already written though, and I’d certainly recommend taking a look at Logger++, WSDLer, and Additional Scanner Checks. These can all be installed within a couple of clicks from the built-in “BApp Store”:
All of the items in the BApp Store are free, but some have dependencies such as the Jython standalone file; I’ve done a write-up on how to install Jython to get you started!
Burp Suite is an intercepting proxy that can intercept requests from the client side & responses from the server side. The ability to intercept allows hackers to manipulate requests/responses to look for & exploit vulnerabilities. It is mainly used by experienced security engineers & pen testers, as it presents a single interface with various integrated toolsets.
Burp Suite has multiple capabilities. The Professional & Enterprise versions of the tool have a scanner feature that scans a target web application / API to discover vulnerabilities. This is possible only if we are able to intercept the requests first.
Burp Suite Professional also has an Extender tab, in which we can add a set of extensions that look for additional security violations or approach some of the scanner’s default vulnerability checks in a slightly different way.
Getting Burp Suite :
Burp Suite is available in the following editions:
Burp Suite Community
Burp Suite Professional
Burp Suite Enterprise
The Community version is available for everyone & free to use. It can be downloaded from the PortSwigger official website. The Professional & Enterprise versions are commercial. If you haven’t tried this tool & your organisation hasn’t requested a trial licence before, you can use this chance to request a trial version valid for 30 days with full features (note: this option is available at the time of publishing and may change in future). We assume here that we are requesting a trial licence for valid reasons and want to make the best use of it.
Installing Burp Suite:
Burp Suite can be run on any operating system (OS) that supports the required Java version, as it is a Java application distributed as a JAR file that you launch to use the tool.
We are using Burp Suite Pro v2020.2.1 & it requires minimum Java version 8 to install / run the tool.
Configuring Burp Suite:
Before we can use Burp Suite, we need to configure it with our client so we can intercept requests/responses. Follow sections 1, 2 and 3 below to configure it.
Section 1, Configure browser with Burp Suite
open Burp —> proxy —> Options—> Add Proxy Listener
By default Burp Suite listens on port 8080, so the default proxy listener is localhost:8080. We need to set this proxy listener in our browser to intercept requests/responses.
open Firefox —> Preferences —> Network settings —> set Manual proxy configuration to localhost:8080
Section 2, Install Burp root CA certificate
This is required to intercept encrypted traffic.
open Burp —> proxy —> Options—> click import/export CA certificate to export the certificate
After the certificate is exported, now open Firefox —> Preferences —> certificates —> Import certificate
Section 3, set Upstream proxy server
In some corporate networks there is a proxy configured to connect to the internet. To access external sites hosted outside the corporate network, or to connect to the internet at all, we are required to set the upstream proxy.
To set this, open Burp —> User Options —> Add Upstream Proxy Servers
Burp Suite Integrated toolsets:
Repeater : It is used to replay the base request with altered/manipulated request parameters & observe the response from the server. This feature helps to confirm the existence of a vulnerability, as we can replay & observe responses. It becomes a bit easier to check for access control violations with Repeater, as we only need to swap one user’s specific IDs or resources for another user’s.
Intruder : It is used to target specific request parameters with a list of custom payloads & observe the responses for each of the payloads/manipulated requests.
Sequencer : It is used to check for the strength of the tokens such as session cookies , forgot password tokens or user invited tokens etc.,
Decoder : It is used to decode/encode data in to specific formats such as base64, url encode/decode, hex format etc.,
Comparer : It is used to compare two requests or responses to check for any variations.
We can use keyboard shortcuts to move between the various sections/tabs of the tool. They can be configured from User Options —> Misc —> Hot keys
On macOS, some hot key examples are:
command+shift+R —> Repeater tab
command+shift+T —> Target tab
command+shift+I —> Intruder tab
Spidering / Crawling :
Crawl is an interesting feature: the tool automatically crawls a target website to discover all traversable links, parameters, resources etc. It is recommended to set the scope of the spider to ensure only the target site is crawled, & to consider setting specific crawl parameters so that the scanner isn’t overloaded by unrealistic crawl settings.
for example : “Unique locations discovered” should be set to a realistic/appropriate value
Passive Scanning :
During this phase the scanner doesn’t actually send any malicious requests of its own to the server; it simply observes all intercepted requests / responses & reports issues such as missing security header settings, insecure cookie settings, sensitive tokens in GET requests & other passive checks.
Some of the passive checks are applied as soon as the requests/responses are intercepted. To run a passive scan covering all passive rules, we need to add the target site to scope & right-click the target site to choose “Passively scan this host”.
Active Scanning :
During this phase the scanner sends malicious requests of its own to the server, derived from the initial or baseline intercepted requests, & observes the server’s response to each of these requests to identify & report vulnerabilities such as SQL Injection, XSS, etc.
To do an active scan, we need to add the target site to scope & right-click the target site to choose “Actively scan this host”.
Burp Suite has a menu option, Extender. Most extensions are developed in Python, Java or Ruby. For this reason we need to set the environment settings under the Options section of the Extender tab. To set the Java environment, point to the path of the installed JRE bin directory; likewise for Python, set the location of the Jython standalone .jar file on your machine.
After the environment settings are completed, we can add extensions in two different ways. The easiest way to add an extension is to go to the BApp Store under the Extender tab & choose an extension from the list that you want to add & use as per your need. Just click Install in the right pane to install the extension. To successfully install an extension, the relevant environment setting is a must. Some extensions are available for the Community version, but some are available only for the Professional version of the tool.
The Burp Suite BApp Store has a limited set of extensions; many more are available from other sources such as GitHub. We recommend using only the extensions that are required, to avoid overloading Burp. Some extensions become part of the default scanner’s vulnerability checks, but some need to be used manually.
Disable Extensions :
There are a couple of ways to disable extensions. To disable all extensions, tick the “Disable extensions” checkbox while launching Burp.
To disable a specific extension, go to Extender tab —> Extensions —> uncheck a specific extension that you do not wish to use.
Project Options :
Configurations & settings that apply to the current project / hacking session
(Macros, session handling rules, cookie jar etc.)
Some useful project options:
Project Options —> HTTP —> Redirections
Project Options —> Misc —> Scheduled Tasks, Burp Collaborator Server
Project Options —> Sessions —> Session Handling Rules / Cookie Jar / Macros
User Options :
Configurations & settings that apply to Burp Suite as a whole
(proxy listener, upstream proxy, hotkeys etc.)
Some useful user options:
User Options —> Display —> User Interface / HTTP Message Display
User Options —> Misc —> Proxy Interception
Saving Options for Future Use
Engagement Tools — Search / Find Comments / Find Scripts / Find References / Analyse Target / Simulate Manual Testing
Search : Used to search for specific strings, or to look for sensitive information disclosure such as API keys, credentials etc.
Find Comments : Shows all comments left behind by developers in the target site’s resources
Find References: Shows references to the target site in various places in the intercepted requests / responses
Analyze Target: Displays the number of dynamic URLs, static URLs, parameters & unique parameter names
Simulate Manual Testing: Lets you take a break while the tool automatically sends requests to the target site to avoid session timeouts.