
Burp Suite: The Basics

What is Burp Suite?

  • Integrated platform for web application security testing.
  • Tools for scanning, fuzzing, intercepting, and analyzing web traffic.
  • Used by security professionals to find and exploit vulnerabilities.

What is a Proxy Server?

  • Gateway between users and the internet.
  • Helps prevent cyberattacks on private networks.
  • "Intermediary" between end-users and web pages.

Burp Suite's Core Functionality:

  • Captures and allows manipulation of HTTP/HTTPS traffic between browser and web server.

Burp Community Edition Features:

  • Burp Proxy: Intercept and modify requests/responses.
  • Repeater: Capture, modify, and resend requests repeatedly. Useful for crafting payloads (SQLi) or testing endpoints.
  • Intruder: Spray endpoints with requests. Used for brute-force or fuzzing.
  • Decoder: Encode/decode data.
  • Comparer: Compare two pieces of data (word or byte level).
  • Sequencer: Assess randomness of tokens (session cookies, CSRF tokens).

Burp Suite Options:

  • Global Settings: Affect the entire Burp Suite installation.
  • Project Settings: Specific to the current project (not saved in Community Edition).

Burp Proxy:

  • Intercepts requests and holds them back from the server.
  • Requests appear in the Proxy tab for further action (forward, drop, edit, send to other modules).
  • "Intercept is on" button toggles interception.
  • Captures and logs requests even when interception is off.
  • Captures and logs WebSocket communication.
  • Captured requests viewable in HTTP history and WebSockets history.
  • "Intercept responses based on the following rules" allows flexible response interception.
  • "Match and Replace" uses regex to modify requests/responses (e.g., user agent, cookies).
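To make the "Match and Replace" idea concrete, here is an added example (not code from the original notes or from PortSwigger) that models how a proxy can apply regex rules to the header lines of a raw HTTP request or response before passing it on. The `Rule` type, the `apply_rules` and `headers_dict` helpers, and the sample traffic are all constructed for this illustration; the rules are written in the spirit of Burp's defaults (rewrite the User-Agent, strip conditional-request headers) rather than copied from them, and the convention that an empty replacement deletes the header line is this model's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: where it applies ("request_header" or
    "response_header"), a regex matched against one header line, and the
    replacement. An empty replacement deletes the header line in this model."""
    where: str
    pattern: str
    replacement: str


def split_message(raw: str) -> Tuple[str, List[str], str]:
    """Split a raw HTTP message into (start line, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def apply_rules(raw: str, rules: List[Rule], where: str) -> str:
    """Apply every rule whose 'where' matches to each header line, in order."""
    start, headers, body = split_message(raw)
    kept: List[str] = []
    for line in headers:
        for rule in rules:
            if rule.where != where:
                continue
            # Header names are case-insensitive, so match ignoring case.
            line = re.sub(rule.pattern, rule.replacement, line, flags=re.IGNORECASE)
        if line.strip():  # a line a rule reduced to "" is removed
            kept.append(line)
    return "\r\n".join([start, *kept]) + "\r\n\r\n" + body


def headers_dict(raw: str) -> Dict[str, str]:
    """Header lines as a {lower-case name: value} dict, for inspection."""
    _, headers, _ = split_message(raw)
    result: Dict[str, str] = {}
    for line in headers:
        name, _, value = line.partition(":")
        result[name.strip().lower()] = value.strip()
    return result


# Constructed rules: rewrite the User-Agent, drop conditional-request headers
# so the server never answers 304 Not Modified, and mask the Server header on
# responses so the history shows what the rule did.
RULES = [
    Rule("request_header", r"^User-Agent:.*$", "User-Agent: LabBrowser/1.0 (constructed)"),
    Rule("request_header", r"^If-Modified-Since:.*$", ""),
    Rule("request_header", r"^If-None-Match:.*$", ""),
    Rule("response_header", r"^Server:.*$", "Server: hidden"),
]

# Constructed sample traffic (no real host).
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "If-Modified-Since: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Cookie: session=constructed-value\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>constructed body</html>"
)

if __name__ == "__main__":
    print(apply_rules(SAMPLE_REQUEST, RULES, "request_header"))
    print(apply_rules(SAMPLE_RESPONSE, RULES, "response_header"))
```

Rules are applied per header line and in order, so a later rule sees the output of an earlier one; anchoring patterns with `^` and `$` keeps a rule meant for one header from touching a value that happens to contain the same text elsewhere.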


Site Map and Issue Definitions:

  • Site Map: Tree structure of targeted web applications. Automatically generated by browsing with the proxy enabled. Useful for mapping APIs.
  • Issue Definitions: Extensive list of web vulnerabilities with descriptions and references.

Scope Settings:

  • Controls the target scope.
  • Includes/excludes domains/IPs.
  • Focuses testing on specific web applications.

Burp Suite Browser:

  • May encounter sandbox errors when running as root (Linux).
  • Solutions:
    1. Create a new user and run Burp Suite under a low-privilege account.
    2. Disable sandbox in Settings -> Tools -> Burp's browser. Caution: Disabling the sandbox can be a security risk.

Scoping and Targeting:

  • Define what gets proxied and logged.
  • Target tab -> right-click -> Add To Scope.
  • Disable logging for out-of-scope traffic.
  • In Proxy settings, under "Intercept Client Requests", enable the rule "And URL Is in target scope" so only in-scope requests are held for interception.
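The two switches above (intercept only in-scope requests, stop logging out-of-scope traffic) both depend on a scope decision. The following added example (not from the original notes, and not Burp's own scope engine) models the prefix semantics of "Add To Scope" in Python: a URL is in scope when it begins with an include prefix and no exclude prefix, with exclusions winning. The `Scope` class, the `triage` helper and the sample URLs are constructed for this illustration; the `normalise` step is an assumption of this model so that default ports and host case do not change the answer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Scope:
    """Hypothetical, simplified scope: URL prefixes to include and exclude."""
    include: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)

    @staticmethod
    def normalise(url: str) -> str:
        """Canonical form so 'https://h/' and 'https://H:443/' compare equal."""
        p = urlsplit(url)
        scheme = p.scheme.lower()
        port = p.port or (443 if scheme == "https" else 80)
        path = p.path or "/"
        query = f"?{p.query}" if p.query else ""
        return f"{scheme}://{(p.hostname or '').lower()}:{port}{path}{query}"

    def _matches(self, prefixes: List[str], url: str) -> bool:
        u = self.normalise(url)
        return any(u.startswith(self.normalise(pre)) for pre in prefixes)

    def in_scope(self, url: str) -> bool:
        """Exclusions win over inclusions."""
        if self._matches(self.exclude, url):
            return False
        return self._matches(self.include, url)


def triage(scope: Scope, urls: List[str],
           intercept_in_scope_only: bool = True,
           log_out_of_scope: bool = False) -> Dict[str, Tuple[bool, bool]]:
    """Model the two proxy switches from the notes.
    Returns {url: (intercepted, logged)}."""
    decisions: Dict[str, Tuple[bool, bool]] = {}
    for url in urls:
        inside = scope.in_scope(url)
        intercepted = inside or not intercept_in_scope_only
        logged = inside or log_out_of_scope
        decisions[url] = (intercepted, logged)
    return decisions


# Constructed scope and traffic (no real hosts).
SCOPE = Scope(
    include=["https://app.example.test/"],
    exclude=["https://app.example.test/logout"],  # avoid ending the test session
)
SAMPLE_URLS = [
    "https://app.example.test/account",
    "https://APP.example.test:443/api/v1/users?id=7",
    "https://app.example.test/logout",
    "http://app.example.test/",           # wrong protocol/port for the prefix
    "https://cdn.example.test/lib.js",    # third-party asset, out of scope
]

if __name__ == "__main__":
    for url, (intercepted, logged) in triage(SCOPE, SAMPLE_URLS).items():
        print(f"{url:50} intercept={intercepted!s:5} log={logged}")
```

With the defaults, only the two in-scope application URLs are intercepted and logged; the CDN asset, the plain-HTTP variant and the excluded logout endpoint pass straight through and never appear in history, which is the behaviour the two settings above are meant to produce.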


Proxying HTTPS:

  • May encounter certificate errors with HTTPS sites.
  • Solution: Add the PortSwigger CA certificate to the browser's trusted authorities.
