Burp, or Burp Suite, is a collection of tools written in Java and used for penetration testing of web applications. It is developed by PortSwigger Web Security. Burp Suite is a graphical tool that aims to be an all-in-one toolset, and its capabilities can be extended by installing add-ons called BApps.
Burp Suite is the most popular tool among professional web app security researchers and bug bounty hunters. Kali Linux has the free Community edition of Burp Suite pre-installed.
Burp Suite bundles several tools, such as Spider, Proxy, Intruder, Repeater, Sequencer, Decoder, Extender and Scanner. Let us first learn a little about each of the tools used in Burp, then move on to the practical part.
Some tools in Burp Suite
Spider: Spider is a web crawler used to map the target website or web application. The map gives us a list of endpoints whose functionality can be examined and in which potential vulnerabilities can be found. Spidering or crawling is done for a simple reason: the more endpoints we gather during recon, the more attack surface we have during the actual testing.
Proxy: Burp Suite has an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send a request or response under inspection to another tool in Burp Suite, which removes the copy-paste step. The proxy listener runs on a loopback IP address and port of our choosing. The proxy can also be configured to filter out specific types of request-response pairs.
Intruder: Intruder is a tool that lets us perform various types of attacks that can be used to find many types of vulnerabilities. Intruder runs a set of values through an input point. Each value is sent and the response is observed for success or failure and for its content length. Generally, an anomaly shows up as a change in the response code or in the content length of the response. Some of the most common uses of Intruder are as follows:
- Brute-forcing
- Fuzzing
- Enumeration
- Application layer DoS
- Verifying that user-supplied values are being validated
- If the values are validated, how well is it being done?
- What values does the server expect in an input parameter or request header?
- How does the server handle unexpected values?
Sequencer: Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable. It is an entropy checker that tests the randomness of tokens generated by the target web server. Such tokens are generally used for authentication in sensitive operations, for example session cookies and anti-CSRF tokens.
Ideally, these tokens should be generated in a fully random manner, so that the probability of each possible character appearing at a given position is distributed uniformly. This should hold both bit-wise and character-wise. An entropy analyzer tests this hypothesis. It works like this: initially, the tokens are assumed to be random; then the tokens are tested on certain parameters for certain characteristics.
Using Burp Sequencer may have unexpected effects on some applications. Until we are fully familiar with its functionality and settings, we should only use Burp Sequencer against non-production systems.
Decoder: Decoder supports the commonly used encoding methods such as URL, HTML, Base64 and Hex. Decoder comes in handy when looking for chunks of encoded data in parameter values. It is also used to construct payloads for different vulnerability classes, and to decode session values when investigating session hijacking.
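To make the Sequencer idea above concrete, here is a small entropy checker added for this tutorial (it is not Burp's own code or algorithm). It measures, for a sample of tokens, the Shannon entropy of the character at each position (the character-wise test) and the fraction of 1-bits at each bit position (the bit-wise test). The two token samples are constructed: a counter that only changes in its low digits, and a hashed counter standing in for a properly random token of the same width.

```python
import hashlib
import math
from collections import Counter

HEX_MAX_BITS = 4.0  # a uniformly random hex digit carries log2(16) = 4 bits


def position_entropies(tokens):
    """Shannon entropy, in bits, of the character seen at each position
    across the whole sample (the character-wise test)."""
    n = len(tokens)
    width = len(tokens[0])
    out = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out


def bit_bias(tokens):
    """For hex tokens, the fraction of 1-bits at each bit position (the
    bit-wise test). An unpredictable token keeps every position near 0.5."""
    n = len(tokens)
    nbits = len(tokens[0]) * 4
    ones = [0] * nbits
    for t in tokens:
        value = int(t, 16)
        for b in range(nbits):
            if (value >> (nbits - 1 - b)) & 1:
                ones[b] += 1
    return [o / n for o in ones]


def weak_positions(tokens, min_bits=3.5):
    """Indices of character positions whose entropy is below min_bits."""
    return [i for i, h in enumerate(position_entropies(tokens)) if h < min_bits]


# Constructed samples (not captured from any real application).
SEQUENTIAL = [f"{i:016x}" for i in range(1, 2001)]
HASHED = [hashlib.sha256(str(i).encode()).hexdigest()[:16] for i in range(1, 2001)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("hashed", HASHED)):
        ent = position_entropies(sample)
        bias = bit_bias(sample)
        print(f"{name}: min entropy {min(ent):.2f} of {HEX_MAX_BITS} bits/char, "
              f"weak positions {weak_positions(sample)}, "
              f"max bit bias {max(abs(p - 0.5) for p in bias):.2f}")
```

The sequential sample is flagged at its first fourteen positions and has a fully biased leading bit, while the hashed sample is close to the 4-bit maximum at every position; Sequencer applies more tests than this, but the verdict rests on the same two views of the data.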
Extender: Extender allows us to load extensions that make penetration testing even more efficient. These extensions are called BApps and work much like browser extensions. They can be viewed, modified, installed and uninstalled from the Extender tab.
Scanner: Scanner automatically scans the target web application for many common vulnerabilities. It is updated frequently, and the updates add many lesser-known vulnerabilities.
How to use the Burp Suite
Let us take a look at how we can use Burp Suite effectively. Kali already ships the free Community edition of Burp Suite, but we will need to buy the full version of Burp to use all of its features. So we open Burp from the menu.
(Screenshot: Burp Suite in Kali)
Then we click on Start Burp and we will see the Burp load up:
Before we start penetration testing or hunting for bugs, we first install some extensions that may help us. So we go to the BApp Store from the Extender menu and install the following:
- J2EEScan
- Wsdler
- Java Deserialization Scanner
- HeartBleed
When the extensions are all set, we prepare for scanning. We fire up a browser (Firefox) and open its preferences.
In the Network Settings (at the bottom of the General settings), we add our HTTP proxy IP and port as shown in the following screenshot.
(Screenshot: Configuring the browser for Burp Suite)
Click on Intercept is on to start intercepting requests.
Then we browse the website we need to scan.
Once the requests are captured, we can go to Target and select our domain.
To perform a scan, we can select individual requests and send them for an active scan.
We can also select the entire domain and send it for a scan.
After sending requests to the Scanner, we go to the Scanner tab and choose Options. Here we can tell the scanner exactly what we want to scan in our target domain.
After the scan has started, we can see its progress in the Scan queue tab.
We can see the Scan queue tab in the following screenshot.
The next screenshot shows the Scan queue tab in more detail.
For this example tutorial we used only a few extensions, but we can also browse the whole extension list and choose our own. Extensions are very easy to set up, and a quick web search shows how to configure each one.
This is how Burp Suite works on Kali Linux. This is a basic tutorial.
Liked our tutorials then visit our website regularly and for the quick updates follow us on Twitter and GitHub. Join our community on Telegram to get in touch with us.
For anything else, please ask in the comment section. We always reply.