Burp Suite -- Web Application Security, Testing & Scanning

Burp, or Burp Suite, is a collection of tools built in Java and used for penetration testing of web applications. It is developed by PortSwigger Web Security. Burp Suite is a graphical tool that aims to be an all-in-one toolset, and its capabilities can be extended by installing add-ons called BApps.

Burp Suite is the most popular tool among professional web application security researchers and bug bounty hunters. Kali Linux has the free Community edition of Burp Suite pre-installed.

Burp Suite in Kali Linux

Burp Suite bundles several tools, such as Spider, Proxy, Intruder, Repeater, Sequencer, Decoder, Extender and Scanner. Let us first look briefly at each of these tools, and then move on to the practical part.

Some tools in Burp Suite

Spider: Spider is a web spider/crawler used to build a map of the target website or web application. The map gives us a list of endpoints whose functionality can be observed and in which potential vulnerabilities can be found. Spidering or crawling is done for a simple reason: the more endpoints we gather during recon, the larger the attack surface we have to work with during the actual testing.

Proxy: Burp Suite has an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request or response being inspected to another tool in Burp Suite, which removes the need to copy and paste. The proxy listener runs on a specific loopback IP address and port. The proxy can also be configured to filter out specific types of request-response pairs.

Intruder: Intruder is a tool that allows us to perform various types of attacks that can be used to find all types of vulnerabilities. Intruder is used to run a set of values through an input point. Those values are sent and the output is observed for success or failure and for content length. Generally, an anomaly results in a change in the response code or in the content length of the response. Some of the most common attacks that can be carried out with Intruder are as follows:
  • Brute-forcing
  • Fuzzing
  • Enumeration
  • Application-layer DoS
Repeater: This is a very simple tool for manually manipulating and reissuing individual HTTP and WebSocket messages, and analyzing the web application's responses. It is used to:
  • Verify that user-supplied values are being validated.
  • If the values are validated, check how well this is being done.
  • Find out what values the server expects in an input parameter or request header.
  • Observe how the server handles unexpected values.
Sequencer: Burp Sequencer is a tool for analyzing the quality of randomness in an application's session tokens and other important data items that are intended to be unpredictable. It is an entropy checker that tests the randomness of tokens generated by the targeted web server. Such tokens, for example session cookies and anti-CSRF tokens, are generally used for authentication in sensitive operations.

Ideally, these tokens should be generated in a fully random manner, so that the probability of each possible character appearing at a given position is uniformly distributed. This should hold both bit-wise and character-wise. An entropy analyzer tests this hypothesis. It works like this: initially, the tokens are assumed to be random; then the tokens are tested against certain parameters for certain characteristics.

Using Burp Sequencer may result in unexpected effects in some applications. Until we are fully familiar with its functionality and settings, we should only use Burp Sequencer against non-production systems. 
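To make the character-wise and bit-wise checks concrete, here is an added example (not Burp's own Sequencer code) that computes per-position Shannon entropy over two constructed token sets: a counter-based session id and one drawn from a seeded PRNG. The token sets, the field names and the reporting format are all assumptions made for this illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(counts):
    """Shannon entropy in bits of a frequency table (a Counter or dict)."""
    n = sum(counts.values())
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts.values() if c)

def char_position_entropy(tokens):
    """Entropy of the character at each position, measured across all tokens."""
    length = len(tokens[0])
    assert all(len(t) == length for t in tokens), "tokens must have equal length"
    return [shannon_entropy(Counter(t[i] for t in tokens)) for i in range(length)]

def bit_position_entropy(tokens):
    """Entropy of each bit of the tokens' ASCII encoding, MSB of byte 0 first."""
    raw = [t.encode("ascii") for t in tokens]
    out = []
    for b in range(len(raw[0]) * 8):
        byte, shift = divmod(b, 8)
        out.append(shannon_entropy(Counter((r[byte] >> (7 - shift)) & 1 for r in raw)))
    return out

def summarize(tokens):
    """Report the weakest character and bit positions, plus the total across positions."""
    cpos = char_position_entropy(tokens)
    bpos = bit_position_entropy(tokens)
    return {
        "length": len(tokens[0]),
        "min_char_entropy": round(min(cpos), 3),    # 4.0 is the ceiling for a hex digit
        "total_char_entropy": round(sum(cpos), 1),  # rough effective bits of the token
        "constant_bits": sum(1 for h in bpos if h == 0.0),  # bits that never change
    }

# Constructed sample sets, not tokens captured from a real application.
# Weak: a counter rendered as 8 hex digits, the classic predictable session id.
WEAK_TOKENS = [f"{1000 + i:08x}" for i in range(2000)]
# Stronger: 8 hex digits from a PRNG, seeded only so the run is reproducible.
_rng = random.Random(20240101)
STRONG_TOKENS = [f"{_rng.getrandbits(32):08x}" for _ in range(2000)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, summarize(toks))
```

The counter-based set shows zero entropy in its leading positions, while even the PRNG set reports 16 constant bits: hex encoding only carries 4 bits per byte, which is why Sequencer reports bit-level and character-level results separately.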

Decoder: Decoder supports the commonly used encoding methods such as URL, HTML, Base64, Hex, etc. It comes in handy when looking for chunks of encoded data in parameter values. It is also used for payload construction for different vulnerability classes, and to uncover session hijacking.
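An added example, not Burp's own code, that mimics Decoder's layered decoding of a parameter value: it peels URL, HTML-entity, hex and Base64 layers off one at a time until nothing more applies. The cookie-style sample value is constructed inline, and the function names are my own.

```python
import base64
import html
import re
from urllib.parse import quote, unquote

def _printable(text):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def decode_once(value):
    """Apply one decoding layer, or return None when no encoding is recognised."""
    if re.search(r"%[0-9A-Fa-f]{2}", value):                      # URL encoding
        decoded = unquote(value)
        if decoded != value:
            return "url", decoded
    if re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", value):     # HTML entities
        decoded = html.unescape(value)
        if decoded != value:
            return "html", decoded
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}){2,}", value):             # even-length hex
        try:
            decoded = bytes.fromhex(value).decode("utf-8")
            if _printable(decoded):
                return "hex", decoded
        except (ValueError, UnicodeDecodeError):
            pass
    if len(value) >= 8 and len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:                                                       # Base64 yielding text
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
            if _printable(decoded):
                return "base64", decoded
        except (ValueError, UnicodeDecodeError):                   # binascii.Error is a ValueError
            pass
    return None

def smart_decode(value, max_layers=8):
    """Peel encoding layers one at a time; returns (layer names, final text)."""
    layers = []
    for _ in range(max_layers):
        step = decode_once(value)
        if step is None:
            break
        name, value = step
        layers.append(name)
    return layers, value

# Constructed sample: a JSON blob Base64-encoded and then URL-encoded, the way it
# might appear as a cookie value. Built in code so it is guaranteed well-formed.
PLAINTEXT = '{"user":"alice","role":"admin"}'
SAMPLE = quote(base64.b64encode(PLAINTEXT.encode()).decode())

if __name__ == "__main__":
    print(smart_decode(SAMPLE))   # (['url', 'base64'], '{"user":"alice","role":"admin"}')
```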

Extender: Extender allows us to load various extensions that can make penetration testing even more efficient. These extensions are called BApps. They work just like browser extensions, and can be viewed, modified, installed and uninstalled in the Extender tab.

Scanner: Scanner automatically scans for many common vulnerabilities in the target web application. It is updated frequently, and the updates add many lesser-known vulnerabilities.

How to use the Burp Suite

Let us take a look at how we can use Burp Suite effectively.

Kali already has the free Community edition of Burp Suite, but we will need to buy the full (Professional) version to use all of its features. So we open Burp from the menu.

Burp Suite in Kali Linux

After opening Burp we can see Burp's window, as in the following screenshot:

Burp Suite full version

Then we click on Start Burp and we will see Burp load up:

Burp Suite main menu

Before we start penetration testing or hunting for bugs, we first install some extensions that may help us. So we go to the BApp Store from the Extender menu.

Extensions in the BApp Store

Here we will see a list of all available extensions. Some of the extensions we will install are as follows:
  1. J2EEScan
  2. Wsdler
  3. Java Deserialization Scanner
  4. HeartBleed
We select these and click Install to install the extensions.

When the extensions are all set, we prepare for scanning. We fire up a browser (Firefox) and go to its preferences.

In the Network Settings (at the end of the General settings), we add our HTTP proxy IP address and port, as shown in the following screenshot.

Configuring Browser for Burp Suite

We can verify this against Burp's Options tab under the Proxy menu.

Click the Intercept button so that it reads "Intercept is on" to start intercepting requests.

Intercept in Burp Suite, Kali Linux

Then we browse the website we need to scan.

Once all the requests are captured, we can just go to Target and select our domain.

To perform a scan, we can select individual requests and send them for an active scan.

preparing for an active scan

We can also select the entire domain and send it for a scan.

scanning a whole domain in burp suite

After sending requests to Scanner, we go to the Scanner tab and choose Options. Here we can tell the scanner what exactly we want to scan in our target domain.

Scanner options in Burp Suite in Kali Linux

After the scan has started we can see its progress in the Scan queue tab.

scanning in burp

We can see the Scan queue tab in the following screenshot.

Scan queue tab in Burp

Now the following screenshot shows much more details of the Scan queue tab.

full scan queue tab in Kali Linux's Burp Suite

For this example tutorial we used only a few extensions, but we can also go through the whole extension list and choose our own. Extensions are very easy to set up.

If you like our tutorial or have an issue regarding this post, please comment below; we will always be happy to respond. If you liked our tutorials, visit our website regularly and follow us on Twitter and Medium for quick updates.
