©2019 Security Unleashed | New Delhi

  • Animesh Gupta

What is Burp Suite?

Updated: Aug 1, 2018



Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that affect web applications. Because of its popularity and the breadth and depth of its features, we have created this page as a collection of Burp Suite knowledge and information.


In its simplest form, Burp Suite can be classified as an interception proxy. While browsing their target application, a penetration tester configures their browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) man-in-the-middle, capturing each request to and each response from the target web application so that they can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to examine potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviours, crashes and error messages.


Glancing Blow



Proxy - where it starts


A proxy is a piece of software (it could be hardware)

• It sits between one thing and another and behaves as the middleman

• Example

– You are at your browser communicating with a web app

– You decide you want a proxy sitting between your browser and the app

– So, you start a proxy server running and then you tell your browser to send requests to the proxy

– The proxy receives requests from the browser and forwards them to the web app

– When responses come back, the proxy routes them to you.
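The browser -> proxy -> web app flow described above, as an added example that is not code from this post or from Burp Suite itself: a minimal HTTP forwarding proxy in Python that records each request, the way Burp's Proxy history does, and relays the application's reply back to the browser. The DemoApp server stands in for the target web application so the example runs offline; the names InterceptingProxy, browse_via_proxy and demo are this example's own.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

HISTORY = []  # (method, url, status) per forwarded request, like Burp's Proxy history tab
HOP_BY_HOP = {"connection", "proxy-connection", "transfer-encoding", "content-length"}

class InterceptingProxy(BaseHTTPRequestHandler):
    """The middleman: takes the browser's request, records it, forwards it, relays the reply."""
    def do_GET(self):
        target = urlsplit(self.path)  # a browser sends the absolute URL when it talks to a proxy
        path = (target.path or "/") + ("?" + target.query if target.query else "")
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        # Burp's Intercept tab pauses at this point so the tester can edit path and headers.
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request("GET", path, headers=headers)
        reply = upstream.getresponse()
        data = reply.read()
        HISTORY.append(("GET", self.path, reply.status))
        self.send_response_only(reply.status)  # relay the app's status and headers unchanged
        for k, v in reply.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

class DemoApp(BaseHTTPRequestHandler):  # constructed stand-in for the target web application
    def do_GET(self):
        data = ("app received " + self.path).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def browse_via_proxy(proxy_port, url):  # same as setting the browser's proxy to 127.0.0.1:port
    proxy = urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"})
    with urllib.request.build_opener(proxy).open(url, timeout=5) as r:
        return r.status, r.read()

def demo():
    app, proxy = serve(DemoApp), serve(InterceptingProxy)
    return browse_via_proxy(proxy.server_port, f"http://127.0.0.1:{app.server_port}/login?user=alice")
```

After demo() runs, HISTORY holds the full URL the "browser" asked for, which is exactly what you would see in the History tab.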



Proxy – Why Would You Do This?


Because the proxy provides a service you want

– Encryption of traffic

– Anti-virus scanning

– Keeping track of sites visited

– Stopping you from reaching some sites

– Giving you control over what goes on

– Allowing you to see what is going on in the exchange

– Providing services to make your job easier


The proxy can make your life much simpler.


Getting Burp Suite


There are two versions

– Professional, about $300/year

– Not so professional, free, and missing some cool stuff


Download it from http://portswigger.net

• It's a Java app, so you just download the jar file

• Put it somewhere convenient – /home/opt/BurpSuite or C:/opt/BurpSuite or whatever

• To start it, use: java -jar Burploader.jar

• To run Burp in the background, use: java -jar Burploader.jar &


Using Burp Proxy


Open Burp Suite


Go to Proxy -> Intercept


Go to Proxy -> Options




Configure Burp to work with the browser you are using by following the link below.


https://support.portswigger.net/customer/portal/articles/1783055-configuring-your-browser-to-work-with-burp


History Tab


Request Headers



Response

Response Header


Submit Request Parameters



Pop Up Menu


This is how you pass a particular URL to one of the Burp Suite tools:

– Repeater

– Spider

– Active Scan

– Passive Scan

– Intruder