What is Burp Suite?
Updated: Aug 1, 2018
Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors affecting web applications. Because of its popularity and the breadth and depth of its features, we have created this page as a collection of Burp Suite knowledge and information.
In its simplest form, Burp Suite can be classified as an interception proxy. While browsing the target application, a penetration tester configures their browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) man in the middle, capturing each request to and response from the target web application so that it can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to examine potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover unintended application behaviors, crashes and error messages.
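To make the proxy's view of a request concrete, here is an added example (not code from this page or from PortSwigger). It parses a constructed raw HTTP request as the Intercept tab would show it, lists where the user-supplied inputs live, edits one field and re-serialises the request for replay, recomputing Content-Length, the header most often left stale when a body is edited by hand. All names and the sample request are assumptions made up for the example.

```python
# Added example, not part of the original page: parse a captured request as
# an intercepting proxy sees it, then rebuild it for replay.
from urllib.parse import parse_qsl, urlencode, urlsplit

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into the parts a tester can edit."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    # Cookie header is "k=v; k2=v2"; reshape it so parse_qsl can split it
    cookies = dict(parse_qsl(headers.get("Cookie", "").replace("; ", "&")))
    body_params = {}
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body.decode("iso-8859-1")))
    return {"method": method, "path": url.path, "version": version,
            "query": dict(parse_qsl(url.query)), "headers": headers,
            "cookies": cookies, "body": body_params, "raw_body": body}

def list_inputs(req: dict) -> list:
    """Every (location, name) pair worth reviewing in Intercept or Repeater."""
    return ([("query", k) for k in req["query"]]
            + [("cookie", k) for k in req["cookies"]]
            + [("body", k) for k in req["body"]])

def build_request(req: dict) -> bytes:
    """Re-serialise an edited request; Content-Length is recomputed from the body."""
    target = req["path"] + ("?" + urlencode(req["query"]) if req["query"] else "")
    body = urlencode(req["body"]).encode() if req["body"] else req["raw_body"]
    headers = dict(req["headers"])
    if req["cookies"]:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body))
    head = [f"{req['method']} {target} {req['version']}"]
    head += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + body

# Constructed sample request, as the Intercept tab would display it
SAMPLE = (b"POST /login?next=%2Fhome HTTP/1.1\r\nHost: app.example\r\n"
          b"Cookie: session=abc123; lang=en\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 27\r\n\r\nusername=alice&password=pw1")
edited = parse_request(SAMPLE)
edited["body"]["username"] = "alice2"   # change one field, then replay
REPLAY = build_request(edited)          # carries Content-Length: 28
```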
Proxy - where it starts
• A proxy is a piece of software (it could be hardware)
• It sits between one thing and another and behaves as the middleman
– You are at your browser communicating with a web app
– You decide you want a proxy sitting between your browser and the app
– So, you start a proxy server running and then you tell your browser to send requests to the proxy
– The proxy receives requests from the browser and forwards them to the web app
– When responses come back, the proxy routes them to you.
Proxy – Why Would You Do This?
Because the proxy provides a service you want
– Encryption of traffic
– Anti-virus scanning
– Keeping track of sites visited
– Stopping you from reaching some sites
– Giving you control over what goes on
– Allowing you to see what is going on in the exchange
– Providing services to make your job easier
The proxy can make your life much simpler
Getting Burp Suite
There are two versions
– Professional, about $300/year
– Not so professional, free, and missing some cool stuff
Download it from http://portswigger.net
• It's a Java app, so you just download the jar file
• Put it somewhere convenient – /home/opt/BurpSuite or C:/opt/BurpSuite or whatever
• To start it, use – java -jar Burploader.jar
• To run Burp in background mode, use – java -jar Burploader.jar &
Using Burp Proxy
Open Burp Suite
Go to Proxy -> Intercept
Go to Proxy -> Options
Configure Burp to work with the browser you are using, following the link below.
Submit Request Parameters
Pop Up Menu
This is how you can pass a particular URL from the pop-up menu to one of the Burp Suite tools:
– Active Scan
– Passive Scan