A Burp Suite Tutorial: Learn the Basics

burp suite tutorialBurp Suite is an integration of tools that work together to perform security tests on web applications. It is also a platform for attacking applications on the web. Burp Suite contains all the Burp interfaces and tools made for speeding up and facilitating the process of application attacks. Every Burp Suite tool contains the same robust framework for extensibility, alerting, logging, upstream proxies, authentication, persistence and HTTP requests.

With Burp Suite, you are allowed to combine automated and manual techniques to attack, scan, analyze, exploit and enumerate applications on the web just as you learn with this penetration test course. The various tools of Burp work together seamlessly to allow identified findings and share information within one of the tools to form the foundation of attacks using a different tool.

When putting a web application to the test, Burp Suite helps the penetration tester through the process starting from identifying vulnerabilities all the way to the mapping and exploitation phase. Understanding the framework of Burp Suite will help you know when to use which feature with what scenario. You can begin to familiarize yourself with penetration testing even further with this course on basic penetration testing.

Enable the Burp Suite Proxy

You can start using the Burp Suite to test your web applications. To do this, configure your web application to use Burp Suite as one of the proxies. By default, the proxy of Burp Suite will then use the 8080 port but this can be changed. Here is how to do a Firefox configuration to use the Burp Suite as one of the proxies:

burp1 

When you open the proxy of Burp Suite you can check that it runs by clicking the tab for options:

burp2

Here, you will see that the default port is being used by the proxy:

burp3

You can now use the proxy. You will see that in the options tab, there are some items you can start configuring to meet your test needs. You will now have to log into the Burp Suite for the responses and requests that pass through each of the proxies. You can browse to the log on page and see that the proxy of Burp Suite has captured the response and request:

burp4

Now that you have configured Burp Suite properly, you can log in to access the main page. When conducting this, Burp might inquire what actions you want when it discovers a field for forms. You can select ignore form when this happens.

burp 5

Once you get to the main page called DVWA, you can proceed to begin maximizing Burp Suite and start navigating to the Target Tab. If things go as they should, there should be a lot of content populating this page.

burp 6

Tools that Make Up Burp Suite

  • Spider Scan

In the figure above, you will also see passive spider scan results. On the left side, the tree pane shows the host target in black font. In grey highlights, the web address and links are found in the website targeted. On the top right, the pane shows the pages available for navigation by users.

In this case, you can see that there is an available setup.php. This example shows you a potential configuration error that can be exploited by an attacker. When running penetration testing for clients, it is a good idea to gather as much info as you can about the target. In other words, leaving no stone unturned holds true in this case, as it does in this white hat hacking course as well.

  • Comparer

Burp Comparer is one tool that visually compares 2 different data items. Typically, this requirement arises when you want to identify the difference between 2 responses of applications quickly in the context of applications on the web. This tool is used to identify the differences between failed log in responses using invalid and valid usernames. It can also be used to identify the difference between 2 requests for applications, 2 received responses in the course of an attack by Burp intruder or for when you want to identify the different parameter requests that give rise to varied behavior.

  • Decoder

Burp decoder is a basic tool that transforms raw data in various hashed and encoded forms and transforms data that’s been encoded into a canonical version. With the use of heuristic techniques, it has the capacity of recognizing many different code formats.

  • Sequencer

Burp sequencer is used to analyze the degree of an application session token’s randomness or other items in which the application’s unpredictability is dependent for its security.

  • Repeater

Burp Repeater used for manually reissuing and modifying individual requests of HTTP and making an analysis of the response. This is ideally used together with other tools in Burp Suite. For instance, you can send requests to Repeater from the site map target from the Burp intruder attack results or from browsing history of Burp proxy. You can then adjust the requests manually to probe for vulnerability or to fine tune an attack.

  • Intruder

Burp Intruder is one of the tools that automates customized attacks versus applications on the web.

  • Scanner

Burp scanner is a tool that performs automated security discovery of web application vulnerability. It is created for use by penetrating tests to closely fit with the existing methodology and techniques for performing semi-automated and manual penetration tests of applications on the web.

  • Spider

Burp Spider is a tool for web application mapping. It uses various techniques of intelligence to generate comprehensive inventories of an application’s functionality and content.

  • Proxy

Burp proxy is an HTTP/S interactive proxy server for testing and attacking applications on the web. It operates as the middle-man between the target web server and the end browser. This allowed users to modify, inspect and intercept the raw traffic that passes in either direction.

Burp tool will take time to learn as it is quite complex. You can begin playing around with it after downloading as this will help you get the hang of it after a few trials. For more on developing penetration testing expertise, here is a course you might want to take.