🤖

Intro to Burp Suite

Owner Md. Mehedi Hasan

Tags Guides and Processes

What is Burp Suite?
Features of Burp Suite
Getting a Burp Suite Trial
Starting a Project
Configuring Proxy

Getting ready

How it works
The Simpler Way
Using FoxyProxy Browser Extension
Setting Burp Suite CA certificate

What is Burp Suite?

Burp Suite is a web application penetration testing tool. Though it is a web
application penetration testing tool, we can use it for API and Mobile Application
penetration testing also.

Intro to Burp Suite 1

 There are 3 versions to Burpsuite :

Burp Suite Community: Free for everyone’s usage. Has limited features but
sufficient for basic Pentesting.

Burp Suite Professional: It is a Paid Version and very useful for Penetration
Testing. You can check out all the features
here:- https://portswigger.net/burp/pro/features.

Burp Suite Enterprise: Unlike the community and professional versions, Burp
Enterprise is used for continuous scanning. It provides an automated scanner
that can periodically scan web apps for vulnerabilities.

Features of Burp Suite

Proxy: Burp Suite Proxy is a tool that lets you see and change the traffic between
your browser and the website you’re testing. You can also use it to test HTTPS
websites.

Repeater: Burp Suite Repeater lets us grab a request, change it however we want,
and send it again and again. This can be super useful, especially when we have to
guess a payload by trying different things (like in SQLi) or when we want to see if
an endpoint has any bugs.

Intruder: Burp Suite Intruder is a tool that lets us fuzz, brute force an endpoint
with requests. We can use it to bruteforce passwords or to fuzz endpoints. One
downside to it is, it is highly rate limited in Burp Suite Community version.

Decoder: Burp Suite Decoder is a tool that helps us to decode encoded data, or to
encode a payload before we send it to the website. It’s not as popular as the other
tools, but it can be very handy. We don’t have to use other services to do the

Intro to Burp Suite 2

 same thing, we can do it right in Burp Suite ( A popular alternative is Cyberchef
(https://gchq.github.io/CyberChef/) which is much more versatile).

Comparer: Burp Suite Comparer is a tool that lets us see the difference between
two requests. We can compare them by words or by bytes.

Sequencer: Burp Suite Sequencer is used when assessing the randomness or

entropy of tokens such as session cookie values or other supposedly random
generated data. If the algorithm is not generating secure random values, then this
could open up some devastating avenues for attack.

Now lets get Hands-On with these.

Getting a Burp Suite Trial

1. Go to https://portswigger.net/burp/pro/trial

2. Enter your student email (.edu) or business email and go next.

3. Enter your name and go next.

4. Tell them why you need burp suite and go next.

5. Select the options that suitable for you and go next.

6. You will get an email regarding the trial within few hours. If you are lucky
enough you may get a trial. To download the license, login to your portswigger
account, dowload the Burp Suite tool and license.

7. Install the Burp Suite. When it asks for license, load the license file and
activate it.

Starting a Project
To start a project in Burp Suite, we need to start Burp Suite first. After starting
Burp Suite we will get 3 options:

Intro to Burp Suite 3

 1. Temporary Project in Memory: We should use this option, if want to do some
quick work on a website and don’t want to save the project.

2. New Project on Disk: This option is useful when we want to save a project. By
saving a project, we can use the project file later. For example: You are
engaged in penetration testing of a website. After completing the testing, you
send your feedback to the developer. After some time, the developer fixes the
vulnerabilities and sends it back to you for retesting. Would you start from the
beginning? The answer is no. You could simply save the project when you
initially started it. So when the developer sends it for retesting, you can simply
load the saved project and start working on it.

3. Open Existing Project: You can open saved project by choosing this option.

Intro to Burp Suite 4

 After naming your project, click next > Start Burp

Configuring Proxy

Penetration testers use intercepting proxies to capture traffic flowing between a

web browser and a
web application for analysis and manipulation. Intercepting proxies, such as Burp,
allow testers to intercept both HTTP requests and HTTP responses. This allows a
tester to observe the behavior of the web application under different conditions.
And, as we shall see, sometimes the behaviors are unintended, deviating from
what the original developer expected.

To see Burp Suite in action, you need to configure your Firefox browser’s Network
Settings so that
they point to your running instance of Burp. This enables Burp to capture all HTTP
traffic that is
flowing between your browser and the target web application.

Getting ready

We will configure the Firefox browser to allow Burp to listen to all HTTP traffic
flowing between the
browser and the website. This will allow the proxy service within Burp to capture
traffic
for testing purposes. Instructions for this are available on PortSwigger at
https://portswigger.net/burp/documentation/desktop/external-browser-config

We will step through this process in this-

Follow these steps to start listening to all HTTP traffic using Burp:

1. Go to Burp Suite Proxy and then Proxy Settings

Intro to Burp Suite 5

 2. You can now see the proxy IP and port. If you want, you can add new proxy
ass well by clicking ‘Add’ button and then binding a port.

3. Open the Firefox browser and go to Options.

4. In the General tab, scroll down to the Network Proxy section and then click
Settings.

5. In the Connection Settings window, select Manual proxy configuration and

type in an IP
address of 127.0.0.1 with the port set to 8080. Select the Use this proxy server
for all
protocols checkbox. Make sure the No proxy for text box is blank, as shown in
the following screenshot, and then click OK:

Intro to Burp Suite 6

 6. Now browse to the website you want to test.

7. If you don’t happen to see any traffic, check whether Proxy > Intercept is
holding up the request. If the button labeled Intercept is on is depressed, as
shown in the following screenshot, then click the button again to disable the

Intro to Burp Suite 7

 interception. After doing so, the traffic should flow freely into Burp, as follows:

Intercept is on

Intercept is off

8. If everything is working properly, you will see traffic in your Target > Site map
tab and Proxy > HTTP history tab, similar to what is shown in the following
screenshot. You may have more items shown within your Site map area.

Intro to Burp Suite 8

 Website that I visited using Burp Suite.

HTTP history

Intro to Burp Suite 9

 The Target > Site map tab
Congratulations! You now have Burp.

How it works

The Burp Proxy service is listening on 127.0.0.1 at port 8080. Either of these
settings can be
changed so that you can listen on an alternative IP address or port number.
However, for learning
purposes, we will use the default settings.

The Simpler Way

As a simpler alternative, you can use the browser built into Burp. To access this,
go to Proxy from the top menu, choose the Intercept sub-menu, and then click the
Open browser button:

Intro to Burp Suite 10

 Using FoxyProxy Browser Extension
We can use an extension named FoxyProxy to setup the proxy in the browser
without using browser settings.
After installing FoxyProxy, click on FoxyProxy > Options

Intro to Burp Suite 11

 Then go to Proxies > Add

Intro to Burp Suite 12

 Then enter proxy name, IP and port and save.

Now to use the proxy from FroxyProxy, you need to select the proxy from
FoxyProxy.

Intro to Burp Suite 13

 Setting Burp Suite CA certificate
To capture https traffic in Burp Suite, we need to set up the CA certificate. If we
use the ‘Burp Suite’ default browser (mentioned in The Simpler Way), then we
don’t need to do this.

1. After setting burp suite proxy in browser (or froxyproxy), you need to select
the proxy first.

2. Then visit http://burp

Intro to Burp Suite 14

 3. Click on ‘CA Certificate’. The CA certificate will be downloaded.

4. Go to browser settings, search ‘Certificate’. Click on ‘View Certificate’.

5. Go to ‘Authorities’ Tab and Click on ‘Import’

Intro to Burp Suite 15

 6. Select your certificate (The CA certificate you downloaded from http://burp)

7. Mark ‘Trust this CA to identify websites’ and click OK.

Intro to Burp Suite 16

 8. Click ok again.

More at - https://portswigger.net/burp/documentation/desktop/external-browser-
config/certificate

Intro to Burp Suite 17