D332

Burp Suite is a Java-based tool used for penetration testing of web and mobile applications, known for its ability to capture and manipulate traffic. Key features include a proxy for intercepting traffic, a repeater for sending manipulated requests, and an intruder for conducting brute force attacks. The tool is widely recognized as an industry standard for web application security assessments and allows for extensions to enhance its functionality.

Uploaded by zxcvasdfqwerrewq

Penetration Testing Tools

Burp Suite: The Basics

What is Burp Suite?

- A tool, written in Java, for web application and mobile application penetration testing.
  - A web application is a piece of software that can be accessed from a browser.
  - A web server can host multiple web applications. A web server is a network application listening on some port.
  - The browser one uses to access a web server/web application is the web client/user agent.
  - For a web client to communicate with a web server, they must use the same protocol (often HTTP or HTTPS for web client-to-web server communications). In computing, a protocol is a set of rules governing the exchange or transmission of data between devices.
- TryHackMe claims Burp Suite is "very much the Industry Standard for hands-on web app security assessments."
- The purpose of Burp Suite is to test the security of web applications and mobile applications.
- At the core of Burp Suite is its ability to capture, view, and manipulate all traffic between an attacker and a web server.

Features of Burp Suite Community

- Proxy
  - Most well-known feature: provides the capability to intercept, view, and manipulate traffic.
- Repeater
  - Second most well-known feature: enables you to re-send manipulated traffic to the web application after intercepting, viewing, and modifying it.
- Intruder
  - Enables you to "spray" an endpoint with requests, i.e. to brute-force or "fuzz" endpoints.
    - Fuzzing is a way to test the security of software. It involves sending invalid, malformed, or unexpected input to a program in order to discover defects or vulnerabilities in it.
- Decoder. Can decode data or encode a payload.
  - Encoding and decoding involve changing the format of content for optimal transmission or storage.
  - In computing, encoding is the process of putting a sequence of characters (letters, numbers, punctuation, and certain symbols) into a specialized format for efficient transmission or storage. Decoding is the opposite process: converting an encoded format back into the original sequence of characters.
- Comparer. Enables you to compare data at the word or byte level.
- Sequencer. Assesses the randomness of tokens.
- Burp Suite allows extensions to be added for additional features. The Burp Suite "Extender" module enables the addition of such extensions.
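The kind of analysis Sequencer performs on a token sample can be sketched in a few lines: measure how unpredictable each character position is across many tokens and flag the positions that carry little entropy. This is an added illustration, not TryHackMe's or PortSwigger's code, and the token sample is constructed (a fixed prefix, a four-value counter, and a seeded random tail) so the run is reproducible offline.

```python
import math
import random
from collections import Counter

# Constructed sample, not real captured tokens: 200 "session tokens" of 16 hex
# characters. The first 8 are a fixed prefix and the 9th cycles through four
# values, mimicking a generator that leaks structure; only the 7-char tail is
# drawn at random (seeded so the run is reproducible).
def make_weak_tokens(n=200, seed=2024):
    rng = random.Random(seed)
    tokens = []
    for i in range(n):
        tail = "".join(rng.choices("0123456789abcdef", k=7))
        tokens.append("a1b2c3d4" + "0123"[i % 4] + tail)
    return tokens

def shannon_entropy(symbols):
    """Shannon entropy in bits of an observed symbol distribution."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def position_entropy(tokens):
    """Entropy of the character seen at each position across all tokens."""
    return [shannon_entropy(column) for column in zip(*tokens)]

def weak_positions(tokens, threshold_bits=3.0):
    """Positions whose entropy is well below the 4 bits a random hex digit gives."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold_bits]

def effective_bits(tokens):
    """Crude upper bound on the token's effective entropy: sum over positions."""
    return sum(position_entropy(tokens))

if __name__ == "__main__":
    toks = make_weak_tokens()
    for i, h in enumerate(position_entropy(toks)):
        print(f"position {i:2d}: {h:.2f} bits")
    print("weak positions:", weak_positions(toks))
    print(f"effective bits (upper bound): {effective_bits(toks):.1f} of {16 * 4}")
```

A 16-hex-character token could carry 64 bits; here nine positions contribute almost nothing, which is exactly the sort of structure a per-position view exposes and a single aggregate statistic hides.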

Installation

- https://portswigger.net/ has made installation easy.

The Dashboard

Navigation

Introduction to the Burp Proxy

- Most important Burp Suite tool.
- The default keybind for forwarding intercepted traffic is Ctrl+F.

Connecting through the proxy (foxyproxy)

- The Burp Proxy works by opening a web interface on 127.0.0.1:8080 (by default). As implied by the fact that this is a "proxy", we need to redirect all of our browser traffic through this port before we can start intercepting it with Burp. We can do this by altering our browser settings or, more commonly, by using a Firefox browser extension called FoxyProxy. FoxyProxy allows us to save proxy profiles, meaning we can quickly and easily switch to our "Burp Suite" profile in a matter of clicks, then disable the proxy just as easily.
  - Note: All instructions will be given with Firefox in mind, as this is the default browser for both Kali Linux and the TryHackMe AttackBox. If you are using another browser locally then you are advised to use the AttackBox, or you may otherwise need to find alternative methods to those presented in this task. If you can't get the proxy working in your local browser and do not want to use the AttackBox, then you may wish to skip ahead to the Burp Suite Browser task.

Proxy

- Scoping and targeting. This lets you select which traffic you want to intercept, rather than intercepting all traffic; scoping is the solution to the problem of intercepting everything.
  - Scope. The extent of the area or subject matter that something deals with or to which it is relevant.
  - Parameter. A limit or boundary which defines the scope of a particular process or activity.
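To make the scoping idea concrete, here is an added example (not Burp's own scope implementation) of an include/exclude matcher in the spirit of Burp's target scope: each hypothetical rule carries a host regex, an allowed port set and a path regex, exclusions win over inclusions, and anything matching no include rule is out of scope. The rules and URLs below are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical scope rules, loosely modelled on Burp's include/exclude lists.
# Host patterns are anchored so "example.com.attacker-controlled.test" or a
# CDN subdomain does not slip into scope by accident.
INCLUDE = [
    {"host": r"^(www\.)?example\.com$", "port": {80, 443}, "path": r"^/"},
]
EXCLUDE = [
    # Never replay or fuzz the logout endpoint; it would kill the session.
    {"host": r"^(www\.)?example\.com$", "port": {80, 443}, "path": r"^/logout"},
]

def matches(rule, parts):
    """True if the split URL satisfies a rule's host, port and path."""
    host_ok = re.search(rule["host"], parts.hostname or "") is not None
    # Fill in the protocol's default port when the URL does not state one.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    port_ok = port in rule["port"]
    path_ok = re.search(rule["path"], parts.path or "/") is not None
    return host_ok and port_ok and path_ok

def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Exclusions take precedence; otherwise any include rule admits the URL."""
    parts = urlsplit(url)
    if any(matches(rule, parts) for rule in exclude):
        return False
    return any(matches(rule, parts) for rule in include)

def filter_history(urls):
    """Keep only in-scope entries, as the proxy history filter does."""
    return [u for u in urls if in_scope(u)]

if __name__ == "__main__":
    sample = [  # constructed URLs
        "https://example.com/login",
        "https://www.example.com/logout",
        "https://cdn.example.com/app.js",
        "http://example.com:8080/admin",
        "https://example.com.attacker-controlled.test/",
    ]
    for u in sample:
        print(f"{'IN ' if in_scope(u) else 'OUT'} {u}")
```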

Practical

- In a real-world web app pentest, we would test this for a variety of things, one of which would be Cross-Site Scripting (or XSS). If you have not yet encountered XSS, it can be thought of as injecting a client-side script (usually JavaScript) into a webpage in such a way that it executes. There are various kinds of XSS; the type that we are using here is referred to as "Reflected" XSS as it only affects the person making the web request.

Application-based vulnerabilities

OWASP Top 10
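The reflected case comes down to one question: does a parameter come back in the response byte-for-byte, or HTML-encoded? The added example below (not from the TryHackMe room) shows a deliberately vulnerable page-rendering function beside its hardened form, plus the check a tester applies to a Repeater response using a harmless marker that contains only HTML metacharacters. The function names and marker are constructed for the illustration.

```python
import html

def render_search_unsafe(query):
    """Deliberately vulnerable: the parameter is reflected verbatim into HTML."""
    return f"<p>Results for: {query}</p>"

def render_search_safe(query):
    """Hardened: HTML-escape the parameter before inserting it into markup.

    Note that escaping is context-specific; this protects an HTML text node,
    not an attribute built without quotes or a <script> block.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

# Harmless marker used when reviewing a response: it carries the characters
# that matter for HTML context without being a working script.
MARKER = "zz<\"'>zz"

def reflection_state(response_body, marker=MARKER):
    """Classify how a submitted marker appears in a response body."""
    if marker in response_body:
        return "reflected-unencoded"   # metacharacters survive: investigate
    if html.escape(marker, quote=True) in response_body:
        return "reflected-encoded"     # output encoding is in place
    return "not-reflected"

if __name__ == "__main__":
    for name, render in (("unsafe", render_search_unsafe), ("safe", render_search_safe)):
        body = render(MARKER)
        print(f"{name:6s} -> {reflection_state(body):20s} {body}")
```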
