All in One Guide to Burp Suite: Hands-On
What is Burp Suite ?
It is basically a framework written in Java that is probably the most complete tool available for Web Application Pentesting.
Now, what does Burp Suite do? In simple words, it is used to capture web requests and responses and manipulate them in a way which helps in Penetration Testing.
There are 3 versions to Burpsuite :
- Burp Suite Community- Free for everyone’s usage. Has limited features but sufficient for basic Pentesting.
- Burp Suite Professional- It is a Paid Version and very useful for Bug Bounty. You can check out all the features here:- https://portswigger.net/burp/pro/features.
- Burp Suite Enterprise- Unlike the community and professional versions, Burp Enterprise is used for continuous scanning. It provides an automated scanner that can periodically scan webapps for vulnerabilities.
Burp Suite Installation
Burp Suite comes pre-packaged with Kali Linux, so you should not need to install it there. If, for some reason, Burp is missing from your Kali installation, you can easily install it from the Kali apt repositories.
For other Operating Systems, you can download installers from the Burp Suite Downloads page.
Alternatively, you can watch the video here to learn about installing Burp Suite.
Next you need to install FoxyProxy extension and CA Certificate. This will help you do that.
Now, that we have Burp Suite installed, lets talk about some features of the Community ( Free ) version.
- Proxy: Burp Suite Proxy is a tool that lets you see and change the traffic between your browser and the website you’re testing. You can also use it to test HTTPS websites.
- Repeater: Burp Suite Repeater lets us grab a request, change it however we want, and send it again and again. This can be super useful, especially when we have to guess a payload by trying different things (like in SQLi) or when we want to see if an endpoint has any bugs.
- Intruder: Burp Suite Intruder is a tool that lets us spam an endpoint with requests. We can use it to bruteforce passwords or to fuzz endpoints. One downside to it is, it is highly rate limited in Burp Suite Community version.
- Decoder: Burp Suite Decoder is a tool that helps us change data in different ways. We can use it to decode what we captured, or to encode a payload before we send it to the website. It’s not as popular as the other tools, but it can be very handy. We don’t have to use other services to do the same thing, we can do it right in Burp Suite ( A popular alternative is Cyberchef which is much more versatile).
- Comparer: Burp Suite Comparer is a tool that lets us see the difference between two pieces of data. We can compare them by words or by bytes.
- Sequencer: Burp Suite Sequencer is used when assessing the randomness or entropy of tokens such as session cookie values or other supposedly random generated data. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.
Now lets get Hands-On with these.
Burp Suite Proxy
All we need to do is turn on Foxy Proxy after configuring it and turn on “intercept” in Burp Suite under the Proxy tab. Now we are ready to capture requests.
Just load up any website and you can see the request that is being sent from our computer to the website server.
For demonstration purposes, I am using a random http test login form.
Now lets try to login using the given username and password below and capture the request on Burp.
The request has been captured. We can see the headers here in the request and also see the username and password that have been passed into parameters below.
We can even try to edit the request to see how the website responds to it. Usually, we start off by changing the request method to see the change in website response ( From GET to POST, etc.).
In this case, lets capture the request from the server to our request.
Right-click on the request and select “do intercept” -> “response to this request.” And then forward the current request.
We got a 200 OK. That means we have successfully logged in.
Forward the response and we can see, I’ve logged in succesfully.
Like this, it is possible to capture multiple requests and manipulate them in various ways to make the website misbehave and expose bugs.
Lets demonstrate request manipulation here. I found a page in the same website where I can write comments.
Lets capture the request to this.
Now lets change the name to “RequestManipulation”
Now lets forward the request.
The website responded with this -
Hence the manipulation was successful.
This is another example of request manipulation.
You can also perform response manipulation to OTP bypass and even to the heights of account takeover.
Burp Suite Repeater
Burp Suite Repeater allows us to capture a request in the Proxy, modify it, and resend the same request as often as we want.
Usually we simply capture a request in the Proxy, then send that through to Repeater for editing/resending.
Now lets send that request to Repeater from Proxy.
Now we can send the request multiple times and see how the website responds in split view.
Lets try sending the request unchanged and see the response.
Now lets change the Connection Header to “open” in the request and notice the difference in the response.
You can see, the Connection Header in the response changes from close to keep-alive.
Like this you can do multiple experiments on both Request and Response Headers.
Burp Suite Repeater can be very instrumental in finding SQLI.
Burp Suite Intruder
We can use this tool to send lots of different requests based on a single initial request. We just need to capture the example request in the Proxy and then tweak some values in Intruder before sending them out automatically.
Now, there are 4 attack types in Intruder:-
- Sniper
- Battering Ram
- Pitchfork
- Cluster-Bomb
You can read about the 4 attack types here.
We choose the attack-type in accordance to our requirements.
Lets see now how Burp Suite Intruder can be used to bruteforce login credentials.
This is the login form we are going to bruteforce.
Lets enter a random value in the username and password field and capture that request in Burp Suite Proxy first.
Now send that request to Burp Suite Intruder.
In the Payloads section, we put silcrows (§) around the positions we need to bruteforce. For example, in this scenario, around the username and password values.
For this Bruteforce attempt we are going to use Pitchfork attack type.
Next we go to the payloads tab to select the username and password list.
1 is for usernames and 2 is for passwords in this scenario.
Now lets start the attack.
It can be seen that every result has 673 length but request number 50 has 592 length. Hence that must be the correct credentials. Lets try them out.
Successfully logged in!!
Lets see now how Burp Suite Intruder can be used to fuzz website endpoints.
Now, I am going to fuzz from 1 to 100 to find a valid ticket number.
Lets send the request to Intruder and for this we are going to use Sniper attack type. Then we select the “1” in silcrows.
Next we go to the payloads tab and paste in 1 to 100.
Now we start the attack.
We can see every other request has length as 3304 but request number 6 has 4846 as their length.
Lets see the ticket available.
Burp Suite Decoder
Decoder helps in encoding and decoding data and also making hash values.
Lets see how that works.
This is the Burp Suite Decoder interface:-
Lets encode “Hello” in base64.
Now lets decode the encoded value given.
We can see, we got “Hello” back.
Now lets try to make hash values.
Hashing is a one-way process, unlike decoding and encoding, that is used to transform data into a unique signature.
MD4 hash of “hello”-
Burp Suite Comparer
Comparer allows to compare two pieces of data, either by ASCII words or by bytes.
Burp Suite Comparer interface:-
We load in two pieces of data and Comparer colour codes the differences for us.
There are many situations where being able to quickly compare two (potentially very large) pieces of data can come in handy.
For example, when performing a login bruteforce or credential stuffing attack with Intruder, you may wish to compare two responses with different lengths to see where the differences lie and whether the differences indicate a successful login.
Burp Suite Sequencer
Burp Suite Sequencer is a tool that helps you check how random some data is. For example, you can use it to test if the session tokens that a website gives you are hard to guess or not. Session tokens are like passwords that websites use to remember who you are and what you can do. If they are not random enough, someone might be able to steal them and pretend to be you. Burp Suite Sequencer runs different tests on a sample of tokens and tells you how good or bad they are.
Lets try it on this request:-
Now lets send it to Sequencer and select FormField option. Then select live capture.
After enough tokens are captured, we can analyse them.
Just click on analyze now.
The summary gives us an overall result; the effective entropy; an analysis of the reliability of the results; and a summary of the sample taken.
Collectively, these will often be enough to determine whether the token is generated safely or not; however, in some instances, we may need to have a look at the test results directly — this can be done in the “Character-level analysis” and “Bit-level analysis” tabs.
Conclusion
So you can see how Burp Suite can be a Bug Hunter’s Gold Mine if used properly. Mainly, the Proxy, the Repeater and the Intruder tabs are used but there exists some cases where we might need to use the other tabs too. That being said, if you’re looking to practice Burp Suite or your web-app pentesting skills (or Both ), then you can go practice the Portswigger Labs.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Connect with me on LinkedIn :)
