Hello, friend so today my topic after the previous post of How To Setup Burp so now I will cover all other useful parts within Burp Suite itself so let’s get started.
Also Read: How to Setup Burp Suite the Easy way
Burp Suite is a web application penetration testers Dream tool and the most powerful tool out there on the internet can it can be used to cover everything fully in-depth that you ever wanted. So i will be my best to thoroughly explain all the details as there are a lot of things to cover. Here is a quick list of Burp Suite components:
- Intercepting Proxy – This part of Burp lets to inspect and modify all the requests and responses that your browser makes to the target application.
- Spider – It is a very handy tool for listing out all the directories and files on the server and its functionality.
- Web Scanner* – The important part as it detects a list of vulnerabilities present in the site.
- Intruder – This is used to create and perform customized attacks to find and exploit unexpected errors.
- Repeater – Modify and re-send any individual requests.
- Sequencer – to test the randomness of the tokens (CSRF, authenticity_token, etc )
- Extensions* – Allow you to write and add you own custom-designed plugin or download pre-made plugins, to performs complex and fully customized attacks.
* Donates those features which are only available in the pro version
Introduction To Burp:-
The intercepting proxy is the first step and leads the foundation of any web application penetration test you are conducting. Burp Suite proxy syncs well with all other tools present within it. The first step of using the intercepting proxy is to set up the proxy listener (Found under proxy -> Options). I have mine set to the default setting which is localhost (127.0.0.1) and port 8080:
you can always change it by clicking on the listener then click on “Edit” or by adding a new one. Once you have it set up just go to the browser network setting and manually configure the proxy settings:
Now you can start your testing and you can view all the requests that are being sent by the target application. Go to Proxy > Intercept and double-check that “Intercept is on” and now you can tarp all the requests:
Now you can modify the request and forward it to the target application and also there is a lot of more options under Action which you can use to further testing.
If you want to go back and want to check all the requests made to the target server you can see all that in Proxy > HTTP history tab can you can check all the details about that.
Burp Suite’s spider tools are really great and helpful when you are doing your starting tests for the web application. It will create a full list of the URLs found on the site HTML responses as you navigate your way around. To use it go to Target tab then click on the domain and Add to Scope :
All the domains which you will add to the scope you can see them in Target > Scope and in here you can also add domains manually or modify previously added domains or all those domains which need to exclude from the test (for example, if you want to avoid running automated tests against an ‘About Us’ form):
If you want to check the controls of Spider go to Spider tab and the Control in here you can see that there are some URLs that have been Queued by the spider. And it will only run against the domains in the scope:
Now back in the Site Map, we can see a list of all URLs. A black URL means that we have successfully navigated to that page or the spider has found that on the site and has confirmed it as valid. And a gray URL means that the spider has found it in site the HTML code of the response but is still nor confirmed as valid :
And to the coolest tool present in Bur Suite and my personal favorite. The intruder is a very useful and flexible tool for harvesting data form web applications. We can use it for Brute-forcing, enumeration, Vulnerability fuzzing or whatever you can think of in your heart’s desires and collect data from the results.
I’ll use a basic example to walk you through the setup. We will try to use a brute force attack to hack into an admin panel on the login screen taking into consideration that there are no account lockouts in place. First of all, got the HTTP history and right-click on the request we want to test and select “Send to Intruder”:
Now in the Intruder tab and prepare our attack vector of the site. The Target tab will automate the whole process for us under the Positions tab we can see the request we’ve selected and set the position for our attack. You can do it by highlighting the value of the parameter and then clicking on Add on the right hand and you can also choose more than one position at a time:
At the top you will see the type of attack. For example, we will leave it as a sniper, but each attack type has a specific use :
- Sniper – This uses a single payload set. It targets each payload position in turn and places each payload in that place in turn. This attack type is use full for fuzzing attacks to find common vulnerabilities. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
- Battering Ram– This uses a single set of payloads. It iterates through the payload and places the same payload in the other positions present in the request for testing. This is use full when the attacker is testing single payload in different positions in the request.
- Pitchfork – This uses multiple sets of payloads. There is a completely different set of payloads for every defined position. And this attack goes through all payload sets simultaneously and place the single payload into each defined position. This attack type is useful where an attack requires different but related input to be Used in Different places within the request. The total number of requests generated in the attack is the number of payloads in the smallest payload set.
- Cluster bomb – This uses multiple payload sets. There is a different payload set for each defined position. The attack iterates through each payload set in turn so that all permutations of payload combinations are tested. This attack type is useful where an attack requires different and unrelated or unknown input to be inserted in multiple places within the request. The total number of requests generated in the attack is the product of the number of payloads in all defined payload sets.
Now that the positions are set, we can start and to do that move to the Payload tab and set what data will be used during the attack process. On the top, you will see the payload set.
Below we can set the payload options each payload type has different options which can be modified for your test as here we are going with the password list.
Now what you have to do is click on start attack by clicking on the “Start Attack” button in the top right. A new window will open with the intruder session running on it.
Note: The free version of Burp Suite severely throttles intruder. The pro version is significantly faster.
Repeater, decoder, and comparer are also very helpful tools to have. They’re very simple to use, just right-click on your request or highlighted portion of the request and select “Send To”. PortSwigger did an amazing job of making this suite of tools very intuitive, I don’t think I need to cover those.
I hope you enjoyed, stay tuned for more tutorials!