Burp Suite is one of the best tools for testing web applications. Its features support a range of tasks: intercepting and modifying requests, scanning web applications for vulnerabilities, brute-forcing login forms, and running randomness checks on values such as session tokens. This article walks through Burp Suite, mainly discussing the following features.
1. Proxy - Burp Suite has a proxy that listens on port 8080 by default. Through this proxy we can intercept and modify the packets sent from the client to the web application.
2. Spider - Burp Suite's Spider crawls the links and content of a web application. It can automatically submit the login form (using user-defined input), so the Spider can crawl all links on the site and scan them to discover web application vulnerabilities.
3. Scanner - used to scan web applications for vulnerabilities. Some false positives will occur during testing; it is important to remember that the results of the automated scanner are never 100% accurate.
4. Intruder - used for many purposes, such as exploiting vulnerabilities, fuzzing web applications, and brute-force guessing.
5. Repeater - used to modify and resend the same request as many times as needed, varying it for different situations, and to analyze the responses.
6. Sequencer - used to check the randomness of session tokens issued by the web application and to perform various tests on them.
7. Decoder - used to decode and encode data so as to recover the original data format.
8. Comparer - used to compare any two requests, responses, or any other pieces of data.
1) Proxy
The proxy feature allows us to intercept and modify requests. To intercept and manipulate requests, we must configure our browser to go through Burp Suite.
Open the Alerts tab and you can see that the proxy is running on port 8080. We can modify this configuration under Proxy -> Options.
Here we can edit the port the proxy listens on, or even add a new proxy listener. Burp also has options for presenting a certificate to SSL-protected websites. By default, Burp generates a self-signed certificate when it is installed. When the "generate CA-signed per-host certificates" option is selected, Burp generates a certificate for each specific host we connect to, signed by its own CA. What matters here is that this reduces the number of certificate warnings when the user connects to an SSL-protected website.
If the "listen on loopback interface only" option is not selected, the Burp proxy can serve as a proxy for other systems on the network. This means that any computer on the same network can use the Burp proxy and relay its traffic through it.
The "support invisible proxying for non-proxy-aware clients" option is used when the client does not know it is using a proxy. This means the proxy settings are not configured in the browser but, for example, in the hosts file. In this case, unlike when the proxy is set in the browser itself, Burp needs to know that it is receiving traffic from a non-proxy-aware client. The "redirect to host" and "redirect to port" options, which follow this option, redirect the client to the host and port we set.
Here we also have options to modify the HTML pages received in responses. We can unhide hidden form fields and remove JavaScript. Another option is to replace a specific pattern with a custom string: we specify a regular expression, and Burp parses the request or response looking for this pattern and replaces it with the custom string.
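To make concrete what these response-modification options do, here is an added Python example (not Burp's own code) that applies the same three transformations to a constructed HTML response: it turns hidden form fields into visible ones, strips client-side JavaScript (inline event handlers and script blocks), and performs a regex match-and-replace. The sample HTML, the regular expressions and the function names are all constructed for illustration.

```python
import re

# Constructed sample HTML response, standing in for a page Burp would receive
# from the target application (not taken from a real site).
SAMPLE_HTML = """<html><body>
<form action="/transfer" method="post">
  <input type="hidden" name="account_id" value="1001">
  <input type="text" name="amount" value="10" onblur="validate(this)">
  <input type="submit" value="Send">
</form>
<script>document.forms[0].amount.readOnly = true;</script>
</body></html>"""

# <input ... type="hidden" ...> : capture the attributes before and after type=
HIDDEN_INPUT = re.compile(r'<input([^>]*?)type=["\']hidden["\']([^>]*)>', re.IGNORECASE)
# inline event handlers such as onblur="..." / onclick='...'
INLINE_HANDLER = re.compile(r'\s+on[a-z]+=["\'][^"\']*["\']', re.IGNORECASE)
# whole <script>...</script> blocks, across lines
SCRIPT_BLOCK = re.compile(r'<script\b[^>]*>.*?</script>', re.IGNORECASE | re.DOTALL)


def unhide_hidden_fields(html: str) -> str:
    """Rewrite hidden inputs as text inputs so the tester can see and edit them."""
    return HIDDEN_INPUT.sub(r'<input\1type="text"\2>', html)


def remove_javascript(html: str) -> str:
    """Strip inline handlers and script blocks (client-side validation only)."""
    html = INLINE_HANDLER.sub("", html)
    return SCRIPT_BLOCK.sub("", html)


def match_and_replace(body: str, pattern: str, replacement: str) -> str:
    """Generic regex match-and-replace over a request or response body."""
    return re.sub(pattern, replacement, body)


def rewrite_response(html: str, unhide: bool = True, strip_js: bool = True) -> str:
    """Apply the enabled rewrites in the same order Burp's options are listed."""
    if unhide:
        html = unhide_hidden_fields(html)
    if strip_js:
        html = remove_javascript(html)
    return html


if __name__ == "__main__":
    print(rewrite_response(SAMPLE_HTML))
```

Running it shows why these options matter to a tester: the `account_id` field that the browser would never display becomes editable, and the client-side `readOnly` and `onblur` checks disappear, which is exactly the kind of control a server must not rely on.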
2) Spider
A warning pop-up appears asking whether to "add item to scope". Click "Yes", and a scope is defined for the target we are testing.
Go to the Scope tab and we can see that the DVWA application has been added to the scope.
Another important option is "application login". Once the Burp Spider encounters a login form, it can submit it automatically as it crawls, using the credentials we provide. We can set the credentials to admin/password; once set, they will be used as the credentials for DVWA. In this way the Burp Spider can submit the credentials automatically and keep crawling to discover more content. You can also change the number of threads under the thread settings.
This starts the Burp Spider. Under the Spider Control tab, we will see the requests being made. We can also customize a scope for the Burp Spider.
3) Intruder
Burp Intruder can be used to exploit vulnerabilities, perform fuzzing, and perform brute-force guessing. In this case we will use Burp Suite's Intruder to launch a brute-force attack on DVWA. Browse to DVWA, click "Brute Force", and enter a username and password, making sure that "intercept is on" in Burp Suite. Then click Login.
This sends the request to the Intruder function. Go to the Intruder tab and configure Burp Suite to launch the brute-force attack. Under the Target tab, you can see that the target for the attack request has been set.
Click the Clear button on the right to remove all the automatically marked (highlighted) positions. Next, we need to configure Burp to use the username and password as the parameters in this attack. Select the username in the request (in this example the username is "infosecgateure") and click "Add". Similarly, add the password in the request. After this, the username and password become the first and second parameters. Once done, the output is as shown in the following figure:
Next, we need to set the attack type. The default attack type is "Sniper". In this example we will use the "Cluster Bomb" attack type. There are four attack types: sniper, battering ram, pitchfork, and cluster bomb. As shown in the following figure, our attack type is "Cluster Bomb".
Go to the Payloads tab and make sure that "payload set" is 1. Click "load" to load a file containing usernames. In this example we use a small file for demonstration. After loading, the usernames from the file are shown in the following figure.
Set "payload set" to 2 and click "load" to load a password dictionary file.
Go to the Options tab and make sure that "store requests" and "store responses" under Results are selected.
Click "Intruder" in the upper-left corner and start the attack. A new window opens showing all the requests made.
How do we determine which login request succeeded? A successful request has a response that differs from the failed ones. In this case, the response length for the username "admin" and password "password" differs from that of all the other requests.
Click the request that has the different response length. If you open the "response" tab and the text "Welcome to the password protected area admin" appears in the response, the username/password used in this request is correct.
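The triage described above (find the one row whose response differs from all the others, then confirm it by the welcome text) can be automated over an exported Intruder results table. The following Python is an added example written for this article, not Burp's own code; the rows are constructed to mimic a DVWA attack table and are not real output. It generalises the single-length comparison the text describes by treating the most common (status, length) pair as the "failed login" baseline and reporting everything that deviates from it, and separately by checking the response body for the success marker.

```python
from collections import Counter

# Constructed Intruder-style results (one row per username/password tried),
# with the status and length columns Burp shows and a body snippet.
SAMPLE_RESULTS = [
    {"payload1": "admin",   "payload2": "123456",   "status": 200, "length": 4671,
     "body": "Username and/or password incorrect."},
    {"payload1": "admin",   "payload2": "password", "status": 200, "length": 4724,
     "body": "Welcome to the password protected area admin"},
    {"payload1": "admin",   "payload2": "letmein",  "status": 200, "length": 4671,
     "body": "Username and/or password incorrect."},
    {"payload1": "gordonb", "payload2": "123456",   "status": 200, "length": 4671,
     "body": "Username and/or password incorrect."},
    {"payload1": "gordonb", "payload2": "password", "status": 200, "length": 4671,
     "body": "Username and/or password incorrect."},
    {"payload1": "gordonb", "payload2": "letmein",  "status": 200, "length": 4671,
     "body": "Username and/or password incorrect."},
]


def baseline_signature(results):
    """The (status, length) pair shared by most rows: the 'failed login' response."""
    counts = Counter((r["status"], r["length"]) for r in results)
    return counts.most_common(1)[0][0]


def find_outliers(results):
    """Rows whose (status, length) differs from the baseline: candidates to inspect."""
    base = baseline_signature(results)
    return [r for r in results if (r["status"], r["length"]) != base]


def confirm_with_marker(results, marker):
    """Stronger check: the credential pairs whose response body contains the success text."""
    return [(r["payload1"], r["payload2"]) for r in results if marker in r["body"]]


if __name__ == "__main__":
    print("baseline (status, length):", baseline_signature(SAMPLE_RESULTS))
    for row in find_outliers(SAMPLE_RESULTS):
        print("candidate:", row["payload1"], row["payload2"], row["status"], row["length"])
    print("confirmed:", confirm_with_marker(SAMPLE_RESULTS, "Welcome to the password protected area"))
```

The length-based check works only because the application answers a correct and an incorrect login with responses of different sizes; that difference is the oracle the attack relies on, so on the defending side it is worth noting that uniform error responses plus rate limiting or account lockout are what remove it. The marker check is the one to trust, since lengths can also vary for unrelated reasons (dynamic content, timestamps).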
Burp Intruder is one of the most powerful functions of Burp Suite, and it is worth learning carefully.
4) Repeater
With the Burp Repeater function, we can manually modify a request and send it, then analyze the response returned. Requests can be sent to the Burp Repeater from other tools, such as Intruder and Proxy; to do so, right-click the request and choose "Send to Repeater".
Open the Repeater tab and you will see the request. You can also see three tabs named 1, 2, and 3.
We can also see the request's Params, Headers, Hex, and Raw views. Before sending the request, we can modify any of them.
Modify username=admin and password=password in the Params view of the request and click Go to send it.
We can then analyze the returned response in the Response panel.
Some other functions have not been translated. Due to my limited English proficiency and work experience, many technical terms may not have been translated very accurately. You can refer to the original article's URL for reference.