A detailed guide to using Burp Suite

Source: Internet
Author: User

Burp Suite is one of the best tools for Web application testing, with a variety of features that help us perform many tasks: intercepting and modifying requests, scanning Web applications for vulnerabilities, brute-forcing login forms, testing the randomness of session tokens, and much more. This article is a complete walkthrough of Burp Suite and mainly covers the following features.

1. Proxy – Burp Suite comes with a proxy that listens on port 8080 by default. Using this proxy, we can intercept and modify the packets sent from the client to the Web application.

2. Spider – The Burp Suite spider is used to crawl a Web application's links and content, and it can automatically submit login forms (with user-supplied input). The spider crawls all of the links on the site so that they can be scanned in detail to discover vulnerabilities in the Web application.

3. Scanner – Used to scan Web applications for vulnerabilities. Some false positives may occur during testing; it is important to remember that the results of an automated scanner are never 100% accurate.

4. Intruder – This feature can be used for a variety of purposes, such as exploiting vulnerabilities, fuzzing Web applications, and brute-force guessing.

5. Repeater – This feature is used to modify a request and resend it any number of times, analysing the responses under different conditions.

6. Sequencer – This feature is mainly used to check the randomness of the session tokens issued by the Web application, and performs various tests on them.

7. Decoder – This feature can be used to decode data back to its original form, or to encode and encrypt data.

8. Comparer – This feature is used to compare two requests, responses, or any other form of data.

1) Proxy

The proxy feature enables us to intercept and modify requests. To intercept a request and manipulate it, we must configure our browser to use Burp Suite as its proxy.

Once the browser is set up, open Burp Suite and go to Proxy –> Intercept; make sure that intercept is on.

Open the Alerts tab and you can see that the proxy is running on port 8080. We can modify this configuration under Proxy –> Options.

Open the Options tab under Proxy.

Here we can edit the port that the proxy listens on, and even add a new proxy listener. Burp also has options for presenting certificates to SSL-protected Web sites. By default, Burp creates a self-signed certificate immediately after it is installed. When the "Generate CA-signed per-host certificates" option is selected, Burp generates a certificate signed by its own CA for each host we connect to. The concern here is the number of SSL warning prompts the user sees when connecting to an SSL-protected website, which per-host CA-signed certificates reduce.

If we do not select the "Listen on loopback interface only" option, Burp Proxy can act as a proxy for other systems on the network. This means that any computer on the same network can use the Burp proxy as its proxy and relay traffic through it.

The "Support invisible proxying for non-proxy-aware clients" option is for clients that do not know they are using a proxy. This means the proxy settings are not configured in the browser but, for example, in the hosts file. In this case, unlike when the proxy is configured in the browser itself, Burp needs to know that it is receiving traffic from a non-proxy-aware client. The "Redirect to host" and "Redirect to port" options redirect the client to the host and port we set.

Similarly, we can intercept requests and responses based on rules we specify.


Here there is also an option to modify the HTML pages received in responses. We can remove hidden form fields, remove JavaScript, and so on. There is also an option to replace a specific pattern with a custom string: we specify a regular expression, Burp parses the request or response looking for that pattern, and replaces it with the custom string.

2) Spider

The Burp spider is used to map Web applications. It automatically crawls the links in the Web application, submits all the login forms it finds, and analyses the entire application in detail. These links can then be passed to Burp Scanner for a detailed scan. In this example, we will use DVWA (Damn Vulnerable Web Application). Just browse to DVWA with your browser, make sure Burp Suite is running and intercept is on, and once a request is intercepted, right-click on it and select "Send to Spider".

Next, a pop-up asks us to "Add item to scope". Click "Yes". This defines a scope around the target we are testing.

We can see in the Target –> Site map tab that the URL has been added to scope. We can also see that some other targets have been added to the target list. Burp automatically adds the pages we browse through the proxy to the target list. We can add any item to our scope with right-click –> "Add item to scope".

Entering the Scope tab, we can see that the DVWA application has been added to the scope.

Next we go to the Spider tab and click on "Options", where we can set various options for how Burp crawls the application. I have not allowed Burp to check the robots.txt file, as it would try to crawl the directories that the site administrator has disallowed search engines from indexing. Another important option is "Passively spider as you browse". Basically, the Burp spider can run in both passive and active mode; selecting this makes the Burp spider keep track of the new content and links it sees as we browse the application through the Burp proxy.

Another important option is "Application login". This tells the Burp spider what to do when it finds a login form while crawling: it can automatically submit the credentials we provide. We can set the credentials to admin/password, which are DVWA's credentials, so that the Burp spider submits them automatically and keeps crawling in the authenticated state to find more information. You can also modify the thread count under "Thread count".

To start crawling the Web application, right-click on the target and expand it. Then right-click on the expanded DVWA node and select "Spider this branch".

This starts the Burp spider; we will see the requests being made under the Spider –> Control tab, and we can also customise a scope for the Burp spider there.


Once the run is complete, we will see a lot of new URLs under the DVWA branch, which give us a lot of information about the Web application. We can then send these links to Burp Scanner for a vulnerability scan; Burp Scanner is only available in the Pro version.

3) Intruder

Burp Intruder can be used for exploiting vulnerabilities, fuzzing, brute-force guessing, and so on. In this example, we will use Burp Suite's Intruder to brute-force the DVWA login. Browse to DVWA, click on "Brute Force", enter a username and password, make sure Burp Suite's intercept is on, then click Login.

The login request will be intercepted by the Burp Suite proxy; right-click on it and select "Send to Intruder".

This sends the request to the Intruder feature. Enter the Intruder tab to configure Burp Suite to launch a brute-force attack. Under the Target tab, you can see the target set for the attack request.


Enter the Positions tab and we can see the request previously sent to Intruder. Some important information is highlighted in a different colour. Basically, Burp Suite is guessing which parts of the request should vary during the brute-force attack. In this case only the username and password change, so we need to configure Burp accordingly.

Clicking the "Clear" button on the right removes all the highlighted positions. Next we need to configure Burp to use only the username and password as parameters in this attack. Select the username in the request (in this example the username is "infosecinstitute") and click "Add". Do the same for the password in the request. After doing so, the username and password are the first and second parameters. Once you are done, the output should look like the following:

Next we need to set the attack type. The default attack type is "Sniper"; in this case we will use the "Cluster bomb" attack type. There are four attack types, namely Sniper, Battering ram, Pitchfork, and Cluster bomb. The attack type shown here is "Cluster bomb".


Go to the Payloads tab, make sure the value of "Payload set" is 1, and click "Load" to load a file containing usernames. In this example we use a very small file for the demonstration. The usernames from the loaded file are displayed as shown.


Then set the value of "Payload set" to 2 and click "Load" to load a password dictionary file.


Go to the "Options" tab and make sure "Store requests" and "Store responses" are selected under Results.

Click on "Intruder" in the upper-left menu to start the attack; a new window pops up showing all the requests made.

How do we determine which login request succeeded? A successful request has a different response from the unsuccessful ones. In this case, we see that the response for username "admin" and password "password" has a different length from the other requests.

Click on that request, then on the "Response" tab. We see the text "Welcome to the password protected area admin" in the response, which means the username/password used in this request is correct.


Burp's Intruder is one of the most powerful features of Burp Suite. We should study its use carefully.
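As an added example that is not part of the original tutorial, here is the defender's side of the attack above: a script that scans web server access logs for the burst of login POSTs that an Intruder cluster-bomb run produces and singles out the one response whose length differs from the failed-login baseline, the same signal the walkthrough uses to spot the successful guess. The function names, the log lines, the login path and the response sizes are all constructed assumptions.

```python
"""Flag a login brute-force burst like the one the Intruder walkthrough produces.
Added example, not from the original tutorial; the log lines are constructed and
the response sizes are assumed (one success differs in length from every failure)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1425
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1425
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1425
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1425
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1603
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1425
192.168.1.20 - - [10/Oct/2023:13:56:10 +0000] "POST /dvwa/login.php HTTP/1.1" 302 1603
192.168.1.20 - - [10/Oct/2023:13:56:12 +0000] "GET /dvwa/index.php HTTP/1.1" 200 5210
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$')

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"])
    return rec

def find_login_bursts(log_text, login_path="/dvwa/login.php", window_s=60, threshold=5):
    """Report each IP that POSTs to login_path more than `threshold` times within
    `window_s` seconds. The IP's most common response size is taken as the
    failed-login baseline; any other size is an outlier to inspect first."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        if len(recs) > threshold and span <= window_s:
            baseline = Counter(r["size"] for r in recs).most_common(1)[0][0]
            outliers = [r["size"] for r in recs if r["size"] != baseline]
            alerts[ip] = {"attempts": len(recs), "baseline_size": baseline,
                          "outlier_sizes": outliers}
    return alerts
```

Run `find_login_bursts(SAMPLE_LOG)` to see the single flagged client with its one differently-sized response; a lockout or rate limit on the login endpoint is what turns this detection into a mitigation.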

4) Repeater

With the Burp Repeater feature, we can manually modify a request, send it, and analyse the returned response. Requests can be sent to Burp Repeater from other parts of Burp, such as Intruder or Proxy: just right-click on a request and select "Send to Repeater".


Click on the Repeater tab and you will see the request, presented across several tabs.

We can view the request in Params, Headers, Hex and Raw format, and we can modify any of them before sending the request.

Just modify username=admin, password=password under the Params tab, click Go, and the request will be sent.

We can analyse the returned response in the Response section.

Several parts covering other functions are not translated; due to my English level and lack of work experience, many professional terms may not be translated very accurately. The original URL is pasted below so it can be read for comparison.

This article was translated by Adema from a foreign website; please respect the translator's work and credit the source when reprinting.

Original address: http://resources.infosecinstitute.com/burp-suite-walkthrough/
