Burpsuite — Basics and Initial Set-up

Sanju Malhotra
7 min read · Feb 7, 2021

Burpsuite

Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is developed by the company Portswigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one set of tools, and its capabilities can be extended by installing add-ons called BApps. It is the most popular tool among professional web app security researchers and bug bounty hunters.

When Burp Suite is used as a proxy server, it allows the user to manipulate the traffic that passes through it, i.e. the traffic between the web browser (client) and the web server. This is typically referred to as a man-in-the-middle (MITM) architecture. Burp uses tables (a user-friendly way of editing web traffic) to manipulate data before it is sent to the web server. With this functionality, exceptional situations can be reproduced, allowing bugs and vulnerabilities present on the web server to be accurately pinpointed.

First of all, open Burp Suite.

The following options are displayed: create a temporary project, create a new project on disk, or open an existing project.

Select according to your choice.

Now choose “Use Burp defaults” and click “Start Burp”.

The following screen will be displayed.

Burp Suite offers a number of tools.

1. Spider

It is a web spider/crawler used to map the target web application. The objective of the mapping is to get a list of endpoints so that their functionality can be observed and potential vulnerabilities found. Spidering is done for a simple reason: the more endpoints you gather during your recon process, the more attack surface you have during your actual testing.

2. Proxy

Burp Suite contains an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request/response under inspection to another relevant tool in Burp Suite, removing the burden of copy-paste. The proxy server can be configured to listen on a specific loopback IP address and port. The proxy can also be configured to filter out specific types of request-response pairs.

3. Intruder

It is a fuzzer, used to run a set of values through an input point. The values are sent and the output is observed for success/failure and content length. Usually, an anomaly shows up as a change in the response code or in the content length of the response. Burp Suite accepts brute-force, dictionary-file and single values for its payload positions. Intruder is used for:

  • Brute-force attacks on password forms, PIN forms and similar forms.
  • Dictionary attacks on password forms and on fields suspected of being vulnerable to XSS or SQL injection.
  • Testing and attacking rate limiting on the web app.

4. Repeater: Repeater lets a user send requests repeatedly with manual modification. It is used for:

  • Verifying whether user-supplied values are being validated.
  • If user-supplied values are validated, how well is that done?
  • What values does the server expect in an input parameter or request header?
  • How does the server handle unexpected values?
  • Is input sanitization applied by the server?
  • How well does the server sanitize user-supplied input?
  • What sanitization style does the server use?
  • Among all the cookies present, which one is the actual session cookie?
  • How is CSRF protection implemented, and is there a way to bypass it?

5. Sequencer: The Sequencer is an entropy checker that tests the randomness of tokens generated by the web server. Such tokens are generally used for authentication in sensitive operations; session cookies and anti-CSRF tokens are examples. Ideally, these tokens are generated in a fully random manner, so that every possible character is equally likely to appear at each position. This should hold both bit-wise and character-wise. An entropy analyzer tests this hypothesis. It works like this: initially, the tokens are assumed to be random. The tokens are then tested for certain characteristics. A significance level is defined as the minimum probability that a token must exhibit for a characteristic; if the observed probability for a characteristic falls below the significance level, the hypothesis that the tokens are random is rejected. This tool can be used to find weak tokens and to enumerate how they are constructed.

6. Decoder: Decoder supports the common encoding methods such as URL, HTML, Base64 and hex. This tool comes in handy when looking for chunks of encoded data in parameter values or headers. It is also used for payload construction for various vulnerability classes, and to uncover primary cases of IDOR and session hijacking.

7. Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data. Some common uses for Burp Comparer are as follows:

  • When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in the responses.
  • When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.
  • When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behaviour.
  • When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.

8. Extender: Burp Suite allows external components to be integrated into the suite to enhance its capabilities. These external components are called BApps and work much like browser extensions. They can be viewed, modified, installed and uninstalled in the Extender window. Some of them are supported on the Community edition, but some require the paid Professional edition.
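As an added illustration of the per-position character test the Sequencer (item 5 above) performs, and not code from this article or from Portswigger: the script below constructs a sample token set with a constant prefix, a narrow two-character field and an evenly spread remainder, then rejects the "uniformly random" hypothesis at every position whose chi-square statistic exceeds the critical value for the chosen significance level. The hex alphabet, the constructed tokens and the Wilson-Hilferty approximation of the critical value are this example's own choices, not Burp's implementation.

```python
import math
from collections import Counter
from statistics import NormalDist

ALPHABET = "0123456789abcdef"  # assumed token alphabet: hex, as many session ids use

def chi_square_critical(df: int, significance: float) -> float:
    """Upper-tail chi-square critical value via the Wilson-Hilferty
    approximation, so no SciPy dependency is needed."""
    z = NormalDist().inv_cdf(1.0 - significance)
    return df * (1.0 - 2.0 / (9.0 * df) + z * math.sqrt(2.0 / (9.0 * df))) ** 3

def position_chi_square(tokens, pos, alphabet=ALPHABET):
    """Chi-square statistic of the characters seen at one position against the
    uniform distribution over the alphabet (the 'random token' hypothesis)."""
    counts = Counter(t[pos] for t in tokens)
    expected = len(tokens) / len(alphabet)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in alphabet)

def position_entropy_bits(tokens, pos):
    """Shannon entropy (bits) of one character position; max is log2(len(alphabet))."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def analyze_tokens(tokens, alphabet=ALPHABET, significance=0.05):
    """Return the positions where the hypothesis 'this position is uniformly
    random' is rejected at the given significance level."""
    critical = chi_square_critical(len(alphabet) - 1, significance)
    return [pos for pos in range(len(tokens[0]))
            if position_chi_square(tokens, pos, alphabet) > critical]

def constructed_tokens(n=256):
    """Constructed sample (not real application data): 4 constant chars,
    2 chars that only ever use 0-3, then 10 evenly spread chars."""
    tokens = []
    for i in range(n):
        fixed = "c0de"                                        # constant prefix
        narrow = ALPHABET[i % 4] + ALPHABET[(i // 4) % 4]     # 2 bits per char
        spread = "".join(ALPHABET[(i * (2 * k + 3) + k) % 16] for k in range(10))
        tokens.append(fixed + narrow + spread)
    return tokens

if __name__ == "__main__":
    sample = constructed_tokens()
    print("entropy bits:", [round(position_entropy_bits(sample, p), 2) for p in range(16)])
    print("weak positions:", analyze_tokens(sample))  # [0, 1, 2, 3, 4, 5]
```

The constant and narrow positions are rejected while the evenly spread ones pass; on real tokens, a low-entropy prefix like this usually turns out to be a timestamp, counter or version field that reduces the effective key space.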

Setting up Burpsuite

Go to Intruder → Target.

Make sure the target options contain localhost 127.0.0.1 and port 80.

Then go to Proxy → Options and make the following selections.

Configuring Firefox to work with Burp

To configure Firefox so that you can use it for testing with Burp, you need to perform the following configuration steps.

In Firefox, go to the Firefox Menu and select “Preferences” / “Options”.

Select the “General” tab and scroll to the “Network Proxy” settings. Click the “Settings” button.

Select the “Manual proxy configuration” option.

Enter your Burp Proxy listener address in the “HTTP Proxy” field (by default this is set to 127.0.0.1).

Next, enter your Burp Proxy listener port in the “Port” field (by default, 8080). Make sure the “Use this proxy server for all protocols” box is checked.

Delete anything that appears in the “No proxy for” field. Then, click “OK” to close all of the options dialogues.

Intercepting requests using Burpsuite

First of all, go to Proxy and turn Intercept on.

Then go to the web browser and open any website.

You will see in Burp Proxy that the request has been intercepted.
