Burp Suite Configuration - Tutorial

Last updated 5 months ago

Burp Suite

What is Burp Suite?

Burp, or Burp Suite, is a set of tools for penetration testing web applications. It is developed by PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one toolset, and its capabilities can be extended by installing add-ons called BApps.

Download Burp Suite

It is usually pre-installed on pentesting-oriented *nix distributions such as Kali Linux. Otherwise, download the Community Edition JAR directly (the URL below pins a specific version; change the version parameter for a newer release):

wget "https://portswigger.net/burp/releases/startdownload?product=community&version=2023.12.1.5&type=Jar" -O burpsuite.jar

Start Burp Suite

_JAVA_AWT_WM_NONREPARENTING=1 java -jar burpsuite.jar >/dev/null 2>&1 &

The _JAVA_AWT_WM_NONREPARENTING=1 variable is only needed under some tiling window managers, where Java/AWT applications otherwise draw a blank window; on a regular desktop it is harmless. Alternatively, launch Burp from the graphical application menu.

Burp Suite Configuration

Firefox + FoxyProxy Extension

We can route browser traffic through Burp Suite either by configuring the browser's proxy settings directly or by installing and configuring a browser extension such as FoxyProxy, which lets us switch the proxy on and off per tab. In both cases the proxy to point at is Burp's default listener, 127.0.0.1:8080 (type HTTP; use the same proxy for HTTPS). See the Firefox and FoxyProxy links in the references at the end of the page:

Chromium

The following command configures Chromium for Burp: it uses a dedicated profile directory (so the test settings do not touch your everyday browser), routes all traffic to Burp on 127.0.0.1:8080, ignores certificate errors (needed until Burp's CA is trusted, see below), and, via the "<-loopback>" bypass rule, also sends requests to localhost through the proxy instead of bypassing it. Note that --ignore-certificate-errors disables TLS validation for that whole profile, so use it only for PT web activities, never for normal browsing:

chromium \
    --user-data-dir=pt-activity \
    --proxy-server=127.0.0.1:8080 \
    --ignore-certificate-errors \
    --proxy-bypass-list="<-loopback>" \
    >/dev/null 2>&1 &

Add certificate to Chromium

Rather than ignoring certificate errors, we can trust Burp's CA. Download the certificate from Burp's welcome page at http://localhost:8080 (click "CA Certificate" to get cacert.der), or export it from the Burp application under Settings -> Tools -> Proxy -> Proxy listeners -> Import / export CA certificate,

then import it in Chromium's certificate settings (Authorities tab, trusting it for identifying websites):

chrome://settings/certificates

Burp generates a unique CA per installation, so the certificate and its private key live only on your machine; still, treat the file as sensitive and remove the CA from the browser's trust store when the engagement is over.
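The same import can be scripted for Chromium on Linux, which reads its trust store from the NSS database in ~/.pki/nssdb. The script below is an added example, not code from the page or from PortSwigger. It assumes Burp's listener is on 127.0.0.1:8080 and serves cacert.der at http://127.0.0.1:8080/cert (the link behind "CA Certificate" on the welcome page), that certutil from libnss3-tools is installed, and it uses a nickname of its own choosing for the imported CA.

```python
"""Fetch Burp's CA certificate from a running proxy listener and install it
into the NSS database that Chromium on Linux uses (~/.pki/nssdb).
Added example; listener address, /cert URL and certutil usage are assumptions."""
import base64
import os
import socket
import subprocess
import urllib.request

HOST, PORT = "127.0.0.1", 8080                 # Burp's default proxy listener
NSS_DB = os.path.expanduser("~/.pki/nssdb")     # Chromium's per-user NSS store on Linux
NICKNAME = "PortSwigger CA"                     # label shown in chrome://settings/certificates


def listener_up(host: str = HOST, port: int = PORT, timeout: float = 2.0) -> bool:
    """True if something accepts TCP connections on host:port (is Burp running?)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour certutil expects: base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fetch_burp_ca(host: str = HOST, port: int = PORT) -> bytes:
    """Download cacert.der straight from the listener (assumed URL, no proxy needed)."""
    # Empty ProxyHandler: ignore any system proxy so we do not go through Burp to reach Burp.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://{host}:{port}/cert", timeout=5) as resp:
        der = resp.read()
    if not der.startswith(b"\x30"):            # DER SEQUENCE tag: cheap sanity check
        raise ValueError("response does not look like a DER certificate")
    return der


def certutil_import_cmd(pem_path: str, nss_db: str = NSS_DB, nickname: str = NICKNAME) -> list:
    """certutil invocation: add (-A) the cert trusted as a CA for TLS servers ("C,,")."""
    return ["certutil", "-d", f"sql:{nss_db}", "-A", "-t", "C,,", "-n", nickname, "-i", pem_path]


def install(pem_path: str = "burp-ca.pem") -> None:
    if not listener_up():
        raise SystemExit(f"Burp proxy listener not reachable on {HOST}:{PORT}; start Burp first")
    with open(pem_path, "w") as f:
        f.write(der_to_pem(fetch_burp_ca()))
    os.makedirs(NSS_DB, exist_ok=True)
    if not os.path.exists(os.path.join(NSS_DB, "cert9.db")):
        # Fresh profile: create an empty database before importing into it.
        subprocess.run(["certutil", "-d", f"sql:{NSS_DB}", "-N", "--empty-password"], check=True)
    subprocess.run(certutil_import_cmd(pem_path), check=True)
    # Confirm the import: lists every certificate with its trust flags.
    subprocess.run(["certutil", "-d", f"sql:{NSS_DB}", "-L"], check=True)


if __name__ == "__main__":
    install()
```

Run it once with Burp started, then restart Chromium; the "C,," trust flag is exactly what the "trust for identifying websites" checkbox sets, so --ignore-certificate-errors is no longer needed for that profile. To undo it later, run certutil -d sql:~/.pki/nssdb -D -n "PortSwigger CA".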

Burp Suite Features

Site Map

Site map shows the information that Burp collects as you explore your target application. It builds a hierarchical representation of the content from a number of sources. These include information from scans, and the URLs you discover as you browse the target manually. You can also see:

  • A list of the contents.

  • Full requests and responses for individual items.

  • Full information about any security issues that Burp discovers.

Intruder

Burp Intruder is a tool for automating customized attacks against web applications. It enables you to configure attacks that send the same HTTP request over and over again, inserting different payloads into predefined positions each time.
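What "predefined positions" and "different payloads" mean in practice is easiest to see by reimplementing the placement logic. The block below is an added example, not Burp's code: it marks payload positions with § the way the Intruder UI does, generates the request set for the four Intruder attack types (sniper, battering ram, pitchfork, cluster bomb) and replays one through the proxy listener, which is assumed to be 127.0.0.1:8080; the request template and wordlists are constructed for the example.

```python
"""Intruder-style payload placement over a raw HTTP request template.
Added example, not Burp's own code; template, wordlists and listener are assumed."""
import http.client
import itertools
import re
from typing import Iterator, List, Sequence

POSITION_RE = re.compile(r"§(.*?)§", re.S)   # § ... § brackets one payload position

# Constructed template with two payload positions (username and password).
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=§admin§&pass=§secret§"
)


def positions(template: str) -> List[str]:
    """Base values found between § markers, in order of appearance."""
    return POSITION_RE.findall(template)


def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per position, left to right, dropping the markers."""
    it = iter(values)
    return POSITION_RE.sub(lambda m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One position at a time receives each payload; the others keep their base value."""
    base = positions(template)
    for idx in range(len(base)):
        for p in payloads:
            vals = list(base)
            vals[idx] = p
            yield render(template, vals)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """The same payload goes into every position at once (e.g. user == pass guesses)."""
    n = len(positions(template))
    for p in payloads:
        yield render(template, [p] * n)


def pitchfork(template: str, *sets: Sequence[str]) -> Iterator[str]:
    """Position i draws from set i and the sets advance in lockstep (credential pairs)."""
    for combo in zip(*sets):
        yield render(template, combo)


def cluster_bomb(template: str, *sets: Sequence[str]) -> Iterator[str]:
    """Cartesian product of all sets: every combination (full brute force)."""
    for combo in itertools.product(*sets):
        yield render(template, combo)


def count(template: str, mode, *sets) -> int:
    """Number of requests an attack would send; check this before hitting a target."""
    return sum(1 for _ in mode(template, *sets))


def parse(raw: str):
    """Split a raw request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return method, path, headers, body


def send_via_burp(raw: str, proxy=("127.0.0.1", 8080)) -> int:
    """Replay one rendered request through Burp so it appears in Proxy history (plain HTTP target)."""
    method, path, headers, body = parse(raw)
    conn = http.client.HTTPConnection(*proxy, timeout=10)
    # A forward proxy takes the absolute URI in the request line.
    conn.request(method, f"http://{headers['Host']}{path}", body=body, headers=headers)
    return conn.getresponse().status


if __name__ == "__main__":
    users, passwords = ["admin", "root"], ["admin", "password", "letmein"]
    print("cluster bomb would send", count(TEMPLATE, cluster_bomb, users, passwords), "requests")
    for req in pitchfork(TEMPLATE, users, passwords):
        print(send_via_burp(req), req.rsplit("\r\n", 1)[-1])
```

The count helper is worth keeping: cluster bomb grows as the product of the list sizes, and in the Community Edition Intruder is additionally rate-limited, so knowing the request count up front tells you whether to run the attack from Burp or from a script like this one.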

Decoder

Decoder enables you to transform data using common encoding and decoding formats. You can use Decoder to:

  • Manually decode data.

  • Automatically identify and decode recognizable encoding formats, such as URL-encoding.

  • Transform raw data into various encoded and hashed formats.

Decoder enables you to apply layers of transformations to the same data. This enables you to unpack or apply complex encoding schemes. For example, to generate modified data in the correct format for an attack, you could:

  1. Apply URL-decoding, then HTML-decoding.

  2. Edit the decoded data.

  3. Reapply the HTML-encoding, then the URL-encoding.
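The three steps above, peel the outer layers, edit, re-apply them in reverse order, are the same whether you click through Decoder or script it. The block below is an added example, not Burp's code: it auto-detects URL and HTML encoding the way Decoder's "smart decode" does, records the layers it removed, and re-applies them innermost-first after the edit. The sample value is constructed (an HTML-encoded string that was then URL-encoded for a query parameter).

```python
"""Decoder-style layered transform: decode outermost first, edit, re-encode in reverse.
Added example, not Burp's code; SAMPLE is a constructed parameter value."""
import html
import re
import urllib.parse

# Constructed: "<b>Hello & welcome</b>" after HTML-encoding, then URL-encoding.
SAMPLE = "%26lt%3Bb%26gt%3BHello%20%26amp%3B%20welcome%26lt%3B%2Fb%26gt%3B"


def looks_url_encoded(s: str) -> bool:
    """Heuristic: any %XX escape present."""
    return re.search(r"%[0-9A-Fa-f]{2}", s) is not None


def looks_html_encoded(s: str) -> bool:
    """Heuristic: a named or numeric character reference such as &amp; or &#x3c; present."""
    return re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", s) is not None


def smart_decode(s: str, max_layers: int = 10):
    """Strip recognised encodings one layer at a time.
    Returns (plaintext, layers) with layers listed outermost first."""
    layers = []
    for _ in range(max_layers):            # bound the loop: data like "%2541" re-decodes forever
        if looks_url_encoded(s):
            s, layers = urllib.parse.unquote(s), layers + ["url"]
        elif looks_html_encoded(s):
            s, layers = html.unescape(s), layers + ["html"]
        else:
            break
    return s, layers


def encode_layers(s: str, layers) -> str:
    """Re-apply layers innermost first, i.e. the reverse of the order they were removed."""
    for layer in reversed(layers):
        if layer == "url":
            s = urllib.parse.quote(s, safe="")   # safe="" also escapes "/" so it survives in a parameter
        elif layer == "html":
            s = html.escape(s, quote=False)      # &, <, > only, matching the sample's encoding
        else:
            raise ValueError(f"unknown layer {layer!r}")
    return s


def transform(value: str, edit) -> str:
    """Decode -> edit the plaintext with `edit` -> re-encode in the original format."""
    plain, layers = smart_decode(value)
    return encode_layers(edit(plain), layers)


if __name__ == "__main__":
    plain, layers = smart_decode(SAMPLE)
    print(plain, layers)                         # <b>Hello & welcome</b> ['url', 'html']
    print(transform(SAMPLE, lambda p: p.replace("welcome", "world")))
```

The detection is heuristic, exactly as in Decoder: a plaintext that happens to contain "%41" or "&copy;" will be decoded one layer too far, which is why Decoder also offers the manual "Decode as" menu. When that happens, call encode_layers with the layer list you know is right instead of the one smart_decode guessed.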

Repeater

Burp Repeater is a tool that enables you to modify and send an interesting HTTP or WebSocket message over and over.

You can use Repeater for all kinds of purposes, for example to:

  • Send a request with varying parameter values to test for input-based vulnerabilities.

  • Send a series of HTTP requests in a specific sequence to test for vulnerabilities in multi-step processes, or vulnerabilities that rely on manipulating the connection state.


Others References


Documentation

This documentation describes the functionality of all editions of Burp Suite and related components. Use the links below to get started:

Like any security testing software, Burp Suite / Dastardly contains functionality that can damage target systems. Testing for security flaws inherently involves interacting with targets in non-standard ways that can cause problems in some vulnerable targets. You should take due care when using Burp / Dastardly, read all documentation before use, back up target systems before testing, and not use Burp / Dastardly against any systems for which you are not authorized by the system owner, or for which the risk of damage is not accepted by you and the system owner.

  • Burp Suite Professional and Community editions
  • Burp Suite Enterprise Edition
  • Dastardly, from Burp Suite
  • Burp Scanner
  • Burp Collaborator
  • Full documentation contents

  • Burp Suite (PortSwigger): https://portswigger.net/burp
  • Burp Suite on Kali Linux: https://www.kali.org/tools/burpsuite/
  • TryHackMe, Burp Suite Basics: https://tryhackme.com/room/burpsuitebasics
  • Configuring Firefox to work with Burp Suite (PortSwigger documentation)
  • FoxyProxy - Home
  • Use Burp & FoxyProxy to Easily Switch Between Proxy Settings (WonderHowTo)
  • Target site map (PortSwigger documentation)
  • Burp Intruder (PortSwigger documentation)
  • What is Burp Suite? (GeeksforGeeks)
  • LeonardoE95/yt-en, src/2024-02-18-web-exploitation-burpsuite/content/notes.org (GitHub)