search
HomeGitHubPortfolioTwitter/XMediumCont@ct

chart-networkBurp Suite Configuration - Tutorial

https://github.com/quickemu-project/quickemu

hashtag
Burp Suite

chevron-rightWhat is Burp Suite?hashtag

Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is developed by the company named Portswigger, which is also the alias of its founder Dafydd Stuttard. BurpSuite aims to be an all in one set of tools and its capabilities can be enhanced by installing add-ons that are called BApps.

🟧Burp Suitechevron-right

hashtag
Download Burp Suite

It was usually pre-installed into *nix distribution like as Kali Linux.

wget "https://portswigger.net/burp/releases/startdownload?product=community&version=2023.12.1.5&type=Jar" -O burpsuite.jar

hashtag
Start Burp Suite

_JAVA_AWT_WM_NONREPARENTING=1 java -jar burpsuite.jar >/dev/null 2>&1 &

or we can run it using GUI mode.

hashtag
Burp Suite Configuration

hashtag
Firefox + Foxy Proxy Extension

We can instrade browser traffic to Burp Suite configuring Browser settings or installing and configuring a browser extension:

LogoConfiguring Firefox to work with Burp Suite - PortSwiggerBurp_Suitechevron-right

hashtag
Foxy Proxyarrow-up-right

LogoFoxyProxy - Homegetfoxyproxy.orgchevron-right
LogoHow to Use Burp & FoxyProxy to Easily Switch Between Proxy SettingsNull Bytechevron-right

hashtag
Chromium

The following configurations permits to configure Burp for Chromium, use a dedicated IP:Port, instrade traffic for PT web activities and ignore certificates errors:

hashtag
Add certificate to Chromium

Download certificates going to burp default page: localhost:8080 and click on CA Certificate to download cacert.der file, or download it directly on Burp Suite app using tab Tools -> Proxy -> Proxy Listeners -> Import/Export CA Certificate

and import it in the dedicated certificates setting Chromium section:

hashtag
Burp Suite Features

hashtag
​SiteMaparrow-up-right​

Site map shows the information that Burp collects as you explore your target application. It builds a hierarchical representation of the content from a number of sources. These include information from scans, and the URLs you discover as you browse the target manually. You can also see:

  • A list of the contents.

  • Full requests and responses for individual items.

  • Full information about any security issues that Burp discovers.

LogoSite map - PortSwiggerBurp_Suitechevron-right

hashtag
​Intruderarrow-up-right​

Burp Intruder is a tool for automating customized attacks against web applications. It enables you to configure attacks that send the same HTTP request over and over again, inserting different payloads into predefined positions each time.

LogoBurp Intruder - PortSwiggerBurp_Suitechevron-right

hashtag
​Decoderarrow-up-right​

Decoder enables you to transform data using common encoding and decoding formats. You can use Decoder to:

  • Manually decode data.

  • Automatically identify and decode recognizable encoding formats, such as URL-encoding.

  • Transform raw data into various encoded and hashed formats.

Decoder enables you to apply layers of transformations to the same data. This enables you to unpack or apply complex encoding schemes. For example, to generate modified data in the correct format for an attack, you could:

  1. Apply URL-decoding, then HTML-decoding.

  2. Edit the decoded data.

  3. Reapply the HTML-encoding, then the URL-encoding.

hashtag
​Repeaterarrow-up-right

Burp Repeater is a tool that enables you to modify and send an interesting HTTP or WebSocket message over and over.

You can use Repeater for all kinds of purposes, for example to:

  • Send a request with varying parameter values to test for input-based vulnerabilities.

  • Send a series of HTTP requests in a specific sequence to test for vulnerabilities in multi-step processes, or vulnerabilities that rely on manipulating the connection state.

  • Manually verify issues reported by Burp Scannerarrow-up-right.

hashtag
Others References

LogoWhat is Burp Suite? - GeeksforGeeksGeeksforGeekschevron-right
Logoyt-en/src/2024-02-18-web-exploitation-burpsuite/content/notes.org at main Β· LeonardoE95/yt-enGitHubchevron-right

hashtag
Documentation

This documentation describes the functionality of all editions of Burp Suite and related components. Use the links below to get started:

circle-info

Like any security testing software, Burp Suite / Dastardly contains functionality that can damage target systems. Testing for security flaws inherently involves interacting with targets in non-standard ways that can cause problems in some vulnerable targets. You should take due care when using Burp / Dastardly, read all documentation before use, back up target systems before testing, and not use Burp / Dastardly against any systems for which you are not authorized by the system owner, or for which the risk of damage is not accepted by you and the system owner.

Last updated