3.1 Burp Suite

Burp Suite

What is Burp Suite?

OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner and proxy developed by the Open Web Application Security Project (OWASP). It is designed for testing web applications for security vulnerabilities during development and before deployment.

OWASP ZAP provides a wide range of features for both manual and automated testing of web applications. Some of its key features include:

1. Intercepting and modifying HTTP/HTTPS requests and responses for testing purposes.

2. Spidering functionality to automatically discover and map out the structure of a web application.

3. Active and passive scanning for identifying common security vulnerabilities such as cross-site scripting (XSS), SQL injection, and more.

4. Fuzzer tools for automated testing of input validation and error handling.

5. Support for scripting and automation through APIs and add-ons.

6. Reporting capabilities to generate detailed reports of security findings.

Burp SuitePractical Ethical Hacker (CEH) Tools

Burp Suite Configuration

We can instrade browser traffic to Burp Suite configuring Browser settings or installing and configuring a browser extension:

Configuring Firefox to work with Burp SuiteBurp_Suite

Foxy Proxy

https://getfoxyproxy.org/

Use Burp & FoxyProxy to Easily Switch Between Proxy SettingsWonderHowTo

Burp Suite Features

SiteMap

The site map shows the information that Burp collects as you explore your target application. It builds a hierarchical representation of the content from a number of sources. These include information from scans, and the URLs you discover as you browse the target manually. You can also see:

• A list of the contents.

• Full requests and responses for individual items.

• Full information about any security issues that Burp discovers.

Target site mapBurp_Suite

Intruder

Burp Intruder is a tool for automating customized attacks against web applications. It enables you to configure attacks that send the same HTTP request over and over again, inserting different payloads into predefined positions each time.

Burp IntruderBurp_Suite

Decoder

Burp Decoder enables you to transform data using common encoding and decoding formats. You can use Decoder to:

• Manually decode data.

• Automatically identify and decode recognizable encoding formats, such as URL-encoding.

• Transform raw data into various encoded and hashed formats.

Decoder enables you to apply layers of transformations to the same data. This enables you to unpack or apply complex encoding schemes. For example, to generate modified data in the correct format for an attack, you could:

1. Apply URL-decoding, then HTML-decoding.

2. Edit the decoded data.

3. Reapply the HTML-encoding, then the URL-encoding.

Burp DecoderBurp_Suite

Repeater

Burp Repeater is a tool that enables you to modify and send an interesting HTTP or WebSocket message over and over.

You can use Repeater for all kinds of purposes, for example to:

• Send a request with varying parameter values to test for input-based vulnerabilities.

• Send a series of HTTP requests in a specific sequence to test for vulnerabilities in multi-step processes, or vulnerabilities that rely on manipulating the connection state.

• Manually verify issues reported by Burp Scanner.

Burp RepeaterBurp_Suite