Burp Suite Tool — Overview and Usage
Burp Suite is an intercepting proxy tool that can be used to capture and manipulate all of the data traffic between a client and a server. It is very useful for testing web and mobile based applications.
Web applications use the HTTP protocol for communication. Hypertext Transfer Protocol (HTTP) specifies how a web browser and a web server communicate. Burp Suite can test web applications served over both HTTP and HTTPS.
Important Burp Suite features are –
Proxy: Burp Proxy allows the user to intercept and modify requests/responses while interacting with web applications. The user can navigate to the HTTP history tab to review all logged requests/responses.
Repeater: It allows the user to capture, modify, then resend the same request numerous times. This feature can be used to craft a payload through trial and error (e.g. for SQLi, XSS etc.) or when testing the functionality of an endpoint for flaws.
Intruder: This is used for brute-force attacks or for fuzzing endpoints.
Decoder: This is used for transforming data, i.e. either decoding captured data or encoding a payload prior to sending it to the target application.
Comparer: It allows the user to compare two pieces of data, i.e. requests or responses, at either the word or byte level to check for differences.
Sequencer: The user can use Sequencer to check the randomness of tokens such as session cookie values or any other randomly generated data.
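As an added illustration of the kind of check Sequencer performs, the script below estimates the per-position Shannon entropy of a captured token set and flags positions that never change. This is a simplified estimate written for this page, not Burp's own algorithm; the token samples are constructed, and the 32-bit verdict threshold is an assumption.

```python
import math
import random
from collections import Counter


def position_entropy(tokens, pos):
    """Shannon entropy (bits) of the symbol distribution at one position."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def token_entropy_report(tokens, min_bits=32):
    """Per-position entropy estimate for a set of equal-length tokens.

    The estimate is capped by the sample size: with n tokens no position can
    measure more than log2(n) bits, so a small capture understates strong
    tokens. The 32-bit verdict threshold is an assumption for this example.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all have the same length")
    per_pos = [position_entropy(tokens, i) for i in range(length)]
    total = sum(per_pos)
    return {
        "per_position": per_pos,
        "total_bits": total,
        "ceiling_bits": length * math.log2(len(tokens)),
        "constant_positions": [i for i, h in enumerate(per_pos) if h == 0.0],
        "verdict": "weak" if total < min_bits else "ok",
    }


# Constructed samples (not captured from any real application).
# Weak: a fixed prefix plus a counter; only the last two digits ever change.
WEAK_TOKENS = [f"sess{1000 + i:04d}" for i in range(40)]
# Strong-looking: 16 hex characters from a seeded PRNG so the run is repeatable.
_rng = random.Random(7)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(16))
                 for _ in range(40)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        r = token_entropy_report(toks)
        print(f"{name}: {r['total_bits']:.1f} bits estimated "
              f"(ceiling {r['ceiling_bits']:.1f}), verdict={r['verdict']}, "
              f"constant positions={r['constant_positions']}")
```

A real assessment needs far more than 40 samples; the ceiling value shows how much of the token the capture can actually measure.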
Burp Dashboard: Major parts of Dashboard section are -
1. The Tasks menu allows the user to keep track of background tasks that are running in Burp Suite while testing or scanning an application.
2. The Event log tracks current ongoing activities in Burp Suite, such as proxy running status, runtime error messages etc.
3. The Issue activity section is useful in Burp Suite Pro; it lists all of the vulnerabilities found by the automated scanner.
4. The Advisory section gives more information, such as issue details and suggested remediation, about the vulnerabilities found by the automated scanner.
Burp Target: We can restrict Burp Suite to target only the URL/web application that we want to test. To do this, go to the “Target” tab, right-click on the required target/URL in the list on the left and choose “Add To Scope”. Burp will then ask us whether we want to stop logging anything which isn’t in scope, to which we can select YES.
We need to perform a similar setting in the Proxy tab to avoid intercepting requests/responses from undesired URLs/applications. To do this, go into the Proxy Options sub-tab and, in the Intercept Client Requests section, enable the rule “And URL Is in target scope”.
The user might face problems while capturing requests to a TLS-enabled site, for example https://www.google.com/. In such cases, we need to add the Burp CA certificate to the browser’s list of trusted certificate authorities.
To do that, configure the browser to use Burp Suite as its proxy and open the URL http://burp/cert to download the cacert.der file. Import this file in the certificate tab of the browser and, in the menu that pops up, select “Trust this CA to identify websites”, then click OK. Now we should be able to visit any TLS-enabled site through Burp Suite.