
This is a Burp Suite tutorial. Burp Suite can be the best way to get into web app security testing. It is a field that few are proficient in, which means there are lots of opportunities to become an expert. People often ask: What is Burp Suite? What are the Burp Suite alternatives? What is Burp Suite used for?

What is Burp Suite?

Burp Suite is cybersecurity software from PortSwigger. It is a powerful platform for security testing of web applications.

PortSwigger actually offers free online web security training.

Burp is a proxy. This means that you forward all your browser’s web traffic – such as viewing a vulnerable web app – through it and can manipulate requests to the site you are viewing. You can send the Gettysburg Address to the web app you are visiting if you want to; it does not matter.

Burp like a pro with FoxyProxy

All that is required is to get the free FoxyProxy Standard add-on for Firefox and install it.

FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities. 


Click on Add New Proxy and go to the settings panel. From here, give it the proxy details of Burp; in my case that is the IP address 127.0.0.1 and port 8080.


So what now? FoxyProxy now has an enabled proxy pointing at localhost 127.0.0.1, but nothing is listening on that address yet. That means it is time to turn on Burp Suite.


Just to make sure nothing is already bound to that address locally:

netstat -ano | grep 8080
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      off (0.00/0/0)

Now start Burp Suite and make sure that, in the Intercept tab, the "Intercept is on" button is selected.

Burp Repeater

When the Burp Intercept tab detects web traffic from your browser, it will display the request and prompt you to Forward or Deny the traffic.

From here you can send the request to another handy Burp tool called Repeater (Burp Suite is a full web testing platform, remember). Send it with the Ctrl+R shortcut and you will notice the Repeater tab has turned orange, indicating the shortcut worked.

Burp in action – Test a web app

Let’s put Burp into action with DVWA (Damn Vulnerable Web App), after first changing its security setting to low; otherwise the local file inclusion vulnerability is no longer present on the server.


Going to the File Inclusion page and viewing the page source, we can see the vulnerable code displayed:

$file = $_GET['page']; // the user-supplied 'page' parameter is used as the include path with no validation

Local file inclusion vulnerability

DVWA is vulnerable to local file inclusion, meaning that any visitor to the page can view files stored locally on the server.

192.168.56.103/dvwa/vulnerabilites/fi/?page=../../../../../../etc/passwd

OR

192.168.56.103/dvwa/vulnerabilites/fi/?page=etc/passwd%00

Enter the specially crafted URL into your browser and go to the Intercept tab in Burp to see the traffic arrive.

Now send the request to Repeater using Ctrl+R and watch as the response contains the contents of the /etc/passwd file on the Linux server.
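As an added, defender-side example (not part of this tutorial or of DVWA’s own code): a hardened counterpart of the `$file = $_GET['page'];` line that only maps an allowlisted page name to a path, plus a small scanner that flags the traversal and null-byte payloads shown above in access-log lines. The install path, allowlist and log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic): the two payloads from
# the text, a URL-encoded traversal variant, and one benign request.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Oct/2023:12:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1432
192.168.56.1 - - [10/Oct/2023:12:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1" 200 2891
192.168.56.1 - - [10/Oct/2023:12:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=etc/passwd%00 HTTP/1.1" 200 2891
192.168.56.1 - - [10/Oct/2023:12:00:12 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2891
"""

# Hypothetical install path and allowlist of includable pages.
PAGE_DIR = "/var/www/dvwa/vulnerabilities/fi"
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}

def safe_include_path(page):
    """Hardened counterpart of `$file = $_GET['page'];`: only an exact allowlisted
    name maps to a path; traversal, null bytes or absolute paths yield None."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGE_DIR, page)

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def lfi_indicators(url):
    """Return the set of LFI indicators found in the page= query parameter."""
    found = set()
    for raw in parse_qs(urlsplit(url).query, keep_blank_values=True).get("page", []):
        decoded = unquote(raw)  # parse_qs decoded once; this catches double encoding
        if "\x00" in decoded:
            found.add("null-byte")
        if ".." in decoded.replace("\\", "/").split("/"):
            found.add("traversal")
        if decoded.startswith("/"):
            found.add("absolute-path")
    return found

def scan_log(text):
    """Return (request_url, indicators) for each log line that looks like an LFI probe."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        indicators = lfi_indicators(match.group(1)) if match else set()
        if indicators:
            hits.append((match.group(1), indicators))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the three probe lines and leaves the benign `include.php` request alone.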

Burp testing tutorial – brute force

Burp also has brute-forcing capabilities in the form of another tool, Intruder. To get started, go to the DVWA brute force page and enter a test username and password with the FoxyProxy {proxyname} proxy switched on. The web traffic from your browser will appear under the Proxy tab, and from here we will send the request to Intruder.

Now send the request to Intruder using Action > Send to Intruder, or the shortcut Ctrl+I, and notice how the Intruder tab turns bright orange.

The attack type will be Cluster bomb, which allows every combination of usernames and passwords to be tried.

For each payload set you do have to select its set number in the drop-down before setting the payload.

For payload set #1, choose some common usernames.

For payload set #2, choose some common passwords.

For payload set #3, keep the payload parameter of $login$ which Burp auto-detected when we first sent the request to Intruder.

Now run the attack and notice how the response status code is 200, meaning that the login was successful.

Since the security setting is still low on DVWA, any and all credentials will work to log in on the brute force page. But this gives you an idea of how you can use Burp to brute force login forms on web pages.

Keep in mind that the free version of Burp is throttled, and you will likely run into performance issues when running a large list of payloads such as usernames and passwords.
