# Burp 101

###### tags: `web app pentesting` `burp` `burpsuite`

Burp Suite is a framework of web app pentesting tools. You can get it [here](https://portswigger.net/burp/communitydownload).

Note that you need to install the Burp CA certificate in order to be able to load things over SSL/TLS. You can find it by navigating to localhost in your browser once Burp is running and you've channeled your traffic to run through it.

## Burp Suite...

A suite of:

* **Proxy**: lets you redirect web traffic to Burp for analysis
* **Target**: where we set the scope of the project; can also be used to generate a site map
* **Intruder**: does field fuzzing, credential stuffing etc.
* **Repeater**: lets us repeat previously made requests with or without modification. Typically a precursor step to fuzzing
* **Sequencer**: analyzes the randomness in variable parts of web pages, e.g. session cookies
* **Decoder**: for decoding / encoding to various bases or for URL encoding
* **Comparer**: for comparing different responses or data like site maps or proxy histories - similar to the Linux `diff` tool
* **Extender**: for adding modifications (extensions)
* **Scanner**: automated web vulnerability scanner. Only in the Pro version

## Hey foxy, got that **Proxy**?

A proxy lets you relay web traffic through an alternative route to the internet. When web app pentesting, using a proxy allows for viewing and modifying inline traffic at a granular level.
When the Burp proxy is active:

* Requests will require your authorization to be sent
* You can modify requests inline, just like in a MITM attack
* You can drop requests you do not want to be sent
* You can send these requests to tools like Repeater and Intruder for modification and manipulation to exploit vulnerabilities

By default, the Burp Suite proxy listens on `127.0.0.1:8080`.

* To send requests to **Repeater**: **Ctrl+R**
* To send requests to **Intruder**: **Ctrl+I**

The history of requests sent through the proxy can be found in the **HTTP History tab**. This is useful for a **proof of concept** or when you want to **modify and resend an earlier request**.

The **WebSockets History tab** stores the history for the **low-latency communication protocol that does not require HTTP encapsulation**. This protocol is commonly used in **collaborative apps** that **require real-time updates**, e.g. Google Docs.

The **Options** section of the Proxy tab allows for fine-tuning. For example, within the **Intercept client requests** settings, the rule **AND** with match type **URL** and relationship **Is in target scope** allows us to leave intercept on permanently, as it will not disturb sites that are outside our scope.

More on the proxy can be found [here](https://portswigger.net/burp/documentation/desktop/tools/proxy).

## Shots on **Target**

Here we:

* define our scope
* view a site map
* specify issue definitions, which comes in handy for reporting and scanning

The start of a web test usually comes with:

* the app URL
* a list of the different user roles in the app
* various test accounts and their associated credentials
* a list of the parts of the app that are out of scope and should therefore be avoided

Scoping is crucial when we intend to perform automated testing. Scoping is typically done in a tiered approach where we work our way up from the least privileged account (including anonymous / unauthenticated access), browsing the site as a normal user would. This is the happy path.
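To make the "Is in target scope" intercept rule and the scope definition concrete, here is an added example (my own code, not Burp's) that models a target scope as include/exclude URL rules and decides whether a request would be intercepted. It is a simplification of Burp's real scope (which also supports regex host and path rules): a rule here is a scheme, a host (exact or `*.suffix` wildcard), an optional port and a path prefix, and, as in Burp, an exclude rule wins over an include rule. The hostnames and paths in `ENGAGEMENT` are constructed placeholders.

```python
"""Simplified model of Burp's target scope and the
"Intercept client requests: URL is in target scope" rule.
Added example; not Burp's own implementation."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    scheme: str            # "http", "https" or "*" for any scheme
    host: str              # exact host, or "*.example.test" for host + subdomains
    port: Optional[int]    # None means any port
    path_prefix: str       # the request path must start with this

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Fill in the scheme's default port when the URL omits it.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if self.scheme != "*" and parts.scheme != self.scheme:
            return False
        if self.host.startswith("*."):
            bare = self.host[2:]                 # "example.test"
            if host != bare and not host.endswith("." + bare):
                return False
        elif host != self.host.lower():
            return False
        if self.port is not None and port != self.port:
            return False
        return (parts.path or "/").startswith(self.path_prefix)


@dataclass
class TargetScope:
    include: List[ScopeRule] = field(default_factory=list)
    exclude: List[ScopeRule] = field(default_factory=list)

    def is_in_scope(self, url: str) -> bool:
        # Exclusions take precedence over inclusions, as in Burp.
        if any(rule.matches(url) for rule in self.exclude):
            return False
        return any(rule.matches(url) for rule in self.include)


def should_intercept(scope: TargetScope, url: str) -> bool:
    """The intercept rule: hold the request only if its URL is in scope."""
    return scope.is_in_scope(url)


# Constructed scope for a hypothetical engagement (placeholder hostnames).
# Everything under https://app.example.test/ is in scope, except the
# logout endpoint and a destructive admin action we never want automated.
ENGAGEMENT = TargetScope(
    include=[ScopeRule("https", "app.example.test", None, "/")],
    exclude=[
        ScopeRule("https", "app.example.test", None, "/logout"),
        ScopeRule("*", "app.example.test", None, "/admin/destroy"),
    ],
)

if __name__ == "__main__":
    for u in ("https://app.example.test/login",
              "https://app.example.test/logout",
              "https://cdn.example.test/static/app.js",
              "http://app.example.test/login"):
        print(f"{'INTERCEPT' if should_intercept(ENGAGEMENT, u) else 'forward  '} {u}")
```

With a scope like this, leaving intercept on does not stall third-party CDNs or analytics domains, and the exclude rules keep automated tooling (Intruder, the scanner) away from endpoints that would log you out or cause damage.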
Following the happy path we can remove the following items from our scope:

* items designated as out of scope
* items whose automated exploitation would result in a huge mess
* items whose automated exploitation would lead to crashing the app

More on Target can be found [here](https://portswigger.net/burp/documentation/desktop/tools/target).

## Play it on **Repeat**..**er**

Repeater allows us to repeat requests we have already made, either as-is or with modifications. It is used for experimentation / fine-tuned exploitation where automation may not be desired.

More about Repeater can be found [here](https://portswigger.net/burp/documentation/desktop/tools/repeater).

When you attempt to log in you send a POST request, so when you look for it in the history tab, you are looking for a POST request.

## **Intruder** Alert!

At its core, Intruder is meant for one thing: **automation**. Intruder is meant for repeat testing once a PoC has been established through experimentation in Repeater.

The most common use cases for Intruder are:

* **Enumerating** identifiers such as usernames, cycling through predictable session / password recovery tokens, and attempting simple password guessing
* **Harvesting** useful data from user profiles or other pages of interest by grepping our responses
* **Fuzzing** for vulnerabilities, e.g. SQLi, XSS, file path traversal

Intruder has 4 different attack types:

### Sniper

* The most popular attack type
* **Cycles** through our **selected positions, putting** the next available payload (the next **item from our wordlist**) into each position **in turn**.
* It uses only one set of payloads, i.e. one wordlist

### Battering Ram

* Like Sniper, it uses only one set of payloads.
* Unlike Sniper, it **puts the same payload into every selected position** at the same time.
* Like a battering ram, it makes contact across a large surface with a single object (one payload).

### Pitchfork

* Allows us to **use multiple payload sets**, **one per position selected**, and **iterate through both payload sets simultaneously**.
* This results in a total number of combinations equalling the size of the smallest payload set provided.
* For instance: given username and password payload sets of 5000 names and 3000 passwords respectively, the total number of combinations would be 3000.

### Cluster Bomb

* Allows the **use of multiple payload sets**, **one per position selected**, and **iterates through all combinations of the payload lists provided**.
* This results in a total number of combinations equalling the product of the sizes of the payload sets provided.
* For instance: given username and password payload sets of 5000 names and 3000 passwords respectively, the total number of combinations would be 5000 * 3000.
* This might be a bit of a pain to run on the Community edition of Burp

More on Intruder [here](https://portswigger.net/burp/documentation/desktop/tools/intruder/).

## Commencing **Sequencer**

Sequencer is a tool for **analyzing the quality of randomness** in an application's session tokens and other important data items that are otherwise intended to be unpredictable.

Commonly analyzed items are:

* Session tokens
* Anti-CSRF tokens
* Password reset tokens

Note that bit-level tests are more powerful than character-level tests. To enable bit-level analysis, **each token is converted into a set of bits**, with the total number of bits determined by the size of the character set at each character position.

More on Sequencer [here](https://portswigger.net/burp/documentation/desktop/tools/sequencer).

## Decoder and Comparer

Decoder automatically attempts to decode the given input if you use the **Smart decode** button.

Comparer lets you do a word- or byte-level comparison between different data. The word option lets you examine the loaded data as is, while the byte option breaks the data down into bytes.
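The four Intruder attack types above differ only in how payload sets are mapped onto the marked positions, which is what determines how many requests an attack issues. The following added example (my own code, not Burp's) models each type as a generator over position/payload combinations without sending anything, and `request_count` reproduces the page's 5000 x 3000 arithmetic from the set sizes alone. The base request, position names and wordlists are constructed placeholders. Knowing these counts matters on both sides of the table: testers can size a job before launching it, and defenders can reason about what a burst from each mode looks like against their rate limits and alerting thresholds.

```python
"""Models of Burp Intruder's four attack types as generators.
Added example, not Burp's own code. Nothing here sends a request;
it only shows which values land in which positions, and how many
requests each mode would issue."""
from itertools import product
from typing import Dict, Iterator, List, Sequence

Request = Dict[str, str]   # insertion-point name -> value placed there


def sniper(base: Request, positions: Sequence[str],
           payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    # One payload set. Each position is fuzzed in turn while every other
    # position keeps its original (base) value.
    payloads = payload_sets[0]
    for pos in positions:
        for p in payloads:
            yield {**base, pos: p}


def battering_ram(base: Request, positions: Sequence[str],
                  payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    # One payload set. The same payload goes into all positions at once.
    for p in payload_sets[0]:
        yield {**base, **{pos: p for pos in positions}}


def pitchfork(base: Request, positions: Sequence[str],
              payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    # One set per position, walked in lock-step: the i-th payload of every
    # set is used together, so the shortest set bounds the run.
    for combo in zip(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


def cluster_bomb(base: Request, positions: Sequence[str],
                 payload_sets: Sequence[Sequence[str]]) -> Iterator[Request]:
    # One set per position, every combination: the Cartesian product.
    for combo in product(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


ATTACK_TYPES = {
    "sniper": sniper,
    "battering_ram": battering_ram,
    "pitchfork": pitchfork,
    "cluster_bomb": cluster_bomb,
}


def request_count(attack_type: str, n_positions: int, set_sizes: Sequence[int]) -> int:
    """How many requests a mode issues, from the wordlist sizes alone."""
    if attack_type == "sniper":
        return n_positions * set_sizes[0]
    if attack_type == "battering_ram":
        return set_sizes[0]
    if attack_type == "pitchfork":
        return min(set_sizes)
    if attack_type == "cluster_bomb":
        total = 1
        for size in set_sizes:
            total *= size
        return total
    raise ValueError(f"unknown attack type: {attack_type}")


def run(attack_type: str, base: Request, positions: Sequence[str],
        payload_sets: Sequence[Sequence[str]]) -> List[Request]:
    """Materialise every request variant a mode would produce."""
    return list(ATTACK_TYPES[attack_type](base, positions, payload_sets))


# Constructed sample: a login form with two marked positions and tiny wordlists.
BASE = {"username": "alice", "password": "secret"}
POSITIONS = ["username", "password"]
USERS = ["alice", "bob"]
PASSWORDS = ["p1", "p2", "p3"]

if __name__ == "__main__":
    for mode in ATTACK_TYPES:
        sets = [USERS] if mode in ("sniper", "battering_ram") else [USERS, PASSWORDS]
        variants = run(mode, BASE, POSITIONS, sets)
        print(f"{mode:14} {len(variants):2d} requests, first: {variants[0]}")
    # The page's example: 5000 names x 3000 passwords.
    print("pitchfork   :", request_count("pitchfork", 2, [5000, 3000]))
    print("cluster_bomb:", request_count("cluster_bomb", 2, [5000, 3000]))
```

Note how Pitchfork is the right choice when the two lists are paired (a leaked username/password pair per row), while Cluster Bomb is the exhaustive cross-product, which is why it is 5000 times larger on the same input and slow on the throttled Community edition.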
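The Sequencer section says each token is converted into a set of bits, with the bit count fixed by the size of the character set at each position. Here is an added example (my own code, not Burp's, and simpler than Burp's real battery of tests) that performs that conversion on a constructed token sample and then runs one of the most basic bit-level checks: the fraction of ones in each bit, from which it also derives a per-bit Shannon entropy estimate. The mapping (each character becomes its index in the sorted character set observed at that position, encoded in `ceil(log2(set size))` bits, with constant positions contributing no bits) is my own choice of a reasonable scheme, not necessarily the exact one Burp uses. The `SAMPLE_TOKENS` are deliberately weak, constructed values.

```python
"""Bit-level decomposition of tokens in the spirit of Burp Sequencer.
Added example; the exact encoding Burp uses is not described on the page,
so the scheme below (index into the per-position character set) is an
assumption of this example."""
import math
from typing import Dict, List


def charsets_by_position(tokens: List[str]) -> List[List[str]]:
    """The sorted set of characters seen at each position across the sample."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens in a sample must have the same length")
    return [sorted({t[i] for t in tokens}) for i in range(width)]


def bits_for(n_symbols: int) -> int:
    """Bits needed to index a character set of this size; 0 if constant."""
    return max(1, math.ceil(math.log2(n_symbols))) if n_symbols > 1 else 0


def token_to_bits(token: str, charsets: List[List[str]]) -> List[int]:
    """Map each character to its index in that position's set, MSB first."""
    bits: List[int] = []
    for ch, charset in zip(token, charsets):
        n = bits_for(len(charset))
        if n == 0:
            continue                     # constant position: no information
        idx = charset.index(ch)
        bits.extend((idx >> k) & 1 for k in range(n - 1, -1, -1))
    return bits


def _binary_entropy(p: float) -> float:
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def analyse(tokens: List[str]) -> Dict[str, object]:
    """Per-bit frequency test over a token sample.

    one_ratios: fraction of tokens with that bit set (0.5 is ideal,
                0 or 1 means the bit never changes).
    fixed_bits: bit indexes that carry no information at all.
    entropy_estimate: sum of per-bit binary entropies, an upper bound on
                the unpredictability a guesser faces given this sample.
    """
    charsets = charsets_by_position(tokens)
    matrix = [token_to_bits(t, charsets) for t in tokens]
    n_bits = len(matrix[0])
    n = len(tokens)
    ratios = [sum(row[b] for row in matrix) / n for b in range(n_bits)]
    return {
        "bits_per_token": n_bits,
        "one_ratios": ratios,
        "fixed_bits": [b for b, r in enumerate(ratios) if r in (0.0, 1.0)],
        "entropy_estimate": sum(_binary_entropy(r) for r in ratios),
    }


# Constructed, deliberately weak sample: a constant prefix, one position
# that only alternates, and one position drawn from three symbols.
SAMPLE_TOKENS = ["k0a", "k1b", "k0c", "k1a", "k0b", "k1c", "k0a", "k1b"]

if __name__ == "__main__":
    report = analyse(SAMPLE_TOKENS)
    print("charsets   :", charsets_by_position(SAMPLE_TOKENS))
    for key, value in report.items():
        print(f"{key:17}: {value}")
```

A real run needs thousands of tokens, and Sequencer applies many more tests than this frequency check, but the structure is the same: positions whose character set never changes are dead weight, and a 32-character token whose bits are biased or fixed offers far less than 128 bits to an attacker guessing it. That is the property you are verifying for session, anti-CSRF and password reset tokens.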
## Mods with **Extender**

Extender allows us to add components such as tool integrations, additional scan definitions etc.

Documentation for Extender can be found [here](https://portswigger.net/burp/documentation/desktop/tools/extender).

Top 10 mods can be found [here](https://portswigger.net/solutions/penetration-testing/penetration-testing-tools).

Personally I think [this](https://github.com/Static-Flow/BurpSuite-Team-Extension) one is really cool.

You could also check out this [logger extension](https://github.com/portswigger/logger-plus-plus).

***That's all for Burp 101, till next time: Happy hacking :)***