This tutorial is an in-depth review of the popular web application security and penetration testing tool Burp Suite. Also, learn about the system requirements and installation steps:
Burp Suite is a tool designed to save time for every organization's application security team by providing a faster approach to software security through automated scanning of their application portfolios.
It is designed to support and speed up penetration testing and CI/CD integration in DevOps, with a reporting system that captures all issues together with appropriate remediation guidance.
It is a very useful tool for testing different applications. It has features like Repeater, Intruder and Intercept, which are essential for any penetration testing tool.
What Is Burp Suite
It is an important tool for everyone working in cybersecurity, most especially penetration testers and those who participate in bug bounty programs. Burp Suite supports the integration of third-party plugins to carry out additional tasks that are not included in Burp Suite itself, and you can easily customize these plugins to fit your workflow.
Enterprise Edition
If you have a very large software team, need very fast feedback and want to achieve DevSecOps, then your option will be Burp Suite Enterprise Edition. This tool will help you achieve full visibility of your total security exposure in your enterprise environment.
The tool has the capacity to empower your DevSecOps by reducing security risk with minimal cost. The deployment of this application is very easy with a simplified reporting system.
Professional Edition
If you want to continually test, find and exploit vulnerabilities in your applications, then your option will be Burp Suite Professional Edition. It is not expensive to acquire, and you can even request a one-month trial of the Professional Edition.
This automated tool will save you time and help you optimize your workflow in the CI/CD pipeline. It is designed to test different web applications for vulnerabilities, produce valid results and minimize false positives.
Community Edition
If you need just a limited set of manual tools for exploring web security and intercepting web traffic for penetration testing purposes, then your option will be Burp Suite Community Edition.
Community Edition vs Professional Edition vs Enterprise Edition
The below table explains the differences:
| Burp Suite Community Edition | Burp Suite Professional Edition | Burp Suite Enterprise Edition |
|---|---|---|
| The features are limited and it is a manual tool for researchers | This is the number one tool for penetration testers and bug bounty hunters | This is an automated protection tool for organizations and development teams |
| Web vulnerability scanner is not available | Web vulnerability scanner is available | Web vulnerability scanner is available |
| There is no scanner | You cannot schedule or repeat scans | Ability to schedule and repeat scans |
| This does not scale | This does not scale | Unlimited scalability |
| This cannot be integrated with CI/CD | This cannot be integrated with CI/CD | It has the ability to integrate with CI/CD |
| Not an advanced manual tool | It is an advanced manual tool | Not an advanced manual tool |
| It is an essential manual tool | Not an essential manual tool | Not an essential manual tool |
| It is free to use | Plans start from $399 per year | Plans start from $5595 per year |
Installing Burp Suite
Installing the tool is a straightforward process: simply run the installer and, if it is Burp Suite Enterprise Edition or Burp Suite Professional Edition, enter the license key that will be provided to you.
If you don't want to use the Community Edition, you can request a one-month trial of the Professional Edition.
System Requirement For Installing Burp Suite
To install Burp Suite, we recommend a system with at least 8 GB of memory and 2 CPU cores. If you will perform very large amounts of web application penetration testing, you may need more memory and, if possible, a faster CPU.
Burp Suite Community Edition is a suitable way to test how much load your system can handle before upgrading your edition.
Follow these steps to start using this tool:
#1) Selecting a Burp Suite Project
Immediately after completing the installation and activation, you will see the startup wizard, which appears each time you start Burp Suite.
The first thing the wizard asks is to select or create a project to work with.
Select one of the following options:
- Temporary project: Select this option if you only want to do a quick task and do not want to save your work. All working data is held in memory and is removed immediately after you close the tool.
- New project on disk: Select this option if you intend to start a new project that stores its data in a Burp Suite project file. This file holds all the data and configuration settings for the project, and the saved data grows incrementally as you work in Burp Suite.
- Open existing project: Select this option if you want to reopen an existing project from a Burp Suite project file. You will see all the recently opened projects displayed for your selection.
#2) Confirm that your Burp Suite’s proxy listener is Active and Running
The Burp Suite proxy listener intercepts traffic from your web browser when the browser is configured to use it. The main job of this proxy is monitoring and intercepting all web requests sent by your browser and the responses returned to it.
Confirm that the listener is active and running by clicking on the Proxy tab and then on the Options tab.
In the Proxy Listeners interface you will see the default local IP address and port, 127.0.0.1:8080, and you can Add, Edit or Remove listeners. When the Running check box is selected, the listener is running.
#3) Proxy Setting Configuration
If you do not want to go through the hassle of configuring proxy settings in an external browser, you can use the embedded browser, which is already pre-configured to work with the Burp Suite proxy.
Click the Proxy tab, then the Intercept tab, and click Open Browser to launch Burp's embedded browser.
The following steps are only needed if you want to use an external browser for manual testing with Burp Suite.
a) Configuring Burp Suite with Firefox
It is very important to configure the Firefox browser in order to use it for testing with Burp Suite.
Follow the below steps to configure your Firefox network settings:
- Open the Firefox browser and open the Firefox menu, scroll down and select Options.
- Click on the General menu and go to the Network Settings section and click the Settings button.
- From the connection settings section, select the Manual proxy configuration.
- Input the Burp Suite Proxy listener address which has the default 127.0.0.1 into the HTTP Proxy field.
- Input the Burp Suite Proxy listener port which has the default 8080 into the Port field and check the Also use this proxy for FTP and HTTPS check box.
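Firefox stores the dialog settings above as preferences, so the same configuration can be written to a user.js file and checked programmatically. The following Python is an added example, not part of the original tutorial: it generates the user.js equivalent of the steps above and checks an existing file for the common mistake of proxying HTTP but not HTTPS (the "Also use this proxy for HTTPS" check box), which leaves HTTPS traffic bypassing Burp. The preference names are Firefox's own; the sample user.js is constructed.

```python
import json
import re

# Defaults of the Burp proxy listener, as shown in the Proxy > Options tab.
BURP_HOST = "127.0.0.1"
BURP_PORT = 8080

# Constructed sample: a user.js that proxies HTTP but forgot HTTPS.
HTTP_ONLY_SAMPLE = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.MULTILINE)


def burp_firefox_prefs(host=BURP_HOST, port=BURP_PORT):
    """Return user.js text equivalent to the manual proxy dialog settings."""
    prefs = [
        ("network.proxy.type", 1),                    # 1 = "Manual proxy configuration"
        ("network.proxy.http", host),                 # HTTP Proxy field
        ("network.proxy.http_port", port),            # Port field
        ("network.proxy.ssl", host),                  # "Also use this proxy for HTTPS"
        ("network.proxy.ssl_port", port),
        ("network.proxy.share_proxy_settings", True),
        ("network.proxy.no_proxies_on", ""),          # empty bypass list
    ]
    # json.dumps yields the literal forms user.js expects: 1, "127.0.0.1", true
    return "".join(f'user_pref("{name}", {json.dumps(value)});\n' for name, value in prefs)


def parse_user_js(text):
    """Parse user_pref(...) lines into a dict; values become ints, strs or bools."""
    return {name: json.loads(raw) for name, raw in PREF_RE.findall(text)}


def check_proxy_prefs(text, host=BURP_HOST, port=BURP_PORT):
    """Report whether the prefs send HTTP and HTTPS traffic through the Burp listener."""
    p = parse_user_js(text)
    manual = p.get("network.proxy.type") == 1
    http_via_burp = manual and p.get("network.proxy.http") == host and p.get("network.proxy.http_port") == port
    shared = p.get("network.proxy.share_proxy_settings") is True
    ssl_set = p.get("network.proxy.ssl") == host and p.get("network.proxy.ssl_port") == port
    https_via_burp = http_via_burp and (shared or ssl_set)
    return {"manual": manual, "http_via_burp": http_via_burp, "https_via_burp": https_via_burp}


if __name__ == "__main__":
    print(burp_firefox_prefs())
    print(check_proxy_prefs(HTTP_ONLY_SAMPLE))  # HTTPS would bypass Burp here
```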
b) Configuring Burp Suite with Chrome
The following configuration of Chrome with Burp Suite was done on a Windows 10 system:
- Open Chrome and go to the menu.
- In the menu, select Settings, scroll down, click on Advanced and click on Open your computer's proxy settings.
- Input the Burp Suite Proxy listener address, which has the default 127.0.0.1, into the Address field.
- Input the Burp Suite Proxy listener port, which has the default 8080, into the Port field.
- Turn Use a proxy server ON.
#4) Configuring FoxyProxy with Burp Suite
FoxyProxy is an extension that removes the painstaking task of reconfiguring the system proxy settings each time you need them. This small but mighty proxy extension lets you manage and quickly switch between many proxy configurations in Firefox and Chrome. All that is required is to activate the extension in your toolbar, and you are set to route browser traffic through the Burp Suite proxy.
#5) What to do after browser configuration on Burp Suite
a) Make sure the proxy listener is active.
b) Confirm that Burp Suite is running. Open the browser that you configured and go to any HTTP URL (do not use HTTPS yet). You will notice that your browser keeps spinning, showing that it is still trying to load the requested page.
The reason for this is that Burp Suite has intercepted the HTTP request the browser is trying to send.
c) Inside Burp Suite click on the Proxy tab and then on the Intercept tab under the main tabs. Make sure both tabs are highlighted, and you will start seeing the intercepted requests appear in the Raw panel.
d) Also make sure that the "Intercept is on" button is highlighted before any web request can be intercepted. If the button is clicked so that it reads "Intercept is off", the request is released from Burp Suite.
e) If you check your browser after switching intercept off, you will see that the requested page now loads.
By following the above steps, you get to know the configuration steps for using an external browser with Burp Suite.
Note: At this point, you can only test web applications served over HTTP. If you try to test an HTTPS application, you will observe that the connection is blocked, because the browser does not yet trust the certificate Burp presents. Therefore, we advise you to install the Burp Suite CA certificate in your browser before testing HTTPS applications.
Burp Suite: Good Tool For Vulnerability Scanning
This is a good tool for carrying out vulnerability scanning on your web applications or websites.
Scanning is an automated process that helps the pen-tester finish a testing task, because the pen-tester often does not have enough time to test every parameter of every web request manually. This makes the pen-tester more effective and efficient in achieving the goals of a rigorous penetration test.
It analyzes every detail during the scanning process and notifies you when a vulnerability has been discovered. It also helps you through the remediation process by explaining how to resolve the issue.
Frequently Asked Questions
Q #1) What is Burp Suite used for?
Answer: It is an application that can act as a proxy server to intercept web requests. It is the most popular web application security and penetration testing tool in the world.
Q #2) Is Burp Suite A vulnerability scanner?
Answer: Yes, both Burp Suite Enterprise Edition and Burp Suite Professional Edition can be used to scan for vulnerabilities in an application or website.
Q #3) What is Burp testing?
Answer: Burp Suite Professional is one of the most recognized and widely accepted penetration testing tools in the world. It is the number one tool for penetration testers and bug bounty hunters.
Conclusion
In this tutorial, we have discussed the different editions of Burp Suite and how to choose the edition that fits your purpose.
We have also learned how these editions compare to each other, as well as the system requirements and the process of installing Burp Suite.
We have also walked through a few steps to get started with Burp Suite. I would advise every security professional who has never used this security automation tool before to start using it because of its global acceptance.