This tutorial explains how to Use Burp Suite for Web Application Security Testing and its different tabs like the intruder, repeater, target, etc.:
In the previous tutorial, we learned about Burp Suite and its different editions. We explained all the different features that exist within and the comparison between the editions. Learned how to go about installing this tool and start using it immediately.
We also covered starting a Burp Suite project, configuring proxy settings with any browser of your choice, and how to intercept requests with Burp Suite.
We will continue the tutorial on the use of this security tool by discussing how to install certificate authority, how to use the intruder tool, how to use the repeater tool, how to use the target tool, how to configure the scanning setting, and how to generate your scan report.
What You Will Learn:
How To Use Burp Suite
Installing Burp Suite CA Certificate
The reason for installing the Burp Suite CA certificate is to authenticate any source sending traffic into the webserver and thus prevent any unsecured website from communicating with your browser.
The process for installing Burp Suite Certificate Authority depends on the kind of web browser you are using. Here, we will explain how to install the Burp Suite CA certificate on the Firefox and Chrome browser.
#1) Launch Burp Suite and visit http://burpsuite on your Firefox and Chrome. The next page will state Welcome to Burp Suite professional.
#2) Check the top-right corner of the page and click CA Certificate and start downloading the certificate authority into your system. Please note where the installation files dropped.
#3) In Firefox, open the menu and click Preferences or Options.
#4) From the left navigation bar select the Privacy and Security settings.
#5) In the Certificates area click the View certificates button.
#6) In the next dialog box, click on the Authorities tab and click the Import button. Navigate to the location you downloaded the Burp Suite Certificate Authority and click Open.
#7) On the next page, you will see the message “You have been asked to trust a new Certificate Authority (CA)”. Select the “Trust this CA to identify websites” check box.
#8) After doing this close and restart Firefox. Then open your Burp Suite that is still running and try to send an HTTPS request and check if there is no security warning page on the screen and the request is intercepted.
#1) If you want to do the same in Chrome, just open the menu and click Settings > Security > Manage certificate.
#2) Open the Certificates dialog box and go ahead to click on the Trusted Root Certification Authorities tab, and click the Import button.
#3) Click on the Browse button and select the cacert.der from the location the file was downloaded.
#4) Click the Next button.
#5) From the two options, select the first one Place all certificates in the following store and click on browse to Trusted Root Certification Authorities.
#6) Click on the Next button and if you see a pop-up message asking you if you want to install this certificate please click Yes. A message will display saying that the import was successful.
#7) Close the Chrome and restart it and confirm Burp Suite is still running, go ahead and browse any HTTPS application and observe the response. By now, you should no longer be receiving a page with a security notification.
Suggested Reading =>> Open Source Security Testing Tools
Burp Suite Intruder Tab
This is a very powerful tool and can be used to carry out different attacks on web applications. It is very easy to configure and you can use it to carry out several testing tasks faster and very effectively. It is a perfect tool that can be used for a brute-force attack and also carry out very difficult blind SQL injection operations.
Burp Suite Intruder mode of operation is usually through HTTP request and modify this request to your taste. This tool can be used for the analysis of the application responses to requests.
There is a need for you to specify some payloads on every attack and the exact location in the base request where the payloads are to be released or placed. We have different ways of building or generating your payloads today. We have payloads like a simple list, username generator, numbers, brute forcer, runtime file, bit flipper, and many.
The Burp Suite intruder has different algorithms that help in the placement of these payloads into their exact location.
Burp Suite intruders can be used to enumerate identifiers, extracting useful data, and performing fuzzing operations for vulnerabilities.
To carry out a successful attack using Burp suite Intruder follow these steps:
- Find the identifier which most times is highlighted inside the request and also the response confirming the validity.
- Then configure a single payload position that is enough to carry out the attack.
Use the Payload type drop-down to generate all identifiers needed to test, using the correct format.
Let us assume you want to brute force the password to an application using Burp Suite Intruder then you can load a simple list of numbers, text, or alphanumeric and save it as a text file or add the payload one after the other.
After entering some of these important details to carry out an attack, you can click on the Start attack button. The next pop-up page will be the result page, which you will need to analyze.
If you check the below image, you can see that one identifier returns a different HTTP status code or response length, the one that returns different status and length from others is actually the correct password, if you go ahead and use that you will be able to log in.
You can also brute force username and password at the same time if you do not have an idea of both login credentials.
When you want to perform fuzzing operations for vulnerabilities, test all requests using the same payloads. Through the Intruder menu, you can configure the New tab behavior, either by copying the configuration from the first tab or the last tab.
You will not need to keep setting the configuration because every other request will automatically use the previous configuration that is within their tab.
If you want to perform multiple fuzz requests, send all requests to the intruder and click on the Start attack button.
Burp Suite Repeater Tab
Burp Suite Repeater is designed to manually manipulate and re-send individual HTTP requests, and thus the response can further be analyzed. It is a multi-task tool for adjusting parameter details to test for input-based issues. This tool issue requests in a manner to test for business logic flaws.
The Burp Suite Repeater is designed to allow you to work on several requests at the same time with different request tabs. Whenever you send a request to a Repeater, it opened each request on a separate numbered tab.
Using Burp Repeater With HTTP request
If you want to make use of Burp Suite Repeater with an HTTP request, you only need to right-click on the request and select Send to Repeater. There is an immediate creation of a new request tab in the Repeater and you will also see all the relevant details on the message editor for further manipulation. You can also open a new Repeater tab manually and select the HTTP option.
Sending HTTP Requests
After making all the necessary manipulation to your request it is ready to send, just click the Send or Go button to send it to the server. The response is displayed on the response panel by the right-hand side. You will also notice that the response message is not editable.
Burp Suite Target tab
Target Site Map
The Burp Suite Target tab > Site map tool will help you with an overview of all your target application’s content and functionality. The left-hand side is in form of a tree view that arranges the content of a URL in a hierarchical order, they are split into domains, directories, folders, and files.
The tree branches can be expanded to allow you to see more details and you can select an item that you need information about, all relevant details about the selected item on the left-hand-side view will be displayed on the right-hand side view.
You can manually map your target application by launching the Burp suite browser either internal browser or the external browser and make sure the proxy interception is turned OFF while you browse the entire application manually.
This manual mapping process will populate all the target applications in the site map and any other related links to the main application. It will supply you with enough details about the application and help you to familiarize yourself with the application.
In some other instances, you may use Burp Suite automated crawler instead of a manual mapping process. The automated crawler captures the navigational paths in the application.
With manual mapping, you are able to control the process, avoid some dangerous functionality. So the choice remains yours to determine whether you will be applying a manual or automated process which solely depends on the application and your intended purpose for the result.
You can configure your target scope by selecting any branch on the Site map.
Select Add to scope or Remove from the scope from the menu. You can configure your Site map display filters to show what you want to view and what you want to delete.
The right-hand side view of the target map will display the details of your selection on the left-hand side and the issues pertaining to the selected items.
You can launch a new Site map window by clicking on the Show new site map window option on the shortcut menu. You can also use the new window to show and manage any other different selection.
Burp Suite Scanning
Burp Suite Scanner is one good tool for performing automated scans of websites and web applications in other to find and remediate vulnerabilities.
This scanning involves two phases:
- Crawling for contents: This is when the scanner navigates the whole of the application, the links, submission of forms, and log in with necessary login credentials to catalog the content of the application and navigation paths.
- Auditing for vulnerabilities: This depends on what the scan configuration is which will involve the sending of many requests to the application. It will analyze the application’s traffic and behavior and use it to identify any vulnerabilities within the application.
You can launch your Scans in any of the following ways:
#1) Scan from specific URLs or Websites: This performs a scan by crawling all the contents that exist in one or more URLs that are configured for scanning and you can also decide to audit the crawled content.
Open the Burp Suite Dashboard and click the New scan button. The New scan page opens, this is where you configure all necessary details needed for the scan.
#2) Scan selected URL: When you go through this route you will perform an audit-only scan with no crawling of specific HTTP requests.
You can decide to select over one request anywhere in the Burp Suite and select Scan from the shortcut menu. This will then launch the scan launcher where you can then configure all your scanning details.
#3) Live scanning: This can scan requests that are processed by other Burp Suite tools like the Proxy, Repeater, or Intruder tools. You will be the one to decide which request needs to be processed and whether it’s necessary for it to be scanned and to identify all the contents that can be scanned or audit for vulnerabilities.
Launch the Burp Suite Dashboard, and click the New live task button. This will open the New live task page where you can configure all scanning details.
#4) Instant scanning: With this, you can easily and instantly launch Active or Passive scans from the shortcut menu and this allows you to quickly check for vulnerabilities within an application even without going through the New live scan or New scan.
Select any request and right-click on it, click on Do passive scan or Do active scan and you can configure your scanning details.
How To Generate Report In HTML And XML Format
After the full scanning of your application, you can generate reports of the outcome in HTML or XML format.
To export your report generated by the Burp Suite after scanning, select all the issues in the Issues view of the Site map or the issue activity log and choose Report selected issues from the shortcut menu. You will see the Burp Scanner reporting wizard that will guide you on your options for your report, as described below.
Burp Suite Report format
- HTML: With this format, you can export your report in HTML that you can view or print via a browser.
- XML: With this format, you can export your report in XML which is also good for importing into other Burp Suite tools or reporting.
Choosing details you want on your Burp Suite report.
- Issue background: This shows the standard description of the current issue.
- Remediation background: This shows the normal remediation advice for the current issue.
- Issue detail: This shows information about a particular issue.
- Remediation detail: This shows remediation advice, what you need to do to resolve the issue, and a mitigation plan for future occurrences.
- Vulnerability classifications: This shows each vulnerability classification, mapping to the list of related Common Weakness Enumeration (CWE).
You can also select how you want the HTTP request messages should appear in the report.
You can select the types of issues to include in your scan report. The purpose of the wizard is to list every issue that was part of your selection and you also can remove any issue that you do not want to be part of your scan report.
This comes very handy if you have selected a huge number of issues just by selecting the application host and you need to remove any issues that are not important or not in scan focus.
You can give the scan report file a name and specify the location you want to save it on your system.
Specify the details below for HTML Report:
- Report title
- Issues reported should be organized either by type or severity.
- You can state the table of contents levels for your report.
- You can add the severities of issues either through the summary table and bar chart.
Frequently Asked Questions
Q #1) What types of vulnerability can the Burp Suite detect?
Answer: These include:
- SQL Injection
- Cross-Site Scripting
- Brute Force
- Broken Authentication
- Session Management
- Security Misconfiguration
- Sensitive Data Exposure
Q #2) How do I scan a website with a burp suite?
Answer: All you need to do is to insert the URL of the website in the scan launcher page and click on scan or you can intercept the website request. Select it and right-click and select Scan. This will launch the page where you can configure the scanning information.
Q #3) How do you perform security testing with Burp Suite?
Answer: You can use the Burp Suite community edition as a manual tool for security penetration testing but it’s limited in feature. The professional edition can be used for penetration testing and bug bounty program. The enterprise edition is for a large organization that produces enterprise products.
Also Read =>> Security Testing of Web Applications
This article explained how we can configure proxy on our chosen browser or using the external proxy application, we now know the importance of certificate authority and how to install it.
We have also discussed different tools on the Burp Suite like an intruder, repeater, and target and how to use them to successfully carry out our security task. We talked about how to scan our applications and how to format the reports the way we want them to be displayed.
Whether you are a rookie or an expert in web application testing, there is a Burp Suite edition that fits your level.
Also read =>> Top alternatives to Burp Suite