BurpSuite – Swiss Knife for penetration testers

November 21, 2017

Welcome back, everyone, to this brand-new blog post. There are many different tools and applications for pentesters, but have you ever wondered which is the most loved among them? There are plenty of candidates: Nmap, Zap, Hydra, Nessus, and many others. Any guesses? If you are thinking what we are thinking, and you have seen the title of this post, there can be only one conclusion: BurpSuite.

Why BurpSuite?

There have been several discussions and debates among security researchers, and the conclusion is that BurpSuite is the most famous tool for web application pentesting, as it provides most of the features required for a pentest. It’s an all-in-one toolbox. You will only appreciate this after you have installed it and spent some time playing with it. It can work as a scanner, as a proxy server, or as an encoding/decoding tool, so you need just one application instead of three separate ones.

What is BurpSuite?

BurpSuite is a tool for web application security testing.
It comes in two versions: the Free version and the Pro version. The Pro version has some more advanced features such as Scanner, saving and restoring files, target analyzer, and many others. But if you are a beginner, we strongly suggest you go with BurpSuite Free Edition, because the Pro edition is not so pocket-friendly and the Free edition can do most of the work you require at the beginning.

Different features in BurpSuite

When you first open BurpSuite, you can find a lot of options at the top. A brand new installation will look something like this:

Let’s go through the most important ones one by one:

  • Target:
    The Target option shows all the domains and URLs that we have visited in the browser or for which a request has been generated. Here you can also choose a domain as the scope of your penetration test.
  • Proxy:
    Proxy is just what it sounds like. The proxy feature in BurpSuite acts as a man in the middle between the browser and the destination web server. That means you can intercept the requests sent from the browser to the web server, modify them as you wish, and observe the responses. The same is true for responses: you can intercept the responses sent from the web server and modify them before they reach the user’s browser. For this, you have to play around with the different options for Proxy.
    See this page for configuring the proxy. It’s the most important part.
  • Scanner:
    The scanner feature only comes with the Pro version of BurpSuite. There are two types of scans available, Active and Passive scans. The Burp scanner is quite easy to operate and it mainly checks for all the OWASP Top 10 vulnerabilities. The most awesome feature is the detailed reports we get after scanning.
    If you want to read more about the scanner, check out the official page here.
  • Intruder:
    It is used for automating customized attacks against the web application. As the official website describes:
    “It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.”
    Check this page for more details.
  • Repeater:
    This is the tool we use the most, and we guess most pen testers will agree with us. You can send the intercepted request to Repeater and see the responses live on the right side of the panel. You can test for different vulnerabilities manually using this tool.
    Check this awesome page for learning how to use the repeater.
  • Comparer:
    With this, you can see the difference between two sets of data. Just copy and paste two different responses, requests, or anything else, click the “Compare” button, and it will visually show the difference.
    Learn more about Comparer here.
  • Decoder:
    This tool is used for encoding and decoding data. Let’s suppose you want to insert a payload and want it in URL-encoded form.
    For this, you can just use the URL encoding option and it will give the expected output. It’s quite helpful. Take a look at this official page from PortSwigger.

There are some other options also, but these are basically the most important ones which you will be mostly working with.
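
To make the Proxy item above concrete, here is an added example (not from the original post and not BurpSuite's own code) of what editing an intercepted request involves at the byte level: parse the raw request, change a form field, and recompute Content-Length. The function names, the host shop.example.test and the sample request are assumptions constructed for illustration.

```python
# Added illustration, not BurpSuite code: parse_request, rewrite_request and
# SAMPLE are hypothetical names; the request below is constructed.
from urllib.parse import parse_qsl, urlencode

SAMPLE = (
    b"POST /cart/update HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"item=42&qty=1"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rewrite_request(raw: bytes, changes: dict) -> bytes:
    """Apply form-field changes, then rebuild with a correct Content-Length."""
    request_line, headers, body = parse_request(raw)
    fields = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    new_body = urlencode([(k, changes.get(k, v)) for k, v in fields]).encode("ascii")
    # The edited body has a different size: a stale Content-Length would make
    # the server cut the body short or wait for bytes that never arrive.
    out = [f"{n}: {v}" for n, v in headers if n.lower() != "content-length"]
    out.append(f"Content-Length: {len(new_body)}")
    head = "\r\n".join([request_line] + out).encode("iso-8859-1")
    return head + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    print(rewrite_request(SAMPLE, {"qty": "10"}).decode("iso-8859-1"))
```

Logging both the request the client sent and the request the server received is what lets a tester or a defender see that a value was altered in transit by the proxy.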

Important points:

  • We highly recommend that you go to the official site here and have a look at the documentation.
  • You can’t learn without practicing. Download the free version from here and start using it.
  • If you don’t know how to get started or need visual instructions for setting the whole thing up, we at ENCIPHERS have created a basic video for starters. Check out the video here.

Even when you are just starting out, it won’t take you much time to get acquainted with BurpSuite. So if you are a web application pentester or want to be one, do check out this great tool.

If you are having any problems with the setup, or can’t understand something, feel free to comment below and we will get back to you asap.
Till then, Keep learning and Happy Hacking..:)