BurpSuite is an integration of tools that work together to perform security tests on web applications. It is also a platform for attacking applications on the web. BurpSuite contains all the Burp interfaces and tools made for speeding up and facilitating the process of application attacks. Every BurpSuite tool contains the same robust framework for extensibility, alerting, logging, upstream proxies, authentication, persistence and HTTP requests.
With BurpSuite, you are allowed to combine automated and manual techniques to attack, scan, analyze, exploit and enumerate applications on the web just as you learn with this penetration test course. The various tools of Burp work together seamlessly to allow identified findings and share information within one of the tools to form the foundation of attacks using a different tool.
When putting a web application to the test, BurpSuite helps the penetration tester through the process starting from identifying vulnerabilities all the way to the mapping and exploitation phase. Understanding the framework of BurpSuite will help you know when to use which feature with what scenario.
Tools that Make Up BurpSuite
Burp Spider is a tool for mapping web applications. It automates the laborious task of cataloging an application’s content and functionality, and lets you:
- Work manually via your browser, by passively inspecting traffic passing through Burp Proxy and cataloging everything that this identifies.
- Actively crawl the application, by automatically following links, submitting forms, and parsing responses for new content.
- Browse a detailed site map of discovered content, in tree and table form.
- Retain full control of all spidering actions, with fine-grained scope definition, automatic or user-guided submission of forms, and detailed configuration of the spidering engine.
- Send interesting items to other Burp Suite tools with a single click.
- Deal with complex applications, with automatic handling of login credentials and session cookies, and detection of custom “not found” responses.
- Save all of your work, and resume working later.
When you run Burp, the Spider runs by default in passive mode, and builds up a detailed site map of your target application, by recording all of the requests that you make via Burp Proxy, and parsing all of the responses for new links and functionality. After browsing the whole application, you can use Burp’s site map to review the content you have discovered. You can then use the active spidering function to map out any areas you may have missed, or you can select individual items or branches within the site map, and send these to other Burp tools for further manual or automated attacks.
Burp Comparer is one tool that visually compares 2 different data items. Typically, this requirement arises when you want to identify the difference between 2 responses of applications quickly in the context of applications on the web. This tool is used to identify the differences between failed log in responses using invalid and valid usernames. It can also be used to identify the difference between 2 requests for applications, 2 received responses in the course of an attack by Burp intruder or for when you want to identify the different parameter requests that give rise to varied behavior.
Burp decoder is a basic tool that transforms raw data in various hashed and encoded forms and transforms data that’s been encoded into a canonical version. With the use of heuristic techniques, it has the capacity of recognizing many different code formats.
Burp sequencer is used to analyze the degree of an application session token’s randomness or other items in which the application’s unpredictability is dependent for its security.
Burp Repeater used for manually reissuing and modifying individual requests of HTTP and making an analysis of the response. This is ideally used together with other tools in Burp Suite. For instance, you can send requests to Repeater from the site map target from the Burp intruder attack results or from browsing history of Burp proxy. You can then adjust the requests manually to probe for vulnerability or to fine tune an attack.
Burp Intruder is one of the tools that automates customized attacks versus applications on the web.
Burp scanner is a tool that performs automated security discovery of web application vulnerability. It is created for use by penetrating tests to closely fit with the existing methodology and techniques for performing semi-automated and manual penetration tests of applications on the web.
Burp Spider is a tool for web application mapping. It uses various techniques of intelligence to generate comprehensive inventories of an application’s functionality and content.
Burp proxy is an HTTP/S interactive proxy server for testing and attacking applications on the web. It operates as the middle-man between the target web server and the end browser. This allowed users to modify, inspect and intercept the raw traffic that passes in either direction.
Firstly,Configure BurpSuite Proxy Options: Set interface 127.0.0.1:8080 Now, Configure Proxy in Browser as follows: Now, Visit any URL in Browser, In Example we have taken http://google.com/ It's the Output:
For More Video Tutorials : https://portswigger.net/burp/tutorials/