burp web penetration testing guide

Introduction

It's important to remember that Burp Suite is a software suite, and that's why a whole series was needed to cover even just the basics. Because it is a suite, there are also more tools bundled in that work in conjunction with one another and the proxy that you're already familiar with. These tools can make testing any number of aspects of a web application much simpler.

This guide isn't going to go into every tool, and it isn't going into too much depth. Some of the tools in Burp Suite are only available with the paid version of the suite. Others generally aren't used as frequently. As a result, some of the more commonly used ones were selected to give you the best practical overview possible.

All of these tools can be found on the top row of tabs in Burp Suite. Like the proxy, many of them have sub-tabs and sub-menus. Feel free to explore before getting into the individual tools.

Target

Target isn't much of a tool. It's really more of an alternative view of the traffic collected through the Burp Suite proxy. Target displays all traffic by domain in the form of a collapsible list. You will probably notice some domains in the list that you definitely don't remember visiting. That's because those domains are usually where assets like CSS, fonts, or JavaScript for a page you visited were stored, or they are the origin of ads that were displayed on the page. It can be useful to see where all of the traffic from a single page request is going.

The Target tool on Burp Suite

Under each domain in the list is a list of all of the pages that data was requested from within that domain. Below that could be specific requests for assets and information about specific requests.

When you select a request, you can see the information collected about the request displayed to the side of the collapsible list. That information is the same as the information that you were able to view in the HTTP History section of the proxy, and it's formatted the same way. Target gives you a different way to organize and access it.

Repeater

The repeater is, like the name suggests, a tool that allows you to repeat and alter a captured request. You can send a request over to the repeater and repeat the request as it was, or you can manually modify parts of the request to gather more information on how the target server handles requests.

Find your failed login request in your HTTP History. Right click on the request and select "Send to Repeater." The Repeater tab will highlight. Click on it, and you'll see your request in the left box. Just like in the HTTP History tab, you will be able to view the request in several different forms. Click on "Go" to send the request again.

The Repeater tool on Burp Suite

The response from the server will appear in the right box. This will also be just like the original response that you received from the server the first time you sent the request.

Click on the "Params" tab for the request. Try editing the params and sending the request to see what you get in return. You can change your login information or even other parts of the request that may produce new types of errors. In a real scenario, you could use the repeater to probe around and see how a server responds to different parameters or the lack thereof.

Intruder

The intruder tool is very similar to a brute force application like Hydra from the last guide. The intruder tool does offer some different ways to launch a test attack, but it is also limited in its capabilities in the free version of Burp Suite. As a result, it's still probably a better idea to use a tool like Hydra for a full brute force attack. However, the intruder tool can be used for smaller tests and can give you an idea of how a server will respond to a larger test.

The "Target" tab is exactly what it seems like. Enter the hostname or IP address of a target to test and the port that you wish to test on.

The Target tab of the Intruder tool on Burp Suite

The "Positions" tab allows you to select the areas of the request into which Burp Suite will substitute values from a wordlist. By default, Burp Suite will choose areas that would commonly be tested. You can adjust this manually with the controls on the side. "Clear" will remove all positions, and positions can be added and removed manually by highlighting them and clicking "Add" or "Remove."

The Positions tab of the Intruder tool on Burp Suite

The "Positions" tab also allows you to select how Burp Suite will test those positions. Sniper runs through the wordlist one position at a time. Battering Ram inserts the same word into every position at once. Pitchfork and Cluster Bomb are similar to the previous two, but use a separate wordlist for each position.

The "Payloads" tab allows you to create or load a wordlist for testing with the intruder tool.

The Payload tab of the Intruder tool on Burp Suite
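To make the four attack types concrete, here is an added Python model (not Burp's own code) of how Intruder combines payload positions with wordlists; the request template, its § position markers, and the two word lists are constructed for the example. Counting the generated requests is also a quick way to see how much traffic each mode produces, which is what the target's logs, rate limits, or WAF will register.

```python
from itertools import product

# Constructed request body (not a real capture) in Burp's marker syntax: each
# payload position is wrapped in § signs around the base value shown in Positions.
TEMPLATE = "log=§admin§&pwd=§letmein§&wp-submit=Log+In"

# Constructed payload sets; Burp would load these from the Payloads tab.
WORDLISTS = [["a", "b"], ["x", "y", "z"]]

def split_template(template):
    """Return (literal chunks, base values); chunks and values interleave."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]

def render(literals, values):
    """Rebuild the request body with the given values in the payload positions."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)

def attack(mode, template, wordlists):
    """Yield every request body Intruder would send for the given attack type."""
    literals, bases = split_template(template)
    n = len(bases)
    if mode == "sniper":  # one payload set, one position at a time
        for i in range(n):
            for word in wordlists[0]:
                values = list(bases)
                values[i] = word
                yield render(literals, values)
    elif mode == "battering ram":  # one payload set, same word in every position
        for word in wordlists[0]:
            yield render(literals, [word] * n)
    elif mode == "pitchfork":  # one set per position, walked in lockstep
        for combo in zip(*wordlists[:n]):
            yield render(literals, list(combo))
    elif mode == "cluster bomb":  # one set per position, every combination
        for combo in product(*wordlists[:n]):
            yield render(literals, list(combo))
    else:
        raise ValueError(f"unknown attack type: {mode}")

def request_count(mode, template, wordlists):
    """Number of requests the attack type generates from these positions and lists."""
    return sum(1 for _ in attack(mode, template, wordlists))
```

With two positions, a two-word list and a three-word list, Sniper sends 4 requests, Battering Ram 2, Pitchfork 2 (it stops when the shorter list runs out) and Cluster Bomb 6.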

Comparer

The last tool that this guide is going to cover is "Comparer." Once again aptly named, the Comparer tool places two requests side-by-side so you can more easily see the differences between them.

Go back and find the unsuccessful login request that you sent to WordPress. Right click it and select "Send to Comparer." Then find the successful one and do the same.

The Comparer tool on Burp Suite

They should appear under the "Comparer" tab, one above the other. In the bottom right corner of the screen is a label that reads, "Compare..." with two buttons below it. Click the "Words" button.

A new window will open with the requests next to each other and all of the tabbed controls that you had in the HTTP History for formatting their data. You can easily line them up and compare sets of data like the headers or parameters without having to flip back and forth between the requests.

Closing Thoughts

That's it! You've made it through all four parts of this Burp Suite overview. By now, you have a strong enough understanding to use and experiment with Burp Suite on your own and use it in your own penetration tests for web applications.