Okay, so today we are going to get one step closer to web application security. Today we are going to study the functionality and features of the comprehensive web application testing platform called Burp Suite. Burp Suite is a security assessment tool that works as a proxy between your browser and the target. Moreover, it is packed with numerous pentesting tools such as spidering, vulnerability scanning, etc.
Burp Suite is a Java application, so to install it you need a recent version of Java. On Kali Linux, Burp Suite comes pre-installed; you can find it under the Web Application Analysis category. To use Burp, you have to point your browser's proxy settings at Burp's proxy listener, which by default listens on 127.0.0.1:8080.
You can change the proxy setting manually, but we recommend a browser add-on like FoxyProxy so you can switch the proxy on and off quickly. If you want Burp to intercept HTTPS traffic (not just plain HTTP), your browser has to trust Burp's CA certificate, otherwise every HTTPS site will throw a certificate warning because Burp re-signs each site's certificate with its own CA. To download the CA certificate, browse (with the proxy enabled) to http://burp/ and click the CA Certificate link, then import it into your browser's trusted certificate authorities. Only install it in the browser profile you use for testing; any machine that trusts this CA will trust anything the Burp instance (or whoever holds its key) signs.
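The same setup applies when the "browser" is a script. The following is an added example (not code from the original post or from PortSwigger) showing how to route Python's own HTTP traffic through Burp and trust Burp's CA instead of disabling TLS verification. It assumes Burp's default listener on 127.0.0.1:8080 and that Burp serves its CA in DER form at http://burp/cert; the output file name and the target URL are placeholders.

```python
"""Drive a script's HTTP traffic through Burp instead of a browser.

Added example (not from the original post). Assumes Burp's default
listener on 127.0.0.1:8080; the certificate path and target URL are
placeholders you supply.
"""
import ssl
import urllib.request

BURP_PROXY = "http://127.0.0.1:8080"   # Burp's default proxy listener
BURP_CA_URL = "http://burp/cert"       # Burp serves its CA here (via the proxy)


def burp_proxies(proxy=BURP_PROXY):
    """Proxy map: Burp handles both plain HTTP and CONNECT-tunnelled HTTPS."""
    return {"http": proxy, "https": proxy}


def der_to_pem(der_bytes):
    """Burp hands out the CA as DER (cacert.der); Python's ssl module wants PEM."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def download_burp_ca(dest_pem_path, proxy=BURP_PROXY):
    """Fetch Burp's CA through the proxy and store it as PEM."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(proxy)))
    with opener.open(BURP_CA_URL, timeout=10) as resp:
        der = resp.read()
    with open(dest_pem_path, "w") as fh:
        fh.write(der_to_pem(der))
    return dest_pem_path


def build_burp_opener(ca_pem_path, proxy=BURP_PROXY):
    """Opener that sends everything via Burp and trusts only Burp's CA for TLS.

    Trusting Burp's CA is what stops the 'certificate not valid' errors
    without resorting to switching verification off altogether.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(proxy)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch_through_burp(url, ca_pem_path, proxy=BURP_PROXY):
    """GET url via Burp; the request and response show up in Proxy history."""
    opener = build_burp_opener(ca_pem_path, proxy)
    with opener.open(url, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    pem = download_burp_ca("burp-ca.pem")        # run with Burp open
    status, body = fetch_through_burp("https://example.com/", pem)
    print(status, len(body))
```

If you use the requests library instead, the equivalent is `requests.get(url, proxies=burp_proxies(), verify="burp-ca.pem")`; the point in both cases is the same, pass Burp's CA as the trust store rather than turning verification off.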
Components of Burp Suite
The real power of Burp lies in its different components, so let's overview all the components of Burp Suite.
Target: here you can view information about your target. The site map shows the target's content as a hierarchy. Items you have actually requested are shown in black, while links Burp has only discovered in responses but not yet requested are shown in grey. As you browse with the proxy on, Burp keeps building the site map. You can configure the scope of your target from the Scope tab (everything outside scope stays out of the other tools, so set it before you start any automated work), and you can also add filters to the site map.
Proxy: this is the tool that lets you intercept and modify requests between your browser and the target. From the Intercept tab you can inspect each request, modify it, forward or drop it, or send it to another tool. The history tabs keep a record of all HTTP and WebSocket messages that have passed through the proxy. In the Options tab you have a plethora of configuration options for the proxy. Take special note of the Response Modification options, which you can use to automatically modify response HTML to remove client-side logic and controls (unhide hidden form fields, enable disabled fields, remove JavaScript form validation) or convert HTTPS links to HTTP. Keep in mind that these only change what your browser receives; anything they let you bypass still has to be checked against the server, which is where the actual finding is.
Spider: Burp's spider lets you crawl the target web application. Once you have manually browsed the application, right-click the host (or a branch of it) in the site map and choose Spider this host. You will then see the requests being made in the Control tab, and you can customize the spider from the Options tab. Passive spidering, which just parses links out of the responses you browse without sending any new requests, is enabled by default. Note that in Burp Suite 2.x the standalone Spider was replaced by the crawler in Burp Scanner, so on current versions you start a crawl from the Dashboard instead.
Scanner: Burp has an automatic vulnerability scanner that has received great reviews from users, but it is only available in Burp Suite Professional. Once a scan is running, the issues Burp detects are listed in the Scanner's issue activity tab and on the Issues pane of the Target site map. Treat these as leads rather than confirmed findings: verify each one manually (Repeater is handy for this) before reporting it.
Intruder: using Burp Intruder you can perform highly customizable automated attacks against your target, such as brute force, fuzzing, enumeration, etc. Normally you select a request (from the proxy history or the site map), send it to Intruder, and then mark the payload positions, i.e. the parts of the request that Intruder will replace with each payload, in the Positions tab. The attack type (Sniper, Battering ram, Pitchfork or Cluster bomb) determines how the payloads are distributed across those positions, and the results table lets you spot the hit by a different status code or response length.
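To make the attack types concrete, here is an added example (not code from the original post or from PortSwigger) that reproduces Intruder's payload-position logic in plain Python: a request template with Burp-style § markers, the four attack types, and a constructed stand-in for a login endpoint so you can see how the single successful guess stands out by status code and response length. The request, the payload lists and the fake endpoint are all made up for illustration.

```python
"""Intruder-style attacks: payload positions and the four attack types.

Added example (not from the original post or PortSwigger). The request
template, payload lists and the fake login endpoint are constructed for
illustration; the '§' markers mimic the ones Burp uses in the Positions tab.
"""
import itertools
from urllib.parse import parse_qs

MARK = "\u00a7"  # the § character Burp wraps payload positions in


def split_template(template):
    """Return (literal chunks, default values) from a §-marked request."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Reassemble a request with the given values in the payload positions."""
    out = literals[0]
    for literal, value in zip(literals[1:], values):
        out += value + literal
    return out


def intruder_requests(template, payload_sets, attack):
    """Yield every request an Intruder attack of the given type would send."""
    literals, defaults = split_template(template)
    n = len(defaults)
    if attack == "sniper":            # one set, one position at a time
        for i in range(n):
            for p in payload_sets[0]:
                values = list(defaults)
                values[i] = p
                yield render(literals, values)
    elif attack == "battering_ram":   # one set, same payload in every position
        for p in payload_sets[0]:
            yield render(literals, [p] * n)
    elif attack == "pitchfork":       # one set per position, walked in lock-step
        if len(payload_sets) != n:
            raise ValueError("pitchfork needs one payload set per position")
        for combo in zip(*payload_sets):
            yield render(literals, list(combo))
    elif attack == "cluster_bomb":    # one set per position, every combination
        if len(payload_sets) != n:
            raise ValueError("cluster bomb needs one payload set per position")
        for combo in itertools.product(*payload_sets):
            yield render(literals, list(combo))
    else:
        raise ValueError("unknown attack type: %s" % attack)


def fake_login_target(raw_request):
    """Constructed stand-in for the server: (status, body) for a login POST.

    Only admin/letmein succeeds; every other guess gets the same error page.
    """
    body = raw_request.split("\r\n\r\n", 1)[1]
    form = parse_qs(body)
    if form.get("username") == ["admin"] and form.get("password") == ["letmein"]:
        return 302, ""
    return 200, "<html>Invalid credentials</html>"


def run_attack(template, payload_sets, attack, send):
    """Send each request and record what Intruder's results table shows:
    the request, the status code and the response length."""
    results = []
    for req in intruder_requests(template, payload_sets, attack):
        status, body = send(req)
        results.append((req, status, len(body)))
    return results


TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=" + MARK + "admin" + MARK + "&password=" + MARK + "password" + MARK
)
USERS = ["admin", "root", "guest"]          # constructed wordlists
PASSWORDS = ["password", "letmein", "123456"]

if __name__ == "__main__":
    for req, status, length in run_attack(
            TEMPLATE, [USERS, PASSWORDS], "cluster_bomb", fake_login_target):
        # As in Intruder, the hit stands out by its different status/length.
        print(status, length, req.split("\r\n\r\n", 1)[1])
```

Sniper with one wordlist and two positions yields 6 requests, cluster bomb with two 3-entry lists yields 9, and only one of the nine comes back as a 302 with an empty body. That is exactly the sort/grep you do on Intruder's results columns; against a real target, remember that each row is a live request and that account lockout is a real risk with password lists.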
Repeater: the function of this tool is simple: it lets you send a single request to the target again and again, editing it by hand between sends and viewing each response. This makes it the main tool for manually confirming a suspected issue before you report it.
Sequencer: with this tool you can test the randomness of tokens issued by the target, such as session IDs, CSRF tokens or password-reset tokens. Burp captures a large number of tokens and runs statistical tests on them; the larger the sample, the more reliable the randomness assessment, which is why Sequencer asks for thousands of tokens rather than a handful.
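To see why the sample size matters, here is an added example (not code from the original post, and far simpler than the battery of statistical tests Burp Sequencer actually runs) that estimates per-character-position entropy over a set of tokens. Both token samples are constructed here: a zero-padded counter as a naive application might issue, and random 32-bit values rendered as hex.

```python
"""A simple per-position entropy estimate for a sample of tokens.

Added example (not from the original post, and much simpler than the
statistical tests Burp Sequencer runs). The token samples are constructed
here; in practice you would feed in tokens captured from the target.
"""
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy in bits of the symbol seen at each character position."""
    if not tokens:
        raise ValueError("need at least one token")
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must all have the same length")
    n = len(tokens)
    bits = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return bits


def effective_bits(tokens):
    """Rough upper bound on the entropy of a token, summed over positions.

    Positions are treated as independent, so structured tokens (a counter,
    a timestamp) are overestimated; this is a screening number, not a
    proof of randomness.
    """
    return sum(position_entropy(tokens))


def max_measurable_bits(sample_size, width):
    """With n samples a position can never show more than log2(n) bits, so a
    small sample understates good tokens: the reason Sequencer wants a large
    capture before it reports anything."""
    return width * math.log2(sample_size)


def counter_tokens(count):
    """Constructed weak tokens: a zero-padded counter."""
    return ["%08d" % i for i in range(1, count + 1)]


def random_hex_tokens(count, seed=1):
    """Constructed strong-looking tokens: 32-bit random values as hex.
    A fixed seed keeps the sample reproducible; this is not a CSPRNG."""
    rng = random.Random(seed)
    return ["%08x" % rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in (("counter", counter_tokens(200)),
                         ("random", random_hex_tokens(200))):
        print(name, round(effective_bits(sample), 1), "bits; sample can show at most",
              round(max_measurable_bits(len(sample), 8), 1))
```

With 200 tokens the counter scores under 10 bits (the first five positions never change) while the random sample scores close to the 32 bits it actually carries. Drop the sample to 8 tokens and even the random sample cannot show more than 3 bits per position, which is the underestimation the text warns about.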
Decoder: this tool encodes and decodes data in numerous formats: HTML, URL, Base64, ASCII hex, hex, octal, binary and gzip, and you can chain several transformations to peel back layered encodings. It also has hashing functionality for MD2, MD5, SHA, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.
Comparer: if you want to compare two responses (or two requests), this tool highlights the differences between them word by word or byte by byte, which is handy for spotting what changed between a valid and an invalid login, or between two user IDs.
Extender: using this tool you can load extensions that add functionality to Burp, either from the BApp Store or ones you have written yourself in Java, Python (via Jython) or Ruby (via JRuby).
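As an added example (not code from the original post or from PortSwigger), here is a minimal Python extension against Burp's legacy Extender API, the one Jython extensions use. It registers an HTTP listener and highlights proxied responses that lack a few common security headers. The header list, the extension name and the highlight colour are our own choices; the interface and callback names (IBurpExtender, IHttpListener, registerExtenderCallbacks, processHttpMessage, analyzeResponse) are the real ones.

```python
# -*- coding: utf-8 -*-
"""A minimal Burp extension written against the legacy Extender API (Jython).

Added example (not from the original post or from PortSwigger). It flags
proxied responses that lack common security headers by highlighting them in
Proxy history. The header list and the extension name are our choice. Load
it via Extender > Extensions > Add with type Python (the Jython standalone
JAR must be configured in Extender > Options).
"""
from __future__ import print_function

try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Outside Burp (for instance when unit-testing the header check) the
    # interfaces do not exist, so substitute plain base classes.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Headers we expect on every response; absence is worth a look, not an
# automatic finding.
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
)


def missing_security_headers(header_lines):
    """Return the REQUIRED_HEADERS absent from a list of raw header lines.

    The first line of a response's headers is the status line and has no
    colon, so it is skipped; header names are compared case-insensitively.
    """
    present = set()
    for line in header_lines:
        if ":" in line:
            present.add(line.split(":", 1)[0].strip().lower())
    return [h for h in REQUIRED_HEADERS if h not in present]


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)
        callbacks.printOutput("Header check loaded")

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Only look at responses, and only those that came through the Proxy.
        if messageIsRequest or toolFlag != self._callbacks.TOOL_PROXY:
            return
        response = messageInfo.getResponse()
        if response is None:
            return
        info = self._helpers.analyzeResponse(response)
        missing = missing_security_headers(list(info.getHeaders()))
        if missing:
            messageInfo.setHighlight("yellow")
            messageInfo.setComment("missing: " + ", ".join(missing))
```

The header check is kept in a plain function so it can be tested outside Burp. Note that the newer Montoya extension API is Java only; Python extensions still go through this legacy API.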
Clickbandit: Burp even has a tool for clickjacking attacks. It records the clicks you make on the target page and generates a proof-of-concept HTML page that reproduces them over the framed target, so you can show whether the site's frame-busting or X-Frame-Options / CSP frame-ancestors protection actually works.
Well, so here we are done with the main components of Burp Suite and its introduction. But Burp has numerous other features too, which we will share with you some other time. Meanwhile, keep showering us with your love.