What is BurpSuite?
When it comes to the field of securing web applications, BurpSuite arises shiningly. PortSwigger Security is the responsible company of producing BurpSuite developed in Java programming language. In fact, there are two versions of this important security tool:
- A free version which is up for any free downloads online. It is named as the Free Edition.
- And there is the other version which is of course not free and referred to as the Professional Edition. It is usually purchased after having a period of the free trial.
The purpose of BurpSuite was to have a complete web application solution for the entire checking and solution process related to the web application. One of the most interesting issues about BurpSuite is that a mobile application was developed having the same tools as the desktop versions to be utilized on new IOS versions.
What are the tools that BurpSuite offers?
Let’s now have a look at the tools which BurpSuite provides its users with. Actually, there are several tools offered by Burp Suite. They facilitate the penetration testing to establish the security of a web application.
- It could work as an HTTP proxy: A web proxy server is offered by BurpSuite, This is in order to get the man-in-the-middle attack performed between a client using his/her own browser and a web server at the other end of the connection. Following this, any raw traffic running between the two ends could then be simply inspected and modified afterward.
- It offers a great Scanner. A scanner which scans for the web application’s vulnerabilities is also offered by BurpSuite. It has the capability to make such scans automated for finding such vulnerabilities. This is considered as a very important aspect regarding web application’s penetration testing and security.
- Intruder – The importance of such a tool lies in the fact that it has the ability to launch attacks on a vulnerable web application. There are in fact several methods to perform such attacks through the Intruder tool. They include SQL Injections, Cross Site Scripting, parameter manipulation and vulnerabilities susceptible brute-force attacks. Such tool searches for such attackable vulnerabilities and whenever detected, then the attack is up for the launching. A configurable algorithm is provided to this tool’s user in order to get HTTP requests generated then.
- Spider – If it is manual mapping that is to be used, such tool makes it easy and really fast for its user to map the content of an application with its functionalities. A web application can be crawled by this tool in fact.
- Repeater – A user can get an application tested by such tool. To elaborate, the methodology to do such testing is that the server gets a modified request from the tool, then another request reaches the application. The results are observed thereby to understand the behavior.
- Decoder – Such tool is very interesting especially when it comes to encoded data. It has the ability to recognize and detect different types of formats used for the encoding purposes, depending on some exciting techniques. Encoded data can get back to its canonical format in this manner. This could happen the other way around such that raw data gets transformed into forms that are hashed and encoded.
- Comparer – Such tool has the ability to compare between two pieces of data and detect any differences between both of them.
- Extender – The interesting point about this tool is that it allows for the Burp Suite to get utilized by a third-party code or security testers afterward. This way, extensions of Burp Suite can get loaded for more security functionalities.
- Sequencer – Such tool helps with the process of getting the quality of randomness analyzed and measured inside a sample of data items. In this way, session tokens or other data which is to be secured and not able to get precited becomes predicted on the other hand.
Examples of such vital tokens are anti-CSRF tokens, password reset tokens, and
others. They are definitely set to never get detected and discovered.
Let’s now get started with Burp Suite
How to launch BurpSuite?
- It is important to note that the software is written in Java programming language. The extension in which such software is an extension of .jar which is, in fact, a standalone Java extension.
- Browse the website of PortSwigger.net and get the free edition downloaded from there.
- In case you are however a professional user, you should then get logged in with your credentials and get the Professional Edition downloaded now.
- For the jar file to work, a Java environment is required, which is at the end of the day a replacement of the necessity for any contents of such file to get unpacked.
- Make sure that Java is installed before beginning to use Burp Suite.
- Get the command prompt opened using different methods according to your operating system:
- If you are a Windows user, then the start button should be pressed on then “cmd” should be typed into the search box. Then the program should be clicked on to get open now.
- If you happen to be a user of Mac OS X, then you should press “Applications” which is in fact inside the system dock. Now, click on “Utilities” from which “Terminal app” should be chosen.
- However, if you are a user of Linux system, then the “Console” or the “Shell” should be chosen under the lists of applications.
- Inside the command prompt, you just opened, type the following command now “java –version”
- In case that Java is already installed on the machine which is used, then the message which is to appear is the following message: “java version “1.6.0_21”. It is important to note that the needed version of Java is at least 1.6
- Now, the .jar file of Burp can be clicked on in order to open the Burp file directly. However, launching Burp using the command line grants whoever doing so with the privilege of much controls and several utilities upon execution. Such controls are for example like specifying how much memory should be dedicated for the sake of running Burp Suite on the machine.
- Let’s try the following command for instance:
java -jar -Xmx1024m /path/to/burp.jar
This command will accordingly specify an amount of 1024 Mbs for Burp while the Burp file is located in /path/to/burp.jar
- Now, a splash screen should get displayed at the moment to indicate that it works perfectly.
Let’s get to select a project
There are actually three categories to choose between when it comes to opening a project or creating a new one:
- Temporary Project: If there is no necessity to get the data saved and used afterward, then this category works the best. All data is however saved on the volatile memory.
- New Project on Desk: For this option, a Burp project fie is required. A new project is created consequently and a name should be given to such a project.
- Open existing project:
This simply allows for opening an existing project. However, the tools of Spider and
Scanners are by default paused at such moment.