CSbyGB - Pentips
Burpsuite


Last updated 1 year ago

Burp Suite is a web proxy tool that facilitates web application pentests. It comes in a community free version or a paid pro version. It has features and extensions that allow you to customize it. These notes are made from my notes of Agarri's training (which I highly recommend if you have the opportunity) and notes from my own practice.

Use your own projects settings (burp Pro only)

  • Launch burp

  • Create a new project and choose "New Project on disk"

  • Click Next and then select "Load from configuration file"

  • Choose your json file and click open

  • Check the box "Default to the above in future" (if you need this configuration for your other projects)

  • And then click start

Use your own users settings

Regex

Note: Burp uses Java regex. Regular expressions are really convenient for Burp customizations; you can use regex101 to familiarize yourself with regex.

Tips and tricks

Change body encoding

  • You can change the body encoding, for example to turn a form into a multipart form. Just right-click on the request and select "Change Body Encoding".

Choose dedicated RAM amount

  • You can set this in BurpSuitePro.vmoptions:

# Enter one VM parameter per line
# For example, to adjust the maximum memory usage to 512 MB, uncomment the following line:
# -Xmx512m
# To include another file, uncomment the following line:
# -include-options [path to other .vmoption file]

-XX:MaxRAMPercentage=50
-include-options user.vmoptions

Disable Web interface

To be stealthier, you can disable the web interface (http://burp).

Show help

When you click on ?, you get the help dedicated to the feature you are currently using. This also works when you are not connected to the internet.

Rename tab

  • You can rename your tabs. For example in Repeater, just double-click on a tab to rename it.

  • You can group tabs together

Useful key shortcuts

Some of these have to be set up first; you can then export your settings as a JSON file and keep it.

  • Switch between top-level tabs Ctrl Shift (D|T|P|I|R|L|E)

  • Send to a tool, then switch to its tab Ctrl (R|I) then Ctrl Shift (R|I) (Here R is for repeater and I for intruder)

  • Cycle through 2nd-level tabs Ctrl Equals and Ctrl Right_Parenthesis

  • Close (and re-open) 2nd-level tabs Ctrl [Shift] W

  • URL encoding Ctrl [Shift] U

  • HTML encoding Ctrl [Shift] H

  • Base64 encoding Ctrl [Shift] B

  • Close pop-up Alt F4

  • Colorize (with the last color used) Ctrl K

  • Add a comment Ctrl Shift K

  • Copy request as URL Ctrl Shift C

  • Paste URL as request Ctrl Shift V

  • Cut | Copy | Paste Ctrl (X|C|V)

  • Undo | Redo Ctrl (Z|Y)

  • Select all Ctrl A

  • Search among 2nd-level tabs Ctrl Shift S (Repeater, Intruder and Collaborator)

  • Jump to the search field Ctrl Tab

  • Search for the highlighted text Ctrl S

  • Go to the (previous|next) match Ctrl (Left|Right)

  • Go to top [and extend selection] Ctrl [Shift] Home

  • Go to bottom [and extend selection] Ctrl [Shift] End

Repeater

  • Issue request Ctrl G

  • Paste URL as request Ctrl Shift V

  • Use the history Ctrl Shift (Left|Right)

Intruder

  • Start attack Ctrl Space

  • Add payload position marker Ctrl M

  • Clear all markers Ctrl Shift M

Scanner

  • Open scan launcher Ctrl Shift Space

  • Open launcher with selected insertion point Ctrl Shift Enter

Collaborator

  • Switch to Collaborator Ctrl Shift O

  • Insert unique Collaborator payload Ctrl O

Proxy Interception

  • Switch interception status Ctrl T

  • Drop message Ctrl D

  • Forward message Ctrl F

  • Forward request + intercept response Ctrl Shift F

Color lines

You can color a line in the history by clicking on its id and choosing a color.

Match and replace rules

Possible use cases

  • Make authentication easier

  • Write XSS instead of the actual payload

  • Disable CSP reporting (useful for bug bounties)

304 NOT MODIFIED

  • You can enable these rules in Match and replace to avoid 304 NOT MODIFIED responses.

Fallback to XHR

"When initializing a WebSocket connection [...] the server will respond with a HTTP/1.1 101 header. Using Burp, you can use a match and replace rule in the proxy settings to change the response to a HTTP 500. This will trick the client into believing that the WebSocket connection is not supported and force it to fall back to XHR."

Sean de Regge quoted by Agarri_fr
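The three use cases above (avoiding 304 Not Modified, disabling CSP reporting, forcing the XHR fallback) expressed as match-and-replace rules and applied to constructed messages. This is an added example, not code from the original page or from Burp; it assumes the 304 rules are the ones stripping the If-Modified-Since and If-None-Match request headers, and the patterns are simple enough to behave the same in Java regex, which Burp's own rules use.

```python
import re

# (scope, pattern, replacement) in the spirit of Burp's match-and-replace rules.
RULES = [
    # Strip cache validators so the server cannot answer 304 Not Modified.
    ("request_header", r"^If-(?:Modified-Since|None-Match):[^\r\n]*(?:\r?\n|\Z)", ""),
    # Drop the report-only CSP header entirely.
    ("response_header", r"^Content-Security-Policy-Report-Only:[^\r\n]*(?:\r?\n|\Z)", ""),
    # Remove report-uri / report-to directives from the enforced CSP.
    ("response_header", r";\s*report-(?:uri|to)[^;\r\n]*", ""),
    # Turn the WebSocket handshake into a 500 so the client falls back to XHR.
    ("response_header", r"^HTTP/1\.1 101 [^\r\n]*", "HTTP/1.1 500 Internal Server Error"),
]


def apply_rules(message: str, scope: str) -> str:
    """Apply every rule of the given scope to the header block of a message."""
    head, sep, body = message.partition("\r\n\r\n")
    for rule_scope, pattern, repl in RULES:
        if rule_scope == scope:
            head = re.sub(pattern, repl, head, flags=re.MULTILINE)
    return head + sep + body


# Constructed sample messages (not captured traffic).
REQUEST = (
    "GET /app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    'If-None-Match: "abc123"\r\n'
    "If-Modified-Since: Tue, 01 Jan 2030 00:00:00 GMT\r\n"
    "Cookie: session=xyz\r\n"
    "\r\n"
)
WS_HANDSHAKE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "\r\n"
)
PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; report-uri /csp-report\r\n"
    "Content-Security-Policy-Report-Only: script-src 'none'; report-to csp\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(apply_rules(REQUEST, "request_header"))
    print(apply_rules(WS_HANDSHAKE, "response_header"))
    print(apply_rules(PAGE, "response_header"))
```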

Export

We can export just the Repeater part of a Burp project.

Burp wordlist

Burp's built-in wordlists contain placeholders like {base}. You have to go to payload processing and choose the value for the placeholder.

Burp authentication failures

If the application you are testing uses platform authentication (which normally shows as a popup login dialog within your browser), and you get authentication failure messages when your browser is configured to use Burp, then you need to configure Burp to handle the platform authentication instead of your browser. Go to the User options > Connections tab, and the Platform Authentication section. Add a new entry for each hostname used by your application, configuring the authentication type and your credentials. If you aren't sure of the authentication type, then first try NTLMv2, then NTLMv1, and then the other types. You may need to close all browser windows and open a new browser window, to prevent any browser caching from interfering with the authentication process. Check that you are not overriding these settings in the Project options > Connections tab.

Check out the article on NTLM authentication in Burp that explains how to set this up.

Auth failure because of TLS certificate not trusted

If you get this error, you might need to set up OWASP ZAP as an upstream proxy. Check out the article on Nettitude Labs to set it up.

Burp confidence Level explained

  • Certain: The issue is definitely present.

  • Firm: The issue is probably present, but this could be a false positive.

  • Tentative: The issue is potentially present but there is a high chance that this could be a false positive.

Tool to optimize burp scan

Burp Suite Pro scan profiles is a tool to optimize your Burp scans and make them focus on specific vulnerabilities.

Discover Content

Go to Target -> Site map -> Right Click on target -> Engagement tools -> Discover content

It can be useful and less time consuming to select a specific endpoint and the root of the server.

Add the settings you wish (make sure that the option "Add discovered content to suite site map" is checked) and then click on "Session is not running" to start it.

More infos on discover content

  • Burpsuite - Lisandre: scroll straight to "Spider / Discover Content (hidden pages or directories)"

  • How good is Burp's API Scanning? - Chandrapal Badshah

Tips on specific attacks

Brute force Basic Authorization token

Basic Authorization tokens contain user:password encoded in base64. To brute-force such a token:

  1. Take a request with an auth token and send it to Intruder

  2. Decode the token from base64

  3. Add it as a variable (payload position)

  4. Go to the payload tab. You can choose brute forcer, simple list or whichever payload type you prefer to generate the passwords

  5. The most important thing is to first add a prefix (the user: part) through payload processing rules

  6. Then add another rule to encode the payload in base64

  7. Remove the = sign from the payload encoding settings, so the base64 padding is not URL-encoded

  8. Start the attack
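The defender's side of the procedure above: tokens built this way arrive with their base64 padding stripped, which a naive decoder rejects. This added example (not code from the original page) decodes such Authorization values with the padding restored and counts, per client and user, how many distinct passwords were rejected with a 401; the log format and the log lines are constructed for the example.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' value into (user, password).

    Padding is restored first: base64.b64decode raises on tokens whose '='
    was removed, which is exactly what step 7 above produces.
    """
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/]+)=*", value.strip())
    if not m:
        return None
    token = m.group(1)
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return user, password


def guess_bursts(lines: Iterable[str], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Return {(client, user): distinct rejected passwords} at or above threshold."""
    seen = defaultdict(set)
    for line in lines:
        client, status, auth = line.split(" ", 2)
        creds = decode_basic(auth)
        if creds and status == "401":
            seen[(client, creds[0])].add(creds[1])
    return {key: len(pw) for key, pw in seen.items() if len(pw) >= threshold}


def _stripped_token(credentials: str) -> str:
    """Build a constructed sample token: base64 with the '=' padding removed."""
    return base64.b64encode(credentials.encode()).decode().rstrip("=")


# Constructed log lines in a hypothetical "client status authorization" format.
LOG_LINES = [
    f"10.0.0.5 401 Basic {_stripped_token('admin:password')}",
    f"10.0.0.5 401 Basic {_stripped_token('admin:letmein')}",
    f"10.0.0.5 401 Basic {_stripped_token('admin:123456')}",
    f"10.0.0.5 401 Basic {_stripped_token('admin:qwerty')}",
    f"10.0.0.9 200 Basic {_stripped_token('bob:hunter2')}",  # legitimate login
]

if __name__ == "__main__":
    print(guess_bursts(LOG_LINES))  # {('10.0.0.5', 'admin'): 4}
```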

Extensions

wsdler

If we find a WSDL file we can parse it: right click (in the request) > wsdler > parse wsdl

Jwteditor

  • works like jwt.io

Logger++

  • Very convenient for API search

  • Grep Values

Hackvertor

  • Replacement for the built-in Decoder

  • You can set variables to save time

  • You can chain multiple conversions using XML-like tags

Use variables

  • Creation

<@set_varname(false|true)>foobar<@/set_varname>

If the parameter is set to true, then the variable is global.

  • Usage

<@get_varname/>

Request minimizer

Very useful for reports and for CSRF. It removes everything from the request that does not alter the response.

Paramalyzer

Very convenient for big scopes. You will get a list of parameters.

Auth Analyzer

  • One of my personal favorites :D

  • You set up a basic user for the extension

  • You connect with an admin user (this way you can access more things)

  • You browse

  • The extension browses in parallel as the other users and checks whether they can access everything you look at

  • It sets variables, and you can also use a variable for a CSRF token; this way you can check whether the token actually prevents CSRF

  • It can also be useful to add a non-authenticated user: you just need to add a fake cookie like this

  • As the browsing is done in parallel, it is perfect to avoid generating too much traffic.

  • In the end we get results as below and we can compare which user can access what.

The original tab is the one with the traffic I generated and the others are for the other users.

Other useful burp Extensions

  • SAML Raider

  • Retire.js

  • Backslash Powered Scanner

  • JSON Web Token Attacker

  • Autorize

  • Scan manual Insertion point

Resources

Blogs and references

  • Tips and tricks for Burp Suite Pro - Agarri

  • Detecting and annoying Burp users by J. Voisin

Practice

  • Web Security Academy: Free Online Training from PortSwigger

Wordlists

  • Assetnote Wordlists
