Burpsuite

Burp Suite is a web proxy tool that can be used to facilitate web Application pentest. It comes in a community free version or a paid pro version. It has features and extensions that allow you to customize it. This course is made from my notes of Agarri's training (that I highly recommend if you have the opportunity) and notes from my practice.

Use your own projects settings (burp Pro only)

• Launch burp

• Create a new project and choose "New Project on disk"

New Project on disk

• Click Next and then select "Load from configuration file"

• Choose your json file and click open

project settings

• Check the box "Default to the above in future" (if you need this configuration for your other projects)

Default for projects

• And then click start

Use your own users settings

Regex

Regular expression are really convenient for burp customizations You can use regex101 to familiarize yourself with regex.

Note: Burp uses Java regex.

Tips and tricks

Change body encoding

• Possible to change the body encoder if you want to change a form to multipart. You just need to right clicj on the request and select "Change Body Encoding"

Change body encoding

Choose dedicated RAM amount

• You can do this in BurpSuitePro.vmoptions

# Enter one VM parameter per line
# For example, to adjust the maximum memory usage to 512 MB, uncomment the following line:
# -Xmx512m
# To include another file, uncomment the following line:
# -include-options [path to other .vmoption file]

-XX:MaxRAMPercentage=50
-include-options user.vmoptions

Disable Web interface

To be stealthier, you can disable the web interface (http://burp).

Show help

When you click on ? you can get the help dedicated to the feature you are currently using. This is also available if you are not connected to internet.

Rename tab

• You can reaname your tabs. For example in the repeater, you just have to double click on it and you can rename it like this.

Renamed tab

• You can group tabs together

Group tabs

Useful key shortcuts

Some of these have to be set up, you can then keep a json file with your settings and export it.

• Switch between top-level tabs Ctrl Shift (D|T|P|I|R|L|E)

• Send to a tool, then switch to its tab Ctrl (R|I) then Ctrl Shift (R|I) (Here R is for repeater and I for intruder)

• Cycle through 2nd-level tabs Ctrl Equals and Ctrl Right_Parenthesis

• Close (and re-open) 2nd-level tabs Ctrl [Shift] W

• URL encoding Ctrl [Shift] U

• HTML encoding Ctrl [Shift] H

• Base64 encoding Ctrl [Shift] B

• Close pop-up Alt F4

• Colorize (with the last color used) Ctrl K

• Add a comment Ctrl Shift K

• Copy request as URL Ctrl Shift C

• Paste URL as request Ctrl Shift V

• Cut | Copy | Paste Ctrl (X|C|V)

• Undo | Redo Ctrl (Z|Y)

• Select all Ctrl A

• Search among 2nd-level tabs Ctrl Shift S (Repeater, Intruder and Collaborator)

• Jump to the search field Ctrl Tab

• Search for the highlighted text Ctrl S

• Go to the (previous|next) match Ctrl (Left|Right)

• Go to top [and extend selection] Ctrl [Shift] Home

• Go to bottom [and extend selection] Ctrl [Shift] End

Repeater

• Issue request Ctrl G

• Paste URL as request Ctrl Shift V

• Use the history Ctrl Shift (Left|Right)

Intruder

• Start attack Ctrl Space

• Add payload position marker Ctrl M

• Clear all markers Ctrl Shift M

Scanner

• Open scan launcher Ctrl Shift Space

• Open launcher with selected insertion point Ctrl Shift Enter

Collaborator

• Switch to Collaborator Ctrl Shift O

• Insert unique Collaborator payload Ctrl O

Proxy Interception

• Switch interception status Ctrl T

• Drop message Ctrl D

• Forward message Ctrl F

• Forward request + intercept response Ctrl Shift F

Color lines

You can color line in the history just by clicking on the id and choosing which color

Match and replace rules

Possible use cases

• Make authentication easier

• Write XSS instead of the actual payload

• Disable CSP reporting (useful for bug bounties)

Disable CSP reporting

304 NOT MODIFIED

• You can check these in match replace rules to avoid 304 NOT MODIFIED

Match replace

Fallback to XHR

"When initializing a WebSocket connection [...] the server will respond with a HTTP/1.1 101 header. Using Burp, you can use a match and replace rule in the proxy settings to change the response to a HTTP 500. This will trick the client into believing that the WebSocket connection is not supported and force it to fall back to XHR."

Sean de Regge quoted by Agarri_fr

Export

We can export just the repeater part of a burp project

Burp wordlist

In Burp's wordlist de burp there are placeholders like this {base} We have to change in payload processing and choose the value for the placeholder.

Burp authentication failures

If the application you are testing uses platform authentication (which normally shows as a popup login dialog within your browser), and you get authentication failure messages when your browser is configured to use Burp, then you need to configure Burp to handle the platform authentication instead of your browser. Go to the User options > Connections tab, and the Platform Authentication section. Add a new entry for each hostname used by your application, configuring the authentication type and your credentials. If you aren't sure of the authentication type, then first try NTLMv2, then NTLMv1, and then the other types. You may need to close all browser windows and open a new browser window, to prevent any browser caching from interfering with the authentication process. Check that you are not overriding these settings in the Project options > Connections tab.

Source

Check out this article that explains how to set up ntlm authentication on burp

Auth failure because of TLS certificate not trusted

• If you get this error
• You might need to set up owasp zap as upstream proxy. Check out this article on nettitude labs to set it up.

Burp confidence Level explained

• Certain: The issue is definitely present.

• Firm: The issue is probably present, but this could be a false positive.

• Tentative: The issue is potentially present but there is a high chance that this could be a false positive.

• Source

Tool to optimize burp scan

• Burp suite pro scan profiles is a tool to optimize your burp scan and make them focus on specific vulnerabilities

Discover Content

Go to Target -> Site map -> Right Click on target -> Engagement tools -> Discover content

It can be useful and less time consuming to select a specific endpoint and the root of the server.

Discover content

Add the settings you wish (Make sure that this option is checked "Add discovered content to suite site map" ) and then click on "Session is not running".

More infos on discover content

• Burpsuite - Lisandre: scroll straight to "Spider / Discover Content (hidden pages or directories)"
• How good is Burp’s API Scanning? - Chandrapal Badshah

Tips on specific attacks

Brute force Basic Authorization token

Basic Authorization tokens are based on token containing a user:password encoded in base64. To make a bruteforce attack on this token:

1. Take a request with an auth token and send it to the intruder

   

   Send to intruder
2. Decode the token from base64

   

   Decode base64
3. Add it as a variable

   

   Add variable
4. Go to the payload tab. You can choose brute forcer or simple list or whichever you prefer to generate the password

   

   Payload type
5. The most important thing is to first add a prefix through payload processing rules

   

   Prefix
6. And then add another rule to encode the payload in base64

   

   Encode
7. Remove the = signe in the payload encoding

   

   Remove =
8. Start the attack

Source: whitelist1.com

Extensions

wsdler

If we have find a wsdl file we can parse it: right click (in the request) > wsdler > parse wsdl

Jwteditor

• works like jwt.io

Logger++

• Very convenient for API search

• Grep Values

Hackvertor

• Replacement of the built-in Decoder

• You can set variable to gain time

• You can accumulate multiple conversions using xml-like tags

Use variables

• Creation

<@set_varname(false|true)>foobar<@/set_varname>

If the parameter is set to true , then the variable is global

• Usage

<@get_varname/>

Request minimizer

Very useful for a report and CSRF. It is going to remove everything that does not alter the response

Paramalyzer

Very convenient for big scopes. You will get a lits of parameters

Paramalyzer

Auth Analyzer

• One of my personal favorites :D

• You set up a basic user for the extension

• You connect with an admin user (this way you can access more things)

• You browse

• The extension will parallel browse and check if it can access everything you look at

• It sets variables and you can also use a var for a csrf token this way you can check if it actually prevents csrf

Variables

• It can also be useful to add a non authenticated user you just need to add a fake cookie like this

fake cookie

• As the browing is done in parallel it is perfect to avoid generating too much traffic.

• In the end we get results as below and we can compare which user can access what.

results

The original tab is the one with the traffic I generated and the others are for the other users

Other useful burp Extensions

• SAML Raider
• Retire.js
• Backslash Powered Scanner
• JSON Web Token Attacker
• Autorize
• Scan manual Insertion point

Resources

Blogs and references

Tips and tricks for Burp Suite Pro - Agarri

Detecting and annoying Burp users

Detecting and annoying Burp users by J. Voisin

Practice

Web Security Academy: Free Online Training from PortSwiggerWebSecAcademy

Web Security Academy - Portswiger

Wordlists

Assetnote Wordlists

Assetnote Wordlists