Day 026 #FromZeroToHacker – Burp Suite Basics

Burp Suite is the industry standard tool for web application hacking and is essential in any web penetration test.

Time to learn all we can do in today’s #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to Burp Suite

Developed by PortSwigger, Burp Suite is a set of tools used for penetration testing of web applications. It is not just A set of tools but THE set of tools used for and against hacking.

What is Burp Suite?

Burp Suite is a framework that provides a one-stop shop for web application penetration testing. Today, it is the industry standard tool for hands-on web app security assessments. It is also commonly used when assessing mobile apps, as it can test the APIs (Application Programming Interfaces) that power most apps.

The core of the framework is capturing and manipulating all the traffic between an attacker and a web server. Instead of letting requests go straight from the user to the server, it captures them and lets us manipulate them first.

Burp Suite

You can download the Burp Suite Community version for free at their website. It is available for Linux, Windows and macOS.

Features of Burp Suite Community version

While the free Burp Suite Community version is limited, we still have many great tools available, such as:

  • Proxy: The main feature of Burp Suite that allows us to intercept and modify requests and responses.
  • Repeater: The second most well-known Burp feature allows us to capture, modify, and then resend the same requests numerous times. This works especially well when we need to create a payload through trial and error (for example, during an SQLi attack).
  • Intruder: Intruder allows us to spray an endpoint with requests; an attack often used to brute-force our way in, or to fuzz endpoints.
  • Decoder: Decoder lets us transform data (encoding and/or decoding captured information).
  • Comparer: As the name says, Comparer allows us to compare two pieces of data at word or byte level.
  • Sequencer: Used to assess the randomness of tokens such as session cookie values.

These are not the only tools we have: Extensions can be written in Python, Java or Ruby to enhance our experience by adding new tools to our personal Burp Suite installation.

The Dashboard

When we open Burp Suite, we are met with a pop-up window asking us to select the project type:

Burp Suite project

After clicking ‘Next’ and ‘Start burp’, if it is our first time opening Burp Suite, we’ll be presented with a set of training options. We will close it, but you can always (and it is recommended to!) read their Getting Started with Burp Suite tutorials.

After closing the window, we’ll get the Burp Dashboard (it may seem like a lot, but don’t worry):

![[day_026_dashboard.png]]

We can easily see four parts or windows of roughly the same size. We will review them from left to right, and from top to bottom.

  1. The Tasks window allows us to define background tasks that Burp Suite will run while we use the application. The default is set to “Live Passive Crawl” (which logs the pages we visit).
  2. The Event log tells us what Burp Suite is doing right now, as well as information about any connections we can make with Burp (warnings, error messages, etc.).
  3. The Issue activity section is only for the Burp Pro version, and it lists all the vulnerabilities found by the automated scanner, ranked by severity.
  4. The Advisory section gives us information about the vulnerabilities found. These can be exported into a report.

Navigation

Navigating around the Burp Suite GUI is done by using the tabs in the top menu bar:

![[day_026_navigation.png]]

Navigation tabs

These allow us to navigate between modules and sub-tabs.

We can also detach modules from the Burp Suite application if we want to view multiple tabs at the same time. Just click the Window menu, then choose to Detach any tab:

Detach sections from Burp Suite

Options

At the end of the Navigation menu, we have a cog icon: This opens our Settings.

We have two options: Global (or User) Settings (which apply to the whole of Burp Suite every time we open the application) and Project Settings (which only apply to the current project).

Burp Suite settings

Introduction to Burp Proxy

The Burp Proxy is the most fundamental of the tools in Burp Suite. It allows us to capture requests and responses between ourselves and our target. These can be manipulated or sent to other tools for further processing.

For example, if we make a request to https://www.website.com through the Burp Proxy, our request will be captured and won’t be allowed to continue until we manually allow it. We can do the same with the response from a server.

This gives us complete control over our web traffic.

Burp suite proxy example

Let’s intercept a request with Burp Suite proxy!

First, we open the Proxy tab, and the Intercept submenu:

Burp Suite Intercept settings

Click on the Intercept is off option to turn it on, then click on the orange button to Open our browser. Open any website. Instead of opening the website, Burp Suite stops the normal flow and displays this screen:

Intercepting

Here is the RAW version of the content sent. We can see that we have a few request headers, cookies and even attributes. The request is pending until we either choose to forward it or drop it. We can also send the request to other tools or modules.
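To make the parts of that raw view concrete, here is an added example (not from the original post and not Burp's own code) that splits a raw HTTP request into request line, headers, cookies and query parameters. The sample request and the `parse_raw_request` helper are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what the Intercept tab shows (not captured from a real site).
RAW_REQUEST = (
    "GET /search?q=burp&page=2 HTTP/1.1\r\n"
    "Host: www.website.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into the parts visible in the Intercept view."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive, so normalise them for lookups.
        headers[name.strip().lower()] = value.strip()

    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "version": version,
        "query": parse_qs(url.query),      # URL parameters, one list per name
        "headers": headers,
        "cookies": {name: morsel.value for name, morsel in cookies.items()},
        "body": body,
    }

if __name__ == "__main__":
    for key, value in parse_raw_request(RAW_REQUEST).items():
        print(f"{key}: {value}")
```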

Even when Intercept is off, Burp will list all the URLs visited in the HTTP history section.

HTTP History

Connecting through the Proxy (FoxyProxy)

We could use the embedded browser to capture our requests, but we can also configure our web browser of choice to proxy our traffic through Burp.

We can do this with, for example, a Firefox browser extension called FoxyProxy.

To install it, we can download FoxyProxy Basic here. Once installed, a button should appear at the top right of the screen:

Foxyproxy

Click the Options, then Add to add a configuration:

  • Title: Burp (or whatever you want)
  • Proxy IP: 127.0.0.1 (to redirect all of our browser traffic through this)
  • Port: 8080

FoxyProxy configuration

Click Save and you will have this new configuration available:

Foxy Proxy profiles

Select Burp and make sure that Intercept is on. Now it will work as it did before when we used the embedded browser.

Proxying HTTPS

Nice, we have set up our FoxyProxy to work with Burp Suite in Firefox (or the browser of your preference), time to intercept HTTP traffic and l- What?

Preventing firefox from safely connecting

Any website that uses TLS (most of them) gives us that error, as Firefox does not yet trust the PortSwigger Certificate Authority (CA) to secure the connection.

We need to get Firefox to trust the connections we make with PortSwigger certs, so we need to manually add the CA to our list of trusted certificate authorities.

First, with the proxy activated, go to http://burp/cert. This will download a file called cacert.der.

Then, type about:preferences into the Firefox search bar and press enter. On the certificates section, click on View Certificates.

Certificates

Press Import and select the file we just downloaded. In the menu that pops up, select Trust this CA to identify websites, then Ok.

Trust

We are free to visit any website that has TLS enabled!

The Burp Suite browser

If we don’t want to configure a browser to use Burp Suite, we have the option to use a built-in Chromium browser, already pre-configured to use the proxy without any modifications.

This may seem easier but is not the default option as people tend to stick to their own browser, as it has more customization options. Despite that, both options are equally valid.

Burp Suite browser

Scoping and targeting

Let’s be frank: It gets extremely tedious having Burp capture all of our traffic. It logs everything: JavaScript files, images, but also cookies, API calls, and more. This pollutes our logs with rubbish we shouldn’t pay attention to.

The solution for that is Scoping.

Setting a Scope in a project allows us to define what gets proxied and logged, and more importantly, what does not. Restricting Burp Suite to only target the web application is easy to do.

Go to the Target tab, right-click the target from our list, and then choose Add to Scope. Click Yes to stop logging anything that isn’t in that scope.

Burp Suite Scoping
Burp suite log

This may disable logging for out-of-scope traffic, but the proxy still intercepts everything. To turn this off, we need to go into the Proxy Options subtab and select And URL is in target scope from the Intercept Client Requests section.

Burp Suite Intercept client requests
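The effect of a scope on the proxy history can be modelled in a few lines. This is an added example, not code from the original post or from Burp; the rule layout (protocol, host pattern, port, path pattern) and all hosts and URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical scope rules (constructed hosts/paths). Exclude wins over include.
SCOPE = {
    "include": [{"protocol": "https", "host": r"^www\.website\.com$",
                 "port": 443, "file": r"^/.*"}],
    "exclude": [{"protocol": "https", "host": r"^www\.website\.com$",
                 "port": 443, "file": r"^/logout"}],
}

# Constructed proxy history: the target plus the noise a browser generates.
HISTORY = [
    "https://www.website.com/login",
    "https://www.website.com/logout",
    "https://cdn.thirdparty.example/lib.js",
    "http://www.website.com/login",
    "https://www.website.com.lookalike.example/login",
]

DEFAULT_PORTS = {"http": 80, "https": 443}

def rule_matches(rule: dict, url: str) -> bool:
    """True when protocol, port, host and path of `url` all match one rule."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (
        parts.scheme == rule["protocol"]
        and port == rule["port"]
        and re.search(rule["host"], parts.hostname or "") is not None
        and re.search(rule["file"], parts.path or "/") is not None
    )

def in_scope(url: str, scope: dict = SCOPE) -> bool:
    """A URL is in scope if an include rule matches and no exclude rule does."""
    if any(rule_matches(rule, url) for rule in scope["exclude"]):
        return False
    return any(rule_matches(rule, url) for rule in scope["include"])

def split_history(urls: list, scope: dict = SCOPE) -> tuple:
    """Return (logged, dropped) the way a scoped project would treat `urls`."""
    logged = [u for u in urls if in_scope(u, scope)]
    return logged, [u for u in urls if u not in logged]

if __name__ == "__main__":
    logged, dropped = split_history(HISTORY)
    print("logged: ", logged)
    print("dropped:", dropped)
```

The last history entry is dropped only because the host pattern is anchored with `^` and `$`; an unanchored `website\.com` would pull the lookalike host into scope.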

Site Map and Issue Definitions

Control of the scope may be the most useful aspect of Target, but there is much more in this section. Under Target, we have 3 sub-tabs:

  • Site map allows us to map out the apps we are targeting. It automatically generates a site map for the web pages we visit, simply by browsing around the web app.
  • Scope settings allow us to control Burp’s target scope for the project.
  • Issue definitions is a list of vulnerabilities that it has found.

Summary

Time for a recap. We have learned about:

  • What Burp Suite is
  • An overview of the available tools in the framework
  • Installing Burp Suite for yourself
  • Navigating and configuring Burp Suite.

Stats

From 145.744th to 139.010th. Now I am in the top 7% in TryHackMe!

Here is also the Skill Matrix:

Skill matrix

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Burp Suite Basics

Other resources

SQLi attacks
Download Burp Suite Community version
PortSwigger: Getting started with Burp Suite
FoxyProxy
Download FoxyProxy Basic here
SSL/TLS
Video: How to install and configure FoxyProxy with Firefox