Introduction
Burp Suite is a Java-based framework designed to serve as a comprehensive solution for conducting web application penetration testing.
Burp Suite captures and enables manipulation of all the HTTP/HTTPS traffic between a browser and a web server.
Different Editions of Burpsuite
Burpsuite Community
Burpsuite Professional
Burpsuite Enterprise
Burpsuite offers multiple features through the modules below.
Proxy
Repeater
Intruder
Decoder
Comparer
Sequencer
Extensions
Proxy
The Burp Proxy is the most renowned aspect of Burp Suite.
It enables interception and modification of requests.
Repeater
Repeater allows for capturing, modifying, and resending the same request multiple times.
Useful when crafting payloads through trial and error.
Send a request to Repeater using Ctrl+R.
There are different views offered in repeater
Pretty - Formatted raw response. This is the default option.
Raw - Unmodified response without formatting.
Hex - Displays a byte-level representation. Useful for binary files.
Render - Displays the page rendered as in the browser.
Inspector is a supplementary feature to the Request and Response views in the Repeater module.
It is also used to obtain a visually organized breakdown of requests and responses.
Inspector has the following attribute sections
Request Query Parameters
Request Body Parameters
Request Cookies
Request Headers
Response Headers
Intruder
Intruder allows for spraying endpoints with requests.
Commonly utilized for brute-force attacks or fuzzing endpoints.
Send a request to Intruder using Ctrl+I.
Different subtabs within intruder
Positions
Payloads
Resource Pools
Settings
Positions
Enclose a string with the § character to mark a position for Intruder.
The following options are available in intruder for positions.
Payloads
Payload Sets: Allows us to choose the position for which we want to configure a payload set and select the type of payload we want to use.
Payload settings: Options specific to the selected payload type for the current payload set.
Payload Processing: Define rules to be applied to each payload in the set before it is sent to the target.
Payload Encoding: Allows us to customize the encoding options for our payloads.
Attack Types
Intruder has 4 different attack types.
Sniper
Default and most commonly used option.
It cycles through the payloads, inserting one payload at a time into each position in the request.
It is particularly effective for single-position attacks, such as password brute-force or fuzzing for API endpoints.
Consider a Sniper attack with the following setup:
Request payload: username=§pentester§&password=§Expl01ted§
Wordlist with three words: burp, suite, and intruder.
Here, a total of 6 requests would be triggered.
username=burp&password=Expl01ted
username=suite&password=Expl01ted
username=intruder&password=Expl01ted
username=pentester&password=burp
username=pentester&password=suite
username=pentester&password=intruder
Battering Ram
The Battering ram attack type in Burp Suite Intruder differs from Sniper in that it places the same payload in every position simultaneously, rather than substituting each payload into each position in turn.
This attack type is useful when testing for race conditions or when payloads need to be sent concurrently.
For the same attack setup, Battering ram would generate the following 3 requests.
username=burp&password=burp
username=suite&password=suite
username=intruder&password=intruder
Pitchfork
The Pitchfork attack is similar to having multiple Sniper attacks running simultaneously.
While Sniper uses one payload set to test all positions one at a time, Pitchfork uses one payload set per position (up to a maximum of 20) and iterates through all of them simultaneously.
Consider the following two wordlists instead of the single wordlist used in the Sniper example.
The first wordlist contains usernames: joel, harriet, and alex.
The second wordlist contains passwords: J03l, Emma1815, and Sk1ll.
The Pitchfork attack will generate 3 requests.
username=joel&password=J03l
username=harriet&password=Emma1815
username=alex&password=Sk1ll
Cluster Bomb
The Cluster bomb attack type combines the Sniper and Pitchfork approaches.
It performs a Sniper-like attack on each position but tests every combination of payloads across the sets.
With the same setup used in the Pitchfork attack, Cluster bomb would generate 9 requests.
username=joel&password=J03l
username=joel&password=Emma1815
username=joel&password=Sk1ll
username=harriet&password=J03l
username=harriet&password=Emma1815
username=harriet&password=Sk1ll
username=alex&password=J03l
username=alex&password=Emma1815
username=alex&password=Sk1ll
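To make the request counts above concrete, here is an added example (not Burp's own code) that reproduces how each Intruder attack type combines payload positions with payload sets. It takes a template containing the page's § markers and the wordlists used in the examples above; the generator names and the `parse_template` helper are this example's own, not Burp API names. The Pitchfork generator stops at the shortest payload set, which is how Intruder behaves when sets differ in length.

```python
"""Added example: generate the request strings that Burp Intruder's four
attack types would produce from a § template and one or more payload sets."""
import itertools

MARKER = "\u00a7"  # the § character Intruder uses to delimit a payload position


def parse_template(template):
    """Split 'a=§x§&b=§y§' into the literal pieces between markers and the
    default value found inside each marker pair."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced markers in template")
    return parts[0::2], parts[1::2]


def build(pieces, values):
    """Interleave the literal pieces with one value per position."""
    out = [pieces[0]]
    for value, literal in zip(values, pieces[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def sniper(template, payloads):
    """One payload set; each position is varied in turn while the others keep
    their default value. Requests = positions x payloads."""
    pieces, defaults = parse_template(template)
    for pos in range(len(defaults)):
        for payload in payloads:
            values = list(defaults)
            values[pos] = payload
            yield build(pieces, values)


def battering_ram(template, payloads):
    """One payload set; the same payload fills every position at once.
    Requests = payloads."""
    pieces, defaults = parse_template(template)
    for payload in payloads:
        yield build(pieces, [payload] * len(defaults))


def pitchfork(template, payload_sets):
    """One payload set per position, iterated in lock-step.
    Requests = size of the smallest set (zip stops at the shortest)."""
    pieces, defaults = parse_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("need exactly one payload set per position")
    for combo in zip(*payload_sets):
        yield build(pieces, list(combo))


def cluster_bomb(template, payload_sets):
    """One payload set per position, every combination tried.
    Requests = product of the set sizes."""
    pieces, defaults = parse_template(template)
    if len(payload_sets) != len(defaults):
        raise ValueError("need exactly one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield build(pieces, list(combo))


if __name__ == "__main__":
    # Constructed inputs: the template and wordlists from the text above.
    template = "username=\u00a7pentester\u00a7&password=\u00a7Expl01ted\u00a7"
    words = ["burp", "suite", "intruder"]
    users = ["joel", "harriet", "alex"]
    passwords = ["J03l", "Emma1815", "Sk1ll"]
    for name, gen in [("sniper", sniper(template, words)),
                      ("battering ram", battering_ram(template, words)),
                      ("pitchfork", pitchfork(template, [users, passwords])),
                      ("cluster bomb", cluster_bomb(template, [users, passwords]))]:
        requests = list(gen)
        print(f"{name}: {len(requests)} requests")
        for r in requests:
            print("  " + r)
```

Running the script prints 6, 3, 3 and 9 requests respectively, in the same order the lists above show them; the counts are what matter when estimating how long an Intruder run will take against a rate-limited target.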
Decoder
Decoder offers a valuable service for data transformation.
It can decode captured information or encode payloads before sending them to the target.
Decoder can decode from and to the following formats
Plain
URL
HTML
Base64
ASCII Hex
Hex, Octal, and Binary
Gzip
Smart decode can be used to identify unknown chunks of data. It is not a perfectly reliable solution yet.
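The following is an added example, not part of the page or of Burp itself, that implements the Decoder formats listed above with the Python standard library and adds a small "smart decode" heuristic that peels layers until nothing recognisable is left. The `ENCODE`/`DECODE` tables and `smart_decode` are this example's own names; the detection order (gzip magic bytes, then hex, URL, HTML, Base64) is an assumption chosen to avoid the most common false matches.

```python
"""Added example: Decoder-style transformations and a heuristic smart decode."""
import base64
import binascii
import gzip
import html
import re
from urllib.parse import quote, unquote_to_bytes

# Every transform maps bytes -> bytes so layers can be chained in any order.
ENCODE = {
    "url": lambda b: quote(b, safe="").encode("ascii"),
    "html": lambda b: html.escape(b.decode("utf-8", "replace")).encode("utf-8"),
    "base64": base64.b64encode,
    "hex": binascii.hexlify,
    "gzip": lambda b: gzip.compress(b, mtime=0),  # fixed mtime keeps output deterministic
}
DECODE = {
    "url": unquote_to_bytes,
    "html": lambda b: html.unescape(b.decode("utf-8", "replace")).encode("utf-8"),
    "base64": lambda b: base64.b64decode(b, validate=True),
    "hex": binascii.unhexlify,
    "gzip": gzip.decompress,
}


def encode_chain(data, layers):
    """Apply encodings in the given order, e.g. ["gzip", "base64"]."""
    for layer in layers:
        data = ENCODE[layer](data)
    return data


def decode_chain(data, layers):
    """Undo encodings in the given order (reverse of how they were applied)."""
    for layer in layers:
        data = DECODE[layer](data)
    return data


HEX_RE = re.compile(rb"(?:[0-9a-fA-F]{2})+")
URL_RE = re.compile(rb"%[0-9a-fA-F]{2}")
HTML_RE = re.compile(rb"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def guess_layer(data):
    """Return the name of the outermost encoding this data looks like, or None."""
    if data.startswith(b"\x1f\x8b"):          # gzip magic number
        return "gzip"
    if len(data) >= 4 and HEX_RE.fullmatch(data):
        return "hex"
    if URL_RE.search(data):
        return "url"
    if HTML_RE.search(data):
        return "html"
    if len(data) >= 4 and len(data) % 4 == 0 and B64_RE.fullmatch(data):
        return "base64"
    return None


def smart_decode(data, max_layers=8):
    """Peel recognisable layers one at a time. Returns (layers_removed, result).
    Like Burp's smart decode this is a guess: a short hex-looking word such as
    b"cafe" will be 'decoded' even when it was plain text."""
    layers = []
    for _ in range(max_layers):
        layer = guess_layer(data)
        if layer is None:
            break
        try:
            data = DECODE[layer](data)
        except (ValueError, OSError):      # binascii.Error and BadGzipFile included
            break
        layers.append(layer)
    return layers, data


if __name__ == "__main__":
    # Constructed sample: a cookie value that was gzipped then Base64-encoded.
    blob = encode_chain(b"session=abc123; role=user", ["gzip", "base64"])
    print(blob)
    print(smart_decode(blob))
```

The `max_layers` cap stops the loop if two formats keep recognising each other's output, and the hex-before-Base64 order reflects that every hex string is also a syntactically valid Base64 string, which is one reason smart decode cannot be fully reliable.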
Comparer
Comparer enables the comparison of two pieces of data at either the word or byte level.
Sequencer
Sequencer is typically employed when assessing the randomness of tokens, such as session cookie values or other supposedly randomly generated data.
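As an added illustration of what a randomness assessment looks at (this is example code, not Sequencer's own analysis, which runs a much larger battery of statistical tests), the block below computes the Shannon entropy of each character position across a batch of captured tokens. The two token batches are constructed in the script: one counter-based, one drawn from a seeded pseudo-random generator.

```python
"""Added example: per-position entropy of a batch of tokens, the simplest of the
checks a Sequencer-style randomness assessment performs."""
import math
import random
from collections import Counter


def shannon_bits(symbols):
    """Shannon entropy in bits of the observed symbol distribution."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropy(tokens):
    """Entropy at each character position across all tokens.
    Tokens must share one length, as session identifiers normally do."""
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError("tokens must all have the same length")
    length = lengths.pop()
    return [shannon_bits([t[i] for t in tokens]) for i in range(length)]


def analyse(tokens):
    """Summarise a token batch: total observed entropy, positions that never
    change (fixed prefixes, version markers) and the weakest varying position."""
    per_pos = position_entropy(tokens)
    fixed = [i for i, h in enumerate(per_pos) if h == 0.0]
    varying = [h for h in per_pos if h > 0.0]
    return {
        "total_bits": sum(per_pos),
        "fixed_positions": fixed,
        "weakest_varying_bits": min(varying) if varying else 0.0,
    }


# Constructed sample batches (not captured from any real application).
WEAK_TOKENS = ["sess%04d" % (1000 + i) for i in range(200)]      # counter-based
_rng = random.Random(1234)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(8))
                 for _ in range(200)]                             # 8 hex chars


if __name__ == "__main__":
    for name, batch in [("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)]:
        print(name, analyse(batch))
```

The counter-based batch reports five fixed positions and under 8 bits in total; the seeded batch reports none fixed and close to 4 bits per position. Per-position entropy is only a lower-bound sanity check: a token whose characters look uniformly distributed can still come from a predictable generator, which is why Sequencer samples thousands of tokens and applies several tests before reporting an estimate.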
Extensions
The Burp Suite Extender module allows for quick and easy loading of extensions into the framework.
Extensions can be downloaded from the BApp Store tab inside Burpsuite.
To use Python-based extensions, the Jython interpreter needs to be configured in Burp Suite.
Download the Jython standalone jar file from https://www.jython.org/download.
Set the downloaded jar file location in Settings > Extensions > Python Environment.
Similarly, for Ruby-based extensions, configure JRuby.
The Burp Suite extender API gives access to a wide range of interfaces that allow you to create your own modules and integrate them with Burp Suite.
Read more about extension development at https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension.