Module 4: Introduction to Burp Suite

Browser and Integration

Launching Burp Suite

Proxy and Scope

Scope

Options > Project > Scope.

Adding offsecwp to our target scope
Ignoring out-of-scope (OOS) items

Core Burp Suite Tools and Tabs

Comparer

The Comparer tool
Loading two separate endpoints for comparison
Both Responses loaded into Comparer
Comparing the Responses of our Requests

Intruder

  • Sniper: one payload set, inserted into one payload position at a time (single-field brute force).

  • Battering Ram: one payload set, with the same payload inserted into every position at once.

  • Pitchfork: one payload set per position, iterated in parallel (the first entry of each list together, then the second, and so on).

  • Cluster Bomb: one payload set per position, trying every combination of entries.
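To make the four attack types concrete, the following is an added example (not code from the course) that expands a request template the way each Intruder mode does, so the difference in request count per mode is visible; the template, the `§` position markers and the payload lists are constructed for illustration.

```python
import itertools
import re

# Constructed sample input: a query string with two payload positions marked
# with Burp's section-sign syntax, plus two small payload sets.
TEMPLATE = "id=§1§&category=§books§"
IDS = ["7", "8", "9"]
CATS = ["books", "toys"]

POSITION = re.compile(r"§[^§]*§")


def positions(template):
    """Number of marked payload positions in the template."""
    return len(POSITION.findall(template))


def fill(template, values):
    """Replace the marked positions, in order, with the given values.
    A None value keeps that position's original (base) text."""
    it = iter(values)

    def sub(match):
        value = next(it)
        return match.group(0).strip("§") if value is None else value

    return POSITION.sub(sub, template)


def sniper(template, payloads):
    """One payload set, one position at a time; other positions keep base text."""
    n = positions(template)
    return [fill(template, [p if i == k else None for i in range(n)])
            for k in range(n) for p in payloads]


def battering_ram(template, payloads):
    """One payload set, the same payload placed into every position at once."""
    return [fill(template, [p] * positions(template)) for p in payloads]


def pitchfork(template, *payload_sets):
    """One set per position, walked in lockstep (stops at the shortest set)."""
    return [fill(template, list(combo)) for combo in zip(*payload_sets)]


def cluster_bomb(template, *payload_sets):
    """One set per position, every combination (Cartesian product)."""
    return [fill(template, list(combo)) for combo in itertools.product(*payload_sets)]
```

With the sample sets, Sniper and Cluster Bomb each produce 6 requests, Battering Ram 3 and Pitchfork 2, which is why Cluster Bomb runs grow quickly and are worth watching for in server logs.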

Decoder

A new box appears after entering data
Telling Burp Suite to decode as Base64
Decoded string result

Professional Features

Burp Scanner, Active Scan, Collaborator, and Intruder

  • Burp Scanner: automated scanning on a domain, an endpoint, or even from a specific intercepted request.

  • Extensions like ActiveScan++

  • Collaborator tool: payloads are sent that reference the Collaborator server in addition to the target. If the target interacts with the Collaborator server as a result of the request, Collaborator notifies the tester.

  • Intruder is no longer throttled.

  • CSRF PoC generator.
