search
githubEdit

Module 4: Introduction to Burp Suite

hashtag
Browser and Integration

hashtag
Launching Burp Suite

hashtag
Using Burp Suite's Built-in Browserarrow-up-right

hashtag
Integrating Burp Suite with Other Browsersarrow-up-right

hashtag
Proxy and Scope

hashtag
Proxyarrow-up-right

hashtag
Scope

Options > Project > Scope.

Adding offsecwp to our target scope
Ignoring out-of-scope (OOS) items

hashtag
Core Burp Suite Tools and Tabs

hashtag
Repeaterarrow-up-right

hashtag
Comparer

The Comparer tool
Loading two separate endpoins for comparison
Both Responses loaded into Comparer
Comparing the Responses of our Requests

hashtag
Intruderarrow-up-right

  • Sniper: Single field brute force.

  • Battering Ram: Bruteforce multiple fields with a wordlist.

  • Pitchfork: Bruteforce multiple fields with different wordlists.

  • Cluster Bomb: Bruteforce multiple fields with multiple wordlists.

hashtag
Decoder

Decoder
A new box apperars after entering data
Telling Burp Suite to decode as Base64
Decoded string result

hashtag
Professional Features

hashtag
Burp Scanner, Active Scan, Collaborator, and Intruder

  • Burp Scanner: automated scanning on a domain, an endpoint, or even from a specific intercepted request.

  • Extensions like ActiveScan++

  • Collaborator tool: requests/payloads are sent additionally to the collaborator server. If there is interaction between the request made and its internal database, collaborate notifies the tester.

  • Intruder is no longer throttled.

  • CSRF PoC generator.

PreviousModule 3: Web Application Enumeration MethodologyNextModule 5: Cross-Site Scripting Introduction and Discovery

Last updated