Open in app

Sign in

Write

Sign in

Burp Suite Tutorial

Ramsha Kamran
7 min readNov 5, 2019

--

What is burp suite?

Burp suite is one of the most popular security testing tool. Burp suite can be used in order to intercept HTTP requests which are going out through web browser.Burp suite falls into the category of proxy servers which means that it sits between the user’s browser and the web server that allows to observe and manipulate all the web traffic that’s being sent back and forward when a particular web application is used. The burp suite can let you test beneath the GUI which allows us to do more technical testing. Burp suite is a vulnerability scanner and it contains different functions such as proxy, intruder, scanner, decoder etc.

Proxy: Proxy is used for intercepting our requests and its proxy functions.
Intruder: Intruder contains different attacks which we can perform on a remote website like if you want to perform dictionary attack or brute force attack.
Scanner: Scanner is used for scanning particular website and its vulnerability.
Decoder: Decoder consist of different kind of functions which we can use in order to decode a particular thing like URL decode.

When to use Burp suite?

  1. To make sure hackers won’t be able intercept the calls.

Why to use Burp suite?

  1. To make the app/web more reliable and secure.
  2. By using this we can check the vulnerability of any websites or applications.

How to download and setup Burp Suite in Windows?

  1. Download burp suit from here.
  2. Install Burp Suite
  3. After running the installer, select “new temporary project”, followed by “use burp defaults”.

4. Click on Start Burp

Configure Burp suite

  1. Go to the “Proxy” tab, then the “Options” sub-tab, and look in the “Proxy Listeners” section.
  2. You should see an entry in the table with the checkbox ticked in the Running column, and “127.0.0.1:8080” showing in the Interface column.
  3. You will need to select the table entry, click “Edit”, and change the port number of the listener to a different number.

Configuring your Browser to work with Burp

Open Firefox and go to the Customize menu.
In the Customize menu, select Options, then click on “Settings” in the Network Section.

This will open the relevant configuration options for your host computer.
Now select Manual proxy configuration and enter the same HTTP Proxy and Port number that is entered on Burp suite.
Click on “OK” to save the settings.

SSL Certificates
If we went now and tried to go to a site configured with SSL (eg google.com) we would get an invalid ssl cert error,
So, following: https://support.portswigger.net/customer/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser we will install burp’s CA in our browser.
• goto http://burp in firefox
• click on ‘CA Certificate’ in the top menu bar

• click ‘save’
• Goto Firefox > Click on Options from side menu > Write Certificates in the search field

• click on “View Certificates” > authorities > import

• browse to where you downloaded the CA bundle.
• Tick all the options.
• click “OK”
• In the addressbar in firefox, enter “google.com” and switch over to burpsuite.
You may have a few captures for ‘firefox profile tracing’ — you can drop those by clicking the ‘drop’ button

In the burpsuite tabs you can see the http headers, http parameters and the hex values if you need to (similar to the firefox inspector, but prior to the request being filled by the server)
• at this point, nothing has been sent to the remote server!
• click ‘forward’
• the request is sent to the server
• You now have to switch to the ‘http history tab’

Configuring an iOS Device to Work With Burp

  • Go to Settings -> Wifi
  • find your network in the list, and tap it to connect. (Select the same network as it is connected in PC)
  • Tap on “i” (information) on the network
  • Tap on Configure proxy
  • Now enter server and port
  • Server should be fetched from cmd (Write ipconfig and copy the ivp4 address)
  • Port should be same as you enter in burp suite
  • Tap on “save”

Now open any browser in your IOS device.
Hit the following url http://burp and click the “CA Certificate” link.
Install burp certificate
You will be prompted with a message in the “Install Profile” window. Tap “Install”.
You will then be prompted with a warning message. Again, tap “Install”.
A further message will appear entitled “Install Profile”. Again, tap “Install”.
The Burp CA certificate should now be installed in your iOS device. Tap “Done”.
On some versions of iOS you may need to go to “Enable Full Trust for the PortSwigger CA”.
You can configure this setting at Settings > General > About > Certificate Trust Settings.

Performing an Attack on DVWA

Now you have configured both IOS and web browser. Its really easy and simple to intercept the calls. I am going to continue testing with web browser(Firefox). You just have to open burp suite and goto proxy > Intercept and make sure intercept is on.

  • Go to DVWA page in firefox
  • Type ‘admin’ into the username box and ‘login’ in the password box. press enter;
  • switch to burpsuite
  • Open the proxy > intercept tab
  • you’ll notice a request for dvwa with the parameter ‘username’ having a value of ‘admin
  • Now move to DVWA and and click on Brute Force

What is Brute Force?

A brute force attack consists of an attack just repeatedly trying to break a system. for example, by guessing various combination of usernames and passwords until a correct match is found. However, brute force attacks can be somewhat sophisticated and work at least some of the time.

  • Enter any incorrect username and password
  • Hit login button
  • Switch to Burp suite and observe the call
  • Right click -> Send to Intruder
  • Click on “Clear” button to clear all the
  • Now click on “Add” button and select only the fields that are required to brute force i.e username and password
  • We’re brute forcing only username and password
  • Select Attack Type: Cluster Bomb
  • Go to “payloads” sub-tab
  • By-default payload set is 1 means it is for the first parameter which is username
  • Now you can add list for username in Payload Option section
  • Now when you’re done with the username’s list, change the payload set to 2
  • There is another option to add list i.e adding a file
  • Create a list of passwords and save it in text file (.txt format)
  • Click on “Load” button
  • Select the required file and Click on “Open”
  • Select Intruder on top menu and click on “start attack”
  • Now the attack will start and it will check all the combination of usernames and passwords until a correct match is found.
  • After the attack, observe the length of all the requests.
  • The username and password who matched will result in different length.
  • Now login with that username and password

Now lets see a video how brute force works:

Conclusion:

Burp Suite is a Java based Web Penetration Testing framework. It is designed for performing security and vulnerability scanning.Burp Suite helps you identify vulnerabilities and verify attacks that are affecting the applications.

Ssl
Burpsuite
Security
Brute Force Attack

--

--

Ramsha Kamran

Written by Ramsha Kamran

15 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams