Published in Cyber4People

Setting up Burp Suite — Part 1

A Swiss Army Knife for your Web/App Security Toolkit

What is website vulnerability scanning?

Everything is first scanned and then approached. In the security field, the domain/vector/target is so large that it becomes difficult for an individual to scan the whole target manually.

To ease the process in the security world, specifically for scanning web or mobile applications, we have vulnerability scanners. Website vulnerability scanning is the fastest way to find holes in a site’s security using known attack vectors. Without vulnerability scanning, it can be very hard to keep up, stay compliant, and avoid a data breach.

Vulnerability scanners are much more efficient than manual testing, and the best tools will flag all but the most exotic bugs. The vulnerability scanner at the heart of Burp Suite Professional and Burp Suite Enterprise Edition is one such tool.

What is Burp Suite?

Burp Suite is a widely used pen testing framework, created by PortSwigger Web Security, to perform security testing on web applications. The suite can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.

The tool has two versions: a free version that can be downloaded free of charge (Free Edition) and a full version that can be purchased after a trial period (Professional Edition).

Download Burp Suite

Burp Suite can be downloaded from the official website: https://portswigger.net/burp

Community Download: https://portswigger.net/burp/communitydownload

For Professional and Enterprise editions: purchase the license and then download.

For this tutorial we will be using the Burp Suite Community Edition.

Launch Burp

After successful installation, open Burp Suite Community Edition from the Start menu (or, if you have it, launch Burp Suite Pro ;-)

Selecting a Project

There are 3 options available:

  • Temporary project — This option is useful for quick tasks where your work doesn’t need to be saved. All data is held in memory, and is lost when Burp exits.
  • New project on disk — This creates a new project that will store its data in a Burp project file. This file will hold all of the data and configuration for the project, and data is saved incrementally as you work. You can also specify a name for the project.
  • Open existing project — This reopens an existing project from a Burp project file. A list of recently opened projects is shown for quick selection. When this option is selected, the Spider and Scanner tools will be automatically paused when the project reopens, to avoid sending any unintentional requests to existing configured targets. You can deselect this option if preferred.

Selecting a Configuration

Again we have 3 options available for configuration:

  • Use Burp defaults — This will open the project using Burp’s default options.
  • Use options saved with project — This is only available when reopening an existing project, and will open the project using the options that were saved in the project file.
  • Load from configuration file — This will open the project using the options contained in the selected Burp configuration file. Note that only project-level options in the configuration file will be reloaded, and any user-level options will be ignored. A list of recently used configuration files is shown for quick selection.

Boom!!!!

The first thing you will see is a dashboard (if you are using the latest version, i.e. 2020.2).

Burp Suite is getting a brand new dashboard, which lets you monitor and control its automated activity:

In the Community Edition, the Tasks tab will start crawling all the websites/requests coming via the proxy.

The event log monitors for alerts and other information. This information may be useful for troubleshooting network connection or other problems.

The issue activity panel shows details of issues as they are reported by all scanning tasks.

On clicking any issue, you get detailed information about the vulnerability and the mitigation for it.

Target Tab

The Target tab helps you define your target/vector/domain for further scanning or assessment.

  1. The first section, on the extreme left, is the target list. All requests/responses are bundled into a tree structure.
  2. If you click on any one target, the 2nd section will show all the requests, methods, params etc. for it.
  3. The 3rd section will show the exact request sent to the server and the response received.

Target Scope Tab

The target scope configuration lets you tell Burp, at a suite-wide level, exactly what hosts and URLs constitute the target for your current work. You can think of the target scope as, roughly, the items that you are currently interested in and are authorized to test. This configuration affects the behavior of tools throughout the suite.
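To make the suite-wide scope idea concrete, here is an added example (not Burp's own code, and not from the original post) that evaluates URLs against include/exclude rules laid out the way Burp's exported project-options JSON groups them (`target` → `scope` → `include`/`exclude`, each rule with protocol/host/port/file regexes in advanced mode); the key names and the "exclude wins over include" precedence are assumptions based on that export format, and the host `app.example.com` and its rules are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample scope: everything on app.example.com over HTTPS is in
# scope, except /logout, which an automated crawler or scanner must not hit.
# Key layout is assumed to mirror a Burp project-options export; verify
# against your own "Load from configuration file" export before relying on it.
SCOPE_CONFIG = {
    "target": {
        "scope": {
            "advanced_mode": True,
            "include": [
                {"enabled": True, "protocol": "https",
                 "host": r"^app\.example\.com$", "port": "^443$", "file": "^/.*"}
            ],
            "exclude": [
                {"enabled": True, "protocol": "https",
                 "host": r"^app\.example\.com$", "port": "^443$", "file": "^/logout"}
            ],
        }
    }
}

def _rule_matches(rule, url):
    """True when every populated field of the rule matches the URL."""
    if not rule.get("enabled", True):
        return False
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    # "any" protocol matches both schemes; otherwise the scheme must match exactly
    if rule.get("protocol", "any") not in ("any", parts.scheme):
        return False
    for field, value in (("host", parts.hostname or ""), ("port", str(port)), ("file", path)):
        pattern = rule.get(field)
        if pattern and not re.search(pattern, value):
            return False
    return True

def in_scope(url, config=SCOPE_CONFIG):
    """A URL is in scope if an include rule matches and no exclude rule does."""
    scope = config["target"]["scope"]
    if any(_rule_matches(r, url) for r in scope["exclude"]):
        return False
    return any(_rule_matches(r, url) for r in scope["include"])

if __name__ == "__main__":
    for u in ("https://app.example.com/account", "https://app.example.com/logout",
              "http://app.example.com/account", "https://app.example.com:8443/x"):
        print(u, "->", "in scope" if in_scope(u) else "out of scope")
```

Keeping the logout path and any out-of-scope hosts excluded is what stops a crawler or scanner from logging your session out or sending requests to systems you are not authorized to test.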
