(BurpSuiteMastery) LabManualV3 1514182492549


BURP SUITE MASTERY
LAB MANUAL

PRACTICAL HANDS-ON BURP SUITE TRAINING COURSE
BY
Peritus Information Security Services Private Limited
Burp Suite Mastery Lab Manual 1

Contents
About 2
Copyright 2
Disclaimer 2
Prerequisites 3
  Exercise 3
  Prerequisites 3
  Goals 3
  Steps 3
Installation / Setup 4
  Exercise 4
  Prerequisites 4
  Goals 4
  Steps 4
Configuration 5
  Exercise 5
  Prerequisites 5
  Goals 5
  Steps 5
Burp Basics 6
  Exercise 6
  Prerequisites 6
  Goals 6
  Steps 6
Tools – I 7
  Exercise 7
  Prerequisites 7
  Goals 7
  Steps 7
Tools – II 10
  Exercise 10
  Prerequisites 10
  Goals 10
  Steps 10
Advanced usage of Burp 12
  Exercise 12
  Prerequisites 12
  Goals 12

@Copyright Peritus Information Security Services Private Limited. All rights reserved. The contents, or parts
thereof, may not be reproduced in any form for any purpose without the written permission of Peritus
Information Security Services Private Limited.

About
Peritus Information Security Services Private Limited is an information security company located in
India which provides security consulting services and also specializes in delivering information security
training all over the world. Contact: [email protected]

Copyright
Peritus Information Security Services Private Limited owns all rights, title and interest in these materials
and such materials are protected by copyright. All rights are reserved. These materials may only be
used for private, non-commercial use only. Any unauthorized use, reproduction, modification, transfer,
distribution of part or all of these materials is strictly prohibited. Nothing in these materials shall grant
you any rights in or to the intellectual property or proprietary rights of Peritus Information Security
Services Private Limited or any third party.

Disclaimer
All the material presented in this training course is strictly for educational purposes. Peritus
Information Security Services Private Limited is not responsible for any misuse of the material.


Prerequisites

Exercise
Setup your machine with Java Runtime Environment required to run Burp Suite and WebGoat.

Prerequisites
N/A

Goals
Learn how to setup JRE required for running Burp Suite and WebGoat.

Steps
Install JRE version >= 1.6

1. Install JRE on Windows / MacOS
   http://www.oracle.com/technetwork/java/javase/downloads/
2. Install JRE on Linux (Ubuntu)
   $ sudo apt install default-jre


Installation / Setup

Exercise
Install and Run WebGoat and Burp Suite.

Prerequisites
JRE version >= 1.6 installed.

Goals
Learn how to install and run WebGoat and Burp Suite.

Steps
1. Installing and running WebGoat

1. Download WebGoat from the link given below or from the course material
   https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar
2. Running WebGoat
   $ java -jar webgoat-container-7.1-exec.jar
3. Check that WebGoat is working by visiting
   http://localhost:8080/WebGoat

2. Installing and running Burp Suite

1. Download Burp Suite
   https://portswigger.net/burp
2. Open the downloaded file

Note: This training course uses Burp Suite Professional Edition but you are free to use Burp Suite
Community / Free Edition.


Configuration

Exercise
Configuring Burp Proxy and Browser.

Prerequisites
WebGoat and Burp Suite already running.

Goals
1. Learn how to setup Proxy.
2. Learn how to use extensions to ease the process of setting up Proxy.
3. Learn how to configure Burp Suite to work with HTTPS sites.

Steps
1. Setting up Proxy
1. Set up a Burp Proxy listener to listen on 127.0.0.1:8081. You can find `Proxy Listeners` in the
Proxy → Options tab.
2. Forward the browser's traffic to 127.0.0.1:8081 by changing the proxy settings of the browser. For
Firefox: Preferences → Advanced → Network tab → Connection settings.
3. Visit `http://localhost:8080/WebGoat/` and check whether any traffic is being forwarded to Burp
Proxy. Keep Intercept off and check the HTTP history tab of Burp Proxy.

2. Setting up FoxyProxy
1. Install `FoxyProxy Basic` extension for Firefox.
2. Go to Options of FoxyProxy Basic.
3. Click `Add New Proxy` and enter all the details with proxy set to 127.0.0.1:8081.
4. Activate this proxy and your browser will be able to forward traffic to Burp Proxy.

Note: You can download the FoxyProxy extension for other browsers as well and configure it in the same
way.

3. Configuring Burp Suite to work with HTTPS sites

1. Visit http://burp/ in the browser and download the CA certificate.
2. Install this CA certificate in Firefox by going to Preferences → Advanced → Certificates →
View Certificates → Import.
3. Close the browser and Burp Suite and reopen them. Make sure the browser is forwarding traffic to
127.0.0.1:8081 and Burp is listening on 127.0.0.1:8081.
4. Visit any HTTPS site, such as https://google.com, and it will show up in Burp Proxy.

Note: You can follow the same steps to set up Burp Proxy with HTTPS sites on other browsers.


Burp Basics

Exercise
Understanding Basics of Burp Suite.

Prerequisites
1. WebGoat and Burp Suite already running.

2. Burp Proxy has already been configured with your browser.

Goals
1. Learn how to create projects and save data of project.

Steps
1. Run Burp Suite and select `New project on disk`.

2. Enter a filename and a project name. This creates a project file and saves it.

3. Now browse the application as normal; you can close Burp Suite directly when you are done.

4. When you reopen Burp Suite you can select the project file directly and it will show the
whole project with the same proxy settings, the same history, etc.


Tools – I

Exercise
Understanding how to use Proxy, Repeater, Target, Spider, Scanner and Intruder.

Prerequisites
1. WebGoat and Burp Suite already running.

2. Burp Proxy has already been configured with your browser.

Goals
1. Learn how to use Proxy and Repeater to intercept, alter or repeat requests/responses.

2. Learn how to use Target to setup project scope.

3. Learn how to use Spider to discover hidden content.

4. Learn how to use Scanner to passively or actively scan the application.

5. Learn how to use Intruder to automate attacks.

Steps
1. PROXY and REPEATER

1. Intercepting Requests

1. Turn on intercept in Burp Proxy → Intercept.
2. Visit `http://localhost:8080/WebGoat/` and check whether Burp is flashing and
awaiting your input. This is because the request was intercepted by
Burp Proxy.
3. Look at the request in Burp. You can see the raw details of the request.
This is a GET request to the server, in this case WebGoat.
4. Click `Forward` to send the request to the server.

2. Editing Requests

1. Turn on intercept in Burp Proxy → Intercept.
2. Visit any page on WebGoat and check whether Burp is flashing and awaiting your
input. This is because the request was intercepted by Burp Proxy.
3. Look at the request in Burp. You can see the raw details of the request.
4. Now make changes to the request, for example modify a cookie.
5. Click `Forward` to send the modified request to the server.

Note: You can also see requests/responses history via Burp Proxy → HTTP history.


3. Using Repeater

1. Go to Burp Proxy → HTTP history.
2. Right-click on any request and click `Send to Repeater`.
3. Now you can edit the raw details of the request and send it over and over
again from the `Repeater` tab.
4. You can do this with any live (intercepted) request as well.

2. TARGET

1. Setting Scope

1. Go to Burp Target → Scope.
2. Add a new target scope entry for `localhost`.
3. This tells Burp Suite which URLs are in scope, so you can filter the data down to
just your in-scope URLs.

2. Using SiteMap

1. Go to Burp Target → SiteMap.
2. Browse WebGoat as normal and observe the various requests/responses.
3. As you do this, Burp builds up a site map which can be viewed via Burp Target →
SiteMap.
4. You can also use the filtering feature to show only requests related to your in-
scope target.

3. SPIDER

1. Using Spider to Discover Hidden Content

1. Go to Burp Spider → Control.
2. Set `Spider Scope` to `Use defined scope [defined in Target tab]`. This uses the
scope from the Target tab.
3. Now click `Spider is paused`. This starts your spider and the button text changes
to `Spider is running`.
4. From any other tab, such as Target, you can always send any request for spidering
by right-clicking and selecting `Spider this host/branch`.

Note: You should manually review the spider settings before running it on any
website. It may have adverse effects.

4. SCANNER


1. Passive Scanning

1. In Burp, go to Scanner → Live Scanning.
2. Set `Live Active Scanning` to `Don’t Scan`.
3. Set `Live Passive Scanning` to `Use suite scope [defined in Target tab]`.
4. Now browse WebGoat, and Burp Scanner will find vulnerabilities for you.
5. Results can be viewed via Target → SiteMap.

2. Active Scanning

1. In Burp, go to Target → SiteMap.
2. Right-click on WebGoat and select `Actively scan this host`.
3. Make sure “Remove out-of-scope items” is checked, then select Next
and then `Ok` to start scanning.
4. Results can be viewed via Scanner → Scan queue.

Note: You should manually review the scanner settings before running it on any
website. It may have adverse effects.

5. INTRUDER

1. Using Intruder to Brute Force Credentials

1. Browse WebGoat to the login page:
   http://localhost:8080/WebGoat/login.mvc
2. Now intercept the login request after you enter a username and password, e.g.
POST http://localhost:8080/WebGoat/j_spring_security_check
3. In Burp Proxy → Intercept, right-click and select `Send to Intruder`.
4. Now go to Intruder.
5. Set `Payload Positions` to the value of `password`. Clear everything else by hitting the
`Clear` button. Here we are going to brute force the password.
6. Set the attack type to Sniper.
7. Go to the `Payloads` tab.
8. Set `Payload Sets` to use `Payload type: Simple list`.
9. Select the `Passwords` list from the dropdown menu of `Payload Options`.
10. Hit the `Start attack` button. This starts your brute force attack.
11. By comparing the requests/responses you can identify whether a password
was correct or not.

Note: You can perform a variety of different attack types using Intruder.
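From the defender's side, an Intruder run like the one above leaves a burst of POSTs to `/WebGoat/j_spring_security_check` in the application server's access log. The following Python is an added example, not part of the Peritus manual or of WebGoat: it flags that burst from constructed combined-format log lines (the log format, the sample addresses and the 10-per-minute threshold are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint from the exercise; the log format is Apache/Tomcat "combined" style.
LOGIN_PATH = "/WebGoat/j_spring_security_check"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _log(ip, second, path=LOGIN_PATH, method="POST", status=302):
    """Build one constructed access-log line (sample data, not a real capture)."""
    ts = f"04/Jan/2018:10:15:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0'


# Constructed log: one client hammers the login form, another logs in normally.
SAMPLE_LOG = (
    [_log("10.0.0.5", s) for s in range(0, 30, 2)]                # 15 POSTs in 30 s
    + [_log("10.0.0.9", 3), _log("10.0.0.9", 40)]                 # 2 ordinary attempts
    + [_log("10.0.0.9", 41, "/WebGoat/welcome.mvc", "GET", 200)]  # not a login POST
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for each source that sent more than `threshold`
    POSTs to the login endpoint within any sliding `window`. Lines must be in
    time order per client. Outcome is ignored on purpose: Spring Security's form
    login typically answers good and bad credentials alike with a 302 redirect,
    so volume per source is the usable signal."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts
```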


Tools – II

Exercise
Understanding how to use Sequencer, Decoder, Comparer and Extender.

Prerequisites
1. WebGoat and Burp Suite already running.

2. Burp Proxy has already been configured with your browser.

Goals
1. Learn how to use Sequencer to live capture and analyze tokens.

2. Learn how to use Decoder to encode/decode.

3. Learn how to use Comparer to compare requests/responses.

4. Learn how to use Extender to extend functionalities of Burp Suite.

Steps

1. SEQUENCER

1. Using Sequencer

1. Browse WebGoat to the login page:
   http://localhost:8080/WebGoat/login.mvc
2. Log in to WebGoat.
3. Go to Burp Proxy → HTTP history and locate the login request which sets the
session cookie (JSESSIONID) and logs in the user.
4. Right-click on the request and select `Send to Sequencer`.
5. Go to Sequencer → Live capture.
6. Set `Token Location within Response` to `JSESSIONID`.
7. Hit `Start live capture` under `Select Live Capture Request` in the Live capture tab.
8. This starts a capture. You can run the analysis once 100 tokens have been
captured by clicking the “Analyze Now” button.
9. Sequencer reports that the entropy of this token is extremely poor. You can
click through the various tabs to see the different reports that Sequencer
generates. You can also click the “Copy Tokens” button and paste into a text
document to look at the cookies yourself.

Note: Sequencer can also do analysis if you directly provide tokens to it.
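Sequencer's character-level view of a token sample can be approximated outside Burp. The following Python is an added example, not part of the Peritus manual or of Burp: it measures per-position entropy and counter-like behaviour over two constructed token sets (neither is a real WebGoat JSESSIONID); the 32-bit verdict threshold is an illustrative assumption, not Sequencer's own scoring.

```python
import math
import re
import secrets
from collections import Counter

# Constructed sample tokens: a weak set whose only variation is a counter, and a
# strong set drawn from the OS CSPRNG (32 hex characters each).
WEAK_TOKENS = [f"SESSION{1000 + i:06d}" for i in range(100)]
STRONG_TOKENS = [secrets.token_hex(16).upper() for _ in range(100)]


def shannon_entropy(symbols):
    """Shannon entropy (bits) of the observed distribution of `symbols`."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropy(tokens):
    """Entropy of the character at each position, measured across all tokens.
    Positions that never change contribute 0 bits."""
    width = min(len(t) for t in tokens)
    return [shannon_entropy([t[i] for t in tokens]) for i in range(width)]


def sequential_suffix(tokens):
    """True if every token ends in a number and consecutive tokens differ by a
    constant non-zero step: a counter is predictable no matter how wide it is."""
    matches = [re.search(r"\d+$", t) for t in tokens]
    if len(tokens) < 2 or not all(matches):
        return False
    nums = [int(m.group()) for m in matches]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and steps != {0}


def analyze_tokens(tokens):
    """Character-level summary of a token sample (assumed 32-bit cut-off)."""
    per_pos = position_entropy(tokens)
    variable = sum(1 for e in per_pos if e > 0.0)
    total_bits = sum(per_pos)
    poor = total_bits < 32 or sequential_suffix(tokens)
    return {
        "token_count": len(tokens),
        "fixed_positions": len(per_pos) - variable,
        "variable_positions": variable,
        "estimated_bits": round(total_bits, 2),
        "verdict": "extremely poor" if poor else "reasonable",
    }
```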


2. Decoder

1. Using Decoder

1. Go to Burp Decoder and enter this value: `eW91YXJldGhld2Vha2VzdGxpbms=`.
2. Now you can encode/decode as per your requirements.
3. Do a Base64 decode on it.

Note: You can use Decoder to encode/decode the various values you come across during
your pentesting.

3. Comparer

1. Using Comparer

1. Go to Burp Proxy → HTTP history.
2. Select any two requests, right-click and hit `Send to Comparer`. Depending
on the request/response, it may offer you the option of sending the request to
compare or sending the response to compare. Select either.
3. Inside Comparer, select items 1 and 2.
4. Hit `Compare as Words` or `Bytes` and it will show the comparison.

4. Extender

1. Installing Extensions from the BApp Store

1. Go to Burp Extender → BApp Store.
2. Select any extension you like, for example JSON Beautifier.
3. Hit Install and Burp will download the extension from the BApp Store and install it in your Burp Suite.

Note: You can also create your own extensions using the Extender APIs.


Advanced usage of Burp

Exercise
Understanding how to use Engagement tools, Burp Collaborator and Burp Clickbandit.

Prerequisites
1. WebGoat and Burp Suite already running.

2. Burp Proxy has already been configured with your browser.

Goals
1. Learn how to use Engagement tools to auto-discover content and auto-generate a CSRF POC.

2. Learn how to use Burp Collaborator with Public Collaborator Server.

3. Learn how to use Burp Clickbandit to automate the process of creating clickjacking POC.

1. Engagement Tools

1. Using Content Discovery

1. Go to Burp Proxy → HTTP history.
2. Select any request, right-click and go to Engagement Tools → Discover
Content.
3. This opens the Content Discovery window. Hit the `Session is not running` button
to start.
4. This creates a new site map with the newly discovered content.

2. Using Generate CSRF POC

1. Go to Burp Proxy → HTTP history.
2. Find a CSRF-vulnerable request, for example the logout request of WebGoat.
3. Select the request, right-click and go to Engagement Tools → Generate
CSRF POC.
4. This gives you HTML code which you can use to test for CSRF.

2. Burp Collaborator

1. Using Public Collaborator Server

1. In Burp, go to Project Options → Misc.
2. Locate `Burp Collaborator Server` and select `Use the default Collaborator Server`.


3. Click `Run health check ...`. This verifies that your Burp client can contact the
Burp public Collaborator server.
4. Now, in Burp, locate the top menu bar and click `Burp Collaborator Client`.
5. Click `Copy to clipboard` to copy the payload, which looks like
`lpea8oujjrjemzx9l15gj9w62x8nwc.burpcollaborator.net`.
6. Use this payload in your testing.
7. You can click `Poll now` to check whether any outbound requests were received by
the server.

Note: You can also set up your own private Collaborator server and then change the
settings of `Burp Collaborator Server` in Project Options → Misc. This makes the Burp
client poll your private server.

3. Burp Clickbandit

1. Using Clickbandit

1. In Burp, locate the top menu bar and click `Burp Clickbandit`.
2. Click `Copy Clickbandit to clipboard`.
3. Log in to WebGoat and visit
http://localhost:8080/WebGoat/start.mvc#attack/360466308/5. (This page is
vulnerable to clickjacking.)
4. Right-click, go to `Inspect Element` and then to the `Console` tab. Paste the
Clickbandit code into the console and hit `Enter`.
5. This starts Burp Clickbandit in Record mode.
6. Now click on the areas which you want the victim to click in your clickjacking
attack, for example the `Show Source` button, and then hit `Finish` at the top.
7. Clickbandit now goes into Review mode and you can change the transparency
settings.
8. Hit `Save` when you are done.
9. This generates an HTML file with the clickjacking attack.
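The fix for the clickjacking that Clickbandit demonstrates is a framing policy on the server's response. The following Python is an added example, not part of the Peritus manual or of WebGoat: it checks a raw HTTP response, as copied from Burp, for a CSP `frame-ancestors` directive and an `X-Frame-Options` header, using constructed sample responses.

```python
# Constructed sample responses (not captured from WebGoat): one with no framing
# controls, one hardened with both headers, one with only X-Frame-Options.
VULNERABLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLE; Path=/WebGoat\r\n\r\n<html><body>lesson</body></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n<html></html>"
)
XFO_ONLY = "HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\n\r\n<html></html>"


def parse_headers(raw_response):
    """Split a raw HTTP response (as shown in Burp) into (status_line, {name: [values]})."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def frame_ancestors(csp_values):
    """Return the frame-ancestors source list from the first CSP that defines it, else None."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def framing_protection(raw_response):
    """Decide whether a third-party page may frame this response.
    CSP frame-ancestors, when present, takes precedence over X-Frame-Options."""
    _, headers = parse_headers(raw_response)
    sources = frame_ancestors(headers.get("content-security-policy", []))
    if sources is not None:
        if "*" in sources:
            return {"protected": False, "mechanism": "csp", "detail": "frame-ancestors allows any origin"}
        return {"protected": True, "mechanism": "csp", "detail": "frame-ancestors " + " ".join(sources)}
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return {"protected": True, "mechanism": "xfo", "detail": "X-Frame-Options: " + xfo[0]}
    if xfo:
        return {"protected": False, "mechanism": "xfo", "detail": "unrecognised X-Frame-Options value " + xfo[0]}
    return {"protected": False, "mechanism": None, "detail": "no frame-ancestors or X-Frame-Options header"}
```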
