Burp Suite
Page 1 of 12
BURPSUITE
Burp Suite is a toolkit designed for web application security testing. It is developed by
PortSwigger, a software security company. The tool is used by cybersecurity teams,
penetration testers and web developers because it helps them identify weaknesses and
vulnerabilities in web applications so that they can be remediated.
BURPSUITE EDITIONS
1. Burp Suite Enterprise Edition: This edition is designed for organizations that want to
run automated scanning at scale. There is no limit on the number of users per license.
2. Burp Suite Community Edition: The Community Edition is free to download from the
official website and provides the essential manual toolkit for testing websites for
learning and practice purposes. It has no automated scanner, and Intruder is heavily
rate-limited in this edition.
You can download the Community Edition from the following link:
https://portswigger.net/burp/communitydownload
3. Burp Suite Professional Edition: The Professional Edition contains the full toolkit for
manual testing together with the automated scanner (crawl and audit). It requires a
license to activate the product, one license per user.
The editions also differ in which tools they include. For example, the Professional
Edition has a much larger toolkit than the Community Edition. For a full comparison, visit
the link above and scroll to the end of the page, where the comparison table is shown. A
sample screenshot of that comparison is attached below for reference.
FEATURES OF BURPSUITE
1. Dashboard: The dashboard is divided into four panels, each of which works as
described below.
• Tasks: This panel lists the tasks in the current session, such as the live passive
crawl and the live audit that are fed from Proxy traffic, and provides the option
to start a new scan. Automated crawl and audit are available only in the
Professional and Enterprise editions.
• Event Log: The event log displays a chronological list of events that occurred
during the testing session, with a timestamp, event type and detailed
information for each event.
• Issue Activity: This panel lists the security issues that have been identified so
far, in the order they were found.
• Advisory: The advisory panel gives detailed information about the security
issue selected in the issue activity panel, and also provides remediation advice
for that issue.
SCREENSHOT: DASHBOARD
The screenshot shows the dashboard after testing Acunetix's intentionally vulnerable
demo website, with the captured information displayed.
2. Target: This is a crucial part of Burp Suite, where you manage and configure the
target web application for testing. This section gives you control over the scanning
and testing process.
• Scope: This sub-tab lets the user define which URLs are in scope, so that
crawling and testing concentrate on those URLs only.
In the highlighted filter area above the site map, you can click on the filter bar and set
filters as you need (for example, show only in-scope items) to control which data is
displayed in the site map.
You can add a URL to the scope by right-clicking on it and choosing "Add to scope". In the
screenshot above you can see the URL in the Include column after it has been added to the
scope. When the first item is added to scope, Burp also offers to stop logging out-of-scope
traffic in the Proxy history, which keeps the history focused on the target.
The screenshot above shows the Issue definitions sub-tab, which provides a wide range of
information about different vulnerabilities together with remediation advice for each, so
that the user can prioritize which issues to fix.
3. Proxy: This is a crucial component of Burp Suite which lets the user intercept
and manipulate HTTP/S traffic between the client (browser) and the server. The Proxy
tool itself has sub-tabs that provide different functionalities.
• Intercept: This sub-tab lets the user intercept requests and responses. Each
intercepted request or response is held so that the user can review and
modify it, then forward or drop it, before the traffic continues.
• HTTP History: This sub-tab records all HTTP/S traffic that has passed through
the proxy, so that the user can review each request and response, analyse the
data and find potential security issues.
• Options: This sub-tab provides the configuration settings for the Proxy tool,
such as the listener address (127.0.0.1:8080 by default) and the interception
rules.
SCREENSHOT: PROXY -> INTERCEPT
To capture a particular page of the target website, the user switches Intercept to On,
then opens the website in the proxied browser and navigates to that page. The tool holds
the request so it can be reviewed before it is forwarded.
SCREENSHOT: PROXY->OPTIONS (1)
The user has to enable both options highlighted in the screenshot under Proxy -> Options
in order to intercept properly. Note that by default Burp intercepts requests only; to
hold server responses as well, the rule "Intercept responses based on the following rules"
must also be enabled.
4. Intruder: This is a powerful feature for automating customized attacks against a web
application in order to test its security. It is used for brute-force attacks,
parameter fuzzing and more.
• Positions: This sub-tab lets the user mark the positions in the request where
payloads are inserted (for example, the username and password parameters).
It also offers four attack types to choose from according to the situation:
Sniper, Battering Ram, Pitchfork and Cluster Bomb.
• Payloads: This sub-tab lets the user set the payload type and load payload
lists, such as username and password wordlists, so that the tool can run
through those combinations to find the correct credentials.
• Options: In this sub-tab you can configure the attack settings, including the
number of threads. Remember that Intruder is heavily rate-limited in the
Community Edition.
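The difference between the four attack types is easiest to see by generating the requests each one would produce. The following is an added example, not code from the original page or from PortSwigger: it parses a request template with Burp-style § markers and builds the request list for each attack type. The host, parameter names and wordlists are constructed for illustration.

```python
import itertools
import re

# Burp marks payload positions in the request template with the section sign (§).
MARK = "\u00a7"


def parse_template(template):
    """Split a request template into literal chunks and the baseline value of
    each §...§ position. For n positions, literals has n+1 entries."""
    parts = re.split(f"{MARK}(.*?){MARK}", template, flags=re.S)
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Rebuild a request from the literal chunks and one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def body(request):
    """Return just the body of a raw HTTP request (text after the blank line)."""
    return request.split("\r\n\r\n", 1)[1]


def intruder_requests(template, attack, payload_sets):
    """Return the list of requests Intruder would send for the given attack type.

    sniper:        one payload set; each position is attacked in turn while the
                   other positions keep their baseline value.
    battering ram: one payload set; the same payload is placed in every position.
    pitchfork:     one payload set per position; the sets are walked in parallel
                   and the attack stops when the shortest set is exhausted.
    cluster bomb:  one payload set per position; every combination is tried.
    The order of requests here may differ from Burp's; the set of requests does not.
    """
    literals, baselines = parse_template(template)
    n = len(baselines)
    requests = []
    if attack == "sniper":
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(baselines)
                values[i] = payload
                requests.append(render(literals, values))
    elif attack == "battering ram":
        for payload in payload_sets[0]:
            requests.append(render(literals, [payload] * n))
    elif attack == "pitchfork":
        if len(payload_sets) < n:
            raise ValueError("pitchfork needs one payload set per position")
        for combo in zip(*payload_sets[:n]):
            requests.append(render(literals, list(combo)))
    elif attack == "cluster bomb":
        if len(payload_sets) < n:
            raise ValueError("cluster bomb needs one payload set per position")
        for combo in itertools.product(*payload_sets[:n]):
            requests.append(render(literals, list(combo)))
    else:
        raise ValueError(f"unknown attack type: {attack}")
    return requests


# Constructed sample: a login request with two marked positions (hypothetical host).
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    f"username={MARK}admin{MARK}&password={MARK}letmein{MARK}"
)

if __name__ == "__main__":
    users = ["alice", "bob"]            # constructed wordlists
    passwords = ["Winter2024", "Password1"]
    for attack, sets in [("sniper", [passwords]),
                         ("battering ram", [passwords]),
                         ("pitchfork", [users, passwords]),
                         ("cluster bomb", [users, passwords])]:
        reqs = intruder_requests(TEMPLATE, attack, sets)
        print(f"{attack}: {len(reqs)} requests")
        for r in reqs:
            print("   ", body(r))
```

With two positions and two payloads per set, Sniper and Cluster Bomb each send four requests, while Battering Ram and Pitchfork send two. This is why a credential-stuffing run (known username/password pairs) uses Pitchfork, a full brute force uses Cluster Bomb, and fuzzing one parameter at a time uses Sniper.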
SCREENSHOT: INTRUDER -> OPTIONS
5. Repeater: This is another powerful feature, designed for security professionals and
web developers, which lets the user modify a captured request and re-send it to the
web application as many times as needed. It is useful for debugging and for analyzing
how the website reacts to each modified request, since the request and its response
are shown side by side.
SCREENSHOT: REPEATER
6. Decoder: This is another powerful feature of Burp Suite, which lets the user decode
encoded data and encode data into a chosen format. It supports a variety of formats,
for example plain text, ASCII hex, binary, HTML, URL and Base64, and transformations
can be chained, which is useful when a value has been encoded more than once.
SCREENSHOT: DECODER.
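The chaining described above is what Decoder's "Smart decode" does: it keeps peeling layers until the value no longer looks encoded. The following is an added example, not code from the original page or from PortSwigger, that implements the same idea for URL, HTML, ASCII-hex and Base64 layers. The sample values are constructed; the format-detection rules are this example's own heuristics.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote


def _printable(text):
    """Reject decodings that produced control bytes; guards against false positives
    such as treating the plain string "1234" as ASCII hex."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_once(value):
    """Peel one encoding layer off value. Returns (format, decoded) or None when
    nothing recognizable is left. Checks run from most to least specific."""
    if re.search(r"%[0-9A-Fa-f]{2}", value):
        return "url", unquote(value)
    if re.search(r"&(?:#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", value):
        return "html", html.unescape(value)
    if len(value) >= 4 and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        try:
            decoded = bytes.fromhex(value).decode("utf-8")
            if _printable(decoded):
                return "ascii-hex", decoded
        except UnicodeDecodeError:
            pass
    if len(value) >= 4 and len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
            if _printable(decoded):
                return "base64", decoded
        except (binascii.Error, UnicodeDecodeError):
            pass
    return None


def smart_decode(value, max_layers=8):
    """Repeatedly decode until the value no longer looks encoded.
    Returns (list of layers peeled, outermost first, final value)."""
    layers = []
    while len(layers) < max_layers:
        result = decode_once(value)
        if result is None:
            break
        fmt, value = result
        layers.append(fmt)
    return layers, value


def encode(value, fmt):
    """Apply one encoding layer; the inverse of decode_once for each format."""
    if fmt == "url":
        return quote(value, safe="")
    if fmt == "html":
        return html.escape(value, quote=True)
    if fmt == "ascii-hex":
        return value.encode("utf-8").hex()
    if fmt == "base64":
        return base64.b64encode(value.encode("utf-8")).decode("ascii")
    raise ValueError(f"unknown format: {fmt}")


if __name__ == "__main__":
    # Constructed sample: a Base64 value that was then URL-encoded.
    sample = "%53%47%56%73%62%47%38%3D"
    print(smart_decode(sample))                                   # (['url', 'base64'], 'Hello')
    print(smart_decode("&lt;script&gt;alert(1)&lt;/script&gt;"))  # (['html'], '<script>alert(1)</script>')
```

Short alphanumeric strings are inherently ambiguous (any 4-character word is syntactically valid Base64), so a decoder like this, and Burp's Smart decode, can occasionally peel a layer that was never there; the printable check and the max_layers guard limit the damage, but the result should always be sanity-checked by hand.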
7. Comparer: This useful feature lets the user send two requests or two responses to
the Comparer tool and compare them, word by word or byte by byte, to see how the
website's behaviour differs between the two.
SCREENSHOT: COMPARER
In the screenshot above, two captured HTTP responses were sent to Comparer and the
compare option in the bottom right corner was clicked; the results are shown in the window.
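A typical Comparer use is spotting a subtle difference between two responses, for example the error message returned for a valid versus an invalid username, while ignoring tokens such as anti-CSRF values that change on every request. The following is an added example, not code from the original page or from PortSwigger, that performs the word-level comparison on two constructed responses (the host, cookie and token values are made up).

```python
import difflib
import re

# Split into word runs and non-word runs so that punctuation and whitespace
# are kept in the diff, as in Comparer's "Words" view.
TOKEN = re.compile(r"\w+|\W+")


def tokenize(text):
    return TOKEN.findall(text)


def compare_words(a, b):
    """Word-level comparison of two texts. Returns a list of
    (change, text_in_a, text_in_b) for every region that is not equal."""
    ta, tb = tokenize(a), tokenize(b)
    matcher = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((tag, "".join(ta[i1:i2]), "".join(tb[j1:j2])))
    return changes


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    headers = dict(line.split(": ", 1) for line in header_block.split("\r\n") if line)
    return status, headers, body


def compare_responses(a, b, ignore=()):
    """Summarize how two responses differ: status line, headers, body length and
    the word-level body changes. Regexes in ignore are masked before comparing,
    so per-request tokens (CSRF values, timestamps) do not drown the real difference."""
    sa, ha, ba = split_response(a)
    sb, hb, bb = split_response(b)
    for pattern in ignore:
        ba = re.sub(pattern, "<masked>", ba)
        bb = re.sub(pattern, "<masked>", bb)
    return {
        "status_differs": sa != sb,
        "headers_differ": sorted(k for k in set(ha) | set(hb) if ha.get(k) != hb.get(k)),
        "length_a": len(ba),
        "length_b": len(bb),
        "changes": compare_words(ba, bb),
    }


# Constructed sample responses to a login form for an unknown and a known username.
RESP_UNKNOWN_USER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=111aaa\r\n"
    "\r\n"
    '<form><input type=hidden name=csrf value="a1b2c3"><p>Invalid username or password.</p></form>'
)
RESP_KNOWN_USER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=222bbb\r\n"
    "\r\n"
    '<form><input type=hidden name=csrf value="d4e5f6"><p>Invalid password.</p></form>'
)

if __name__ == "__main__":
    print(compare_responses(RESP_UNKNOWN_USER, RESP_KNOWN_USER))
    print(compare_responses(RESP_UNKNOWN_USER, RESP_KNOWN_USER, ignore=[r'value="[0-9a-f]+"']))
```

Without masking, the diff reports two changes (the CSRF token and the message); with the token masked, only the message difference remains, which is the username-enumeration signal a tester is looking for. The body-length fields are the same quick check that Comparer and the Intruder results table expose as response length.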
8. Logger: This tool records, in real time, every request and response made by any
Burp tool and keeps a record of them, so that the user can analyze the data, inspect it
for potential security risks and send items to other tools.
SCREENSHOT: LOGGER
9. Extender: This is another powerful feature offered by Burp Suite. It lets users
extend the application's capabilities by loading extensions, either installed from the
BApp Store or written by the user.
In the highlighted area of the screenshot above, you select the extension that you want
to add and click Install.
SETUP YOU NEED TO RUN BURP SUITE ON YOUR MACHINE
Besides Burp Suite itself, you need to configure your web browser to send its traffic
through Burp's proxy listener, which runs on 127.0.0.1 port 8080 by default. I recommend
adding the "FoxyProxy" extension to Firefox and setting up the basic details, i.e., Title,
Type (HTTP), Hostname (127.0.0.1) and Port (8080). Alternatively, you can set the proxy
manually in the browser's network settings. Either way, to intercept HTTPS traffic without
certificate errors you must also install Burp's CA certificate in the browser: with the
proxy configured, browse to http://burpsuite, download the certificate and import it as a
trusted certificate authority. Recent versions of Burp also ship a built-in browser
(Proxy -> Intercept -> Open browser) that is pre-configured to use the proxy, so no
extension or certificate setup is needed when using it.