Burp Suite Project

This document outlines a project for conducting a web application vulnerability assessment using Burp Suite, focusing on identifying common vulnerabilities such as SQL Injection, XSS, and CSRF. It details the setup, methodology, and tools required, including the use of DVWA for testing. The project concludes with findings, recommendations for fixes, and future scope for automation and real-world application testing.

Uploaded by kotharisneh3

Web Application Vulnerability Assessment using Burp Suite

1. Introduction
In this project, we perform a vulnerability assessment of a deliberately vulnerable web
application using Burp Suite, a powerful tool used for web application security testing. The
goal is to identify common web vulnerabilities and understand how attackers exploit them.

2. Objective
- Understand the functionalities of Burp Suite.
- Identify and exploit vulnerabilities like:
  - SQL Injection
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF)
  - Broken Authentication
  - Insecure Direct Object Reference (IDOR)
- Generate a professional vulnerability report.

3. Tools & Environment

- Burp Suite Community Edition
- DVWA (Damn Vulnerable Web Application) hosted on XAMPP or Docker
- Browser: Firefox or Chrome (with Burp certificate)
- OS: Kali Linux or Windows
- Optional: OWASP Juice Shop or bWAPP for extended testing

4. Methodology

Step 1: Set Up the Environment

- Install XAMPP and DVWA or use OWASP Juice Shop.
- Set browser proxy to Burp Suite (127.0.0.1:8080).
- Import Burp’s certificate to avoid HTTPS issues.

Step 2: Intercept and Map

- Use Burp’s Proxy to intercept HTTP requests.
- Map the application using Target → Site map.
- Identify interesting parameters and endpoints.

Step 3: Active Testing

- Use Intruder for brute force or fuzzing attacks.
- Use Repeater to manually modify and replay requests.
- Use Scanner (Pro only) or manually test:
  - SQL Injection on login fields
  - XSS in search or comment forms
  - CSRF in user actions
  - File upload flaws
  - Broken session management

5. Sample Vulnerabilities Found

Vulnerability | Description | Impact | Fix Recommendation
SQL Injection | Login form vulnerable to `' OR 1=1--` | Admin access | Use prepared statements
XSS | Search field reflected payload `<script>alert(1)</script>` | Cookie theft, session hijacking | Sanitize user input
CSRF | Account deletion without CSRF token | Account takeover risk | Implement CSRF tokens
IDOR | Accessing `/profile?id=2` showed another user's data | Privacy violation | Implement access control
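The SQL Injection row above and its recommended fix, shown side by side as an added example (not code from the project or from DVWA): a login query built by string concatenation, which the `' OR 1=1--` payload rewrites, next to the same query as a prepared statement, where the payload is bound as data. The in-memory SQLite table, user names and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for the login backend
    # (demo schema only; plaintext passwords are used purely to keep it short).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def vulnerable_login(conn, username, password):
    # Builds the query by concatenation: the user-controlled value becomes part
    # of the SQL grammar, so `' OR 1=1--` turns the WHERE clause into
    # `username = '' OR 1=1` and comments out the password check.
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    # Prepared statement: the driver binds both values as data, never as SQL,
    # so the same payload is compared literally against the username column.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def compare(payload="' OR 1=1--"):
    # Returns the matched row (username, role) for each case, or None.
    conn = make_db()
    return {
        "vulnerable": vulnerable_login(conn, payload, "anything"),
        "prepared": safe_login(conn, payload, "anything"),
        "legit": safe_login(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for case, row in compare().items():
        print(f"{case}: {row}")
```

The vulnerable path returns the admin row for the payload while the prepared statement returns nothing, which is the behaviour to verify with Repeater after the fix is deployed.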

6. Screenshots
Add relevant screenshots showing intercepted requests, XSS alerts, SQLi payloads, etc.

7. Conclusion
This project demonstrates the capabilities of Burp Suite in identifying critical security flaws
in web applications. By testing against DVWA, we practiced real-world attack techniques
and developed a deeper understanding of web application security.

8. Future Scope
- Automate scanning using Burp Suite Pro or extensions.
- Test real-world applications with permission.
- Integrate Burp Suite with tools like OWASP ZAP, Nmap, or Nikto.

9. References
- Burp Suite Official Docs: https://portswigger.net/burp
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- DVWA GitHub: https://github.com/digininja/DVWA
