Burp Suite documentation - contents

Desktop editions
     Video tutorials
          Intercepting HTTP requests and responses
          Resending individual requests with Burp Repeater
          Scanning a website for vulnerabilities
          Using live tasks in Burp Suite
          Using Burp Suite projects
          Using Burp Suite project options
          Touring the Burp Suite user interface
          Using Burp Proxy's interception rules
          Using target scope in Burp Suite
          Testing WebSockets with Burp Suite
     Getting started
          Next steps
          Installing Burp Suite
               Downloading Burp Suite Professional
               Downloading Burp Suite Community Edition
               Installing Burp Suite
                    Burp Suite system requirements
                    Error running the installer on MacOS
          Launching Burp Suite
               Startup wizard
               Command line
                    Checking your Java version
                    Launching the Burp Suite JAR
                    Command line arguments
               Activate license
                    Manual activation
               Select project
                    Opening a project from a different Burp installation
               Select configuration
               Check display settings
                    Configuration library
                    User and project configuration files
                    Loading and saving configuration files
                    Configuration file format
               Working with Burp projects
                    Project files
                         Saving a copy of a project
                         Saving the Burp Collaborator identifier
                         Importing projects
          Configure Burp Proxy to work with an external browser
               Check listener is active
               Configuring your browser
                    Check your browser proxy configuration
                    Internet Explorer
               Installing Burp's CA certificate
                    Installing Burp's CA certificate on a mobile device
                    Why do I need to install Burp's CA certificate?
                         Removing Burp's CA certificate from Firefox
                         Installing Burp's CA certificate in Chrome - Windows and MacOS
                         Installing Burp's CA certificate in Chrome - Linux
                         Removing Burp's CA certificate from Safari
                    Internet Explorer
                         Removing Burp's CA certificate from Internet Explorer
          Downloading Burp's CA certificate
               Check that Burp is running
               Check your proxy listener is active
               Try a different port
               What next?
     Scanning web sites
          Launching scans
               Configuring scans
          Monitoring scan activity
          Browser-powered scanning
               How to enable browser-powered scanning
               System requirements for browser-powered scanning
               Browser-powered scanning on Linux
          Recorded logins
               Limitations for recorded login sequences
               How to record a login sequence for Burp Scanner
                    Recording login sequences using an external browser
               How to test a recorded login sequence
               Troubleshooting recorded login sequences
          Scan launcher
               Scan details
               Scan configuration
               Application login options
                    Use login credentials
                    Use recorded login sequences
               Resource pool options
          Live scans
               Live scan configuration
               Live audit
               Live passive crawl
          Crawl options
               Crawl optimization
                    Maximum link depth
                    Crawl strategy
               Crawl limits
               Login functions
                    How does the crawler identify login and registration forms?
                    Why is the crawler not filling my login forms?
               Handling application errors during crawl
               Miscellaneous crawl settings
                    Embedded browser options
          API scanning
               Prerequisites for API scanning
               Deriving locations from an API definition
               Parameter handling during API scans
               Limitations for API scanning
          Audit options
               Audit optimization
               Issues reported
               Handling application errors during audit
               Insertion point types
               Modifying parameter locations options
               Ignored insertion points
               Frequently occurring insertion points
               Misc insertion point options
               JavaScript analysis options
          Audit items
               Audit phase indicators
               Audit items annotations
               Report format
               Issue details
               HTTP messages
               Selecting issue types
               Report details
     Penetration testing
          Testing workflow
          Recon and analysis
          Tool configuration
          Vulnerability detection and exploitation
          Read more
     Mobile testing
     Troubleshooting performance issues
          Check the minimum system requirements
          Identify potential bottlenecks: CPU, memory, and network
          Optimize CPU usage
               Disabling pretty printing
               Disabling JavaScript analysis
               Configuring your scans for performance
               Narrowing the scope of your scans
               Scanning a single protocol
          Optimize memory usage
               Disabling extensions
               Allocating more memory to the Java machine
               Using a disk-based project
          Optimize network usage
               Reducing concurrent scans
               Configuring resource pools
     Becoming an early adopter
          Task details
          Task execution settings
               Task auto-start
               Resource pools
          Issue activity
               Issue activity annotations
                    Manual application mapping
                    Defining Target scope
                    Reviewing unrequested items
                    Discovering hidden content
                    Analyzing the attack surface
                    Target tool testing workflow
               Target site map
                    Target information
                         Site map views
                         Contents view
                         Issues view
                    Site map display filter
                    Site map annotations
                    Site map testing workflow
                    Comparing site maps
                         Site map sources
                         Request matching
                         Response comparison
                         Comparison results
               Getting started
               Using Burp Proxy
                    Getting set up
                    Intercepting requests and responses
                    Using the Proxy history
                    Burp Proxy testing workflow
                    Key configuration options for Burp Proxy
               Intercepting messages
                    Message display
                    History table
                    Proxy history display filter
                    Proxy history annotations
                    Proxy history testing workflow
                    Proxy listeners
                         Request handling
                         Exporting and importing the CA certificate
                         Creating a custom CA certificate
                         TLS protocols
                    Intercepting HTTP requests and responses
                    Intercepting WebSocket messages
                    Response modification
                    Match and replace
                    TLS pass through
                    Invisible proxying
               In-browser interface
               Getting started
               Using Burp Intruder
                    How Intruder works
                    Saving an attack
                    Typical uses
                         Enumerating identifiers
                         Harvesting useful data
                         Fuzzing for vulnerabilities
                    Request template
                    Payload markers
                    Attack type
                         Simple list
                              Predefined payload lists
                         Runtime file
                         Custom iterator
                         Character substitution
                         Case modification
                         Recursive grep
                         Illegal Unicode
                         Character blocks
                         Brute forcer
                         Null payloads
                         Character frobber
                         Bit flipper
                         Username generator
                         ECB block shuffler
                         Copy other payload
                         Payload processing rules
                         Payload encoding
               Intruder resource pool
                    Save options
                    Attack request headers
                    Error handling
                    Attack results options
                    Grep - match
                    Grep - extract
                    Grep - payloads
                    Handling redirections during attacks
               Configure attack
                    Launching an attack
               Attack results
                    Results table
                         Intruder attacks display filter
                         Burp Intruder testing workflow
                    Attack configuration tabs
                    Results menus
                         Attack menu
                         Save menu
                         Columns menu
               Analyzing results
               Using Burp Repeater
                    Using Burp Repeater with HTTP messages
                         Sending HTTP requests
                         HTTP request history
                    Using Burp Repeater with WebSocket messages
                    Repeater options
                    Managing request tabs
               Getting started
               Randomness tests
                    Character-level analysis
                    Bit-level analysis
                    Live capture
                         Select live capture request
                         Token location within response
                         Live capture options
                         Running the live capture
                    Manual load
               Analysis options
                    Token handling
                    Token analysis
                    Character-level analysis results
                    Bit-level analysis results
                    Results analysis options
               Loading data into Decoder
               Working manually
               Smart decoding
               Loading data into Comparer
               Performing comparisons
               Loading and managing extensions
               Extension details
               BApp store
               Burp Extender API
               Extender options
                    Java environment
                    Python environment
                    Ruby environment
               Submitting extensions
                    Before you submit
                    Submit your extension
                    Reviewing the extension
                    Updating your BApp
               Running Burp Clickbandit
               Record mode
               Review mode
          Collaborator client
               Using Burp Collaborator client
          Mobile Assistant
               Routing traffic through Burp Suite
               Bypassing certificate pinning
                    Adding injected apps
                    Injected apps list
                    Recovering from crashes
               Installing Burp Suite Mobile Assistant
               Logging and memory
               Logger functionality
               Task logger
               Logger configuration
                    Capture options
                    View options
          DOM Invader
               Starting DOM Invader
               Testing with DOM Invader
               Web messages
                    Generating automated messages
               Other options
     Useful functions
          Message editor
               Message analysis toolbar
                    Raw view
                    Pretty view
                    Hex view
                    Render view
                    Extension-specific views
                    Actions menu
               Other ways of using the message editor
               Context-specific actions
               Text editor
                    Syntax analysis
                    Pretty printing
                    Non-printing characters
                    Text editor hotkeys
                    Quick search
                    Working with encoded data in the inspector
                         Automatic decoding
                         Decoding selected characters
                         Editing encoded data
                    Working with individual characters in the inspector
                         Injecting non-printing characters
          Embedded browser
               Manual testing with Burp's embedded browser
               Scanning websites with Burp's embedded browser
               Embedded browser health check
               Text search
               Find comments and scripts
               Find references
          Target analyzer
          Content discovery
               File extensions
               Discovery engine
               Site map
          Task scheduler
          Generate CSRF PoC
               CSRF PoC options
          URL-matching rules
               Normal scope control
               Advanced scope control
          Response extraction rules
          Manual testing simulator
          Project options
          User options
               Platform authentication
               Upstream proxy servers
               SOCKS proxy
               Hostname resolution
               Out-of-scope requests
               Streaming responses
               Status 100 responses
               TLS negotiation
               Java TLS options
               Client TLS certificates
               Server TLS certificates
               Session handling challenges
               Session handling rules
                    Session handling tracer
               Cookie jar
               Integration with Burp tools
               Rule editor
                    Rule description
                    Rule actions
                         Use cookies from the session handling cookie jar
                         Set a specific cookie or parameter value
                         Check session is valid
                         Prompt for in-browser session recovery
                         Run a macro
                         Run a post-request macro
                         Invoke a Burp extension
                    Tools scope
                    URL scope
                    Parameter scope
               Macro editor
                    Record macro
                    Configuring macro items
                         Cookie handling
                         Parameter handling
                         Custom parameter locations in response
                    Re-analyze macro
                    Test macro
          Misc project options
               Scheduled tasks
               Burp Collaborator server
               Embedded browser project options
               User interface
                    How to enable dark mode in Burp Suite
               HTTP message display
               Character sets
               HTML rendering
          Misc user options
               Automatic project backup
               REST API options
               Proxy interception
               Proxy history logging
               Temporary files location
               Performance feedback
                    Logging exceptions to a local directory
               Update settings
               Message search
               Embedded browser
Enterprise Edition
     Trial setup guide
          Getting started with your trial
          Additional steps
          Install your trial
               Request a trial license
               Check your firewall configuration
               Install Burp Suite Enterprise Edition
          Start Burp Suite Enterprise Edition for the first time
               Open Burp Suite Enterprise Edition
               Configure an HTTP proxy
               Activate your license
          Configure the web server
          Add a website to scan
          Create a scan
               Schedule a recurring scan
          Process your scan results
               Analyze an issue
               Mark an issue as a false positive
               Using the dashboards
               Next steps
          Additional steps
               Running concurrent scans
                    Deploying additional agent machines
               Configuring your email server
               Setting up your team
               CI integration
               Creating custom scan configurations
               Migrating to an external database
          Core components
               Enterprise server
               Web server
               Agents and agent machines
               Managing Burp Suite Enterprise Edition services
                    List running services
                    Stop running services
                    Start services
          Agent machines
               Agent machine pools
          Required number of machines
               Multi-machine deployment
          System requirements
               General requirements
                    Swap space (Linux only)
               Bundled deployment
               External agent machines
               Database and storage space
                    Supported database versions
          Network and firewall configuration
               Fully bundled deployment
               Multi-system deployment
          Supported client browsers
     Getting started
          Trial tutorial
          On-premise trial deployment tutorial
          Preparing for the installation
          Setting up the external DB
               Resolving MySQL8 public key exception
          Initial installation
               Obtaining a license
                    What if I can't find my license key?
               Installing Burp Suite Enterprise Edition
          Deploying to the cloud
                    Main CloudFormation template
                         Nested templates
                    IAM CloudFormation template
                    How to deploy Burp Suite Enterprise Edition on AWS
                         Set up the IAM roles
                         Set up your own database (optional)
                    Configure the connection settings for the VPC security group
                         Create the main stack
                         Get the DNS name for launching Burp Suite Enterprise Edition
                         Set up routing and access the application
                    Azure Resource Manager template
                         Nested templates for Azure Resource Manager
                    How to deploy Burp Suite Enterprise Edition on Azure
                         Set up a database
                    Create the database server
                    Configure the database connection settings
                         Deploy the main stack to Azure
                    Create the service principal
                         Set up routing and access the application
                         The deployment is complete but bsee-application is in a "failed" state
                         How do I remove Burp Suite Enterprise Edition from Azure?
          Initial configuration
               Starting Burp Suite Enterprise Edition as an admin
               Activating your license
               Configuring your web server
                    Web server URL and port number
                    Enabling TLS
                    Configuring an HTTP proxy server
               Configuring your email server
                    Sending invites to newly created users
                    Configuring email recipients for scan reports
          Creating a new initial admin user
     Working with Burp Suite Enterprise Edition
          Starting Burp Suite Enterprise Edition
               Home page
          Working with sites
               Sites page
               Creating sites
               Adding application logins
                    Add login credentials
                    Add recorded login sequences
                         Limitations for recorded login sequences in Burp Suite Enterprise Edition
                         How to record a login sequence for Burp Suite Enterprise Edition
                         Troubleshooting recorded login sequences for Burp Suite Enterprise Edition
               Viewing site details
                    Site-level dashboard
                         Site URLs
                    Viewing folder details
                         Folder-level dashboard
          Working with scans
               Scans page
               Scan configurations
                    Creating custom scan configurations in Burp Suite Enterprise Edition
                         Crawl options
                         Audit options
                         Connection options
                         Request throttling
               Creating scans
               Browser-powered scans
                    How to enable browser-powered scanning for Burp Suite Enterprise Edition
                         Enabling browser-powered scanning on Linux machines
               Viewing scan details
                    Scheduled scans
                    Running and completed scans
                    Failed scans
          Scan results
               Viewing issue details
                    Requests and responses
                    Dynamic analysis
               Handling false positives
               Jira tickets
               Monitoring your progress
                    Downloading scan reports
                         Report type
                         Included severities
                         False positives
                    Automatically sending scan summary reports
                    Downloading charts
                    Downloading the event log
     Administration tasks
          Additional configuration and integration tasks
          General administration tasks
          Integrating with Jira
               Creating your Jira API token (cloud only)
               Configuring the integration
               Manually creating Jira tickets
          Integrating with your CI/CD platform
               Integration types
               Detailed instructions
               Integration types
                    Site-driven scan
                    Burp scan
               Create an API user
                    Create a role and group for CI/CD users
                    Create the CI/CD API user
                    Create an API user
                    Download and install the plugin
                    Configure the integration
                    Site-driven scan
                         Whitelist your Jenkins URL
                         Create the site-driven scan build step in Jenkins
                         Test your integration
                    Burp scan
                         Create the Burp scan build step in Jenkins
                         Test your integration
                    Create an API user
                    Download and install the plugin
                    Configure the integration
                    Site-driven scan
                         Whitelist your TeamCity URL
                         Create the site-driven scan build step in TeamCity
                         Test your integration
                    Burp scan
                         Create the Burp scan build step in TeamCity
                         Test your integration
                    Site-driven scan
                         Add the build steps to your pipeline
                         Test your integration
                    Burp scan
                         Add the build steps to your pipeline
                         Test your integration
                    Parameter reference
               Optional settings
                    Configuring optional settings using the native platform plugins
                    Configuring optional settings using the generic CI/CD driver
                    Overriding the default scan configurations from your CI/CD system
                    Ignoring issues
          Enabling CORS
               How to whitelist an application for CORS in Burp Suite Enterprise Edition
               Why do I need to do this?
          Deploying additional agent machines
               Setting up a new agent machine
               Authorizing a new agent machine
          Assigning agents
               Requesting additional agents
          Managing agent machine pools
               Features of agent machine pools
               Manage agent machine pools
          Migrating to an external database
               Installing the database transfer tool
               Preparing for migration
               Migrating your data
               Restarting services
          Changing your network settings
          Enabling single sign-on
                    Add Burp Suite Enterprise Edition to your trusted applications
                    Obtain key details from your identity provider
                    Enter your identity provider details
                    Additional identity provider configuration
                    Configuring single logout
                    Additional ADFS configuration
                         Create a central claim issuance policy
                         Create claim rules for each group individually
                    Additional Okta configuration
                    Additional Azure AD configuration
               Configuring user permissions
          Managing your team
                    Creating a new user
                    Creating API users
               Restricting access to sites
          Managing your certificates
          Managing the site tree
               Creating folders and subfolders
               Adding sites to a folder
          Managing sites and scan data
               Automatically create sites for API-generated scans
                    How does Burp Suite Enterprise Edition decide which sites to match?
               Automatically delete old scans
               Scan deltas
               Configuring false positive settings
               Backing up your data
          Managing updates
               Offline updates
               Downtime during updates
          Downloading logs
          Help center
               Support pack
     API reference
          GraphQL API
          REST API
          Core approach
          Session handling
          Detecting changes in application state
          Application login
          Crawling volatile content
          Crawling with the embedded browser (browser-powered scanning)
          Audit phases
          Issue types
          Insertion points
               Encoding data within insertion points
               Nested insertion points
               Modifying parameter locations
          Automatic session handling
          Avoiding duplication
               Consolidation of frequently occurring passive issues
               Handling of frequently occurring insertion points
          JavaScript analysis
          Handling application errors
Burp Collaborator
     What is Burp Collaborator?
     How Burp Collaborator works
     Security of Collaborator data
     Options for using Burp Collaborator
     Deploying a private server
          Basic set-up on a closed network
          General set-up steps
          Installation and execution
          Collaborator server ports and firewall rules
          Running on non-standard ports
          Collaborator server resources
          DNS configuration
          Collaborator configuration file
          TLS configuration
          Interaction events and polling
          Collaborator logging
          Testing the installation
          Add custom HTTP content
          Add custom DNS records
          Troubleshooting your server
Burp Infiltrator
     How Burp Infiltrator works
     Installing Burp Infiltrator
          Non-interactive installation
     Configuration options