ProfessionalCommunity Edition

Penetration testing workflow

  • Last updated: January 29, 2024

  • Read time: 5 Minutes

Burp Suite includes a range of automated and manual tools that you can use in your penetration testing workflow. The tutorials in this section are designed to teach you how to use Burp Suite to:

  1. Map your target application.
  2. Analyze the attack surface.
  3. Test for vulnerabilities.

You can complete most of the tutorials as a stand-alone exercise. If you're just starting out, you can use the tutorials to get an overview of a typical penetration testing workflow. Otherwise you can select tutorials to learn how to combine different Burp tools to perform a specific task.

You can practice the processes outlined in most of the tutorials using our deliberately vulnerable website, ginandjuice.shop, or a deliberately vulnerable lab from the Web Security Academy. We provide a link to a suitable lab where necessary.

Note

Some of the tools used in this testing workflow are only available in Burp Suite Professional.

Tutorials

Stage 1: Map the target application

You can use a combination of manual and automated tools to map the application.

Manually browse the application in Burp's browser. Your traffic is proxied through Burp automatically. As you browse, the Proxy history and Target site map are populated. By default, a live task also discovers content that can be deduced from responses, for example from links and forms.

To manually discover additional content, you can identify any unrequested items on the site map, then review these in Burp's browser.

Note

To control the content that is added to the site map and Proxy history, set the target scope to focus on the items you are interested in. You can then configure Burp to log only in-scope items.

You can also automate the mapping process and discover additional content:

  • Configure a scan to crawl the application's content. Burp Scanner uses Burp's browser to navigate the application, which dramatically increases coverage.
  • When using Burp Scanner, configure login credentials for a site to discover content that is only accessible to authenticated users.
  • Use the content discovery tool to find content that is not linked from visible content.
  • Use Burp Intruder to enumerate additional subdomains or paths.

Note

Many applications contain features that hinder testing, such as reactive session termination and use of pre-request tokens. You can use session handling rules and macros to handle these situations.

Stage 2: Analyze the attack surface

Use the Proxy history and Target site map to analyze the information that Burp captures about the application. While you use these tools you can quickly view and edit interesting message features in the Inspector.

You can send HTTP messages that you want to investigate further to Burp Organizer. This tool enables you to store and annotate HTTP messages to organize your workflow. For more information, see the Burp Organizer documentation.

You can also use other Burp tools to help you analyze the attack surface and decide where to focus your attention:

  • Use the Target analyzer to analyze how many static and dynamic URLs the target application contains, and how many parameters each URL takes. This can help you to understand the extent of the attack surface.
  • Use Burp Scanner to scan a specific interesting request. Burp Scanner audits only this request. This can flag issues quickly.

Stage 3: Test for vulnerabilities

You can use a combination of Burp tools to detect and exploit vulnerabilities.

You may already have identified a range of issues through the mapping process. By default, Burp Scanner scans all requests and responses that pass through the proxy. Burp lists any issues that it identifies under Issue activity on the Dashboard.

You can also use Burp Scanner to actively audit for vulnerabilities. Scanner sends additional requests and analyzes the application's traffic and behavior to identify issues.

To investigate the identified issues, you can use multiple Burp tools at once. To send a request between tools, right-click the request and select the tool from the context menu. Some example strategies are outlined below for different types of vulnerabilities:

Input-based vulnerabilities

The following are examples of input-based vulnerabilities:

You can use Burp in various ways to exploit these vulnerabilities:

  • Scan the interesting request.
  • Use Burp Intruder to fuzz for error messages or other exceptions.
  • Use Burp Repeater to manually modify and reissue the request repeatedly.
  • Actively exploit any vulnerabilities with Burp Intruder. For example, use the recursive grep payload type to exploit SQL injection vulnerabilities.

Logic and design flaws

The following are examples of logic and design flaws:

  • Unsafe use of client-side controls.
  • Failure to enforce account lockout.
  • Ability to skip steps in a multi-stage process.

You generally need to work manually to exploit these types of flaws:

Access control vulnerabilities

To test for access control and privilege escalation vulnerabilities, you can:

  • Compare site maps to:

    • Identify functionality that is visible to one user and not another.
    • Test whether a low privileged user can access restricted functions.
    • Discover where user-specific identifiers are used to segregate access to data by two users of the same type.
  • Access the request in different Burp browsers to determine how requests are handled in different user contexts:

    • Use a different user context and a separate proxy listener with a different port for each browser.
    • Open additional Proxy history windows for each browser.
    • Filter each window to show items received on a specific listener port. Each history window shows only the items for the associated user context.
    • Switch requests between browsers, to determine how they are handled in the other user context. To do this, right-click the request in the Proxy history, select Request in browser, then Current session.
  • Some privilege escalation vulnerabilities arise when the application passes a user identifier in a request, then uses that to identify the current user context. To test for this, use Burp Intruder to cycle through identifiers and retrieve interesting user-specific data from the application's response.

Other vulnerabilities

Burp contains tools that can be used to perform virtually any task when probing for other types of vulnerabilities, for example:

Was this article helpful?