Burp Suite


Burp Suite is a collection of tools that can be used to intercept requests and responses and inject content into them. This process can be automated, and it's useful both to test websites and APIs.

Burp Suite Community is free and includes most features 😎, though the Intruder is rate-limited, we can't save our project, and we can't use the automated vulnerability scanner.

  • Download (it's advised to use a "stable" version)
  • Run and create a new (temporary) project

➡️ You can set options according to your needs for this project and/or for the user, such as using the dark theme.

On Kali Linux, Burp Suite is installed by default:

$ sudo apt install burpsuite # if not installed
$ burpsuite

📚 As a student, you can apply for a free trial.


Burp Suite Modules

There are 6 modules in the suite:

  • Proxy: intercept and modify requests
  • Repeater: intercept, modify, and resend a request multiple times
  • Intruder: brute-force entry points/forms/...
  • Decoder: decode something, or encode a payload
  • Comparer: compare data
  • Sequencer: analyse the algorithm generating tokens/...

You can use CTRL+SHIFT and a letter to switch to a tab:

  • D - Dashboard
  • T - Target
  • P - Proxy
  • R - Repeater
  • I - Intruder

Extender

Like most community-friendly software, Burp can be enhanced with extensions/plugins that you write yourself. You can find extensions in the Extender | BApp Store tab. There are useful extensions such as:

  • Logger++: "[...] logging extension for Burp Suite."
  • WordPress Scanner: "Find known vulnerabilities in WordPress plugins and themes using WPScan database."
  • Request Timer: "This extension captures response times for requests made by all Burp tools. It could be useful in uncovering potential timing attacks."
  • ...

To install some extensions, you may first have to install an adapter, since not every extension is written in Java.
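As an added example of what an extension can do (not code from this page or from PortSwigger), here is a minimal Java extension built on the legacy `burp` Extender API that adds a marker header to every request sent through the Proxy, so a blue team can recognise authorised test traffic in their logs; the header name and value are placeholders to replace.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Adds a fixed marker header to every request that passes through the Proxy
// tool, so the tester's traffic is easy to identify in the target's logs.
public class BurpExtender implements IBurpExtender, IHttpListener {
    // Placeholder header name/value: agree these with the engagement owner.
    static final String MARKER_NAME = "X-Pentest-Marker";
    static final String MARKER_VALUE = "engagement-placeholder";
    private IExtensionHelpers helpers;
    private IBurpExtenderCallbacks callbacks;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Proxy marker header");
        callbacks.registerHttpListener(this); // called for every request/response
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only touch outgoing requests coming from the Proxy tool.
        if (!messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_PROXY) return;
        byte[] request = messageInfo.getRequest();
        IRequestInfo info = helpers.analyzeRequest(messageInfo);
        // Copy the header list so we can safely modify it.
        List<String> headers = new ArrayList<>(info.getHeaders());
        if (!addHeaderIfMissing(headers, MARKER_NAME, MARKER_VALUE)) return; // already marked
        // Keep the original body and rebuild the message with the new header set.
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        messageInfo.setRequest(helpers.buildHttpMessage(headers, body));
        callbacks.printOutput("Marked " + info.getUrl());
    }

    // Returns true if the header was added, false if one with that name already exists.
    static boolean addHeaderIfMissing(List<String> headers, String name, String value) {
        String prefix = name.toLowerCase() + ":";
        for (String h : headers) {
            if (h.toLowerCase().startsWith(prefix)) return false;
        }
        headers.add(name + ": " + value);
        return true;
    }
}
```

Load it from Extender | Extensions as a compiled JAR; requests edited in Proxy | Intercept will already carry the header when they reach the interception view.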


👻 To-do 👻

Stuff that I found but haven't read/used yet.

  • Proxy>Options>Match and Replace for automatic injection
  • Burp Scanner (paid, see HTB notes)