In ye olden days, when hackers still used quill and ink, there weren’t many resources available for learning the trade. One could not simply enroll in cybersecurity courses in college or create an account on one of the many educational platforms available today. Instead, hackers found themselves on dedicated forums discussing and sharing information among themselves. It was during this time that Dafydd Stuttard chose the user handle “PortSwigger.”
Stuttard eventually became a penetration tester and wrote a web testing tool that he aptly named “Burp” (too many port swigs will produce those). With Burp, payloads could be programmatically iterated and web traffic could be generated and recorded at a rapid rate. Further development of this tool and additional functionality resulted in an entire web testing toolkit now known as Burp Suite—released and maintained by Stuttard’s company PortSwigger.
The Hypertext Transfer Protocol
The Hypertext Transfer Protocol (HTTP), the protocol that facilitates web traffic, uses a client–server model. To most people, the client in this relationship is their browser (Chrome, Safari, Firefox, etc.). On the other side of this relationship, the server is the entity providing resources to be rendered by the browser displaying a web page/web application.
In this context, “resources” refers to items such as the HTML file (which defines the structure of a web page), the CSS file (which provides the styling for the elements of an HTML file), JavaScript files (which make a web page interactive), image files, video files, etc. The client obtains them by sending a request for each resource; the server parses the request and returns a response containing the resource requested.
You can conceptualize HTTP as a visit to a restaurant. You tell the waiter (the browser) your order. The waiter writes down what you want on an order slip (the request). This order slip is then given to the chef in the kitchen (the server). The chef combines all the ingredients (resources) relevant to your order to make and serve you your dish (the response). Now, take some bytes (pun intended).
What is Burp Suite used for?
Burp Suite is an HTTP interception proxy tool that acts as an intermediary between your browser and a website. Any requests generated by your browser and the responses it receives first pass through Burp Suite before reaching their intended recipient. This means hackers can intercept and modify requests and responses before forwarding them to a server or before they are rendered by a browser, respectively.
With Burp Suite, you can change both the order slip and the dish you receive, unbeknownst to both the waiter and the chef. Get yourself that ribeye for the price of a kids’ grilled cheese meal.
Until now, you have assumed the intended end user role when using web applications. Intended behavior is predictable behavior, and predictable user interactions are much easier to defend against. With Burp Suite, you’re now able to use web applications in an unintended manner by altering what is sent and received.
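As an added illustration (not code from the original post or from PortSwigger), here is a small Python model of what an intercepting proxy handles: it parses the raw HTTP/1.1 text that Burp shows in its request pane, lets you edit it, and re-serializes it with a correct Content-Length. The sample request is constructed; nothing here talks to a network.

```python
# Added example (not from the original post): a minimal parser and serializer for
# the raw HTTP/1.1 messages Burp shows in its request and response panes. It models
# the "order slip" (request) and the one thing an intercepting proxy must get right
# after you edit a body: Content-Length. The sample request below is constructed.
from dataclasses import dataclass, field

CRLF = "\r\n"

@dataclass
class HttpMessage:
    start_line: str                               # request line or status line
    headers: list = field(default_factory=list)   # (name, value) pairs, order kept
    body: bytes = b""

    def header(self, name: str):
        # Case-insensitive lookup; None if the header is absent.
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def set_header(self, name: str, value: str) -> None:
        # Replace an existing header in place (keeping its original casing), else append.
        for i, (k, _) in enumerate(self.headers):
            if k.lower() == name.lower():
                self.headers[i] = (k, value)
                return
        self.headers.append((name, value))

def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw HTTP/1.1 request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split(CRLF)
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers.append((name.strip(), value.strip()))
    # Honour Content-Length when present: bytes beyond it belong to the next message.
    length = msg.header("Content-Length")
    msg.body = body if length is None else body[: int(length)]
    return msg

def serialize(msg: HttpMessage) -> bytes:
    """Rebuild the wire form, recomputing Content-Length from the actual body
    (this is what Burp's "Update Content-Length" option does after an edit)."""
    if msg.body or msg.header("Content-Length") is not None:
        msg.set_header("Content-Length", str(len(msg.body)))
    head = CRLF.join([msg.start_line] + [f"{k}: {v}" for k, v in msg.headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + msg.body

# Constructed sample request, as it would appear in the Intercept subtab.
SAMPLE_REQUEST = (
    b"POST /cart HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"item=ribeye&qty=1"
)

def intercept_and_edit(raw: bytes, new_body: bytes) -> bytes:
    """Model of editing a captured request's body before clicking Forward."""
    msg = parse_message(raw)
    msg.body = new_body
    return serialize(msg)
```

If the body were changed without fixing Content-Length, the server would read a truncated or over-long body; Burp updates the header for you, but it is worth knowing why that option exists.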
Burp Suite: Installation
There are three different subscription tiers for the product, but we’ll cover the free Community Edition in this article.
To install Burp Suite Community Edition, visit https://portswigger.net/burp/releases#community and download the latest release for your operating system. Once downloaded, run the installation and proceed through the installation wizard.
FoxyProxy
By default, Burp’s proxy server listens for incoming browser connections on your computer on port 8080. For your traffic to reach it, your browser must be configured to send requests through that proxy. The easiest way to manage this is with a browser extension called FoxyProxy.
To install and configure FoxyProxy, follow these steps:
1. Download the extension for Firefox or Chrome.
2. Select “Options,” the “Proxy” tab, and then click the “Add” button.
3. Enter any “Title” you want to name the proxy. For the “Hostname,” enter the localhost address of 127.0.0.1 and for the “Port,” enter 8080.
4. By clicking on the FoxyProxy icon at the top right-hand corner of both browsers, you can now toggle the proxy on and off.
Burp Suite: Configuration
The secure version of HTTP is HTTP Secure (HTTPS). Plain HTTP sends data in its human-readable form, so anyone who intercepts a request or response can read any sensitive information it contains. HTTPS solves this by establishing an encrypted connection between your browser and the website.
When you visit a website over HTTPS, your browser expects a Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate from the site to verify its legitimacy. These certificates are issued by trusted third parties known as certificate authorities (CAs), which verify that websites are genuinely what they claim to be.
Because Burp sits between your browser and the website, it presents its own certificate for each HTTPS host, so your browser also needs to trust Burp. To avoid security warnings about untrusted connections, Burp Suite generates its own CA certificate, which needs to be added to the list of trusted authorities in your browser.
To add Burp’s CA certificate, follow these steps:
1. Start Burp Suite by opening the application and selecting “Next” and then “Start Burp.” Ensure the proxy in FoxyProxy is on.
2. Once Burp Suite is running, visit http://burpsuite in your browser and click on “CA Certificate” in the upper right-hand corner. This will download the cacert.der file.
3. Import the certificate into your browser.
   In Firefox:
   - Open “Settings” and use the search bar to look up “Certificates.” Click “View Certificates,” the “Authorities” tab, and then “Import.” Select the cacert.der file and click “Open.” In the window that appears, select “Trust this CA to identify websites” and click “OK,” then click “OK” in the Certificate Manager window to exit. Close and restart Firefox. Now, when you navigate to any website using the https:// scheme with Burp Suite running, no warnings will appear.
   In Chrome using Windows (instructions for MacOS or Linux):
   - Navigate to chrome://certificate-manager/localcerts in a Chrome window. Select “Local certificates” and click “Manage imported certificates from Windows.” In the window that appears, select the “Trusted Root Certification Authorities” tab and click the “Import…” button. This will launch the Certificate Import Wizard. Click the “Next” button to continue. Click “Browse…” and select the cacert.der file. If you cannot find it, try selecting “All Files (*.*)” from the dropdown menu in the bottom right-hand corner. Click the “Open” button, “Next,” “Next,” “Finish,” and “Yes” if you get a security warning window. The Certificate Import Wizard will notify you that “The import was successful” in a pop-up. Click “OK” and “Close” the Chrome settings window.
Pro tip: You can skip all these shenanigans by just using Burp Suite’s built-in browser.
Rest stop. That was a lot of information to take in. But the following will help further familiarize you with Burp Suite.
What does the Community Edition of Burp Suite provide?
Pro tip: To save your eyes, before continuing, consider switching to dark mode by selecting “Settings,” “Display,” and switching the “Theme” to “Dark.”
Although it lacks some of the advanced features found in the Professional Edition, the Community Edition still provides a robust set of tools and an intuitive interface that allow for thorough web security assessments. The interfaces and tools included in the free edition are as follows:
Dashboard
The Dashboard provides an overview of the Project you are in. A Project in Burp Suite is simply an instance of the application.
Target
The Target tab includes the Site map, Scope, and Issue definitions subtabs.
Site map
As HTTP traffic is proxied through Burp Suite, the left-hand side of the interface will populate with all of the websites, their paths, and associated requests and responses. This collection will be displayed in the Site map subtab and can be viewed at any time to get a sense of the website structure.
Scope
The Scope subtab allows you to set a filter on what traffic is recorded by Burp Suite based on one or more prefixes that you supply. For example, if you want Burp to only record traffic on example.com, you can add “example.com” as a prefix to the list.
To capture traffic to multiple top-level domains for a second-level domain (e.g., both .com and .org), you can just add “example” to the list. You also have the option to include any subdomains by marking the “Include subdomains” checkbox.
Issue definitions
This tab provides detailed information on different vulnerabilities, acting as a useful reference when writing vulnerability reports.
Proxy
The Proxy tab includes the Intercept, HTTP history, WebSockets history, and Proxy settings subtabs.
Intercept
In the Intercept subtab, you can capture every request your browser makes before it is sent to the server. Additionally, by right-clicking within the request pane to open the context menu, you can select “Do intercept > Response to this request.” This will capture the associated response after you send the request using the “→ Forward” button. Once requests or responses are captured, you can make arbitrary alterations to them. You can also click the “Drop” button so a request is never sent to the server.
HTTP history
All of the proxied traffic will be logged in the HTTP history subtab. You can select any row from the table to view the request and response pair. By default, the requests are ordered by their numeric identification number (# column) that corresponds to the order with which they were proxied based on time. The request table also includes columns of additional information useful for analyzing web traffic. The following are columns included by default and a brief description of their values (take a big mental inhale—it’s a bit lengthy):
- Host: The scheme plus the value of the Host header of the request.
- Method: The HTTP request method used (GET, POST, PUT, OPTIONS, etc.).
- URL: The path of the request.
- Params: Any included query parameters.
- Edited: A checkmark indicates if a request was edited before being forwarded.
- Status code: The response status code.
- Length: The response size in bytes.
- MIME type: The response content type.
- Extension: The file extension of the response.
- Title: The value of the <title></title> HTML tag of the response.
- Notes: Any notes you have added to a request using the right-click context menu.
- TLS: A checkmark indicates if the request was sent over HTTPS.
- IP: The IP address of the server.
- Cookies: Any cookies sent with the request.
- Time: The time of the request.
- Listener port: The port that Burp Suite is listening on.
- Start response timer: The time in milliseconds between when a request was sent and when the first byte of the response was received.
You can click on the column names to sort the rows by category.
WebSockets history
The WebSockets history subtab shares some of the same columns seen in the HTTP history subtab and includes the following columns specific to WebSocket traffic:
- Direction: Specifies if a message was sent to a server or received by a client.
- WebSocket ID: The connection used to transmit a message.
Proxy settings
The Proxy settings subtab pop-up window includes several options for customizing how HTTP traffic is handled by Burp Suite. In this interface, you can change the listening port of Burp Suite, control what traffic is intercepted, how responses are displayed, set match and replace rules, configure HTTP history options, and other miscellaneous settings.
Intruder
This is what started it all—the original Burp tool evolved into what is now referred to as Intruder.
With Burp Intruder, you can iterate through payload requests to fuzz or carry out brute-force attacks.
The Intruder tab includes the Positions, Payloads, Resource pool, and Settings subtabs.
Positions
To mark where a payload or payloads should be inserted, you highlight what is to be replaced and click the “Add §” button in the Positions subtab. The selected area will then be encased with § characters.
Payloads
The Payloads subtab provides an interface to specify the values that will replace the marked position. The value of “Payload set:” refers to the positions in the order they were added. If more than one position was marked, you can select it using the dropdown menu. Expanding the dropdown menu next to “Payload type:” will present a variety of options to choose from.
If you want to use your own saved wordlists (I recommend the wordlists provided by AssetNote), keep the default “Simple list” selection and upload the file by clicking “Load” in the “Payload settings [Simple list]” section. For further customization, there are a number of “Payload processing” options available. In the “Payload encoding” section, special characters (e.g., “&,” which delimits query parameters) can be automatically URL-encoded so that a server interprets them as their literal value rather than as syntax (“&” becomes “%26”).
Resource pool
In the Resource pool subtab, you can specify how many requests will be sent simultaneously in your Intruder campaign. By default, 10 requests will be sent in parallel, but you can set a custom value by selecting the “Create new resource pool” radio button and filling out the input fields. Being able to configure your own rate of request forwarding is useful when the target has rate-limiting protections in place, since it lets you stay below the threshold that triggers them.
Settings
Additional options for request handling, error handling, and result output customization are available under the Settings subtab.
Initializing your Intruder attack
Once you’ve configured Intruder to your desired specifications, click the “Start attack” button in the upper right-hand corner of any of the subtabs to begin sending payload requests. A new window displaying a live feed of the attack will appear. You can sort the column category by clicking on the column name, which is useful for analysis and discovering which payloads received anomalous responses.
Note: The request forwarding rate is throttled in the Community Edition. If you have a Professional license, Intruder attacks take much less time to complete.
Pro tip: You can send any request to Intruder by focusing the request pane and using the shortcut CTRL + i.
Repeater
With Burp Repeater, you can send a request from any other tab that includes a request pane to an interface designed for manual testing. Each time the “Send” button is clicked in Repeater, the request is added to a history log that allows you to spot differences in responses based on the modifications made. To iterate through your request history, use the “<” and “>” buttons to move backward and forward through time, respectively. There are several request-handling options available that will be displayed after you click the gear icon to the right of the “Send” button.
Pro tip: You can send any request to Repeater by focusing on the request pane and using the shortcut CTRL + r.
Pro tip: You can give a custom name to a Request tab by right-clicking on it.
Sequencer
Burp Sequencer allows for token analysis to determine the level of entropy (i.e., randomness) across a collected sample.
The Sequencer tab includes the Live capture, Manual load, and Sequencer settings subtabs.
Live capture
Using the Live capture subtab, a request can be sent to Sequencer and any issued token positions can be marked. Once you have set the position(s) and clicked the “Start live capture” button, Burp will automatically generate new requests to collect a large number of tokens for analytic purposes. Clicking “Analyze now” will output the results in several different formats.
Manual load
Instead of automatically capturing tokens, you can create a manual list for analysis in the Manual load subtab.
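To make the idea of token entropy concrete, here is an added Python example (not the original post's code and not PortSwigger's Sequencer implementation) that runs a simple character-level analysis over a manually constructed token list, much like the Manual load workflow above: it estimates the Shannon entropy at each character position and flags positions that barely change. The token samples are constructed; the random set uses a fixed seed only so the numbers are reproducible.

```python
# Added example (not part of the original post, nor PortSwigger's Sequencer code):
# a small token analysis in the spirit of Sequencer's character-level tests.
# It estimates Shannon entropy per character position across a sample of tokens
# and flags positions that barely vary, which is what a predictable session
# token looks like. Entropy from a few hundred samples is only an estimate.
import math
import random
from collections import Counter

def shannon_entropy(symbols) -> float:
    """Entropy in bits of the observed symbol distribution (0 if constant)."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def position_entropy(tokens):
    """Entropy of each character position, looking down the column of tokens."""
    width = min(len(t) for t in tokens)
    return [shannon_entropy(t[i] for t in tokens) for i in range(width)]

def analyze(tokens, alphabet_size=16, weak_threshold=1.0):
    """Summarise a sample: estimated bits, positions that barely vary, duplicates."""
    per_pos = position_entropy(tokens)
    max_per_pos = math.log2(alphabet_size)
    return {
        "positions": len(per_pos),
        "estimated_bits": round(sum(per_pos), 2),
        "max_possible_bits": round(max_per_pos * len(per_pos), 2),
        "weak_positions": [i for i, h in enumerate(per_pos) if h < weak_threshold],
        "duplicates": len(tokens) - len(set(tokens)),
    }

# Constructed sample 1: a "session id" that is just a hex-encoded counter.
# Captured in sequence, its leading characters never change.
COUNTER_TOKENS = [f"{1000 + i:08x}" for i in range(200)]

# Constructed sample 2: 64-bit random tokens. The fixed seed keeps the sample
# reproducible; a real application would use the secrets module instead.
_rng = random.Random(20240101)
RANDOM_TOKENS = [f"{_rng.getrandbits(64):016x}" for _ in range(200)]
```

The counter-based sample scores only a handful of effective bits because six of its eight positions are nearly constant, while the random sample sits close to its 64-bit ceiling; that gap is what Sequencer's report makes visible.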
Sequencer settings
Settings that dictate how Sequencer captures, handles, and analyzes tokens can be configured in this pop-up window.
Decoder
Although the name of this tab is Decoder, values can be encoded, decoded, and hashed in this interface. Each transformation produces a new window below the last one, containing the output of the previous step, so a value can be fed through a chain of encoding, decoding, and hashing operations. To select a method or algorithm, expand the desired drop-down menu.
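As an added Python example (not from the original post), the following reproduces Decoder's stacked-transform idea: each step's output feeds the next, and every intermediate value is kept so the stack can be read top to bottom. It also illustrates the URL-encoding point from the Intruder Payloads section, showing how a payload containing “&” is parsed with and without encoding. The cookie value and payloads are constructed.

```python
# Added example (not from the original post): a stacked transformation chain in the
# style of Burp Decoder, plus a demonstration of why payloads containing "&" need
# URL-encoding. All sample values below are constructed.
import base64
import hashlib
from urllib.parse import quote, unquote, parse_qs

def b64_decode_lenient(text: str) -> str:
    """Base64 decode that accepts the URL-safe alphabet and missing '=' padding."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_")).decode()

OPERATIONS = {
    "url-encode": lambda s: quote(s, safe=""),
    "url-decode": unquote,
    "base64-encode": lambda s: base64.b64encode(s.encode()).decode(),
    "base64-decode": b64_decode_lenient,
    "hex-encode": lambda s: s.encode().hex(),
    "hex-decode": lambda s: bytes.fromhex(s).decode(),
    "sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
}

def apply_chain(value: str, steps):
    """Run the steps in order; returns [(step, output), ...] like Decoder's stacked panes."""
    stack = []
    for step in steps:
        value = OPERATIONS[step](value)
        stack.append((step, value))
    return stack

# Constructed sample: a cookie value that is base64 and then URL-encoded (the '='
# padding became %3D in transit). Two decode steps reveal the underlying JSON.
COOKIE_VALUE = "eyJ1c2VyIjoiZ3Vlc3QiLCJyb2xlIjoidmlld2VyIn0%3D"

def decode_cookie(value: str) -> str:
    """Final pane of the chain: url-decode, then base64-decode."""
    return apply_chain(value, ["url-decode", "base64-decode"])[-1][1]

def query_params(payload: str, encoded: bool):
    """How a server sees a payload placed in q=..., with or without URL-encoding."""
    value = quote(payload, safe="") if encoded else payload
    return parse_qs(f"q={value}", keep_blank_values=True)
```

Without encoding, the “&” in the payload splits it into two parameters, which is the behaviour the Intruder “Payload encoding” setting prevents.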
Comparer
With Burp Comparer, you can evaluate the differences between sets of data on a word- or byte-level basis. This tool is useful in discovering small differences in responses that may lead to vulnerability findings. Simply paste, load a file, or send data via the right-click context menu to add it as an entry. When at least two entries are included, clicking either “Words” or “Bytes” under “Compare…” in the bottom right-hand corner will open a results window.
Logger
While the HTTP history subtab only lists traffic handled by Burp Proxy, the Logger tab also displays traffic generated by other tools within Burp. The columns should all be familiar, with the exception of the “Tool” column, which identifies the feature that handled the request, and the “Param count” column, which displays the number of query parameters instead of a string representation.
Organizer
Burp Organizer allows you to add proxied HTTP traffic to a table to assist you in keeping track of important requests, responses, or WebSocket messages. The main difference between this table and others throughout Burp Suite is that entries are not automatically logged in the Organizer table. A new column named “Status” is included, which allows you to tag a row with an identifier that hints toward its evaluation level in your web security assessment workflow. The tags are as follows:
- New
- In progress
- Postponed
- Done
- Ignored
Extensions
But wait, there’s more!
The Extensions tab includes the Installed, BApp Store, APIs, BChecks (Professional Edition only—will not be covered), and Extension settings subtabs.
BApp Store
The BApp Store subtab is a repository of community-developed extensions that have been vetted by PortSwigger to ensure both their security and quality are of a high standard.
As Burp Suite is written in Java, you will need to install Jython and JRuby for any extensions that are written in Python or Ruby.
To install and configure the dependencies, follow these steps:
- Install the latest releases of Jython (jython-standalone-X.X.X.jar) and JRuby (jruby-complete-X.X.X.X.jar).
- Click the “Extension settings” subtab, click “Select file …,” and select the file downloads for the appropriate sections.
- Reselect the desired extension. The “Install” button should now be enabled.
Installed
All of the extensions you have installed will be listed in the “Installed” subtab. At the top of the interface is a “Total estimated system impact:” bar with a rating of either “Low,” “Medium,” or “High.” This bar indicates the level of strain on Burp Suite performance and is associated with the current extensions enabled.
To toggle between an extension being enabled and disabled, click the checkbox in the “Loaded” column. You can also “Unload” an extension by right-clicking to open up the context menu.
The order in which extensions are listed is important. Requests and responses are handled by the extension order starting from top to bottom. To change the order, click on an extension in the table and use the “Up” and “Down” buttons.
Additionally, the context menu also has the “Remove” option to uninstall the respective extension. View the details of an extension, and configure output and error handling using the tabs under the extension table.
Pro tip: If you made any changes to an extension and would like them to take effect, you can reload an extension using CTRL + clicking (CMD + clicking for Mac) on the associated checkbox.
APIs
The APIs subtab includes information about the application programming interfaces available for developing your own Burp Suite extensions. If you are interested in creating your own, refer to https://portswigger.net/burp/documentation/desktop/extensions/creating for more information.
Learn
The Learn tab includes additional resources to help you along your bug bounty journey. I highly recommend taking advantage of the lessons and labs provided free of charge by PortSwigger in the Web Security Academy.
Additional pro tips
Pro tip: The buttons in the top right-hand corner of both the request and response panes are useful. When enabled (highlighted blue):
- The eye icon will remove clutter headers.
- The three line + arrow icon will wrap lines for easy viewing.
- The \n icon will display carriage return and line feed characters, which are useful when constructing request smuggling attacks.
Pro tip: If any of your match and replace rules are not working, ensure that you have selected the Raw tab in either the request or response panes. The default “Pretty” display adds extra whitespace for easy viewing.
Pro tip: The Inspector panel to the right provides nice tables of key/value pairs and can also be used as a shortcut to encode highlighted sections.
Pro tip: Use the Filter bars included within every tab with an HTTP traffic table to fine-tune what is displayed for easy parsing.
Pro tip: READ THE OFFICIAL DOCUMENTATION AVAILABLE HERE.
Conclusion
Can you believe you get all of this for free? Big thanks to PortSwigger. While this guide ended up being rather lengthy, there are many more configurations to explore and customize for your personal testing techniques. However, you should now have a basic understanding of how you can use Burp Suite to exploit vulnerabilities in not only labs and CTF challenges but also in the wild. Go get those bounties! Let me know if you pop any, and we can celebrate with some port.
Until next time, love y’all.
- Ninjeeter