Burp Suite Explained

Burp Suite
Developer: PortSwigger
Programming language: Java
Genre: Security testing

Burp Suite is a proprietary software tool for security assessment and penetration testing of web applications.[1] [2] The software was initially developed in 2003-2006 by Dafydd Stuttard[3] to automate his own security testing needs, after he saw the capabilities of automatable web tools such as Selenium.[4] Stuttard founded the company PortSwigger, whose flagship product is Burp Suite. Community, Professional, and Enterprise editions of the product are available.

Notable capabilities in the suite include proxying of web traffic and crawls (Burp Proxy),[5] logging of HTTP requests and responses (Burp Logger and HTTP History), capture and modification of HTTP requests in transit (Burp Intercept),[6] and aggregated reports of identified weaknesses (Burp Scanner).[7] The software uses a built-in database of known-unsafe syntax patterns and keywords to search within captured HTTP requests and responses.[8]

Burp Suite also provides several functions aimed at active penetration testing. Built-in proof-of-concept services include tests for HTTP downgrade,[9] interaction with tool-hosted external out-of-band servers (Burp Collaborator),[10] and analysis of the strength of pseudorandom tokens (Burp Sequencer).[11] User-defined functionality can be added by downloading open-source plugins (such as Java Deserialization Scanner[12] and Autorize[13]).

Features

As a web security analyzer, Burp Suite offers several built-in features designed to assist testers in auditing their web applications.

Community Edition

The Community Edition version of Burp Suite includes the following features.[14]

Professional Edition

Burp Suite's Professional edition includes all Community features plus those listed below.

Burp Extender

Burp Suite offers an extension store, the BApp Store,[33] where users can upload and download plugins for functionality not supported natively. Plugins vary in purpose, ranging from adjustments for UI readability, through additions to scanner rules, to implementations of new analysis features.

Burp Suite's extension API is open-source.[34] [35] Java plugins are supported natively, while extensions written in Python or Ruby require users to download the Jython or JRuby JAR files respectively.[36]

Many Burp plugins have also been created by PortSwigger employees as proofs of concept for research conducted by the company.[37] Examples include extensions created by James Kettle, PortSwigger's Director of Research,[38] such as Backslash Powered Scanner,[39] [40] Param Miner,[41] [42] and HTTP Request Smuggler.[43] [44]

BChecks

BChecks were added to Burp Suite in June 2023[45] as a means of letting users create and customize their own scanner rules.[46] A curated collection of BChecks is maintained by PortSwigger in an open-source GitHub project.[47]

Bambdas

Users can write small Java code snippets (Bambdas) to define custom filters over the entries in Burp Suite's Proxy HTTP History, WebSocket History, and Logger lists.[48] [49]
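The following is an added illustrative Bambda, not code from PortSwigger or the Bambdas repository. It assumes the Proxy HTTP history filter's `requestResponse` variable and the Montoya API methods `response()`, `headerValue()` and `hasHeader()`, and keeps only HTML responses that lack one of three commonly expected defensive headers, so a reviewer can triage them in one view.

```java
// Added example Bambda for the Proxy > HTTP history filter. Assumption: the filter
// body receives the current row as `requestResponse` and must return a boolean;
// `true` keeps the row visible, `false` hides it.
var response = requestResponse.response();
if (response == null) {
    return false;                       // request never received a response; nothing to review
}

// Only page-like responses are interesting for a header review.
String contentType = response.headerValue("Content-Type");
if (contentType == null || !contentType.toLowerCase().startsWith("text/html")) {
    return false;
}

// Headers whose absence is worth triaging (constructed list; adjust to local policy).
String[] expectedHeaders = {
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Strict-Transport-Security"
};

for (String header : expectedHeaders) {
    if (!response.hasHeader(header)) {
        return true;                    // at least one expected header is missing: show the row
    }
}
return false;                           // all expected headers present: hide the row
```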


Notes and References

  1. Sagar Ajay Rahalkar, A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities, Apress, 2021. ISBN 978-1-4842-6401-0.
  2. Carlos A. Lozano, Dhruv Shah and Riyaz Ahemed Walikar, Hands-On Application Penetration Testing with Burp Suite, Packt Publishing, 2019-02-28. ISBN 9781788995283.
  3. PortSwigger, "About", PortSwigger, 2024-07-09.
  4. PortSwigger, "Ask me anything, with Burp Suite creator Dafydd Stuttard", YouTube, 9 July 2020 (retrieved 2020-07-09).
  5. Adam Rose, "Proxy VM Traffic Through Burp Suite", FortyNorth Security, 21 April 2023 (retrieved 2024-07-09).
  6. Matthew Setter, "Introduction to Burp Suite", Web Dev With Matt, 6 December 2017 (retrieved 2017-12-06).
  7. Zandt Lavish, "Intro to Burp Suite Automatic Scanning", GreatHeart, 2022-07-12.
  8. Tom Shelton-Lefley, "Web Application Cartography: Mapping Out Burp Suite's Crawler", PortSwigger, 2021-03-05.
  9. PortSwigger, "HTTP/2 Normalization in the Message Editor", PortSwigger, 2024-07-09.
  10. Dafydd Stuttard, "Introducing Burp Collaborator", PortSwigger, 2015-04-16.
  11. Dafydd Stuttard, "Introducing Burp Sequencer", PortSwigger, 2007-10-21.
  12. "Java Deserialization Scanner", GitHub, 2024-07-09.
  13. "Autorize", GitHub, 2024-07-09.
  14. "Burp Suite: Home page", portswigger.net, 2016-02-24.
  15. PortSwigger, "Proxy", PortSwigger, 2024-07-09.
  16. Matthew Setter, "How to Intercept Requests and Modify Responses With Burp Suite", YouTube, 9 February 2018 (retrieved 2018-02-09).
  17. "Burp Suite 101: Exploring Burp Proxy and Target Specification", Hacklido, 15 October 2023 (retrieved 2023-10-15).
  18. PortSwigger, "Full Crawl and Audit", PortSwigger, 2024-07-09.
  19. Sahil Aggarwal, "BurpSuite Logger Secrets for Pentesters", CertCube Blog, 11 January 2023 (retrieved 2023-01-11).
  20. Pradeep, "Filtering Burp Suite HTTP History", Study Tonight, 2023-06-02.
  21. TryHackMe, "Burp Suite Repeater", TryHackMe, 2024-07-09.
  22. Raj Chandel, "BurpSuite Encoder Decoder Tutorial", Hacking Articles, 24 January 2018 (retrieved 2018-01-24).
  23. Walid Salame, "How to Use Burp Decoder", KaliTut, 9 April 2024 (retrieved 2024-04-09).
  24. PortSwigger, "Installing Extensions", PortSwigger, 2024-07-09.
  25. PortSwigger, "Dashboard", PortSwigger, 2024-07-09.
  26. PortSwigger, "Vulnerabilities List", PortSwigger, 2024-07-09.
  27. FireCompass, "Mastering Burp Intruder Attack Modes", FireCompass Blog, 31 October 2023 (retrieved 2023-10-31).
  28. PortSwigger, "OAST", PortSwigger, 2024-07-09.
  29. PortSwigger, "Organizer", PortSwigger, 2024-07-09.
  30. Dafydd Stuttard, "Introducing Burp Infiltrator", PortSwigger, 2016-07-26.
  31. Zach Roof, "Learn Clickjacking With Burp Suite", Teachable, 2024-07-09.
  32. PortSwigger, "Manage Project Files", PortSwigger, 2024-07-09.
  33. PortSwigger, "BApp Store", PortSwigger, 2024-07-09.
  34. PortSwigger, "Creating Extensions", PortSwigger, 2024-07-09.
  35. "Burp Extensions Montoya API", GitHub, 2024-07-09.
  36. "TryHackMe Burp Suite Extensions", Medium, 2024-03-21.
  37. PortSwigger, "Research", PortSwigger, 2024-07-09.
  38. PortSwigger, "Meet the Swiggers: James K", PortSwigger, 2024-07-09.
  39. "Backslash Powered Scanner", GitHub, 2024-07-09.
  40. James Kettle, "Backslash Powered Scanning: hunting unknown vulnerability classes", PortSwigger Research, 2016-11-04.
  41. "Param Miner", GitHub, 2024-07-09.
  42. James Kettle, "Practical Web Cache Poisoning", PortSwigger Research, 2018-09-09.
  43. "HTTP Request Smuggler", GitHub, 2024-07-09.
  44. James Kettle, "HTTP Desync Attacks: Request Smuggling Reborn", PortSwigger Research, 2019-09-07.
  45. PortSwigger, "Professional / Community 2023.6", PortSwigger, 2024-07-09.
  46. "Use BCheck to Improve Vulnerability Scanning", YesWeHack, 2023-09-01.
  47. "BChecks", GitHub, 2024-07-09.
  48. Emma Stocks, "Introducing Bambdas", PortSwigger, 2023-11-14.
  49. "Bambdas", GitHub, 2024-07-09.