Penetration Testing with BurpSuite – An introduction

Tarveen Kaur May 31, 2017
BurpSuite is one of the most popular suites of applications used for security testing of web applications. It is Java-based software developed by PortSwigger Web Security. The parts of BurpSuite can be combined to conduct manual as well as automated testing. A few of the noteworthy tools in the suite are the intercepting proxy server, a web vulnerability scanner, a spider, Intruder, Repeater, Sequencer, Decoder, Collaborator and Extender.
How to get BurpSuite?
It is available as a free download with limited but still very capable functionality. The free edition includes Proxy, Spider, Repeater, Sequencer, Decoder and Comparer, so you can inspect and modify the traffic between the browser and the target application using the intercepting Proxy (the free edition also ships a time-throttled demo of Intruder). The Professional Edition adds many powerful features that make your work faster and more effective and let you find more vulnerabilities in a shorter time, including search, target analysis, content discovery and task scheduling. The tools found in the Professional Edition on top of what is in the free edition are Intruder at full speed, Scanner, save and restore, search, Target Analyser, content discovery and the task scheduler. The professional edition is affordably priced and well worth the investment if you are serious about web penetration testing. You can obtain a licensed copy here:
Features of Various Tools in BurpSuite
BurpSuite consists of a number of tools, each responsible for a different testing activity. Individual tools are used at different stages of a test as you progress from one stage to the next. The features of each tool are summarised below:
  1. The Burp Target tool shows the site map with detailed information about your target applications that are in scope of your current work and helps you drive the process of testing for vulnerabilities.
  2. Burp Proxy sits between your browser and the destination web servers and lets you intercept, view and modify every request and response passing in either direction, including the raw bytes of the traffic.
  3. Burp Spider is a tool for automatically crawling web applications. It uses various intelligent techniques to generate an inventory of an application’s content and functionality.
  4. Burp Scanner (Professional Edition) automatically tests for many classes of vulnerability, not only XSS: it checks for XSS, which can occur anywhere an application includes data that originated from an untrusted source in its responses, as well as SQL injection and other injection and configuration flaws. It scans passively as you browse and actively by sending crafted requests, so active scans must only be run against applications you are authorised to test.
  5. Burp Intruder is a powerful tool for carrying out automated customized attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks to make your testing faster and more effective.
  6. Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP requests, and analysing the application’s responses. You can send a request to Repeater from anywhere within Burp, modify the request and issue it over and over.
  7. Although not a separate tool, SQL injection detection deserves a mention. SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. Burp detects them with the Scanner, and Intruder and Repeater let you confirm them by hand.
  8. Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. Its smart decode option recognises several encoding formats heuristically and strips them one layer at a time.
  9. Burp Comparer is a utility for performing a visual “diff” between any two items of data, such as pairs of similar HTTP messages.
  10. Save and Restore feature of Burp lets you save the state and configuration of the key tools, and restore this on another occasion. This facility is of huge benefit to penetration testers, enabling you to seamlessly resume yesterday’s work, perform backups of key information throughout a job, and take a complete archive of the information accumulated at the end of an engagement.
  11. Target Analyser can be used to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.
  12. Task Scheduler can be used to automatically start and stop certain tasks at defined times and intervals. You can use the task scheduler to start and stop certain automated tasks out of hours while you are not working, and to save your work periodically or at a specific time.
  13. Content Discovery function can be used to discover content and functionality which is not linked from visible content that you can browse to or spider.
  14. Burp provides various search functions: simple text search, find comments, find scripts, and find references to a particular URL. Searches can be run across the whole suite.
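Decoder's smart decode (item 8) is essentially a loop: guess the outermost encoding, strip it, and try again on the result. The Python below is an added example that reproduces that loop with simple heuristics; it is not code from this page or from PortSwigger. A layer is accepted only if the string has the right shape and the decoded bytes are printable text, which is what stops plain words such as "password" from being mistaken for Base64 or hex. The inputs (a URL-encoded Base64 string, a double-URL-encoded XSS probe, an HTML-entity string and an MD5 digest) are constructed for the example.

```python
import base64
import html
import re
import urllib.parse

# Hex-digest lengths that identify a hash (flagged only: a digest cannot be decoded)
HASH_HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def _as_text(raw):
    """Accept decoded bytes only if they are printable UTF-8 text, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


# Candidate layers in the order they are tried: (name, shape check, decoder).
# The order matters: URL and entity encoding are unambiguous, hex is checked
# before Base64 because every hex string is also syntactically valid Base64.
CANDIDATES = [
    ("url",
     lambda s: re.search(r"%[0-9a-fA-F]{2}", s) is not None,
     lambda s: urllib.parse.unquote(s).encode("utf-8")),
    ("html",
     lambda s: re.search(r"&(#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);", s) is not None,
     lambda s: html.unescape(s).encode("utf-8")),
    ("hex",
     lambda s: len(s) >= 4 and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s) is not None,
     lambda s: bytes.fromhex(s)),
    ("base64",
     lambda s: len(s) >= 8 and len(s) % 4 == 0
     and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None,
     lambda s: base64.b64decode(s, validate=True)),
]


def identify_hash(value):
    """Return the hash algorithm a hex digest of this length belongs to, or None."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_HEX_LENGTHS.get(len(value))
    return None


def smart_decode(value, max_depth=8):
    """Peel encoding layers off value; returns [(encoding, decoded), ...] outermost first."""
    layers = []
    current = value
    for _ in range(max_depth):
        algo = identify_hash(current)
        if algo:
            layers.append(("hash:" + algo, current))
            break
        for name, looks_like, decode in CANDIDATES:
            if not looks_like(current):
                continue
            try:
                text = _as_text(decode(current))
            except ValueError:  # bad padding, odd-length hex, ...
                continue
            if text is not None and text != current:
                layers.append((name, text))
                current = text
                break
        else:
            break  # nothing applied: current is as plain as it gets
    return layers


if __name__ == "__main__":
    for sample in ("cm9sZT1hZG1pbg%3D%3D", "%253Cscript%253E", "&lt;script&gt;",
                   "5f4dcc3b5aa765d61d8327deb882cf99", "admin"):
        print(sample, "->", smart_decode(sample))
```

The double-URL-encoded probe is the case worth noticing: a single decode still leaves `%3Cscript%3E`, which is exactly how a parameter can pass a filter that decodes once while the backend decodes twice.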
How to Use BurpSuite to Perform Security Testing
A typical process of security testing consists of three high-level steps:
  1. Identification of the scope of security testing
  2. Performing the tests (including intrusion)
  3. Reporting
There can be a variety of activities within each of these steps, and you can use BurpSuite and its tools to perform each of them. Let us see how.
1. Utilizing Burp Suite to identify the scope of testing
The most important step in a security testing exercise is to understand the scope of testing. You can use the Spider tool to obtain the site map, identify the total number of URLs present in the website and get an idea of the complexity involved. While it is always useful to walk through the website manually as well, it is important to find the URLs that are hidden from end users: they are often targeted by attackers and require protection too. Record the agreed scope in Burp's Target tab (Target > Scope) so that only the hosts you are authorised to test are attacked.
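Burp's Target Analyser does this tally from the site map. The Python below is an added example of the same analysis, not code from the page or from Burp: it takes a constructed site map (the URLs are made up for the example), applies include and exclude rules in the protocol, host regex, port and file regex shape that Burp's scope definition uses, and counts static URLs (no parameters), dynamic URLs (at least one query parameter, which is the definition assumed here) and the parameters each one takes. The resulting parameter names are your first list of injection points.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the kind of list you would export from Burp's site map.
# Hosts and paths are fictitious.
SITEMAP = [
    "https://shop.example.com/",
    "https://shop.example.com/css/main.css",
    "https://shop.example.com/js/app.js",
    "https://shop.example.com/product?id=42",
    "https://shop.example.com/product?id=43&ref=home",
    "https://shop.example.com/search?q=shoes&sort=price",
    "https://shop.example.com/account/login",
    "https://shop.example.com/admin/users?page=2",
    "https://shop.example.com/logout",
    "https://cdn.example.net/img/logo.png",
    "https://shop.example.com:8443/api/v1/orders?status=open",
]

# Scope rules in Burp's shape (protocol, host regex, port, file regex).
# /logout is excluded so that automated tools never kill the test session.
SCOPE = {
    "include": [{"protocol": "https", "host": r"^shop\.example\.com$", "port": 443, "file": r"^/"}],
    "exclude": [{"protocol": "https", "host": r"^shop\.example\.com$", "port": 443, "file": r"^/logout"}],
}


def _matches(rule, url):
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme == rule["protocol"]
            and re.search(rule["host"], parts.hostname or "") is not None
            and port == rule["port"]
            and re.search(rule["file"], parts.path or "/") is not None)


def in_scope(url, scope=SCOPE):
    """Exclusions win over inclusions, as in Burp."""
    if any(_matches(rule, url) for rule in scope["exclude"]):
        return False
    return any(_matches(rule, url) for rule in scope["include"])


def analyse(urls, scope=SCOPE):
    """Target-Analyser-style summary of the in-scope part of a site map."""
    in_scope_urls = [u for u in urls if in_scope(u, scope)]
    static, dynamic = [], []
    param_names = Counter()
    params_per_url = {}
    for url in in_scope_urls:
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        params_per_url[url] = len(params)
        if params:
            dynamic.append(url)
            param_names.update(name for name, _ in params)
        else:
            static.append(url)
    return {
        "in_scope": len(in_scope_urls),
        "out_of_scope": len(urls) - len(in_scope_urls),
        "static": len(static),
        "dynamic": len(dynamic),
        "params_per_url": params_per_url,
        "param_names": dict(param_names),
    }


if __name__ == "__main__":
    summary = analyse(SITEMAP)
    for key in ("in_scope", "out_of_scope", "static", "dynamic", "param_names"):
        print(key, summary[key])
```

The 8443 API endpoint drops out because the rule pins the port; if the API is part of the engagement, add a second include rule rather than widening the host regex, so a CDN or a shared staging host does not slip into scope by accident.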
2. Performing the tests
Once you have a list of URLs to test, you can use the Intruder tool. Before attempting any intrusion tests, restrict the traffic Burp handles to the target: close other websites in the browser and set the target scope (Target > Scope) so that only the application under test is attacked and out-of-scope hosts are dropped. To use Intruder, send a request to it (Send to Intruder from the proxy history or the site map), mark the parameters you want to attack as payload positions, and choose a payload set from the Payloads tab (the Professional Edition ships with preset lists such as common passwords, fuzz strings and SQL injection tests). Intruder then issues one request per payload and presents the results in a table; it does not produce a finished report, so reading the table is your job. Combined with an external wordlist such as FuzzDB, this gives you a very large number of attack strings to try, and the output can be overwhelming. Look for the alerts Burp raises and for unusual behaviour: a response length or status code that differs from the baseline, a response time that is much longer than the rest (a sign of time-based blind injection), or a grep match on an error string such as a database error message. The Sequencer tool serves a different purpose: it assesses the randomness of tokens, such as session IDs or anti-CSRF tokens, that the application generates on the fly and passes in requests or responses. You feed it a live capture of a few thousand tokens and it estimates their effective entropy. If the tokens are not random, an attacker can find the pattern and attempt attacks such as session hijacking or cross-site request forgery. For specific kinds of test, such as authentication, Intruder lets you run a brute-force attack against a login form with its built-in list of common passwords, provided this is within the agreed scope and you have checked how the application responds to lockout and rate limiting first.
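Reading an Intruder results table comes down to comparing each response with a baseline on status code, length, time and grep matches. The Python below is an added example of that triage, not Burp's own logic: the RESULTS rows are constructed to look like an Intruder attack on a product id parameter, the baseline is the most common status code together with the median length of those responses, and the 5% length tolerance and 3 s timing threshold are assumptions to tune per target.

```python
import re
import statistics

# Constructed Intruder-style results for one payload position (an "id" parameter);
# not captured from a real target.
RESULTS = [
    {"payload": "1",                "status": 200, "length": 5120, "time_ms": 110,  "body": "<h1>Product 1</h1>"},
    {"payload": "2",                "status": 200, "length": 5118, "time_ms": 105,  "body": "<h1>Product 2</h1>"},
    {"payload": "'",                "status": 500, "length": 1420, "time_ms": 98,   "body": "You have an error in your SQL syntax"},
    {"payload": "1 AND 1=1",        "status": 200, "length": 5120, "time_ms": 112,  "body": "<h1>Product 1</h1>"},
    {"payload": "1 AND 1=2",        "status": 200, "length": 3910, "time_ms": 101,  "body": "<h1>No such product</h1>"},
    {"payload": "1 AND SLEEP(5)",   "status": 200, "length": 5120, "time_ms": 5130, "body": "<h1>Product 1</h1>"},
    {"payload": "<script>",         "status": 200, "length": 5131, "time_ms": 108,  "body": "<h1>Product &lt;script&gt;</h1>"},
    {"payload": "../../etc/passwd", "status": 404, "length": 870,  "time_ms": 95,   "body": "Not found"},
]

# Grep expressions of the kind you would put under Intruder's "Grep - Match" option
GREP_PATTERNS = [
    ("sql-error", re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE|unterminated quoted string", re.I)),
    ("stack-trace", re.compile(r"Traceback \(most recent|Exception in thread|\bat [\w.$]+\(", re.I)),
]


def triage(results, length_tolerance=0.05, slow_ms=3000):
    """Flag rows that deviate from the baseline; returns [(payload, [reasons]), ...]."""
    baseline_status = statistics.mode([r["status"] for r in results])
    baseline_len = int(statistics.median(
        [r["length"] for r in results if r["status"] == baseline_status]))
    flagged = []
    for r in results:
        reasons = []
        if r["status"] != baseline_status:
            reasons.append("status %d" % r["status"])
        if abs(r["length"] - baseline_len) > length_tolerance * baseline_len:
            reasons.append("length %d vs %d" % (r["length"], baseline_len))
        if r["time_ms"] >= slow_ms:  # time-based blind injection shows up here
            reasons.append("slow %d ms" % r["time_ms"])
        for name, pattern in GREP_PATTERNS:
            if pattern.search(r["body"]):
                reasons.append("grep " + name)
        if reasons:
            flagged.append((r["payload"], reasons))
    return flagged


if __name__ == "__main__":
    for payload, reasons in triage(RESULTS):
        print("%-20s %s" % (payload, ", ".join(reasons)))
```

Note what is not flagged: the `<script>` payload came back HTML-encoded at the same length as the baseline, so there is nothing to chase there, while `1 AND 1=2` shows up only through its length, which is exactly the boolean-based signal a glance at the status column would miss.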
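Sequencer's question, how predictable is this token, can be approximated with the entropy of each character position across a sample and a check for a constant step between successive values. The Python below is an added example of that approximation, not Sequencer's own battery of statistical tests; both token sets are constructed, the weak one as a zero-padded hex counter and the strong one from a seeded PRNG standing in for the CSPRNG a real application must use, and the 64-bit verdict threshold and 3-bits-per-character cut-off are assumptions.

```python
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy in bits of the character at each position across the sample."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def constant_step(tokens, base=16):
    """If the tokens are integers with a single fixed difference between neighbours, return it."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return None
    deltas = {b - a for a, b in zip(values, values[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def assess(tokens, min_bits_per_char=3.0, min_total_bits=64):
    """Crude Sequencer-style verdict; the thresholds are assumptions, not Burp's."""
    entropy = position_entropy(tokens)
    fixed = [i for i, e in enumerate(entropy) if e == 0.0]
    low = [i for i, e in enumerate(entropy) if e < min_bits_per_char]
    total = sum(entropy)  # an upper bound: positions are treated as independent
    step = constant_step(tokens)
    weak = step is not None or total < min_total_bits
    return {"fixed_positions": fixed, "low_positions": low,
            "estimated_bits": round(total, 1), "step": step,
            "verdict": "weak" if weak else "ok"}


# Constructed samples (200 tokens each), as if captured live by Sequencer.
WEAK_TOKENS = ["%016x" % (0x5A3F00000000 + i) for i in range(200)]
_rng = random.Random(7)  # seeded only so the example is reproducible; never do this for real tokens
STRONG_TOKENS = ["%032x" % _rng.getrandbits(128) for _ in range(200)]


if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, assess(toks))
```

The weak set is what a counter-based session ID looks like after hex encoding: fourteen constant positions and a step of one, so an attacker who holds one token can enumerate its neighbours. Treat the bit estimate as a ceiling; a token built from a timestamp plus a user id can score well per position while still being guessable, which is why Sequencer's own tests, and a look at how the token is actually generated, are the final word.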
3. Reporting
With Burp (Scanner in the Professional Edition), you can generate reports highlighting your findings. These reports can include a textual description of each issue together with the request and response that indicate the vulnerability, or graphs of various kinds. Choose the kind of report based on your specific needs. Often, security reports are drafted manually with the observations grouped into categories such as critical, moderate or low risk. It is good practice to produce two reports: one that summarises the outcomes for management and another that gives the detailed information on the findings for the people who have to fix them.

Tarveen Kaur

Accessibility Practice Lead at Magic EdTech, Tarveen is actively engaged in building new class digital accessibility solutions for education.