Burp Suite Essentials

I like to learn by reading. Burp Suite is one of those things you really need to practice using, but I thought a little book to reference would be nice. Here is an overview of the book, which is written by Akash Mahajan.

Another helpful source I have found is https://portswigger.net/burp/documentation/desktop/getting-started; I will post what I find there in this article as well. It has videos as well as practice examples.
PortSwigger in general is a resource worth checking out and covers much more than just Burp.

What is Burp

Burp Suite is a collection of tools for effective security testing of web applications. It is written in Java, making it cross-platform and extremely versatile.
One feature of Burp is the Burp Suite Proxy. This lets us sit in the middle of a client/server interaction, intercepting the HTTP traffic from either side. With some additional setup (trusting Burp's CA certificate in the browser) we can intercept HTTPS traffic as well. With the HTTP requests and responses in hand we can probe for website vulnerabilities.

Chapter 1. Getting started with Burp

Chapter summary / key points:

Oracle Java 1.6+ is required to run the software; it is usually pre-installed on Windows and Mac OS. We need the Java Runtime Environment (JRE).

If you have 1.6+, run this command to pass the JAR to the Java runtime:
   $  java -jar -Xmx2G /path/to/burpsuite.jar

The book cautions against double-clicking the .jar file to run the application; instead we should specify the amount of RAM we would like to allocate to the program. ~2G is usually enough for most web application tests.

-Xmx2G and -Xmx2048M both mean the same thing: allocate a 2 GB maximum heap.

If we do not specify the RAM, the application may crash from running out of memory: the default maximum heap can be as low as 128 MB. If we go above 4G, however, the Java Virtual Machine (JVM) garbage collector (GC) will need to do more work.

Sometimes we also need to tell Java to use IPv4 rather than IPv6. Otherwise we may get an error while connecting to websites that return IPv4 addresses, for example:
ex:  java.net.SocketException: Permission denied
      Burp proxy error: Permission denied: connect

To tell Java to prefer IPv4, run:
   $  java -Xmx2048M -Djava.net.preferIPv4Stack=true -jar /path/to/burpsuite.jar

Note that IPv6 will now be disabled for Burp.
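As an added example (not from the book), a small POSIX sh launcher that applies this chapter's advice: it checks that the Java runtime is 1.6 or later, converts the -Xmx value to megabytes so it can warn above 4G, and builds the command line with the IPv4 preference. The script name, the BURP_JAR and BURP_HEAP variables and the function names are assumptions.

```shell
# Added example (not from the book): launcher applying the chapter 1 advice.
# Assumed names: BURP_JAR / BURP_HEAP environment variables, function names.
# Return 0 when a Java version string is 1.6 or later. Handles the legacy
# "1.6.0_45" scheme (major 1, minor 6) and the modern "11.0.2" / "17" scheme.
java_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2 | cut -d_ -f1)
    case "$major${minor:-0}" in *[!0-9]*|"") return 1 ;; esac
    if [ "$major" -eq 1 ]; then
        [ "${minor:-0}" -ge 6 ]      # legacy 1.x numbering
    else
        [ "$major" -ge 6 ]           # 9 and later drop the leading "1."
    fi
}

# Convert an -Xmx value such as "2G" or "2048M" to megabytes for comparison.
heap_mb() {
    num="${1%?}"
    case "$num" in *[!0-9]*|"") return 1 ;; esac
    case "$1" in
        *[Gg]) echo $(( num * 1024 )) ;;
        *[Mm]) echo "$num" ;;
        *)     return 1 ;;
    esac
}

# Build the java command line: an explicit heap (the default may be only
# 128 MB) and, when asked, the IPv4 preference. Warns above 4G, where the
# garbage collector has to do more work.
build_burp_cmd() {
    heap="$1"; prefer_ipv4="$2"; jar="$3"
    mb=$(heap_mb "$heap") || return 1
    if [ "$mb" -gt 4096 ]; then
        echo "warning: heap above 4G increases GC work" >&2
    fi
    cmd="java -Xmx$heap"
    if [ "$prefer_ipv4" = "yes" ]; then
        cmd="$cmd -Djava.net.preferIPv4Stack=true"   # disables IPv6 for Burp
    fi
    printf '%s\n' "$cmd -jar $jar"
}
# Stand-alone use: BURP_JAR=/path/to/burpsuite.jar sh burp_launch.sh
if [ -n "$BURP_JAR" ]; then
    ver=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    java_version_ok "$ver" || { echo "Java 1.6+ required, found: '$ver'" >&2; exit 1; }
    cmd=$(build_burp_cmd "${BURP_HEAP:-2G}" yes "$BURP_JAR") || exit 1
    exec $cmd   # word-split on purpose; the jar path must not contain spaces
fi
```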

Chapter 2. Configuring Browsers to Proxy through Burp

We can tell our browser to send all our HTTP traffic through Burp first by reconfiguring the browser's proxy settings. Proxy settings made in Internet Explorer are the Windows system settings and are usually picked up by Chrome and Firefox too, but verify this rather than assuming it.
Without going into too much detail, go to your browser's LAN / proxy settings and point the HTTP proxy at localhost, port 8080 (Burp's default listener is 127.0.0.1:8080).

With this set up, all of your browser traffic will go through Burp. By default, intercept mode is on when you start Burp Suite, so you will need to forward or drop each request manually for the content to load in the browser.

This is all nice, but configuring this every time will get old, and we will be proxying all browser traffic. Firefox has an extension that lets us automate the settings and gives finer control over which traffic is proxied.

FoxyProxy can be found in Firefox's add-ons and installed easily.
Right-click the fox icon in the browser and choose Add New Proxy. Set the host to localhost and the port to 8080. In the URL Patterns tab you can add a new pattern, e.g. the name example with the pattern example.com/*. A pattern named Burp with the pattern *burp/* is also required, so that requests to Burp's own http://burp/ page (where its CA certificate is downloaded) are proxied too. Giving each proxy a different color helps when we need to use multiple proxies on tests.

It is advised to set up a new Firefox profile to use with FoxyProxy. Mozilla has a profile manager which can be invoked with a command-line flag to create a security testing profile:
     /path/to/firefox-binary -profilemanager
A pop-up profile manager will appear.

Chapter 3. Setting the Scope and Dealing with Upstream Proxies

Burp provides an interface for adding or removing specific items from scope. This is important on a professional pentest, where testing must stay within the agreed targets.
