Introduction

We covered the Burp Suite proxy settings, in addition to the scope and target settings, as part of the TryHackMe Junior Penetration Tester pathway.

Specifically, we will be looking at:

  • What Burp Suite is
  • An overview of the available tools in the framework
  • Installing Burp Suite for yourself
  • Navigating and configuring Burp Suite

This room is primarily designed to provide a foundational knowledge of Burp Suite which can then be built upon further in the other rooms of the Burp module; as such, it will be a lot heavier in theory than subsequent rooms, which take more of a practical approach. You are advised to read the information here and follow along yourself with a copy of the tool if you haven’t used Burp Suite before. Experimentation is key: use this information in tandem with playing around with the app for yourself to build a foundation for using the framework, which can then be built upon in later rooms.

What is Burp Suite?

Burp Suite is a Java-based framework designed and developed to manually conduct web application penetration testing.

Put simply: Burp Suite is a framework written in Java that aims to provide a one-stop-shop for web application penetration testing. In many ways, this goal is achieved as Burp is very much the industry standard tool for hands-on web app security assessments. Burp Suite is also very commonly used when assessing mobile applications, as the same features which make it so attractive for web app testing translate almost perfectly into testing the APIs (Application Programming Interfaces) powering most mobile apps.

At the simplest level, Burp can capture and manipulate all of the traffic between an attacker and a webserver: this is the core of the framework. After capturing requests, we can choose to send them to various other parts of the Burp Suite framework — we will be covering some of these tools in upcoming rooms. This ability to intercept, view, and modify web requests prior to them being sent to the target server (or, in some cases, the responses before they are received by our browser), makes Burp Suite perfect for any kind of manual web app testing.

Burp Suite captures and enables modification of all the HTTP/HTTPS traffic between a browser and a web server. This enables penetration testers to route traffic to various components within the Burp Suite framework, such as Intruder, Repeater, Comparer and Sequencer.

Community edition
The default free version.

Pro version
The Pro version comes with the following additional features:

  • An automated vulnerability scanner.
  • A fuzzer/brute-forcer that isn’t rate limited.
  • Saving projects for future use and report generation.
  • A built-in API to allow integration with other tools.
  • Unrestricted access to add new extensions for greater functionality.
  • Access to the Burp Suite Collaborator.

Enterprise version
Used for continuous scanning and monitoring of web applications, as opposed to manual testing.

Setting Up Burp Suite

  • Scope Definition: Before starting, the user sets a target scope in the Target tab, ensuring Burp only logs and intercepts requests related to the target website. This keeps the session organized, especially when multiple tabs and requests are open.
  • Proxy Configuration: Under the Proxy tab, filtering options are adjusted so only requests within the defined target scope are intercepted, avoiding noise from unrelated traffic.

Working with Burp Suite’s Proxy

  • Intercepting Requests: With intercept on, Burp Suite captures all HTTP requests to the target, allowing them to be modified before they are sent to the server. The example demonstrates intercepting requests for input fields on a form, adjusting headers, and modifying the request contents.
  • Modifying Requests for Testing: By intercepting and modifying requests, users can change parameters, headers, and the request body. For instance, modifying form fields in the request can help test how a web application handles altered inputs.

Using Burp Suite for XSS Testing

  • Form Manipulation: The tutorial illustrates entering a cross-site scripting (XSS) payload in an input field. When directly inputting the payload in the form field fails due to character filtering, Burp Suite’s proxy intercepts and allows encoding or alteration of the payload before submitting it.
  • URL Encoding for Bypassing Filters: By using Burp’s tools, the payload can be encoded or adjusted to bypass the website’s input validation, which might block special characters in the request directly.
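
To show from the defender's side why the proxy step matters, here is an added Python example (not from the TryHackMe room or from Burp Suite itself) that simulates a client-side character filter, a form body edited after that filter has already run, and the server-side output escaping that makes the difference irrelevant. All function names and the sample input are constructed for this illustration.

```python
# Added example: a client-side filter is not a security control once the
# request can be edited after the browser has submitted it; the server-side
# output escaping is what actually prevents the injected markup from rendering.
import html
from urllib.parse import parse_qs, urlencode

FORBIDDEN = set("<>\"'")  # characters a browser-side filter might strip


def client_side_filter(value: str) -> str:
    """Simulates a JavaScript filter that drops special characters before
    the form is submitted. Anything edited after this point (for example in
    an intercepting proxy) never passes through it."""
    return "".join(ch for ch in value if ch not in FORBIDDEN)


def server_receives(body: str) -> dict:
    """What the server sees: it simply URL-decodes the form body it was sent."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def render_unsafe(comment: str) -> str:
    """Vulnerable rendering: trusts that the client already filtered the input."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """Mitigation: escape on output regardless of what the client did."""
    return f"<p>{html.escape(comment)}</p>"


def demo() -> dict:
    payload = "<b>hi</b>"  # constructed sample input containing filtered characters
    # 1. Normal submission: the browser-side filter strips the characters first.
    filtered_body = urlencode({"comment": client_side_filter(payload)})
    # 2. Edited submission: the body is rewritten after the filter ran, so the
    #    server receives the original characters (URL-encoded, as on the wire).
    modified_body = urlencode({"comment": payload})
    normal = server_receives(filtered_body)["comment"]
    modified = server_receives(modified_body)["comment"]
    return {
        "normal_unsafe": render_unsafe(normal),      # "<p>bhi/b</p>"
        "modified_unsafe": render_unsafe(modified),  # "<p><b>hi</b></p>"
        "modified_safe": render_safe(modified),      # "<p>&lt;b&gt;hi&lt;/b&gt;</p>"
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name}: {rendered}")
```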

Burp Suite Pro Features

  • The video briefly touches on features exclusive to the Pro version, such as automated vulnerability scanning and project management features. Pro’s automation lists and identifies vulnerabilities, presenting them directly in the Issue Definitions tab.

Room Answers | TryHackMe Burp Suite Basics: The Proxy

Which edition of Burp Suite will we be using in this module?

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

Burp Suite is frequently used when attacking web applications and ______ applications.

Which Burp Suite feature allows us to intercept requests between ourselves and the target?

Which Burp tool would we use if we wanted to bruteforce a login form?

In which Project options sub-tab can you find reference to a “Cookie jar”?

In which User options sub-tab can you change the Burp Suite update behaviour?

What is the name of the section within the User options “Suite” sub-tab which allows you to change the Burp Suite keybindings?

If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?

Which button would we choose to send an intercepted request to the target in Burp Proxy?

[Research] What is the default keybind for this?

Note: Assume you are using Windows or Linux (i.e. swap Cmd for Ctrl).

What is the flag you receive?

Look through the Issue Definitions list.

What is the typical severity of a Vulnerable JavaScript dependency?

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.