We covered the basics of the Burp Suite web application security testing framework. Burp Suite is a Java-based framework designed to serve as a comprehensive solution for conducting web application penetration testing. It has become the industry standard tool for hands-on security assessments of web and mobile applications, including those that rely on application programming interfaces (APIs). This was part of TryHackMe BurpSuite : The Basics For Beginners.

Introduction to Burp Suite

Simply put, Burp Suite captures and enables manipulation of all the HTTP/HTTPS traffic between a browser and a web server. This fundamental capability forms the backbone of the framework. By intercepting requests, users have the flexibility to route them to various components within the Burp Suite framework, which we will explore in upcoming sections. The ability to intercept, view, and modify web requests before they reach the target server or even manipulate responses before they are received by our browser makes Burp Suite an invaluable tool for manual web application testing.

Configuring Burp Suite with the Browser

The first step in using Burp Suite is configuring the browser to send its traffic through Burp so that requests can be intercepted. Set the browser's proxy settings to localhost:8080 (Burp's default listener) and apply them so that traffic for all supported protocols (HTTP, HTTPS, and FTP) is routed through the proxy.

Overview of Burp Suite Tools

Target: Displays a site map and allows you to define the scope of your target (e.g., web applications).

Proxy: Intercepts HTTP/HTTPS requests and lets you modify and forward them.

Intruder: A powerful tool for fuzzing, brute-force attacks, and injecting payloads (e.g., username/password brute-forcing).

Repeater: Sends repeated HTTP requests with modifications to see how the server responds.

Sequencer: Analyzes randomness in data such as session tokens and cookies.

Decoder: Encodes/decodes data from formats like Base64, Hex, or URL-encoded.

Comparer: Compares different HTTP requests and responses to identify changes.

Extender: Allows adding extensions to Burp Suite to increase functionality (available in the premium version).
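The Sequencer entry above describes analysing the randomness of session tokens. The following is an added example, not code from the original post or from Burp Suite, that performs a much simplified version of that analysis: it takes a constructed sample of session tokens (assumed to come from an application that builds tokens as a fixed prefix, an incrementing counter and a short random suffix) and measures the Shannon entropy at each character position, so that constant or low-variation positions stand out. The token format, the sample values and the function names are all assumptions made for the example.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed sample of session tokens (not real data). The hypothetical
# application concatenates a fixed prefix, a zero-padded counter and a
# 5-character random suffix, which is a weak design that the analysis exposes.
TOKENS = [
    "sess-0001-aK3mQ",
    "sess-0002-bL4nR",
    "sess-0003-cM5oS",
    "sess-0004-dN6pT",
    "sess-0005-eO7qU",
    "sess-0006-fP8rV",
    "sess-0007-gQ9sW",
    "sess-0008-hR0tX",
]


def shannon_entropy(symbols: List[str]) -> float:
    """Entropy in bits of the empirical distribution of the given symbols."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def position_entropy(tokens: List[str]) -> List[float]:
    """Entropy observed at each character position across all tokens.

    Tokens are assumed to have equal length; a mixed-length sample would
    itself be a finding worth reporting rather than something to paper over.
    """
    if len(set(len(t) for t in tokens)) != 1:
        raise ValueError("tokens must have equal length for per-position analysis")
    width = len(tokens[0])
    return [shannon_entropy([t[i] for t in tokens]) for i in range(width)]


def fixed_positions(tokens: List[str]) -> List[int]:
    """Positions whose character never changes (zero entropy)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h == 0.0]


def effective_bits(tokens: List[str]) -> float:
    """Sum of per-position entropies: a rough upper bound on the randomness
    the sample demonstrates. Independence between positions is assumed, so
    this is optimistic; a real Sequencer run uses far larger samples and
    additional statistical tests."""
    return sum(position_entropy(tokens))


def assess(tokens: List[str]) -> Dict[str, object]:
    """Summarise the sample the way a tester would read a Sequencer report."""
    per_pos = position_entropy(tokens)
    # With n tokens no position can show more than log2(n) bits, so the
    # ceiling is a property of the sample size, not of the token generator.
    ceiling = math.log2(len(tokens))
    return {
        "token_length": len(tokens[0]),
        "fixed_positions": fixed_positions(tokens),
        "saturated_positions": [i for i, h in enumerate(per_pos) if h >= ceiling],
        "effective_bits": effective_bits(tokens),
        "sample_ceiling_bits_per_position": ceiling,
    }


if __name__ == "__main__":
    report = assess(TOKENS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample the prefix "sess-", the leading "000" of the counter and the separator never change, so nine of fifteen positions contribute no randomness at all, and the total the sample can demonstrate is only 18 bits. The practical caveat is the ceiling: eight tokens can never show more than three bits per position, which is why Burp's Sequencer asks for thousands of samples before drawing conclusions.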

Using the Proxy Tab

The proxy acts as a middleman between the browser and the web application. It intercepts requests, allowing you to modify or analyze them before forwarding them to the target server. The video demonstrates intercepting requests, forwarding them, and sending them to other Burp Suite tools such as Repeater and Intruder using keyboard shortcuts.

History and WebSockets

The HTTP History tab saves all requests sent through the proxy. This can be used to modify and resend old requests or to keep a log of actions. The WebSocket History tab logs WebSocket communications, which is useful for analyzing real-time interactions that don't require HTTP encapsulation.

Customizing Proxy Options

Advanced options in the proxy tab allow fine-grained control over which requests are intercepted. Each intercept rule carries a boolean operator (AND or OR) that specifies how it combines with the rules above it, so that a request is intercepted only when it matches certain criteria (e.g., URLs in the target scope). An example shows how to configure the proxy to intercept only specific requests while allowing others (e.g., browsing Google) to pass without interruption.
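To make the rule evaluation concrete, here is an added example, not code from the original post or from Burp Suite, that models how a chain of intercept rules with AND/OR operators decides whether a request is held. The rule set it evaluates is assumed to resemble Burp's default client-request rules (skip common static file extensions, intercept requests that carry parameters or use an unusual method, and finally require the URL to be in scope); the exact defaults, the target scope target.example and the helper names are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    body: str = ""

    @property
    def has_params(self) -> bool:
        # Query string or request body counts as "contains parameters".
        return bool(urlsplit(self.url).query) or bool(self.body)


@dataclass
class Rule:
    op: str                      # "And" / "Or": how to combine with the result so far
    match_type: str              # "file_extension", "http_method", "url", "request"
    relationship: str            # "matches", "does_not_match", "contains_parameters", "in_scope"
    condition: Optional[str] = None  # regex used by matches / does_not_match


# Assumed target scope: anything on target.example over http or https.
SCOPE = [r"^https?://(www\.)?target\.example(:\d+)?/"]


def in_scope(url: str) -> bool:
    return any(re.match(p, url) for p in SCOPE)


def file_extension(url: str) -> str:
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1] if "." in last_segment else ""


def evaluate_rule(rule: Rule, req: Request) -> bool:
    """Evaluate a single rule against a request."""
    if rule.match_type == "request" and rule.relationship == "contains_parameters":
        return req.has_params
    if rule.match_type == "url" and rule.relationship == "in_scope":
        return in_scope(req.url)

    subject = {
        "file_extension": file_extension(req.url),
        "http_method": req.method,
        "url": req.url,
    }[rule.match_type]
    hit = re.search(rule.condition, subject, re.IGNORECASE) is not None
    return hit if rule.relationship == "matches" else not hit


def should_intercept(rules: List[Rule], req: Request) -> bool:
    """Combine rules top to bottom; the first rule's operator is ignored."""
    if not rules:
        return True  # no rules configured: intercept everything
    result = evaluate_rule(rules[0], req)
    for rule in rules[1:]:
        value = evaluate_rule(rule, req)
        result = (result and value) if rule.op == "And" else (result or value)
    return result


# Assumed rule chain, modelled on Burp's default intercept rules.
DEFAULT_RULES = [
    Rule("Or", "file_extension", "does_not_match", r"(^gif$|^jpg$|^png$|^css$|^js$|^ico$)"),
    Rule("Or", "request", "contains_parameters"),
    Rule("Or", "http_method", "does_not_match", r"^(get|post)$"),
    Rule("And", "url", "in_scope"),
]

if __name__ == "__main__":
    samples = [
        Request("GET", "https://target.example/login.php?user=alice"),
        Request("GET", "https://target.example/static/logo.png"),
        Request("GET", "https://www.google.com/search?q=burp"),
        Request("OPTIONS", "https://target.example/api/items"),
    ]
    for r in samples:
        print(f"{r.method:8} {r.url:45} intercept={should_intercept(DEFAULT_RULES, r)}")
```

The trailing AND rule is what gives the behaviour described above: the login request on target.example is held, the image on the same host is let through by the extension rule, and the Google search is let through even though it carries a parameter, because it fails the final in-scope check.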

Practical Testing

A web application hosted on a virtual machine is used to demonstrate request interception, modification, and testing against different Burp Suite features. The video also explains how to modify the scope to target only specific URLs.

TryHackMe Burp Suite | Room Answers

Which edition of Burp Suite will we be using in this module?

Burp Suite Community

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

Burp Suite Enterprise

Burp Suite is frequently used when attacking web applications and ______ applications.

Mobile

Which Burp Suite feature allows us to intercept requests between ourselves and the target?

Proxy

Which Burp tool would we use if we wanted to bruteforce a login form?

Intruder

If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?

Aye

Which button would we choose to send an intercepted request to the target in Burp Proxy?

Forward

[Research] What is the default keybind for this?

Ctrl+F

What is the typical severity of a Vulnerable JavaScript dependency?

Low

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.