Information security professionals often describe Burp as their best friend. Burp doesn't ring a bell? It is a software suite dedicated to web security audits, used by most people who test web applications for a living. This first article presents Burp and four of its fundamental modules. For readers already familiar with the tool, a second, more technical article details some functionalities and extensions that make its use more efficient.
Burp Suite in short
Burp Suite, usually just called Burp, is a tool dedicated to auditing web platforms. Its two main functions are an intercepting web proxy and a web vulnerability scanner. It is developed by PortSwigger. Burp Suite has a free version (the Community Edition), which includes the proxy, the repeater and the intruder (the latter in a throttled form). Below we discuss these three modules and the scanner, which is only included in the paid version.
This tool is indispensable for auditing a web application, because it meets the first need of an auditor: seeing the exchanges between the browser and the web server, in order to understand the architecture of the solution under test and how it works. With its many easily configured functionalities, it is the Swiss Army knife of a pentester.
Burp Suite is not the only software offering a vulnerability scanner and a web proxy: ZAP, developed by OWASP, and Vega offer the same functionalities. However, thanks to its modularity through extensions, its ergonomics and its active community (which develops new extensions and writes detailed documentation about the modules), Burp has become the reference tool in its category.
Burp works in a modular way. Some modules are installed by default, namely the essential ones for running an audit. Further complementary modules, called extensions, can be downloaded via the Extender tab (Burp's "catalog", the BApp Store). The follow-up article Functionalities and extensions describes some extensions that simplify time-consuming tasks.
We will now detail the principles of four essential modules of this software.
The HTTP proxy is an interception proxy that sits between the browser and the HTTP application, so as to intercept every request the browser issues (and, if enabled, every response the server returns). It is THE main function for a web pentester, because it gives a complete view of how the website works. The proxy offers two modes:
- either intercept and hold each request, so that it can be modified very quickly before it is forwarded to the server (Intercept tab);
- or run passively, in which case every request the browser sends is recorded in the HTTP history or WebSockets history tab (depending on the protocol used).
Finally, this module offers many configuration options for modifying the requests it receives automatically, such as match-and-replace rules applied to headers or bodies.
The vulnerability scanner automates part of the testing. During an audit, a pentester does not have time to test every parameter of every request made by a website by hand; the scanner assists with this. To scan a request, it is enough to select it in the proxy history and send it to the scanner. Burp then resends the request with various malicious payloads in each parameter it finds (its insertion points), analyses the server's behaviour in response to these payloads and reports an issue when a vulnerability appears to have been found. Note that active scanning sends a large number of potentially disruptive requests, so it should only be run against targets that are in scope and that you are authorised to test.
Burp's Intruder is a module for attacking requests with customised payloads. Unlike the scanner, Intruder does not decide by itself what to test: the pentester marks the parameters to attack (the payload positions) and supplies the payload list, which determines which tests are executed.
This module is used for brute-force attacks, to enumerate objects or to bypass filters: a dedicated payload list can be built for the vulnerability being targeted, and the responses are then compared (status code, length, content) to spot the payloads that made the server behave differently.
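The mechanic that the scanner and Intruder share, sending the same request many times with a different payload in the same position and comparing the answers, as an added Python example that is not part of the original article or of Burp itself. The target (a local /profile?id= endpoint on which only three user ids exist) is constructed for the demonstration; the § markers around the payload position are Burp's own notation, and the triage step mimics what a pentester does with the Status and Length columns of Intruder's results table.

```python
"""Sniper-style payload substitution against a constructed local target."""
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the application under test (not a real target):
# /profile?id=N answers 200 for the ids below and 404 for everything else.
EXISTING_USERS = {1: "alice", 2: "bob", 7: "carol"}


class _TargetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        raw_id = parse_qs(url.query).get("id", [""])[0]
        try:
            uid = int(raw_id)
        except ValueError:
            uid = None  # non-numeric ids are treated like unknown users
        if url.path == "/profile" and uid in EXISTING_USERS:
            status, body = 200, f"profile of {EXISTING_USERS[uid]}".encode()
        else:
            status, body = 404, b"no such user"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo's output to the attack results only


def start_target():
    """Start the constructed target on a free local port and return (host, port)."""
    server = HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


# Request template with one payload position. The § markers are the ones Intruder
# itself places around a selected parameter value.
TEMPLATE = "/profile?id=§0§"


def sniper(host, port, template, payloads):
    """Sniper attack: put each payload at the single §...§ position, send, record the answer."""
    head, _, rest = template.partition("§")
    _original_value, _, tail = rest.partition("§")
    results = []
    for payload in payloads:
        target = f"{head}{payload}{tail}"
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", target)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        results.append({"payload": payload, "status": resp.status, "length": len(body)})
    return results


def interesting(results):
    """Triage like Intruder's results table: flag payloads whose status code or
    response length differs from the most common (baseline) answer."""
    baseline = Counter((r["status"], r["length"]) for r in results).most_common(1)[0][0]
    return [r["payload"] for r in results if (r["status"], r["length"]) != baseline]


def run_demo(payloads=range(10)):
    """Enumerate user ids 0..9 against the constructed target; return the ids that exist."""
    host, port = start_target()
    return interesting(sniper(host, port, TEMPLATE, payloads))


if __name__ == "__main__":
    host, port = start_target()
    for row in sniper(host, port, TEMPLATE, range(10)):
        print(row)
    # → only ids 1, 2 and 7 answer 200, with a different length from the 404s
```

Intruder does the same substitution for you, in parallel and with several attack types (several positions, several payload sets), and lets you sort the results by status code or length; the point of the example is that a payload which produces an answer differing from the baseline is the one worth looking at.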
The Repeater is a module for sending HTTP requests to a server one at a time. It takes requests previously captured by the proxy and lets the pentester modify them by hand before resending each one individually and inspecting the response.
This module is used in particular to test logic flaws, since the fine-grained modifications it allows are valuable for analysing multi-step processes, such as a shopping-cart checkout.
After this first article, we hope that Burp is no longer "technical jargon", and that this presentation of four essential modules has shown the value of Burp for testing the security of web applications.
To go further with the tool, the next article explains some functionalities and extensions that will strengthen your use of this software.