Burp Suite Cheat Sheet
Überblick
Burp Suite ist die branchenführende Web Application Security Testing Plattform von PortSwigger, die umfassende Tools und Fähigkeiten zur Identifizierung, Analyse und Nutzung von Sicherheitslücken in Webanwendungen und APIs bietet. Als de facto-Standard für Web-Applikationsdurchdringungstests kombiniert Burp Suite automatisierte Scanfähigkeiten mit leistungsstarken manuellen Testtools, die es Sicherheitsexperten ermöglichen, gründliche Bewertungen moderner Web-Anwendungen, REST APIs, GraphQL Endpoints und komplexer Single-page-Anwendungen durchzuführen. Die modulare Architektur und das erweiterbare Framework der Plattform eignen sich sowohl für automatisierte Sicherheitstests als auch für detaillierte manuelle Sicherheitsforschung.
Die Kernkraft der Burp Suite liegt in ihrem integrierten Ansatz zur Web Application Security Testing und kombiniert mehrere spezialisierte Tools innerhalb einer einheitlichen Schnittstelle, die umfassende Sicherheitsbewertungen erleichtert. Die Plattform umfasst einen abfangenden Proxy für die Verkehrsanalyse und -manipulation, einen Web-Verwundbarkeitssscanner zur automatisierten Entdeckung von Sicherheitsproblemen, ein Eindringwerkzeug für kundenspezifische Angriffe und Fuzzing, einen Repeater für manuelle Anforderungsmanipulation und einen Sequenzer zur Analyse von Sitzungstoken-Traditionalität. Dieses integrierte Toolet ermöglicht Sicherheitsexperten, komplette Sicherheitsbewertungen von der ersten Aufklärung durch detaillierte Sicherheitsausbeutung und Validierung durchzuführen.
Die erweiterten Funktionen von Burp Suite umfassen anspruchsvolle Session-Handling-Funktionen, kundenspezifische Erweiterungsentwicklung durch ihre API, Integration mit CI/CD-Pipelines für DevSecOps-Workflows und umfassende Reporting-Funktionen für technische und Führungskräfte. Die Plattform unterstützt moderne Webtechnologien wie JavaScript-heavy-Anwendungen, WebSocket-Kommunikation, HTTP/2-Protokoll und komplexe Authentifizierungsmechanismen. Burp Suite ist mit seiner aktiven Community von Sicherheitsforschern, umfangreichen Dokumentationen und kontinuierlichen Innovationen in der Web Application Security Testing Methodologien das Eckpfeilerwerkzeug für Web Application Security Professionals weltweit.
Installation
Burp Suite Community Edition
Installation von Burp Suite Community Edition:
```bash
Download from PortSwigger website
https://portswigger.net/burp/communitydownload
Linux Installation
Download JAR file
wget https://portswigger.net/burp/releases/download?product=community&version;=latest&type;=jar -O burpsuite_community.jar
Install Java (if not already installed)
sudo apt update sudo apt install -y openjdk-11-jdk
Verify Java installation
java -version
Run Burp Suite
java -jar burpsuite_community.jar
Create desktop shortcut
cat > ~/Desktop/BurpSuite.desktop << 'EOF' [Desktop Entry] Version=1.0 Type=Application Name=Burp Suite Community Comment=Web Application Security Testing Exec=java -jar /path/to/burpsuite_community.jar Icon=/path/to/burp-icon.png Terminal=false Categories=Development;Security; EOF
chmod +x ~/Desktop/BurpSuite.desktop
Windows Installation
Download installer from PortSwigger
Run installer as Administrator
Follow installation wizard
Launch from Start Menu or Desktop
macOS Installation
Download DMG file
Mount DMG and drag to Applications
Launch from Applications folder
```_
Burp Suite Professional
Installieren von Burp Suite Professional:
```bash
Purchase license from PortSwigger
Download Professional edition
Linux Installation
wget https://portswigger.net/burp/releases/download?product=pro&version;=latest&type;=jar -O burpsuite_pro.jar
Run with license
java -jar burpsuite_pro.jar
Enter license key when prompted
License format: XXXX-XXXX-XXXX-XXXX
Increase memory allocation for large applications
java -Xmx4g -jar burpsuite_pro.jar
Run with custom JVM options
java -Xmx8g -XX:+UseG1GC -jar burpsuite_pro.jar
Create startup script
cat > ~/bin/burp-pro.sh ``<< 'EOF'
!/bin/bash
java -Xmx8g -XX:+UseG1GC -jar /opt/burpsuite/burpsuite_pro.jar "$@" EOF
chmod +x ~/bin/burp-pro.sh ```_
Docker Installation
Running Burp Suite in Docker:
```bash
Create Dockerfile for Burp Suite
cat >`` Dockerfile.burp << 'EOF' FROM openjdk:11-jre-slim
Install dependencies
RUN apt-get update && apt-get install -y \ wget \ xvfb \ x11vnc \ fluxbox \ && rm -rf /var/lib/apt/lists/*
Download Burp Suite Community
RUN wget -O /opt/burpsuite_community.jar \ "https://portswigger.net/burp/releases/download?product=community&version;=latest&type;=jar"
Create startup script
RUN echo '#!/bin/bash\nXvfb :1 -screen 0 1024x768x16 &\nexport DISPLAY=:1\nfluxbox &\nx11vnc -display :1 -nopw -listen localhost -xkb &\njava -jar /opt/burpsuite_community.jar' > /start.sh RUN chmod +x /start.sh
EXPOSE 5900 8080
CMD ["/start.sh"] EOF
Build Docker image
docker build -f Dockerfile.burp -t burpsuite .
Run Burp Suite in Docker
docker run -d --name burpsuite \ -p 5900:5900 \ -p 8080:8080 \ -v $(pwd)/burp-data:/root/.BurpSuite \ burpsuite
Access via VNC
Connect to localhost:5900 with VNC client
```_
Browserkonfiguration
Browser konfigurieren, um mit Burp Suite zu arbeiten:
```bash
Firefox Configuration
1. Open Firefox
2. Go to Settings > Network Settings
3. Configure Manual proxy:
- HTTP Proxy: 127.0.0.1, Port: 8080
- Use this proxy server for all protocols: checked
4. Install Burp CA certificate:
- Navigate to http://burp
- Download CA Certificate
- Import in Firefox Certificate Manager
Chrome Configuration
Launch Chrome with proxy settings
google-chrome --proxy-server=127.0.0.1:8080 --ignore-certificate-errors
Create Chrome profile for Burp
google-chrome --user-data-dir=/tmp/chrome-burp --proxy-server=127.0.0.1:8080
Install CA certificate in Chrome
1. Navigate to http://burp
2. Download CA Certificate
3. Go to Chrome Settings > Privacy and Security > Security
4. Manage certificates > Authorities > Import
5. Select downloaded certificate
FoxyProxy Extension (Recommended)
Install FoxyProxy extension
Configure proxy:
- Title: Burp Suite
- Proxy Type: HTTP
- IP: 127.0.0.1
- Port: 8080
```_
Basisnutzung
Proxy Konfiguration
Einrichtung und Nutzung des Burp Proxy:
```bash
Start Burp Suite
java -jar burpsuite_community.jar
Proxy Tab Configuration
1. Go to Proxy > Options
2. Proxy Listeners:
- Interface: 127.0.0.1:8080 (default)
- Add additional listeners if needed
3. Intercept Client Requests: On/Off
4. Intercept Server Responses: On/Off
Basic Proxy Usage
1. Configure browser to use Burp proxy
2. Navigate to target application
3. Observe requests in Proxy > HTTP history
4. Intercept and modify requests as needed
Certificate Installation
1. With proxy configured, navigate to http://burp
2. Click "CA Certificate" to download
3. Install in browser certificate store
4. Trust for identifying websites
Scope Configuration
1. Go to Target > Scope
2. Add target URLs to scope
3. Configure proxy to only show in-scope items
4. Use scope to focus testing efforts
```_
Zielanalyse
Analyse von Zielanwendungen:
```bash
Site Map Building
1. Browse target application normally
2. Observe site map building in Target tab
3. Review discovered content and parameters
4. Identify attack surface
Content Discovery
1. Right-click on target in site map
2. Select "Spider this host"
3. Configure spider options
4. Review discovered content
Parameter Analysis
1. Review Params tab in Target
2. Identify all parameters used
3. Note parameter types and contexts
4. Plan parameter-based attacks
Technology Identification
1. Review HTTP headers in proxy history
2. Identify server technologies
3. Note framework and language indicators
4. Research known vulnerabilities
```_
Manuelle Prüfung
Manuelle Sicherheitsprüfungen durchführen:
```bash
Request Manipulation with Repeater
1. Send interesting requests to Repeater
2. Modify parameters, headers, and body
3. Analyze responses for vulnerabilities
4. Test different attack payloads
SQL Injection Testing
1. Identify database parameters
2. Test with SQL injection payloads:
- ' OR '1'='1
- '; DROP TABLE users; --
- UNION SELECT 1,2,3--
3. Analyze error messages and responses
4. Exploit confirmed vulnerabilities
XSS Testing
1. Identify reflection points
2. Test with XSS payloads:
-
- ">
- javascript:alert('XSS')
3. Test in different contexts (HTML, JavaScript, CSS)
4. Bypass filters and encoding
Authentication Testing
1. Analyze login mechanisms
2. Test for weak passwords
3. Check session management
4. Test for privilege escalation
```_
Erweiterte Funktionen
Automatisches Scannen
Verwendung von Burp Scanner (nur Professional):
```bash
Active Scanning
1. Right-click on target in site map
2. Select "Actively scan this host"
3. Configure scan settings:
- Scan speed: Fast/Normal/Thorough
- Scan accuracy: Minimize false positives/Normal/Minimize false negatives
4. Monitor scan progress in Scanner tab
Passive Scanning
1. Passive scanning runs automatically
2. Review issues in Scanner > Issues
3. Analyze issue details and evidence
4. Verify findings manually
Custom Scan Configurations
1. Go to Scanner > Options
2. Configure attack insertion points
3. Customize payload sets
4. Set scan optimization options
Live Scanning
1. Enable live passive scanning
2. Configure live active scanning
3. Set scan queue management
4. Monitor real-time results
```_
Eindringliche Angriffe
Verwendung von Burp Eindringling für automatisierte Angriffe:
```bash
Sniper Attack
1. Send request to Intruder
2. Set single payload position
3. Configure payload set (wordlist)
4. Launch attack and analyze results
Battering Ram Attack
1. Set multiple payload positions
2. Use same payload for all positions
3. Useful for testing same value everywhere
4. Analyze response variations
Pitchfork Attack
1. Set multiple payload positions
2. Use different payload sets
3. Iterate through payloads in parallel
4. Test related parameter combinations
Cluster Bomb Attack
1. Set multiple payload positions
2. Test all combinations of payloads
3. Comprehensive but time-consuming
4. Useful for credential brute forcing
Custom Payloads
1. Create custom wordlists
2. Use payload processing rules
3. Configure payload encoding
4. Set grep extraction rules
```_
Bearbeitung von Sitzungen
Umgang mit komplexen Sitzungen:
```bash
Session Handling Rules
1. Go to Project Options > Sessions
2. Create session handling rules
3. Configure rule actions:
- Use cookies from Burp's cookie jar
- Run macro
- Check session is valid
4. Set rule scope and conditions
Macros for Authentication
1. Record login sequence as macro
2. Configure macro to extract session tokens
3. Use macro in session handling rules
4. Automatically maintain authentication
Cookie Management
1. Review cookies in Proxy > Options > Sessions
2. Configure cookie scope and handling
3. Manage session fixation issues
4. Test cookie security attributes
CSRF Token Handling
1. Identify CSRF token parameters
2. Create macro to extract tokens
3. Configure automatic token updates
4. Test CSRF protection effectiveness
```_
Erweiterungen und Anpassung
Erweiterung der Funktionalität von Burp Suite:
```bash
BApp Store Extensions
1. Go to Extender > BApp Store
2. Browse available extensions
3. Install useful extensions:
- Logger++
- Autorize
- Param Miner
- Turbo Intruder
- Active Scan++
Manual Extension Installation
1. Download extension JAR/Python file
2. Go to Extender > Extensions
3. Click Add and select file
4. Configure extension settings
Custom Extension Development
1. Use Burp Extender API
2. Develop in Java, Python, or Ruby
3. Implement required interfaces
4. Test and debug extensions
Popular Extensions
Logger++: Enhanced logging and filtering
Autorize: Authorization testing
Param Miner: Parameter discovery
Turbo Intruder: High-speed attacks
Collaborator Everywhere: SSRF testing
```_
Automatisierungsskripte
Burp Suite API Automation
```python
!/usr/bin/env python3
Burp Suite API automation script
import requests import json import time import base64 import urllib3 from urllib.parse import urljoin
Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class BurpSuiteAPI: def init(self, api_url="http://127.0.0.1:1337", api_key=None): self.api_url = api_url.rstrip('/') self.api_key = api_key self.session = requests.Session() self.session.verify = False
if api_key:
self.session.headers.update(\\\\{'X-API-Key': api_key\\\\})
def get_proxy_history(self):
"""Get proxy history"""
try:
response = self.session.get(f"\\\\{self.api_url\\\\}/burp/proxy/history")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting proxy history: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting proxy history: \\\\{e\\\\}")
return None
def send_to_repeater(self, request_data):
"""Send request to Repeater"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/repeater/send",
json=request_data
)
if response.status_code == 200:
return response.json()
else:
print(f"Error sending to repeater: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception sending to repeater: \\\\{e\\\\}")
return None
def start_active_scan(self, target_url, scan_config=None):
"""Start active scan"""
scan_data = \\\\{
'urls': [target_url]
\\\\}
if scan_config:
scan_data.update(scan_config)
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/scanner/scans/active",
json=scan_data
)
if response.status_code == 201:
return response.json()
else:
print(f"Error starting scan: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception starting scan: \\\\{e\\\\}")
return None
def get_scan_status(self, scan_id):
"""Get scan status"""
try:
response = self.session.get(f"\\\\{self.api_url\\\\}/burp/scanner/scans/\\\\{scan_id\\\\}")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan status: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting scan status: \\\\{e\\\\}")
return None
def get_scan_issues(self, scan_id=None):
"""Get scan issues"""
url = f"\\\\{self.api_url\\\\}/burp/scanner/issues"
if scan_id:
url += f"?scan_id=\\\\{scan_id\\\\}"
try:
response = self.session.get(url)
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan issues: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception getting scan issues: \\\\{e\\\\}")
return None
def generate_report(self, report_config):
"""Generate scan report"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/report",
json=report_config
)
if response.status_code == 200:
return response.content
else:
print(f"Error generating report: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception generating report: \\\\{e\\\\}")
return None
def run_intruder_attack(self, attack_config):
"""Run Intruder attack"""
try:
response = self.session.post(
f"\\\\{self.api_url\\\\}/burp/intruder/attack",
json=attack_config
)
if response.status_code == 200:
return response.json()
else:
print(f"Error running intruder attack: \\\\{response.status_code\\\\}")
return None
except Exception as e:
print(f"Exception running intruder attack: \\\\{e\\\\}")
return None
Automated Web Application Testing
class WebAppTester: def init(self, burp_api): self.burp = burp_api self.results = \\{\\}
def discover_application(self, target_url):
"""Discover application structure"""
print(f"Discovering application: \\\\{target_url\\\\}")
# Start with basic crawling
scan_config = \\\\{
'scan_configurations': ['crawl_and_audit'],
'application_logins': [],
'resource_pool': 'default'
\\\\}
scan_result = self.burp.start_active_scan(target_url, scan_config)
if scan_result:
scan_id = scan_result['scan_id']
print(f"Started discovery scan: \\\\{scan_id\\\\}")
return scan_id
return None
def wait_for_scan_completion(self, scan_id, max_wait=3600):
"""Wait for scan to complete"""
start_time = time.time()
while time.time() - start_time < max_wait:
status = self.burp.get_scan_status(scan_id)
if status:
scan_status = status.get('scan_status', 'unknown')
print(f"Scan \\\\{scan_id\\\\} status: \\\\{scan_status\\\\}")
if scan_status == 'finished':
return True
elif scan_status == 'failed':
print(f"Scan \\\\{scan_id\\\\} failed")
return False
time.sleep(30) # Check every 30 seconds
print(f"Scan \\\\{scan_id\\\\} did not complete within \\\\{max_wait\\\\} seconds")
return False
def analyze_vulnerabilities(self, scan_id=None):
"""Analyze discovered vulnerabilities"""
print("Analyzing vulnerabilities...")
issues = self.burp.get_scan_issues(scan_id)
if not issues:
print("No issues found")
return \\\\{\\\\}
vulnerability_summary = \\\\{\\\\}
for issue in issues:
severity = issue.get('severity', 'Unknown')
issue_type = issue.get('issue_type', 'Unknown')
if severity not in vulnerability_summary:
vulnerability_summary[severity] = \\\\{\\\\}
if issue_type not in vulnerability_summary[severity]:
vulnerability_summary[severity][issue_type] = 0
vulnerability_summary[severity][issue_type] += 1
return vulnerability_summary
def test_authentication(self, login_url, credentials):
"""Test authentication mechanisms"""
print(f"Testing authentication at: \\\\{login_url\\\\}")
# Test weak passwords
weak_passwords = ['password', '123456', 'admin', 'test', 'guest']
for username, password in credentials:
for weak_pass in weak_passwords:
# Create intruder attack for password testing
attack_config = \\\\{
'base_request': \\\\{
'url': login_url,
'method': 'POST',
'headers': \\\\{'Content-Type': 'application/x-www-form-urlencoded'\\\\},
'body': f'username=\\\\{username\\\\}&password;=\\\\{weak_pass\\\\}'
\\\\},
'attack_type': 'sniper',
'payload_sets': [weak_passwords]
\\\\}
result = self.burp.run_intruder_attack(attack_config)
if result:
print(f"Tested \\\\{username\\\\}:\\\\{weak_pass\\\\}")
def generate_comprehensive_report(self, scan_id, output_file):
"""Generate comprehensive security report"""
print(f"Generating report: \\\\{output_file\\\\}")
report_config = \\\\{
'scan_id': scan_id,
'report_type': 'HTML',
'include_false_positives': False,
'include_request_response': True
\\\\}
report_data = self.burp.generate_report(report_config)
if report_data:
with open(output_file, 'wb') as f:
f.write(report_data)
print(f"Report saved: \\\\{output_file\\\\}")
return True
return False
def run_comprehensive_test(self, target_url, output_dir="/tmp/burp_results"):
"""Run comprehensive web application test"""
print(f"Starting comprehensive test of: \\\\{target_url\\\\}")
# Create output directory
import os
os.makedirs(output_dir, exist_ok=True)
# Step 1: Discovery
scan_id = self.discover_application(target_url)
if not scan_id:
print("Failed to start discovery scan")
return False
# Step 2: Wait for completion
if not self.wait_for_scan_completion(scan_id):
print("Scan did not complete successfully")
return False
# Step 3: Analyze results
vulnerabilities = self.analyze_vulnerabilities(scan_id)
# Step 4: Generate report
report_file = os.path.join(output_dir, f"burp_report_\\\\{scan_id\\\\}.html")
self.generate_comprehensive_report(scan_id, report_file)
# Step 5: Summary
print("\n=== Test Summary ===")
print(f"Target: \\\\{target_url\\\\}")
print(f"Scan ID: \\\\{scan_id\\\\}")
print(f"Report: \\\\{report_file\\\\}")
print("\nVulnerabilities by Severity:")
for severity, issues in vulnerabilities.items():
print(f" \\\\{severity\\\\}:")
for issue_type, count in issues.items():
print(f" \\\\{issue_type\\\\}: \\\\{count\\\\}")
return True
Usage example
def main(): import argparse
parser = argparse.ArgumentParser(description='Burp Suite Automation')
parser.add_argument('--target', required=True, help='Target URL')
parser.add_argument('--api-url', default='http://127.0.0.1:1337', help='Burp API URL')
parser.add_argument('--api-key', help='Burp API key')
parser.add_argument('--output', default='/tmp/burp_results', help='Output directory')
args = parser.parse_args()
# Initialize Burp API
burp_api = BurpSuiteAPI(args.api_url, args.api_key)
# Initialize tester
tester = WebAppTester(burp_api)
# Run comprehensive test
success = tester.run_comprehensive_test(args.target, args.output)
if success:
print("Comprehensive test completed successfully")
else:
print("Comprehensive test failed")
if name == "main": main() ```_
Integrationsbeispiele
CI/CD Integration
```yaml
Jenkins Pipeline for Burp Suite Integration
pipeline \\{ agent any
environment \\\\{
BURP_API_URL = 'http: //burp-server:1337'
BURP_API_KEY = credentials('burp-api-key')
TARGET_URL = 'https: //staging.example.com'
\\\\}
stages \\\\{
stage('Deploy Application') \\\\{
steps \\\\{
// Deploy application to staging
sh 'deploy-to-staging.sh'
\\\\}
\\\\}
stage('Security Scan') \\\\{
steps \\\\{
script \\\\{
// Start Burp scan
def scanResult = sh(
script: """
python3 burp_automation.py \
--target $\\\\{TARGET_URL\\\\} \
--api-url $\\\\{BURP_API_URL\\\\} \
--api-key $\\\\{BURP_API_KEY\\\\} \
--output ./burp-results
""",
returnStatus: true
)
if (scanResult != 0) \\\\{
error("Burp scan failed")
\\\\}
\\\\}
\\\\}
\\\\}
stage('Process Results') \\\\{
steps \\\\{
// Archive scan results
archiveArtifacts artifacts: 'burp-results/**/*', fingerprint: true
// Publish security report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'burp-results',
reportFiles: '*.html',
reportName: 'Burp Security Report'
])
// Check for critical vulnerabilities
script \\\\{
def criticalVulns = sh(
| script: "grep -c 'High\ | Critical' burp-results/*.html | | true", | returnStdout: true ).trim()
if (criticalVulns.toInteger() > 0) \\\\{
currentBuild.result = 'UNSTABLE'
echo "Found $\\\\{criticalVulns\\\\} critical/high vulnerabilities"
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Clean up
sh 'rm -rf burp-results'
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "Security Scan Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "Security scan failed for $\\\\{TARGET_URL\\\\}. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} ```_
Fehlerbehebung
Gemeinsame Themen
Proxy-Verbindungsprobleme: ```bash
Check Burp proxy listener
Go to Proxy > Options > Proxy Listeners
Verify 127.0.0.1:8080 is running
Test proxy connectivity
curl -x 127.0.0.1:8080 http://example.com
Check browser proxy settings
Verify proxy configuration in browser
Test with simple HTTP site first
Certificate issues
Reinstall Burp CA certificate
Clear browser certificate cache
Check certificate trust settings
```_
Leistungsfragen: ```bash
Increase Java heap size
java -Xmx4g -jar burpsuite_pro.jar
Optimize Burp settings
Reduce proxy history size
Limit active scan threads
Disable unnecessary extensions
Database optimization
Clear project data regularly
Use temporary projects for large scans
Monitor disk space usage
```_
Scanner-Ausgaben: ```bash
Check scan configuration
Verify target scope settings
Review scan insertion points
Check authentication settings
Monitor scan progress
Review scan queue status
Check for scan errors
Verify network connectivity
```_
Leistungsoptimierung
Optimierung von Burp Eigenschaften der Suite:
```bash
JVM Optimization
java -Xmx8g -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -jar burpsuite_pro.jar
Burp Configuration
Project Options > Misc:
- Automatic project backup: Disabled for performance
- Temporary files location: Fast SSD
- Memory usage: Optimize for large projects
Scanner Optimization
Scanner > Options:
- Scan speed: Adjust based on target
- Concurrent scan threads: 10-20
- Insertion point types: Limit as needed
Proxy Optimization
Proxy > Options:
- History size: Limit to reasonable number
- Automatic response modification: Minimal
- Match and replace rules: Optimize regex
```_
Sicherheitsüberlegungen
Operationelle Sicherheit
** Prüfung der Zulassung:** - Nur Testanwendungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Erhalten Sie eine ordnungsgemäße Genehmigung vor der Durchführung von Sicherheitsbewertungen - Umfang und Einschränkungen der Dokumentenprüfung - Respektgeschwindigkeitsbegrenzung und Vermeidung von Servicestörungen - Implementierung der richtigen Zugangskontrollen für Burp-Projekte und Daten
Datenschutz: - Verschlüsseln Sie Burp-Projektdateien mit sensiblen Daten - Implementierung sicherer Datenspeicherrichtlinien für Scan-Ergebnisse - Kontrollieren Sie Zugriff auf Sicherheitsdaten und Berichte - Sichere Übertragung von Scanergebnissen und -ergebnissen - Regelmäßige Backup- und Recovery-Verfahren für kritische Daten
Compliance und Governance
** Testverfahren:** - Implementierung standardisierter Testmethoden - Dokumentation aller Prüftätigkeiten für die Erfüllung von Zwecken - Regelmäßige Überprüfung der Prüfverfahren und -ergebnisse - Einhaltung der Organisationssicherheitspolitiken - Integration mit Sicherheitsmanagement-Workflows
Referenzen
- PortSwigger Burp Suite Dokumentation
- [Burp Suite API Referenz](https://LINK_5
- Web Security Testing Guide
- [OWASP Top 10](_LINK_5___
- [Web Application Security Consortium](__LINK_5___