
Burp Suite

Installation & Setup

Community Edition

# Linux (apt)
sudo apt-get install burpsuite-community

# Linux (manual download)
wget https://portswigger.net/burp/releases/download
chmod +x burpsuite_community_linux_v2024.x_installer_x64.sh
./burpsuite_community_linux_v2024.x_installer_x64.sh

# macOS (Homebrew)
brew install burp-suite-community

# Windows
# Download from portswigger.net and run installer

Pro Edition

  • Purchase from Burp website
  • Install via same methods as Community
  • Activate with license key (can also use 30-day free trial)

System Requirements

Component   Requirement
Java        JRE 11+
RAM         4GB minimum (8GB+ recommended)
Disk        2GB free space
OS          Linux, macOS, Windows

Proxy Configuration

Browser Proxy Setup

Firefox

  1. Settings → Network → Proxy settings
  2. Manual proxy configuration
  3. HTTP Proxy: 127.0.0.1 Port: 8080
  4. Use this proxy for all protocols

Chrome/Chromium

# Via command line
google-chrome --proxy-server="http://127.0.0.1:8080"

# Or configure system proxy settings
# Settings → Advanced → System → Open proxy settings

Burp Listener Configuration

  1. Proxy tab → Proxy settings
  2. Click “Add” under Proxy listeners
  3. Bind to address: 127.0.0.1 Port: 8080
  4. Check “Running”

SSL Certificate Installation

Firefox

  1. Proxy → Options → Import CA certificate
  2. Download cacert.der
  3. Firefox → Preferences → Privacy & Security → Certificates → Import
  4. Select the downloaded certificate

Chrome

# Linux
sudo cp burp_cacert.der /usr/local/share/ca-certificates/
sudo update-ca-certificates

# macOS
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain burp_cacert.der

# Windows
# Double-click certificate → Install Certificate → Trusted Root

Request Interception

Intercepting Requests

  1. Open Proxy → Intercept
  2. Check “Intercept is on”
  3. Browse normally in configured browser
  4. Requests appear in Intercept tab
  5. Edit and click “Forward” or “Drop”

Filter & Log Requests

Feature             Purpose
Intercept filters   Show/hide specific request types
Logger              View all proxy traffic history
History             Browse captured requests
Scope               Limit to target domains only

Keyboard Shortcuts

Ctrl+I    Toggle intercept on/off
Ctrl+F    Forward selected request
Ctrl+D    Drop selected request
Ctrl+U    URL encode selected text

Repeater (Manual Request Testing)

Basic Workflow

  1. Select request in Proxy History
  2. Right-click → Send to Repeater
  3. Edit request in left panel
  4. Click “Send” (or Ctrl+Enter)
  5. View response in right panel

Common Tests

Test                     Method
Parameter manipulation   Edit parameter values
Authentication bypass    Remove/modify auth headers
SQLi detection           Inject quotes, SQL keywords
Header injection         Add/modify headers
Method override          Change GET to POST

Useful Tricks

# Test for information disclosure
X-Original-URL: /admin
X-Rewrite-URL: /admin

# Bypass WAF
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1

# Test for XXE
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

Intruder (Automated Attack Tool)

Attack Types

Type            Use Case                      Payload
Sniper          Single parameter fuzzing      One payload position
Battering Ram   Multiple identical payloads   Same payload all positions
Pitchfork       Multiple different payloads   One payload per position (paired)
Cluster Bomb    Cartesian product             All combinations
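To make the four attack types concrete, the following added example (not part of the original cheat sheet or of Burp itself) reproduces how each type walks a request template marked with § positions and how many requests each run generates; the template and payload lists are constructed for the example.

```python
import itertools
from typing import Iterator, List, Sequence

MARK = "§"  # Burp marks payload positions with § ... §

# Constructed request template (not from a real target): two marked positions.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
            f"user={MARK}admin{MARK}&pass={MARK}secret{MARK}")


def split_template(template: str) -> List[str]:
    """Return alternating [static, marked, static, ..., static] chunks."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts


def fill(template: str, values: Sequence[str]) -> str:
    """Substitute values[i] for the i-th marked position, dropping the markers."""
    parts = split_template(template)
    parts[1::2] = list(values)  # raises if the value count does not match
    return "".join(parts)


def attack(template: str, attack_type: str,
           payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Yield every request an Intruder run of the given type would send."""
    originals = split_template(template)[1::2]  # base values for unfuzzed positions
    n = len(originals)
    if attack_type == "sniper":            # one set, one position at a time
        for pos in range(n):
            for p in payload_sets[0]:
                vals = list(originals)
                vals[pos] = p
                yield fill(template, vals)
    elif attack_type == "battering ram":   # one set, same payload in every position
        for p in payload_sets[0]:
            yield fill(template, [p] * n)
    elif attack_type == "pitchfork":       # one set per position, walked in step
        for combo in zip(*payload_sets[:n]):
            yield fill(template, combo)
    elif attack_type == "cluster bomb":    # one set per position, all combinations
        for combo in itertools.product(*payload_sets[:n]):
            yield fill(template, combo)
    else:
        raise ValueError(f"unknown attack type: {attack_type}")


def request_count(template: str, attack_type: str, payload_sets) -> int:
    """Requests the run generates: useful for sizing rate limits and log volume."""
    return sum(1 for _ in attack(template, attack_type, payload_sets))
```

With sets of 3 and 2 payloads on two positions, sniper sends 6 requests, battering ram 3, pitchfork 2 (stops at the shorter set) and cluster bomb 6.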

Setup Workflow

  1. Repeater → Select request → Send to Intruder
  2. Positions tab → Clear all → Mark parameters
  3. Payloads tab → Select attack type
  4. Add payload set (numbers, strings, custom)
  5. Options tab → Set threading (Community: 1 thread)
  6. Start attack

Payload Sets

  • Simple list (wordlist file)
  • Numbers (range, step)
  • Brute force (charset, length)
  • Runtime file (external file path)
  • Recursive grep (extract from responses)
  • Character substitution

Resource Pool (Pro)

# Allow concurrent requests in Community edition via JVM settings
BURP_JAVA_MEMORY="-Xmx8g"

Scanner (Vulnerability Scanning)

Active Scanning

  1. Right-click request → Send to Scanner
  2. Scanner tab → Active scanning
  3. Configure scan scope (select categories)
  4. Click “Scan”

Scan Configuration

Setting       Option
Crawl         Include parent directories
Audit         Select vulnerability types
Consolidate   Group duplicate issues
Throttle      Control request rate

Vulnerability Categories

  • Cross-site scripting (XSS)
  • SQL injection (SQLi)
  • Insecure authentication
  • Cross-site request forgery (CSRF)
  • Broken access control
  • External entity (XXE) injection
  • Insecure deserialization
  • Server-side template injection (SSTI)

View Results

  1. Scanner tab → Issues
  2. Click issue → details, request/response, remediation
  3. Filter by severity (High, Medium, Low, Info)
  4. Export report (HTML, XML)

Sequencer (Randomness Testing)

Analyze Session Tokens

  1. Copy session token from request
  2. Sequencer tab → “Live capture”
  3. Paste token in token location field
  4. Click “Start” to capture samples
  5. Analyze randomness (entropy analysis)

Interpretation

Entropy         Quality
7+ bits/byte    Good randomness
5-7 bits/byte   Moderate randomness
<5 bits/byte    Poor randomness (vulnerable)
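The bands above are easy to misread when the token is text-encoded, so here is an added example (not from the cheat sheet, and not Burp's own Sequencer algorithm, which runs a battery of statistical tests) that estimates per-byte Shannon entropy over captured tokens and maps it onto the three bands; the sample tokens are constructed, and the seeded generator stands in for real captures.

```python
import base64
import math
import random
from collections import Counter
from typing import Callable, Iterable, Optional


def bits_per_byte(samples: Iterable[bytes]) -> float:
    """Shannon entropy of the pooled byte distribution, in bits per byte (max 8)."""
    counts: Counter = Counter()
    total = 0
    for s in samples:
        counts.update(s)
        total += len(s)
    if total == 0:
        raise ValueError("no sample bytes")
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def classify(entropy: float) -> str:
    """Map an entropy estimate onto the cheat sheet's three bands."""
    if entropy >= 7:
        return "Good randomness"
    if entropy >= 5:
        return "Moderate randomness"
    return "Poor randomness (vulnerable)"


def token_entropy(tokens: Iterable[str],
                  decode: Optional[Callable[[str], bytes]] = None) -> float:
    """Entropy of captured tokens. Pass decode= to measure the raw bytes rather
    than the text encoding: base64 text can never exceed 6 bits/byte, hex never 4."""
    raw = [decode(t) if decode else t.encode() for t in tokens]
    return bits_per_byte(raw)


def demo() -> dict:
    """Constructed samples: 256 random 16-byte tokens vs. a hex-encoded counter."""
    rng = random.Random(1234)  # seeded only so the demo is repeatable
    random_tokens = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(256)]
    b64_tokens = [base64.b64encode(t).decode() for t in random_tokens]
    counter_tokens = [f"{i:016x}" for i in range(256)]
    return {
        "random bytes": classify(bits_per_byte(random_tokens)),
        "base64 text": classify(token_entropy(b64_tokens)),
        "base64 decoded": classify(token_entropy(b64_tokens, decode=base64.b64decode)),
        "hex counter": classify(token_entropy(counter_tokens)),
    }
```

The same random tokens score "Moderate" when measured as base64 text and "Good" once decoded, so decode before judging; a sequential counter scores "Poor" either way.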

Decoder (Encoding/Decoding)

Supported Encodings

  • Base64
  • HTML
  • URL
  • Unicode
  • Hex
  • ASCII
  • Binary
  • Gzip
  • Base32

Workflow

  1. Decoder tab → Paste encoded value
  2. Select decoder type
  3. View decoded output
  4. Switch encoders by clicking format buttons

Example: SQLi Detection

# Encoded payload
%27%20OR%20%271%27%3D%271

# After URL decode
' OR '1'='1

# Detect as SQL injection

Comparer (Diff Tool)

Compare Requests/Responses

  1. Select two requests
  2. Right-click → Send to Comparer (x2)
  3. Comparer tab → Compare
  4. View byte-by-byte or word-by-word diff

Use Cases

Scenario                   Purpose
Before/after WAF bypass    Identify filtering changes
Admin vs user responses    Find authorization issues
Cached vs fresh response   Detect information disclosure

Extender & BApps (Extensions)

Install Community Extensions (Pro)

  1. Extender tab → BApp Store
  2. Browse extensions (1000+ available)
  3. Click “Install”

Extension                 Purpose
Param Miner               Discover hidden parameters
Turbo Intruder            Faster multi-threaded attacks
ActiveScan++              Enhanced vulnerability scanning
Collaborator Everywhere   SSRF/OOB detection
HTTP Request Smuggler     HTTP desync attacks

Custom Scripting (Pro)

// Simple Burp extension example (legacy Extender API: the class must be
// named burp.BurpExtender and implement IBurpExtender)
package burp;

public class BurpExtender implements IBurpExtender {
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("My Custom Extension");
        // Register listeners here, e.g. callbacks.registerHttpListener(...)
    }
}

Scope Configuration

Set Target Scope

  1. Target tab → Scope → Add
  2. Enter domain: example.com
  3. Configure protocol, port
  4. Exclude patterns if needed

Proxy Intercept Filter

  1. Proxy → Options → Intercept Client Requests
  2. Add filter: Show only scope items
  3. Check “Restrict to scope”

Benefits

  • Reduces noise in logs
  • Focuses Scanner on target
  • Prevents accidental attacks on other sites

Match & Replace Rules

Add Rule

  1. Proxy → Options → Match and Replace
  2. Click “Add”
  3. Set match condition (regex supported)
  4. Set replacement value
  5. Check enabled

Examples

Match              Replace                       Purpose
User-Agent:.*      User-Agent: Mozilla/5.0       Standardize user agent
Authorization:.*   Authorization: Bearer TOKEN   Inject token
CSRF-Token:.*      CSRF-Token:                   Bypass CSRF check
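To show what these rules do to a request before it leaves the proxy, here is an added example (not from the cheat sheet, and a simplified model rather than Burp's code) that applies request-header rules line by line, including Burp's documented convention that a rule with an empty match adds its replacement as a new header; the rule values and sample request are constructed.

```python
import re
from typing import List, Tuple

# (match regex, replacement). An empty match adds the replacement as a new header,
# mirroring Burp's documented behaviour for request-header rules. Note that Burp
# writes back-references as $1 while Python's re.sub expects \1.
# Values are constructed for the example, not taken from a real target.
RULES: List[Tuple[str, str]] = [
    (r"User-Agent:.*", "User-Agent: Mozilla/5.0"),
    (r"Authorization:.*", "Authorization: Bearer TOKEN"),
    ("", "X-Test-Run: sweep-42"),
]

SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.0\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "\r\n"
)


def apply_header_rules(request: str, rules=RULES) -> str:
    """Apply each rule to every header line. The request line is left alone
    (Burp has a separate 'request first line' rule type) and so is the body."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for match, replacement in rules:
        if not match:
            lines.append(replacement)
            continue
        pattern = re.compile(match)
        lines[1:] = [pattern.sub(replacement, line) for line in lines[1:]]
    return "\r\n".join(lines) + sep + body


def headers(request: str) -> dict:
    """Parse the header block of a request into a name -> value dict (for checks)."""
    head = request.partition("\r\n\r\n")[0]
    out = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out[name.strip()] = value.strip()
    return out
```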

Macros (Pro)

Record Macro

  1. Repeater → “Record macro”
  2. Perform login steps manually
  3. Stop recording
  4. Burp extracts session token automatically

Use in Scanner/Intruder

  1. Proxy → Options → Session handling rules
  2. Scope → “Run macro before each request”
  3. Select recorded macro
  4. Intruder attacks use fresh session

Session Handling (Pro)

  1. Proxy → Options → Cookie jar
  2. Add domain cookies manually
  3. Check “Enabled” for auto-handling

Custom Session Rules

  1. Session handling rules → Add
  2. Set rule type (cookie, header, macro)
  3. Configure scope
  4. Enable automatic handling

Collaborator (Pro)

Out-of-Band (OOB) Testing

  1. Burp Collaborator menu → Generate payload
  2. Inject payload into parameter: https://collaborator.burpusercontent.com/...
  3. Poll → Check for interactions
  4. View DNS/HTTP requests from target

Use Cases

Vulnerability       Method
Blind SQLi          1' AND SLEEP(5)-- with timing
XXE                 External entity with Collaborator URL
SSRF                Collaborator URL in URL parameter
Command injection   Ping collaborator domain

Common Workflows

XSS Testing

<!-- Reflected XSS -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

<!-- Stored XSS -->
<!-- Submit via form, verify appears in other requests -->

<!-- DOM-based XSS -->
<!-- Check browser console for errors after payload -->

SQLi Testing

-- Union-based
' UNION SELECT NULL, NULL, NULL--

-- Boolean-based
' AND 1=1--
' AND 1=2--

-- Time-based
'; WAITFOR DELAY '00:00:05'--
'; SELECT SLEEP(5)--

CSRF Testing

  1. Repeater → Request → Remove Session/Auth headers
  2. Create HTML form with target action
  3. View rendered form in browser
  4. Check if action succeeds without auth

SSRF Testing

# Probe internal services
http://localhost:8080
http://127.0.0.1:3000
http://169.254.169.254/latest/meta-data/

# Via Intruder with port numbers
http://localhost:[PORT]

Command-Line Usage

Headless Scanning

# Community edition doesn't support headless mode
# Pro edition with credentials:

java -jar burpsuite_pro_v2024.x.jar \
  --project-file=/path/to/project.burp \
  --user-config-file=/path/to/config.json

Automated Scanning

# Via Jenkins/CI pipeline
burpsuite_pro_v2024.x --project-file=project.burp \
  --scan="https://example.com"

Project Management

Create Project

  1. Dashboard → Create new project
  2. Name: Target Name
  3. Save location (local .burp file)

Save/Load Project

  1. File → Save project
  2. File → Open project
  3. All proxy history, Scanner results preserved

Export Results

  1. Target → Site map → Export
  2. Scanner → Issues → Export
  3. Format: HTML, XML, JSON

Format   Use
HTML     Client reports, stakeholders
XML      Automated processing, CI/CD
JSON     API integration

Performance Tips

Reduce Memory Usage

# Limit proxy history
Proxy → Options → Set history size limit

# Disable Scanner auto-crawl
Scanner → Options → Don't crawl dynamic requests

# Use scope filtering
Target → Scope → Restrict to scope only

Faster Scanning

  1. Community: Single-threaded only
  2. Pro: Increase resource pool threads
  3. Focus on High/Medium severity only
  4. Use active scanning on known endpoints

Large Project Optimization

# Split into multiple projects by subdomain
# Use match/replace to inject tokens
# Save intermediate .burp files periodically

Keyboard Shortcuts Reference

Shortcut   Action
Ctrl+I     Toggle intercept
Ctrl+F     Forward request
Ctrl+D     Drop request
Ctrl+U     URL encode
Ctrl+T     Tab to next tool
Ctrl+R     Send to Repeater
Ctrl+S     Save project
Ctrl+K     Search in history

Community vs Pro Comparison

Feature             Community         Pro
Proxy
Repeater
Decoder
Scanner             Manual only       Automated
Intruder            Single-threaded   Multi-threaded
Sequencer
Comparer
Extender            Limited           Full
Collaborator
Macros
Session handling
Headless scanning

Resources

  • Official docs: portswigger.net/burp/documentation
  • Academy: portswigger.net/web-security (free labs)
  • Community: forum.portswigger.net
  • Extensions: portswigger.net/bapps