Burp Suite – Lisandre

Start Burp Suite.
Using Burp as proxy, go to http://burp/
Click on CA Certificate and download the file
In Firefox, click on Options -> Privacy & Security
Under Security -> Certificates, click on View Certificates
Click on Import and select Trust this CA to identify websites, email users and software developers

Add Burp’s root certificate to the Windows Trust Store

This can be needed when intercepting requests from desktop applications like Electron.

Start Burp Suite.
Download Burp’s certificate at http://burp
Double-click on the certificate file
Choose the computer (vs user only)
Add to trusted root CA

Add Burp’s root certificate to Mac OS’ keychain

This can be needed when intercepting requests from desktop applications like Electron.

Start Burp Suite.
Download Burp’s certificate at http://burp
Double-click on the certificate file
In the Keychain Access application, double-click on PortSwigger CA.
Click on Trust to expand the menu.
Select Always Trust for When using this certificate.

Troubleshooting

Error “Invalid CORS request” when using Burp as proxy

Disable extension Param Miner. See CORS failure (PortSwigger).

HTTP redirects to HTTP in Chromium

Open Chromium and click on Settings.
Click on Privacy and security->Security.
Search for HTTPS
Under Advanced, under Always use secure connections, disable Use HTTPS whenever possible and get warned before loading sites that don’t support it.

Settings

Click Settings on the top right corner to access the settings window.

Tools->Proxy

Also accessible via tab Proxy->Proxy settings.

Disable interception at startup

In the Settings window, click on Tools->Proxy.
Under Default Proxy interception state, select Disable interception.

Replace User-Agent in all requests:

Click on Tools->Proxy.
Under Match and replace rules, click Add.
- Type: Request header
- Match: ^User-Agent.*$
- Replace: User-Agent: whatever
- Comment: Test XSS in logging of User-Agent
- Regex match: (select)
- Click OK

Network->Connections

Test behind a proxy (e.g. corporate network)

Credentials are NOT encrypted when stored by Burp. On Windows, they can be found at C:\Users\<username>\AppData\Roaming\BurpSuite\bapps in the .json file.

Find proxy information from http://wpad/wpad.dat
In the Settings window, click on Network->Connections.
Under Upstream Proxy Servers, click Add.

Destination host: *
Proxy host: enter proxy server
Proxy port: enter 8080 (or other proxy port)

Test using NTLM credentials

In the Settings window, click on Network->Connections.
Under Platform authentication, select Do platform authentication.
Click Add.
Enter Destination host, type: NTLMv2, username and domain

Authentication using certificates

You MUST specify a password when creating the PKCS#12 file because Burp requires a password.

Generate PKCS#12 file (.pfx or .p12):

DOMAIN=example.com
openssl pkcs12 -export -out ${DOMAIN}.p12 -inkey ${DOMAIN}.key -in ${DOMAIN}.crt -name ${DOMAIN}

Import the certificate in Burp:

In the Settings window, click on Network->TLS.
Under Client TLS certificates, click Add.
Specify the host that requires the certificate
Select File (PKCS#12)
Choose the .p12 file and enter the password

Sessions

Perform specific actions when sending an HTTP request, like adding a Header, cookie, etc.

Add a HTTP header to all requests (example with X-Forwarded-For)

In the Settings window, click on Sessions.
Under Session handling rules, click on Add.
- In the Details tab:
  - Under Rule actions, click Add.
  - Select Set a specific header value.
    - Name: X-Forwarded-For
    - Value: 127.0.0.1
- In the Scope tab:
  - Under Tools scope, select all checkboxes.
  - Under URL scope, select Include all URLs.

Macros

A macro is a sequence of one or more requests. You can use macros within session handling rules to perform tasks such as logging in to the application, obtaining anti-CSRF tokens, etc.

Scanning or sending (Repeater) a request that is in the middle of a process and the process needs to be started from the beginning every time for the scanned/sent request to be processed – or the other way around scanning/repeating a request in the beginning/middle of a process and the process needs to be finished to see the results.
Scanning/Repeating a request that requires a CSRF token which needs to be fetched from somewhere for every request.
Session timeouts that do not allow manual testing or scans to finish.

See example from PortSwigger’s lab Practitioner – Broken brute-force protection, IP block.

After creating the macro, do not forget to create a session handling rule to call it.

Dashboard & Scanner

Web vulnerability scanner. Pro version only.

Using Burp Scanner during manual testing
Live crawl paths view (PortSwigger)

BChecks

BChecks (GitHub)
BCheck definitions (PortSwigger)
BCheck definition reference (PortSwigger)
Adding custom scan checks (PortSwigger)

BChecks are custom scan checks that you can create and import from plain text files (.bcheck). Burp Scanner runs these checks in addition to its built-in scanning routine. These files use a custom definition language to specify the behavior of the check.

Import BChecks from Lisandre.com on GitHub.

Create or import BChecks

Click on the Extensions->BChecks tab.
Click on New to create a new BCheck, or click on Import to import a file.

Run BChecks

Click on the Target->Site map tab.
Right-click on the target host, and click New scan.
Under Scan details, select Audit selected items.
Under Scan configuration:
- Click on New.
- Enter configuration name “BChecks only”.
- Under Issues Reported:
  - Select Select individual issues.
  - Click in the list, Ctrl-A, right-click and unselect Enable.
  - Click to select only BCheck generated issue.
  - Select Save to library (for reuse) and click Save.
- Click OK.

Scan a specific request

Right-click on a request from the Proxy tab (or other modules) and select Do active scan. Burp Scanner will use its default configuration to audit only this request.

Scan defined insertion points

Option 1 (preferred)

Install the Scan manual insertion point extension.
Highlight any sequence of characters within a request (typically a parameter value), right-click and select Extensions > Scan manual insertion point.

Option 2

Use this option when there is more than one parameter to test in a request.

Right-click on a request and Send to Intruder (Ctrl + I)
Click Clear $ and select the parameters that need scanning. Click Add $.
Right-click on the request within the Intruder, and select Scan defined insertion points.
Click OK.

Target

Visualize the target application’s contents in a folder structure hierarchy that corresponds to the site’s URL. Shows all the content that has been discovered until now, by manually browsing the site’s pages.

The scope can be used as a filter in the Proxy -> HTTP history tab.

Add a target to scope

The scope defines on which target(s) the spider and testing will occur and to not accidentally include more targets.

Via the site map

Browse the web application using Burp Suite
Click on Target -> Site map
Right-click on a target folder and choose Add to scope

Target Scope – Simple scope

Wildcards (*) expressions are not supported in URL prefixes for normal scope control. Regular expressions are NOT supported.

Click on Target -> Scope settings
Under Include in scope, click on Add
In Host or IP range, enter a hostname.
Click checkbox Include subdomains if you want the subdomains to be included in the scope.

Target Scope – Advanced scope

With advanced scope, regular expressions are supported.

Click on Target -> Scope settings
Click on Use advanced scope control
Under Include in scope, click on Add
In Host or IP range, enter a regular expression

All subdomains of test.com

.*\.test\.com$

(^|^[^:]+:\/\/|[^\.]+\.)test.*

Hostname is exactly something.else.com (no /something)

^something\.else\.com$

Hostname is exactly something.else.com + something.else.com/…

^something\.else\.com

ALL requests except some domains (like trackers):

Include in scope:
- Prefix: .*
Exclude from scope:
- Prefix: .*.mozilla.com
- Prefix: .*.mozilla.net
- Prefix: … load file burp-out-of-scope-advanced.txt (GitHub)
Select Drop all out-of-scope requests

Generate report

Never send this report as is to a client, always look for false positive before sending.

Click on Target -> Site map.
Right-click on a target folder -> Issues -> Report issues for this branch.

When Burp is:
  Certain: 90% of the time it is a real flaw
  Firm: 60% it's not a false positive
  Tentative: is probably false positive

Spider / Discover Content (hidden pages or directories)

Content discovery (PortSwigger)

Select the options carefully or it could take many hours with all options checked and even bring the site down.

Download the common.txt file (like Dirbuster) from SecLists.

For authenticated spider:

In the Settings window, click on Sessions.
Under Session handling rules, click on Add.
- In the Details tab:
  - Under Rule description, enter Spider (or any other name).
  - Under Rule actions, click Add.
  - Select Set a specific header value.
    - Name: Authorization
    - Value: Bearer <JWT value>
    - Select Add if not present.
  - Select Set a specific cookie or parameter value.
    - Name: <cookie name>
    - Value: <value>
    - Select Add if not present.
  - In the Scope tab:
    - Under Tools scope, select Target.
    - Under URL scope, select Include all URLs.

In the Target->Site map tab, right-click on a target folder and select Engagement tools->Discover content. Use these configurations under the Config tab:

Option	Directories (~ 5 min)	Short Scan	Advanced Scan
Target
Discover	Directories only	Files and directories	Files and directories
Recurse subdirectories	(unselect, too long)	16	16
Filenames
Built-in short file list		Yes
Built-in short directory list		Yes
Built-in long list			Yes
Built-in long directory list	Yes		Yes
Custom file list
Custom directory list
Names observed in use on target site		Yes	Yes
Derivations based on discovered items		Yes	Yes
File Extensions
Test these extensions			Yes
Test all extensions observed in use on target site, except for		Yes	Yes
Test these variant extensions on discovered files		Yes	Yes
Test file stems with no extension		Yes	Yes
Discovery Engine
Case sensitivity	Auto-detect	Auto-detect	Auto-detect
Add discovered content to suite site map	Yes	Yes	Yes
Copy content from suite site map	Yes	Yes	Yes
Spider from discovered content	Yes	Yes	Yes
Number of discovery threads	4	4	4
Number of spider threads	2	2	2

Proxy

Main engine of Burp, which allows it to intercept and modify all web traffic.

Proxy listeners

Click on Proxy -> Proxy settings
Under Proxy Listeners, click on 127.0.0.1:8080 (checkmark will appear under Running). Add other listeners as needed.

Firefox

To prevent Firefox from sending requests to detectportal.firefox.com, enter about:config in the Firefox address bar and disable network.captive-portal-service.

# In Firefox, use add-on FoxyProxy:
# https://addons.mozilla.org/en-CA/firefox/addon/foxyproxy-standard/
Click the fox beside URL (right)
Manual Proxy Configuration
Host: 127.0.0.1 Port: 8080
Give proxy name in General Tab
Right click on the fox to select proxy.

Chromium

To use the Chromium browser that comes with Burp Suite:

Click on Proxy -> Intercept
Click on Open browser

Intercept

Click on Proxy -> Proxy settings
- Intercept Client Requests: Select File extension + URL is in target scope
- Intercept Server Responses: Select URL is in target scope + was intercepted
- Response Modification: Select Unhide hidden form fields + Prominently highlight unhidden fields
Click on Proxy -> Intercept
Click on Intercept is off to start intercepting requests
Click on Forward (many times) if the website is waiting for a response

To modify specific responses, like a JavaScript file, use the Response interception rule “URL Matches myfilename.js”.

Custom columns

In the Proxy->HTTP history tab, click the “…”-> Add custom column on the right of the filter (search bar) to create a personalized column that displays the data you want to see.

See Bambdas

return requestResponse.response().headerValue("X-Cache");

var value = requestResponse.response().headerValue("X-Cache");
if (value != null) {  return value; } else { return ""; }

Add a filter on HTTP history

Basic filter

See Filtering the HTTP history (PortSwigger).

Click on Proxy -> HTTP history
Click on the search bar
Click on tab Settings mode (by default)
Select any needed filter, like Show only in-scope items

Bambdas

Filtering the HTTP history with Bambdas (PortSwigger)
Bambdas – the next big thing in customization (PortSwigger)

Montoya API available to write Bambdas: ProxyHttpRequestResponse and Utilities. Use Java operators: && (and), || (or), ! (not).

Click on Proxy -> HTTP history
Click on the search bar
Click on tab Bambda mode
Enter Java code to filter proxy entries.

Example:

var filterScope = true; var filterURL = true; var filterTime = true;
var filterStatus = true; var filterExtension = true; var filterNotes = true;
var filterSearchTerm = true; var filterEdited = true; var filterNoResponse = true;
var caseSensitive = false;

// Uncomment filters as needed
//filterSearchTerm = requestResponse.contains("admin", caseSensitive); // In request or response
//filterSearchTerm = requestResponse.hasResponse() && requestResponse.response().contains("admin", caseSensitive); // In response only
//filterScope = requestResponse.request().isInScope();
//filterURL = requestResponse.request().path().contains("admin");
//filterURL = !requestResponse.request().path().contains("path to exclude");
//filterTime = requestResponse.time().isAfter(ZonedDateTime.now().minusHours(1));
//filterStatus = requestResponse.hasResponse() && requestResponse.response().statusCode() == 200;
//filterExtension = !requestResponse.request().pathWithoutQuery().toLowerCase().matches(".*\\.(gif|jpg|png|css|otf|ttf|woff)$");
//filterNotes = requestResponse.annotations().hasNotes();
//filterEdited = requestResponse.edited();
//filterNoResponse = !requestResponse.hasResponse();

return filterScope && filterURL && filterTime && filterStatus && filterExtension && filterNotes && filterSearchTerm && filterEdited && filterNoResponse;

Example on WebSockets:

var filter = !message.contains("PING", false) && !message.contains("PONG", false);
return filter;

Intruder

Professional version for full functionality. Attacks in the Community Edition are time throttled.

Carry out automated, customized attacks against web applications. Web fuzzing (send unexpected input to target application). This process may help to identify web application security flaws.

Official Documentation (PortSwigger)

Scan a specific parameter using the Intruder

See Dashboard & Scanner section.

Fuzzing values in parameters

# Burp Intruder is a tool for automating customized attacks against web applications.
# It is extremely powerful and configurable, and can be used to perform a huge range 
# of tasks, from simple brute-force guessing of web directories through to active 
# exploitation of complex blind SQL injection vulnerabilities. 

Typical Use:
    Enumerating identifiers
    Harvesting useful data
    Fuzzing for vulnerabilities

# Manually crawl website
Intruder -> Positions: Choose Sniper attack, add variable to last part of URL
Intruder -> Payloads: Simple list, Add from list: Directories - long
Click Start Attack
In the result window, order by length to find differences
Choose 2 requests with different lengths, right-click on raw request -> Send to comparer

### Attack types ###

- Sniper: use for 1 payload, e.g. fuzzing directory names, product numbers, etc. Most used.
- Battering ram: use single payload in many positions, e.g. insert email address in form field and query string
- Cluster bomb: use multiple UNRELATED payloads for each position (max 20), e.g. username & password
- Pitchfork: use multiple RELATED payloads for each position (max 20), e.g. username & ID in other field

When sessions or tokens are hidden fields in a form

In the Positions tab, set variables on the sessions or tokens. Use attack type “Pitchfork” to set unique payload lists for each position.
In the Options tab, under Grep – Extract, click Add. Scroll down to the hidden field containing the sessions or tokens. Do these steps as many times as needed.
In the Payloads tab, select Recursive grep then select the grep extract.

Using simple lists

You need to replace the placeholders in predefined lists! There is NO standard in placeholder names (e.g. {domain} vs <yourdomain>).

Select Simple list as the Payload type
Click on Add from list and select Fuzzing – full
Under Payload processing, click Add:
- Choose Replace placeholder with base value, leave {base} as the placeholder to replace (default)
- Choose Replace placeholder with collaborator payload, leave \{domain\} as the placeholder to replace (default)
- Choose Match/replace, match regex \{FILE\}, replace with ../../../../../../../../../../etc/passwd
- Choose Match/replace, match regex <youremail>, replace with your own email address.

Repeater

Manually modify and reissue web requests.

To search within Repeater tab names, use Ctrl + Shift + S (action “Search Tabs”)

1. Testing the logic flaws of a page
2. Checking for false positive issues after generating a report
3. Changing the parameter values (e.g. testing input-based vulnerabilities)

Right-click on the raw request -> Request in browser -> In current browser session
(will copy the URL in memory, just paste in browser)
  original session: session cookie in the request will be used
  current browser session: burp lets the browser attach the cookie

Collaborator

The Collaborator module acts as a web server. It can inspect requests (HTTP, DNS) and can be useful to test out-of-band vulnerabilities.

Unless you have configured Burp to use a private Collaborator server, Burp Scanner and the Burp Collaborator client will use oastify.com for their Collaborator payloads instead of burpcollaborator.net (former domain).

Click on the Collaborator tab.
Click on Copy to clipboard to obtain the URL of the Collaborator server.
To test, paste the URL in a web browser, then click Poll now.

Error in Dashboard

The Burp Collaborator server used by Burp Collaborator client is not reachable, change the settings to use this feature.

The Burp Collaborator client was unable to connect to the Burp Collaborator server that it uses to perform OAST checks. As a result, these checks were skipped for t his scan.

Click on Settings
Click on Project->Collaborator
Select Poll over unencrypted HTTP

Using nip.io

Find the Burp Collaborator IP address:

nslookup <BURP COLLABORATOR ID>.oastify.com

Use nip.io to resolve the IP address found. This can bypass some validations on the domain. Send the collaborator ID in the user Agent or this will not work.

curl -A <BURP COLLABORATOR ID> http://<BURP COLLABORATOR IP ADDRESS>.nip.io/

curl -A 2ilfvksuforj6d1asys5z2wujlpcd31s http://54.77.139.23.nip.io/

Sequencer

Analyzes the quality of randomness in an application’s session tokens or other important data items that are intended to be unpredictable.

Decoder

Allows for encoding and decoding data.

Comparer

Utility to perform visual diff between any two items of data, such as similar web responses.

Logger

Logger is a tool for recording network activity. Logger records all HTTP traffic that Burp Suite generates, for investigation and analysis, but is particularly useful for:

Investigating what happened if Burp Suite is producing unexpected results.
Looking at the details of what Burp Suite is sending when your work involves session handling.
Making sure that long-term ongoing tasks (such as background scans) are still running.
Analysis of any issues that need visibility into what Burp Suite is doing.

Organizer

Burp Organizer (PortSwigger)

Extensions

Professional version only

“BApp Store” allows you to load Burp extensions, which extend Burp’s functionalities through using third-party apps.

Configure Jython – library for Java and Python

Download the Jython standalone JAR file.
In Burp Suite, click on Extender->Options.
Under Python Environment, select the location of the Jython standalone JAR file.

Add extensions

Under BApp Store, add the following:

AWS Security Checks
Hackvertor
SAML Raider
WordPress Scanner
Collaborator Everywhere

Add extension manually

Download the .bapp file from BApp Store (PortSwigger).
In the Extensions->BApp Store tab, click on Manual install… at the bottom of the screen.
Choose the downloaded file.

HackVertor

Hackvertor will break Burp syntax parsing: syntax highlighting, automatic detection of injection points, automatic URL-encoding.

Chaining tags

<@base64><@gzip_compress>Hello!<@/gzip_compress><@/base64>

Generate fake data

Useful to generate unique values in APIs. You can generate fake data using Hackvertor (from com.github.javafaker).

Right-click -> Extensions -> Hackvertor -> Fake -> fake_address

For example, send a request to Burp Collaborator with the following User-Agent:

User-Agent: <@fake_hacker("Does the $adjective $noun $verb?","en-GB")/>

User-Agent: Does the back-end alarm calculate?

Use variables

Option 1 – Click on menu Hackvertor -> Global variables. Enter a variable name and value.

Option 2 – Click on tab Hackvertor -> Variables. Parameter value “true” means that the variable is global.

<@set_email(true)>myemail@example.com<@/set_email>
<@set_name(true)>John<@/set_name>

User-Agent: <@get_email/>

Generate a signed JWT (requires the secret key)

<@jwt('HS256','secretkey')>{"email":"<@get_email/>","uid":12345}<@/jwt>

Sign the body of a request

[...]
X-Token: <@set_token(false)>foobar123456<@/set_token>
X-Sig: <@hmac_sha1('<@get_token/>')><@get_body/><@/hmac_sha1>
[...]

<@set_body(false)>name=joe&surname=john&role=admin<@/set_body>

Fix common errors

Pop-up windows not showing buttons (Burp 2020.1)

Install Java 9 or later. Download Java.
Or use JDK for launching the JAR.
Or this can happen when not enough RAM.

Environment variable

In Control Panel/System/Advanced System Settings, add new system variable JRE_HOME:

C:\Progra~1\Java\jre-9.0.4

Check Java version

java -version

A website with error in certificate can’t connect to proxy

In the Settings window, click on Network->Connections.
Under Upstream Proxy Servers, click Add.
- Destination host: myserver
- Proxy host: (leave empty)
- Proxy port: (leave empty)

Connection is not secure / Install Burp’s certificate

Install Burp’s certificate. See top of this page.

Received fatal alert: no_application_protocol

Click on Project Options
Click the HTTP tab
Under the HTTP/2 section, unselect Enable HTTP/2

Out of memory

Start Burp with:

java -XX:MaxPermSize=1G -jar [burp_file_name.jar]

Usage

THIS SECTION REQUIRES SOME CLEANUP 😉

Starting Burp Suite Pro using the jar file.

java -jar -Xmx2G /[path]/burp.jar

#Java path
#C:\Program Files (x86)\Java\jdk1.8.0_201\src.zip\com\sun\security\auth\module

==========================
# Analyze target (identify all dynamic URLs and parameters)
==========================

Target -> Site map
Right-click on target folder -> Engagement tools -> Analyze target

==========================
# List comments, scripts, and references
==========================

Target -> Site map
Right-click on target folder -> Engagement tools -> Find comments
Right-click on target folder -> Engagement tools -> Find scripts
Right-click on target folder -> Engagement tools -> Find references

==========================
# Passive Scan (identify some vulnerabilities)
# Analyzes the HTTP messages for evidence of certain types of vulnerabilities
# Does not send any additional requests to the server
==========================

Target -> Site map
Right-click on target folder -> Passively scan this branch

==========================
# Actively Scan (web app vulnerability scan)
# Automates the fuzzing to find web application vulnerabilities
==========================

Target -> Site map
Right-click on target folder -> Actively scan this branch

Select options:
Remove duplicate items (same URL and parameters)
Remove items with media responses
Remove items with the following extensions: gif,jpg,png,css

==========================
# Run scanner for web specific vulnerabilities
# PROFESSIONAL VERSION ONLY
==========================
By default, passive scanning on all domains
Confidence in results can be "Certain", "Firm" or "Tentative"
Results can be exported

In Browser:
  Select the Burp proxy configuration
  Go to your_ip/mutillidae
In Burp Suite:
  Click on Proxy Tab, the Intercept tab
  Click on Intercept is on (to switch off)
  Click on Scanner tab, then Live Scanning tab
  Select Use suite scope [defined in Target tab]
  Click on Target tab, then Site map tab
  Expand your target
  Right-click on target, click Spider this branch
  Click on Spider tab, then Control tab to monitor progress
  Click on Target tab, then Site map
  Right-click on target, then Actively scan this branch
  Click Next, review the list, then OK
  Click Scanner, then Scan Queue to monitor the progress
  Click Scanner tab, then Results
  Right-click on root node, the Report selected issues to export results 

==========================
# SQL Injection
==========================
In Browser:
  Select the Burp proxy configuration
  Go to your_ip/mutillidae
  Click OWASP Top 10 -> A1 - Injection -> SQLi - Extract Data -> User Info
This page is vulnerable to SQL injection
Enter name & password and click View Account Details

In Burp Suite:
  Click on Proxy tab, Intercept tab
  (should see the request)
  Right-click on the request, Copy to File
  (enter file name)
  Click on Intercept is on
  Close Burp

==========================
# Session Tokens
==========================
# Session tokens are generally used for tracking sessions since by default HTTP is 
# a stateless protocol. make sure session tokens are properly randomized and cannot be guessed.

To generate new session token:

In Browser:
  Clear browser history including cookies.
  Select the Burp proxy configuration
  Go to your_ip/mutillidae
In Burp Suite:
  Click on Proxy tab, then Intercept
  (session token is not present)
  Click on Forward
  (PHPSESSID=your session token)
  Click on Forward
  (screen should be white when job done)
  Click on HTTP history tab
  Click on first host entry (top)
  Click on Response tab, then Raw
  Right-click within Raw section, and Send to Sequencer
  Click on Sequencer tab
  Select the session token
  Click Start live capture
  Click Analyze now
  Play with the options...
  


==========================
# AWS
==========================
In BApp Store, install AWS Security Checks

==========================
# Bypass WAF
==========================
https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c

In BApp Store, install "Bypass WAF" extension.

==========================
# WSDL files
==========================
# Request WSDL file from developer. It contains information on how to call the service.

Open SOAP-UI
Click on SOAP
Select the WSDL file
In SOAP-UI Preferences, set Proxy to manual 127.0.0.1 port 8080

In Burp, set intercept on

Play query in SOAP-UI