Burp Suite

Complete suite for web application attacks: web crawler, web vulnerability scanner, web attacks.

Setup

Install Burp’s certificate

To use Burp proxy more effectively with HTTPS websites, install Burp’s certificate. See Installing Burp’s CA certificate (PortSwigger).

Download Burp’s root certificate

  • Start Burp Suite.
  • Using Burp as proxy, go to http://burp/
  • Click on CA Certificate and download the file

Firefox

  • In Firefox, click on Options -> Privacy & Security
  • Under Security -> Certificates, click on View Certificates
  • Click on Import and select Trust this CA to identify websites, email users and software developers

Windows Trust Store

This can be needed when intercepting requests from desktop applications like Electron.

  • Double-click on the certificate file
  • Choose the computer (vs user only)
  • Add to trusted root CA

macOS Keychain

This can be needed when intercepting requests from desktop applications like Electron.

  • Double-click on the certificate file
  • In the Keychain Access application, double-click on PortSwigger CA.
  • Click on Trust to expand the menu.
  • Select Always Trust for When using this certificate.

Target Scope

Add a target to scope

The scope defines which target(s) the spider and the tests will run against, so that other hosts are not included by accident.

Via the site map

  • Browse the web application using Burp Suite
  • Click on Target -> Site map
  • Right-click on a target folder and choose Add to scope

Target Scope – Simple scope

Wildcard (*) expressions are not supported in URL prefixes for normal scope control, and regular expressions are NOT supported either.

  • Click on Target -> Scope settings
  • Under Include in scope, click on Add
  • In Host or IP range, enter a hostname.
  • Click checkbox Include subdomains if you want the subdomains to be included in the scope.

Target Scope – Advanced scope

With advanced scope, regular expressions are supported.

  • Click on Target -> Scope settings
  • Click on Use advanced scope control
  • Under Include in scope, click on Add
  • In Host or IP range, enter a regular expression

All subdomains of test.com

.*\.test\.com$
(^|^[^:]+:\/\/|[^\.]+\.)test.*

Hostname is exactly something.else.com (no /something)

^something\.else\.com$

Hostname is exactly something.else.com + something.else.com/…

^something\.else\.com

ALL requests except some domains (like trackers):

  • Include in scope:
    • Prefix: .*
  • Exclude from scope:
  • Select Drop all out-of-scope requests
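Added example (not from this page and not PortSwigger code): a Python check that runs the advanced-scope regular expressions above against a constructed list of hosts, to show what each pattern actually admits before a scan is started against it. It assumes Burp applies the regex to the request host and accepts a match anywhere in the string (Java find() semantics), which is why the page distinguishes the $-anchored form from the unanchored one.

```python
import re
from typing import Dict, List

# Assumption: Burp's advanced scope applies the regex to the request host and
# accepts a match anywhere in the string (Java find() semantics). That is why
# the $-anchored and unanchored forms from the page behave differently.
SCOPE_RULES: Dict[str, str] = {
    "subdomains of test.com (form 1)": r".*\.test\.com$",
    "subdomains of test.com (form 2)": r"(^|^[^:]+:\/\/|[^\.]+\.)test.*",
    "exactly something.else.com": r"^something\.else\.com$",
    "something.else.com, end unanchored": r"^something\.else\.com",
}

# Constructed sample hosts: genuinely in-scope names plus look-alikes that a
# loose pattern would admit (none of these are real targets).
SAMPLE_HOSTS: List[str] = [
    "api.test.com",
    "test.com",
    "evil-test.com",
    "test.com.attacker.example",
    "testing.example",
    "something.else.com",
    "something.else.com.attacker.example",
    "nothing.else.com",
]


def in_scope(host: str, pattern: str) -> bool:
    """True if the pattern matches anywhere in the host (find semantics)."""
    return re.search(pattern, host) is not None


def evaluate(hosts: List[str], rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each rule name to the hosts it admits, in input order."""
    return {name: [h for h in hosts if in_scope(h, pat)] for name, pat in rules.items()}


def over_admitted(hosts: List[str], strict_pattern: str, loose_pattern: str) -> List[str]:
    """Hosts the loose pattern admits that the strict one does not.

    This is the list to review before scanning: anything here would receive
    scanner traffic without being an intended target.
    """
    return [h for h in hosts if in_scope(h, loose_pattern) and not in_scope(h, strict_pattern)]


if __name__ == "__main__":
    for name, admitted in evaluate(SAMPLE_HOSTS, SCOPE_RULES).items():
        print(f"{name}: {admitted}")
    print("leak from dropping $:", over_admitted(SAMPLE_HOSTS, r"^something\.else\.com$", r"^something\.else\.com"))
```

Note that form 1 does not admit the bare apex test.com, while form 2 admits it but also admits any host that merely starts with "test" (testing.example, test.com.attacker.example); the anchored $ form is the safer default when the scope must not leak onto third-party hosts.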

Disable interception at startup

  • In the Settings window, click on Tools->Proxy.
  • Under Default Proxy interception state, select Disable interception.

Replace User-Agent in all requests

  • Click on Tools->Proxy.
  • Under Match and replace rules, click Add.
    • Type: Request header
    • Match: ^User-Agent.*$
    • Replace: User-Agent: whatever
    • Comment: Test XSS in logging of User-Agent
    • Regex match: (select)
    • Click OK

Test behind a proxy (e.g. corporate network)

Credentials are NOT encrypted when stored by Burp. On Windows, they can be found at C:\Users\<username>\AppData\Roaming\BurpSuite\bapps in the .json file.

  • Find proxy information from http://wpad/wpad.dat
  • In the Settings window, click on Network->Connections.
  • Under Upstream Proxy Servers, click Add.
    • Destination host: *
    • Proxy host: enter proxy server
    • Proxy port: enter 8080 (or other proxy port)

Test using NTLM credentials

  • In the Settings window, click on Network->Connections.
  • Under Platform authentication, select Do platform authentication.
  • Click Add.
  • Enter Destination host, type: NTLMv2, username and domain

Authentication using certificates

You MUST specify a password when creating the PKCS#12 file because Burp requires a password.

Generate PKCS#12 file (.pfx or .p12):

DOMAIN=example.com
openssl pkcs12 -export -out ${DOMAIN}.p12 -inkey ${DOMAIN}.key -in ${DOMAIN}.crt -name ${DOMAIN}

Import the certificate in Burp:

  • In the Settings window, click on Network->TLS.
  • Under Client TLS certificates, click Add.
  • Specify the host that requires the certificate
  • Select File (PKCS#12)
  • Choose the .p12 file and enter the password

Crawl / Discover Content

Find hidden pages or directories.

Select the options carefully or it could take many hours with all options checked and even bring the site down.

Download the common.txt file (like Dirbuster) from SecLists.

For authenticated spider:

  • In the Settings window, click on Sessions.
  • Under Session handling rules, click on Add.
    • In the Details tab:
      • Under Rule description, enter Spider (or any other name).
      • Under Rule actions, click Add.
      • Select Set a specific header value.
        • Name: Authorization
        • Value: Bearer <JWT value>
        • Select Add if not present.
      • Select Set a specific cookie or parameter value.
        • Name: <cookie name>
        • Value: <value>
        • Select Add if not present.
      • In the Scope tab:
        • Under Tools scope, select Target.
        • Under URL scope, select Include all URLs.

In the Target->Site map tab, right-click on a target folder and select Engagement tools->Discover content. Use these configurations under the Config tab:

Option                                                          | Directories (~ 5 min) | Short Scan            | Advanced Scan
----------------------------------------------------------------+-----------------------+-----------------------+----------------------
Target                                                          |                       |                       |
  Discover                                                      | Directories only      | Files and directories | Files and directories
  Recurse subdirectories                                        | (unselect, too long)  | 16                    | 16
Filenames                                                       |                       |                       |
  Built-in short file list                                      |                       | Yes                   |
  Built-in short directory list                                 | Yes                   |                       |
  Built-in long list                                            |                       |                       | Yes
  Built-in long directory list                                  |                       | Yes                   | Yes
  Custom file list                                              |                       |                       |
  Custom directory list                                         |                       |                       |
  Names observed in use on target site                          |                       | Yes                   | Yes
  Derivations based on discovered items                         |                       | Yes                   | Yes
File Extensions                                                 |                       |                       |
  Test these extensions                                         |                       |                       | Yes
  Test all extensions observed in use on target site, except for|                       | Yes                   | Yes
  Test these variant extensions on discovered files             |                       | Yes                   | Yes
  Test file stems with no extension                             |                       | Yes                   | Yes
Discovery Engine                                                |                       |                       |
  Case sensitivity                                              | Auto-detect           | Auto-detect           | Auto-detect
  Add discovered content to suite site map                      | Yes                   | Yes                   | Yes
  Copy content from suite site map                              | Yes                   | Yes                   | Yes
  Spider from discovered content                                | Yes                   | Yes                   | Yes
  Number of discovery threads                                   | 4                     | 4                     | 4
  Number of spider threads                                      | 2                     | 2                     | 2

Scanner & BChecks

Web vulnerability scanner. Pro version only.

Dastardly uses the same security scanner as Burp Suite.

Passive scan

Passive scan can identify some vulnerabilities. It analyzes the HTTP messages for evidence of certain types of vulnerabilities but does NOT send any additional requests to the server.

  • Click on Target -> Site map
  • Right-click on the target and click Passively scan this host

Active scan

Actively scans a target by sending crafted requests to the web application to find vulnerabilities.

For authenticated scan and more, see Web Application Enumeration

Other option:

  • Click on Target -> Site map
  • Right-click on the target and click Actively scan this host

BChecks

BChecks are custom scan checks that you can create and import from plain text files (.bcheck). Burp Scanner runs these checks in addition to its built-in scanning routine. These files use a custom definition language to specify the behavior of the check.

Import BChecks from Lisandre.com on GitHub.

Create or import BChecks

  • Click on the Extensions->BChecks tab.
  • Click on New to create a new BCheck, or click on Import to import a file.

Run BChecks

  • Click on the Target->Site map tab.
  • Right-click on the target host, and click New scan.
  • Under Scan details, select Audit selected items.
  • Under Scan configuration:
    • Click on New.
    • Enter configuration name “BChecks only”.
    • Under Issues Reported:
      • Select Select individual issues.
      • Click in the list, Ctrl-A, right-click and unselect Enable.
      • Click to select only BCheck generated issue.
      • Select Save to library (for reuse) and click Save.
    • Click OK.

Scan a specific request

Right-click on a request from the Proxy tab (or other modules) and select Do active scan. Burp Scanner will use its default configuration to audit only this request.

Scan defined insertion points

Option 1 (preferred)

  • Install the Scan manual insertion point extension.
  • Highlight any sequence of characters within a request (typically a parameter value), right-click and select Extensions > Scan manual insertion point.

Option 2

Use this option when there is more than one parameter to test in a request.

  • Right-click on a request and Send to Intruder (Ctrl + I)
  • Click Clear $ and select the parameters that need scanning. Click Add $.
  • Right-click on the request within the Intruder, and select Scan defined insertion points.
  • Click OK.

Bambdas

Bambda Filters

Import Bambdas from Lisandre.com on GitHub.

Montoya API available to write Bambdas: ProxyHttpRequestResponse and Utilities. Use Java operators: && (and), || (or), ! (not).

  • Click on Proxy -> HTTP history
  • Click on the search bar
  • Click on tab Bambda mode
  • Enter Java code to filter proxy entries.

Bambda Custom Actions

Module: Repeater only

Install the Extensibility Helper extension, click on Extensibility Helper tab, Bambda Store and search “custom action”.

Bambdas execute arbitrary code on your machine. Always read the code before executing code from external sources.

The custom actions are saved in the project. All Repeater tabs share the same custom actions. There is an Autorun on send button (only one custom action can be selected).

  • In the Repeater module, click on the Custom actions tab.
  • Click on Add samples.

Examples:

Import Bambda custom actions from Lisandre.com on GitHub.

// Translate the response body to English using Burp AI (Montoya API)
var sysMsg = Message.systemMessage("Some message"); // system prompt, e.g. the translation instruction
var usrMsg = Message.userMessage(requestResponse.response().bodyToString());
var result = ai.prompt().execute(sysMsg, usrMsg).content();
logging.logToOutput(result);

Sessions

Perform specific actions when sending an HTTP request, like adding a Header, cookie, etc.

Add a HTTP header to all requests

Example with “X-Forwarded-For”:

  • In the Settings window, click on Sessions.
  • Under Session handling rules, click on Add.
    • In the Details tab:
      • Under Rule actions, click Add.
      • Select Set a specific header value.
        • Name: X-Forwarded-For
        • Value: 127.0.0.1
    • In the Scope tab:
      • Under Tools scope, select all checkboxes.
      • Under URL scope, select Include all URLs.

Macros

A macro is a sequence of one or more requests. You can use macros within session handling rules to perform tasks such as logging in to the application, obtaining anti-CSRF tokens, etc. Typical use cases:

  • Scanning or sending (Repeater) a request that sits in the middle of a multi-step process, where the process must be restarted from the beginning every time for the scanned/sent request to be processed; or, the other way around, a request at the beginning/middle of a process where the remaining steps must be completed to see the results.
  • Scanning/Repeating a request that requires a CSRF token which needs to be fetched from somewhere for every request.
  • Session timeouts that do not allow manual testing or scans to finish.

See example from PortSwigger’s lab Practitioner – Broken brute-force protection, IP block.

After creating the macro, do not forget to create a session handling rule to call it.

Proxy

Main engine of Burp, which allows it to intercept and modify all web traffic.

  • Click on Proxy -> Proxy settings
  • Under Proxy Listeners, click on 127.0.0.1:8080 (checkmark will appear under Running). Add other listeners as needed.

Intercept

Firefox

To prevent Firefox from sending requests to detectportal.firefox.com, enter about:config in the Firefox address bar and disable network.captive-portal-service.

In Firefox, use the FoxyProxy add-on: https://addons.mozilla.org/en-CA/firefox/addon/foxyproxy-standard/

  • Click the fox icon beside the URL bar (right side)
  • Manual Proxy Configuration: Host: 127.0.0.1, Port: 8080
  • Give the proxy a name in the General tab
  • Right-click on the fox to select the proxy.

Chromium

To use the Chromium browser that comes with Burp Suite:

  • Click on Proxy -> Intercept
  • Click on Open browser

Intercept

  • Click on Proxy -> Proxy settings
    • Intercept Client Requests: Select File extension + URL is in target scope
    • Intercept Server Responses: Select URL is in target scope + was intercepted
    • Response Modification: Select Unhide hidden form fields + Prominently highlight unhidden fields
  • Click on Proxy -> Intercept
  • Click on Intercept is off to start intercepting requests
  • Click on Forward (many times) if the website is waiting for a response

To modify specific responses, like a JavaScript file, use the Response interception rule “URL Matches myfilename.js”.

Match and replace

To edit a specific line in a JavaScript file:

  • Click on Proxy -> Match and replace
  • Under HTTP match and replace rules, click Add.
    • Type: Response body
    • Match: whatever = false;
    • Replace: whatever = true;
    • Comment: Edit JavaScript line
    • Do NOT select the Regex match checkbox.

Custom columns

In the Proxy->HTTP history tab, click the “…”-> Add custom column on the right of the filter (search bar) to create a personalized column that displays the data you want to see.

See Bambdas for the API. Simplest form (returns null when the header is absent):

return requestResponse.response().headerValue("X-Cache");

Same column, returning an empty string when the header is absent:

var value = requestResponse.response().headerValue("X-Cache");
if (value != null) { return value; } else { return ""; }

Intruder

Professional version for full functionality. Attacks in the Community Edition are time throttled.

Carry out automated, customized attacks against web applications. Web fuzzing (send unexpected input to target application). This process may help to identify web application security flaws.

Scan a specific parameter using the Intruder

See the Scanner section.

Fuzzing values in parameters

# Burp Intruder is a tool for automating customized attacks against web applications.
# It is extremely powerful and configurable, and can be used to perform a huge range 
# of tasks, from simple brute-force guessing of web directories through to active 
# exploitation of complex blind SQL injection vulnerabilities. 

Typical Use:
    Enumerating identifiers
    Harvesting useful data
    Fuzzing for vulnerabilities

# Manually crawl website
Intruder -> Positions: Choose Sniper attack, add variable to last part of URL
Intruder -> Payloads: Simple list, Add from list: Directories - long
Click Start Attack
In the result window, order by length to find differences
Choose 2 requests with different lengths, right-click on raw request -> Send to comparer

### Attack types ###

- Sniper: use for 1 payload, e.g. fuzzing directory names, product numbers, etc. Most used.
- Battering ram: use single payload in many positions, e.g. insert email address in form field and query string
- Cluster bomb: use multiple UNRELATED payloads for each position (max 20), e.g. username & password
- Pitchfork: use multiple RELATED payloads for each position (max 20), e.g. username & ID in other field
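To make the four attack types concrete, here is an added Python example (not from this page and not PortSwigger code) that expands a request template carrying Burp-style § position markers the way each attack type does, and counts the requests each would send. Knowing that count up front matters both for scoping a test and for anyone tuning rate limits or detection thresholds. The template and payload lists are constructed sample data.

```python
import itertools
import re
from typing import Callable, Iterator, List, Sequence

# Burp marks payload positions with section signs: §base value§
POSITION = re.compile("§([^§]*)§")


def base_values(template: str) -> List[str]:
    """Return the base value of every marked position, left to right."""
    return POSITION.findall(template)


def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position, in order, dropping the markers."""
    it = iter(values)
    return POSITION.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One list, one position at a time; the other positions keep their base value."""
    base = base_values(template)
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            yield render(template, values)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One list, the same payload placed into every position at once."""
    n = len(base_values(template))
    for p in payloads:
        yield render(template, [p] * n)


def pitchfork(template: str, lists: Sequence[Sequence[str]]) -> Iterator[str]:
    """One list per position, stepped in parallel (related payloads, e.g. user and its ID)."""
    for combo in zip(*lists):
        yield render(template, combo)


def cluster_bomb(template: str, lists: Sequence[Sequence[str]]) -> Iterator[str]:
    """One list per position, every combination (unrelated payloads)."""
    for combo in itertools.product(*lists):
        yield render(template, combo)


def request_count(attack: Callable, template: str, payloads) -> int:
    """Number of requests the attack type would send for these inputs."""
    return sum(1 for _ in attack(template, payloads))


# Constructed sample: a form body with two marked positions and small lists.
TEMPLATE = "username=§alice§&password=§letmein§"
WORDS = ["a", "b", "c"]
USERS = ["u1", "u2"]
IDS = ["101", "102"]

if __name__ == "__main__":
    print("sniper        ", request_count(sniper, TEMPLATE, WORDS))            # 2 positions x 3 payloads
    print("battering ram ", request_count(battering_ram, TEMPLATE, WORDS))     # 3
    print("pitchfork     ", request_count(pitchfork, TEMPLATE, [USERS, IDS]))  # 2
    print("cluster bomb  ", request_count(cluster_bomb, TEMPLATE, [USERS, IDS]))  # 2 x 2
    for req in sniper(TEMPLATE, WORDS):
        print(req)
```

The counts scale differently: sniper and battering ram grow linearly with the list, pitchfork is bounded by the shortest list, and cluster bomb is the product of all list sizes, which is what makes it the slowest and the noisiest in server logs.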

When sessions or tokens are hidden fields in a form

  • In the Positions tab, set variables on the sessions or tokens. Use attack type “Pitchfork” to set unique payload lists for each position.
  • In the Options tab, under Grep – Extract, click Add. Scroll down to the hidden field containing the sessions or tokens. Do these steps as many times as needed.
  • In the Payloads tab, select Recursive grep then select the grep extract.

Using simple lists

You need to replace the placeholders in predefined lists! There is NO standard in placeholder names (e.g. {domain} vs <yourdomain>).

  • Select Simple list as the Payload type
  • Click on Add from list and select Fuzzing – full
  • Under Payload processing, click Add:
    • Choose Replace placeholder with base value, leave {base} as the placeholder to replace (default)
    • Choose Replace placeholder with collaborator payload, leave \{domain\} as the placeholder to replace (default)
    • Choose Match/replace, match regex \{FILE\}, replace with ../../../../../../../../../../etc/passwd
    • Choose Match/replace, match regex <youremail>, replace with your own email address.

Collaborator

The Collaborator module acts as a web server. It can inspect requests (HTTP, DNS) and can be useful to test out-of-band vulnerabilities.

Unless you have configured Burp to use a private Collaborator server, Burp Scanner and the Burp Collaborator client will use oastify.com for their Collaborator payloads instead of burpcollaborator.net (former domain).

  • Click on the Collaborator tab.
  • Click on Copy to clipboard to obtain the URL of the Collaborator server.
  • To test, paste the URL in a web browser, then click Poll now.

Error in Dashboard

The Burp Collaborator server used by Burp Collaborator client is not reachable, change the settings to use this feature.

The Burp Collaborator client was unable to connect to the Burp Collaborator server that it uses to perform OAST checks. As a result, these checks were skipped for this scan.

  • Click on Settings
  • Click on Project->Collaborator
  • Select Poll over unencrypted HTTP

Using nip.io

Find the Burp Collaborator IP address:

nslookup <BURP COLLABORATOR ID>.oastify.com

Use nip.io to resolve the IP address found. This can bypass some validations on the domain. Send the Collaborator ID in the User-Agent header or this will not work.

curl -A <BURP COLLABORATOR ID> http://<BURP COLLABORATOR IP ADDRESS>.nip.io/
curl -A 2ilfvksuforj6d1asys5z2wujlpcd31s http://54.77.139.23.nip.io/

Generate a report

Never send this report as is to a client; always look for false positives before sending.

  • Click on Target -> Site map.
  • Right-click on a target folder -> Issues -> Report issues for this branch.
When Burp rates an issue as:
  • Certain: 90% of the time it is a real flaw
  • Firm: 60% it's not a false positive
  • Tentative: it is probably a false positive

Extensions

“BApp Store” allows you to load Burp extensions, which extend Burp’s functionalities through using third-party apps.

Configure Jython – library for Java and Python

  • Download the Jython standalone JAR file.
  • In Burp Suite, click on Extender->Options.
  • Under Python Environment, select the location of the Jython standalone JAR file.

Add extensions

Under BApp Store, add the following:

  • AWS Security Checks
  • Hackvertor
  • SAML Raider
  • WordPress Scanner
  • Collaborator Everywhere

Add extension manually

  • Download the .bapp file from BApp Store (PortSwigger).
  • In the Extensions->BApp Store tab, click on Manual install… at the bottom of the screen.
  • Choose the downloaded file.

Hackvertor

Hackvertor will break Burp syntax parsing: syntax highlighting, automatic detection of injection points, automatic URL-encoding.

Chaining tags

<@base64><@gzip_compress>Hello!<@/gzip_compress><@/base64>

Generate fake data

Useful to generate unique values in APIs. You can generate fake data using Hackvertor (from com.github.javafaker).

Right-click -> Extensions -> Hackvertor -> Fake -> fake_address

For example, send a request to Burp Collaborator with the following User-Agent:

User-Agent: <@fake_hacker("Does the $adjective $noun $verb?","en-GB")/>
User-Agent: Does the back-end alarm calculate?

Use variables

Option 1 – Click on menu Hackvertor -> Global variables. Enter a variable name and value.

Option 2 – Click on tab Hackvertor -> Variables. Parameter value “true” means that the variable is global.

<@set_email(true)>myemail@example.com<@/set_email>
<@set_name(true)>John<@/set_name>
User-Agent: <@get_email/>

Generate a signed JWT (requires the secret key)

<@jwt('HS256','secretkey')>{"email":"<@get_email/>","uid":12345}<@/jwt>

Sign the body of a request

[...]
X-Token: <@set_token(false)>foobar123456<@/set_token>
X-Sig: <@hmac_sha1('<@get_token/>')><@get_body/><@/hmac_sha1>
[...]

<@set_body(false)>name=joe&surname=john&role=admin<@/set_body>
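Added Python example (not from this page and not Hackvertor code) that reproduces what the two tags above compute, so a tester can check a token or a body signature offline and a reviewer can see what the server side must recompute: the <@jwt('HS256','secretkey')> tag as an HS256 compact JWT, and the hmac_sha1 body signature keyed with the X-Token value. Assumptions: the JWT header is {"alg":"HS256","typ":"JWT"} in compact JSON and the HMAC is rendered as lowercase hex; Hackvertor's exact serialization may differ, so compare decoded parts rather than whole strings. The secret, token and body are the page's sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(payload: dict, secret: str) -> str:
    """Compact JWT signed with HMAC-SHA256 (assumed header: alg HS256, typ JWT)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode()}.{b64url(sig)}"


def jwt_hs256_verify(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature is valid for this secret, else None.

    The alg field is deliberately not read from the header: the verifier fixes
    the algorithm, which is what closes the classic alg-confusion weaknesses.
    """
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(b64url_decode(body))


def hmac_sha1_hex(key: str, message: str) -> str:
    """HMAC-SHA1 as lowercase hex (assumed to match Hackvertor's hmac_sha1 output)."""
    return hmac.new(key.encode(), message.encode(), hashlib.sha1).hexdigest()


def sign_request(body: str, token: str) -> Dict[str, str]:
    """Build the X-Token / X-Sig pair the Hackvertor snippet produces for a body."""
    return {"X-Token": token, "X-Sig": hmac_sha1_hex(token, body), "body": body}


def verify_request(signed: Dict[str, str]) -> bool:
    """Server-side check: recompute the signature and compare in constant time."""
    return hmac.compare_digest(hmac_sha1_hex(signed["X-Token"], signed["body"]), signed["X-Sig"])


if __name__ == "__main__":
    token = jwt_hs256({"email": "myemail@example.com", "uid": 12345}, "secretkey")
    print(token)
    print(jwt_hs256_verify(token, "secretkey"))
    signed = sign_request("name=joe&surname=john&role=admin", "foobar123456")
    print(signed["X-Sig"], verify_request(signed))
```

Because the X-Token value travels in the same request as X-Sig, this scheme only proves the sender could compute an HMAC over the body, not who the sender is; a server that treats it as authentication is trusting a key the client chose.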

Troubleshooting

Error “Invalid CORS request” when using Burp as proxy

Disable extension Param Miner. See CORS failure (PortSwigger).

HTTP redirects to HTTPS in Chromium

  • Open Chromium and click on Settings.
  • Click on Privacy and security->Security.
  • Search for HTTPS
  • Under Advanced, under Always use secure connections, disable Use HTTPS whenever possible and get warned before loading sites that don’t support it.

Pop-up windows not showing buttons (Burp 2020.1)

  • Install Java 9 or later. Download Java.
  • Or use the JDK to launch the JAR.
  • Or this can happen when there is not enough RAM.

Environment variable: in Control Panel/System/Advanced System Settings, add new system variable “JRE_HOME”.

C:\Progra~1\Java\jre-9.0.4

Check Java version

java -version

A website with error in certificate can’t connect to proxy

  • In the Settings window, click on Network->Connections.
  • Under Upstream Proxy Servers, click Add.
    • Destination host: myserver
    • Proxy host: (leave empty)
    • Proxy port: (leave empty)

Connection is not secure / Install Burp’s certificate

Install Burp’s certificate. See top of this page.

Received fatal alert: no_application_protocol

  • Click on Project Options
  • Click the HTTP tab
  • Under the HTTP/2 section, unselect Enable HTTP/2

Out of memory

Start Burp with a larger heap (the old -XX:MaxPermSize flag is ignored on Java 8 and later and does not change the heap size):

java -Xmx1G -jar [burp_file_name.jar]
