Complete suite for web application testing: intercepting proxy, crawler, vulnerability scanner and attack tools (Intruder, Repeater, Collaborator, etc.).
OSCP: the Burp Community Edition is explicitly allowed during the exam according to the OSCP Exam Guide; the Professional version is not. DO NOT USE THE PRO VERSION!
Dastardly (PortSwigger's free CI/CD scanner) uses the same scan engine as Burp Suite.
- Burp Releases
- Launching Burp Suite from the command line
- Using Burp to Test for the OWASP Top Ten
- Tips and tricks for Burp Suite Pro (NorthSec 2023)
- Burpsuite (CSbyGB)
Quick links: Custom columns, Bambdas
Install Burp’s certificate
To intercept HTTPS traffic without certificate warnings (or TLS failures in non-browser clients), install Burp's CA certificate in the browser or the OS trust store. Remove it again when the engagement is over: anyone holding the private key of a trusted CA can intercept that machine's TLS traffic.
- Installing Burp’s CA certificate (PortSwigger)
Add Burp’s root certificate in Firefox
- Start Burp Suite.
- With the browser proxied through Burp, go to http://burp/
- Click on CA Certificate and download the file (cacert.der)
- In Firefox, click on Options -> Privacy & Security
- Under Security -> Certificates, click on View Certificates, then the Authorities tab
- Click on Import, select the downloaded file and tick Trust this CA to identify websites (the e-mail and software-developer trust options are not needed for proxying)
Add Burp’s root certificate to the Windows Trust Store
This can be needed when intercepting requests from desktop applications like Electron.
- Start Burp Suite.
- Download Burp's certificate at http://burp
- Double-click on the certificate file and click Install Certificate
- Choose Local Machine (requires admin; Current User is enough for most applications and exposes fewer accounts)
- Select Place all certificates in the following store and choose Trusted Root Certification Authorities
Add Burp’s root certificate to Mac OS’ keychain
This can be needed when intercepting requests from desktop applications like Electron.
- Start Burp Suite.
- Download Burp’s certificate at http://burp
- Double-click on the certificate file
- In the Keychain Access application, double-click on PortSwigger CA.
- Click on Trust to expand the menu.
- Select Always Trust for When using this certificate.
Troubleshooting
Error “Invalid CORS request” when using Burp as proxy
Disable extension Param Miner. See CORS failure (PortSwigger).
HTTP is upgraded to HTTPS in Chromium (HTTPS-Only / HTTPS-First mode)
- Open Chromium and click on Settings.
- Click on Privacy and security->Security.
- Search for HTTPS
- Under Advanced, under Always use secure connections, disable Use HTTPS whenever possible and get warned before loading sites that don’t support it.
Settings
Click Settings on the top right corner to access the settings window.
Tools->Proxy
Also accessible via tab Proxy->Proxy settings.
Disable interception at startup
- In the Settings window, click on Tools->Proxy.
- Under Default Proxy interception state, select Disable interception.
Replace User-Agent in all requests:
- Click on Tools->Proxy.
- Under Match and replace rules, click Add.
- Type: Request header
- Match: ^User-Agent.*$
- Replace: User-Agent: whatever
- Comment: Test XSS in logging of User-Agent
- Regex match: tick the checkbox
- Click OK
Network->Connections
Test behind a proxy (e.g. corporate network)
Upstream proxy credentials are NOT encrypted when Burp stores them. On Windows, they can be found in clear text in the .json file under C:\Users\<username>\AppData\Roaming\BurpSuite\bapps. Use a dedicated test account rather than your own domain credentials.
- Find proxy information from http://wpad/wpad.dat
- In the Settings window, click on Network->Connections.
- Under Upstream Proxy Servers, click Add.
Destination host: *
Proxy host: enter proxy server
Proxy port: enter 8080 (or other proxy port)
Test using NTLM credentials
- In the Settings window, click on Network->Connections.
- Under Platform authentication, select Do platform authentication.
- Click Add.
- Enter Destination host, type: NTLMv2, username and domain
Authentication using certificates
You MUST specify a password when creating the PKCS#12 file because Burp requires a password.
Generate PKCS#12 file (.pfx or .p12):
DOMAIN=example.com
openssl pkcs12 -export -out ${DOMAIN}.p12 -inkey ${DOMAIN}.key -in ${DOMAIN}.crt -name ${DOMAIN}
Import the certificate in Burp:
- In the Settings window, click on Network->TLS.
- Under Client TLS certificates, click Add.
- Specify the host that requires the certificate
- Select File (PKCS#12)
- Choose the .p12 file and enter the password
Sessions
Session handling rules perform specific actions on outgoing HTTP requests, such as adding a header or a cookie, running a macro to log in, or refreshing an anti-CSRF token.
Add a HTTP header to all requests (example with X-Forwarded-For)
- In the Settings window, click on Sessions.
- Under Session handling rules, click on Add.
- In the Details tab:
- Under Rule actions, click Add.
- Select Set a specific header value.
- Name: X-Forwarded-For
- Value: 127.0.0.1
- In the Scope tab:
- Under Tools scope, select all checkboxes.
- Under URL scope, select Include all URLs.
Macros
A macro is a sequence of one or more requests. You can use macros within session handling rules to perform tasks such as logging in to the application, obtaining anti-CSRF tokens, etc. Typical cases:
- Scanning or repeating a request that sits in the middle of a multi-step process, where the process must be restarted from the beginning for each scanned/repeated request to be accepted.
- The reverse: scanning or repeating a request at the beginning or middle of a process, where the remaining steps must be completed to observe the result.
- Scanning or repeating a request that requires a CSRF token which must be fetched from another page for every request.
- Session timeouts that do not allow manual testing or scans to finish.
See the example from PortSwigger's lab Practitioner – Broken brute-force protection, IP block.
After creating the macro, do not forget to create a session handling rule that invokes it; a macro on its own does nothing.
Dashboard & Scanner
Web vulnerability scanner. Pro version only.
BChecks
- BChecks (GitHub)
- BCheck definitions (PortSwigger)
- BCheck definition reference (PortSwigger)
- Adding custom scan checks (PortSwigger)
BChecks are custom scan checks that you can create and import from plain text files (.bcheck). Burp Scanner runs these checks in addition to its built-in scanning routine. These files use a custom definition language to specify the behavior of the check.
Import BChecks from Lisandre.com on GitHub.
Create or import BChecks
- Click on the Extensions->BChecks tab.
- Click on New to create a new BCheck, or click on Import to import a file.
Run BChecks
- Click on the Target->Site map tab.
- Right-click on the target host, and click New scan.
- Under Scan details, select Audit selected items.
- Under Scan configuration:
- Click on New.
- Enter configuration name “BChecks only”.
- Under Issues Reported:
- Select Select individual issues.
- Click in the list, press Ctrl-A, right-click and unselect Enable (this disables every built-in check).
- Then tick only BCheck generated issue.
- Select Save to library (for reuse) and click Save.
- Click OK.
Scan a specific request
Right-click on a request from the Proxy tab (or other modules) and select Do active scan. Burp Scanner will use its default configuration to audit only this request.
Scan defined insertion points
Option 1 (preferred)
- Install the Scan manual insertion point extension.
- Highlight any sequence of characters within a request (typically a parameter value), right-click and select Extensions > Scan manual insertion point.
Option 2
Use this option when there is more than one parameter to test in a request.
- Right-click on a request and Send to Intruder (Ctrl + I)
- Click Clear § and select each parameter value that needs scanning, then click Add § to mark it as an insertion point.
- Right-click on the request within the Intruder, and select Scan defined insertion points.
- Click OK.
Target
Visualizes the target application's contents in a folder hierarchy that mirrors the site's URL structure. It shows everything discovered so far, whether by manually browsing the site or by crawling/content discovery.
The scope can be used as a filter in the Proxy -> HTTP history tab.
Add a target to scope
The scope defines which target(s) the crawler, scanner and Intruder will touch, so that other hosts (third-party scripts, trackers, production systems) are not tested by accident.
Via the site map
- Browse the web application using Burp Suite
- Click on Target -> Site map
- Right-click on a target folder and choose Add to scope
Target Scope – Simple scope
With normal (simple) scope control, wildcard (*) expressions are not supported in URL prefixes, and regular expressions are NOT supported either.
- Click on Target -> Scope settings
- Under Include in scope, click on Add
- In Host or IP range, enter a hostname.
- Click checkbox Include subdomains if you want the subdomains to be included in the scope.
Target Scope – Advanced scope
With advanced scope, regular expressions are supported.
- Click on Target -> Scope settings
- Click on Use advanced scope control
- Under Include in scope, click on Add
- In Host or IP range, enter a regular expression
All subdomains of test.com (the apex test.com itself does NOT match this; add a second rule for it):
.*\.test\.com$
Older variant that also matches the apex and full URLs with a scheme; because it ends in test.*, it also matches unrelated hosts such as test.org or testing.net, so prefer the anchored form above:
(^|^[^:]+:\/\/|[^\.]+\.)test.*
Hostname is exactly something.else.com (any path on that host is in scope; the regex is applied to the host only):
^something\.else\.com$
Hostname begins with something.else.com (no end anchor, so something.else.com.attacker.net also matches):
^something\.else\.com
ALL requests except some domains (like trackers):
- Include in scope:
- Prefix: .*
- Exclude from scope:
- Prefix: .*.mozilla.com
- Prefix: .*.mozilla.net
- Prefix: … load file burp-out-of-scope-advanced.txt (GitHub)
- Select Drop all out-of-scope requests
Note that an unescaped dot matches any character, so .*.mozilla.com also excludes hosts like xmozillaxcom.example; .*\.mozilla\.com$ is the strict form.
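The rules above are easy to get subtly wrong, so here is an added example (not Burp code) that models how advanced scope evaluates a URL: the Host regex is tested against the hostname only, and a URL is in scope when some include rule matches and no exclude rule does. It assumes Burp applies the regex with unanchored search semantics (an assumption; it is what makes an unanchored pattern behave as a prefix match). The regexes are the ones listed above; the hostnames are constructed for the demonstration.

```python
"""Model of Burp's advanced scope control (added example, not Burp code).

Assumption: Burp applies each Host regex with search semantics, so a pattern
without ^ and $ matches anywhere in the hostname.
"""
import re
from typing import Iterable
from urllib.parse import urlsplit


def in_scope(url: str, include: Iterable[str], exclude: Iterable[str] = ()) -> bool:
    """True if the URL's host matches an include rule and no exclude rule."""
    host = urlsplit(url).hostname or ""
    included = any(re.search(pattern, host) for pattern in include)
    excluded = any(re.search(pattern, host) for pattern in exclude)
    return included and not excluded


# Rules from the page
SUBDOMAINS_ONLY = r".*\.test\.com$"          # subdomains, but NOT the apex test.com
EXACT_HOST = r"^something\.else\.com$"        # anchored at both ends
PREFIX_HOST = r"^something\.else\.com"        # missing $: prefix match
LOOSE_EXCLUDE = [r".*.mozilla.com", r".*.mozilla.net"]          # unescaped dots
STRICT_EXCLUDE = [r".*\.mozilla\.com$", r".*\.mozilla\.net$"]   # escaped and anchored


if __name__ == "__main__":
    checks = [
        ("https://api.test.com/v1", [SUBDOMAINS_ONLY], ()),
        ("https://test.com/", [SUBDOMAINS_ONLY], ()),                       # apex: out
        ("https://something.else.com.attacker.net/", [EXACT_HOST], ()),     # out
        ("https://something.else.com.attacker.net/", [PREFIX_HOST], ()),    # in: danger
        ("https://updates.mozilla.com/", [".*"], STRICT_EXCLUDE),           # out
        ("https://xmozillaxcom.example/", [".*"], LOOSE_EXCLUDE),           # out by accident
    ]
    for url, inc, exc in checks:
        print(f"{in_scope(url, inc, exc)!s:5}  {url}")
```

Run it against the hostnames you actually expect in and out of scope before ticking Drop all out-of-scope requests; a prefix match that lets an attacker-controlled suffix domain into scope means the scanner will happily attack it.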
Generate report
Never send this report as is to a client: review every issue and weed out false positives first.
- Click on Target -> Site map.
- Right-click on a target folder -> Issues -> Report issues for this branch.
Rule of thumb for Burp's confidence levels:
Certain: a real flaw about 90% of the time
Firm: about 60% of the time it is not a false positive
Tentative: probably a false positive, verify manually
Spider / Discover Content (hidden pages or directories)
- Content discovery (PortSwigger)
Select the options carefully: with everything checked, discovery can take many hours and the request volume can bring a fragile site down.
For a custom list, download common.txt (the DirBuster-style list) from SecLists.
For authenticated spider:
- In the Settings window, click on Sessions.
- Under Session handling rules, click on Add.
- In the Details tab:
- Under Rule description, enter Spider (or any other name).
- Under Rule actions, click Add.
- Select Set a specific header value.
- Name: Authorization
- Value: Bearer <JWT value>
- Select Add if not present.
- Select Set a specific cookie or parameter value.
- Name: <cookie name>
- Value: <value>
- Select Add if not present.
- In the Scope tab:
- Under Tools scope, select Target.
- Under URL scope, select Include all URLs.
In the Target->Site map tab, right-click on a target folder and select Engagement tools->Discover content. Use these configurations under the Config tab:
Option | Directories (~ 5 min) | Short Scan | Advanced Scan |
---|---|---|---|
Target | |||
Discover | Directories only | Files and directories | Files and directories |
Recurse subdirectories | (unselect, too long) | 16 | 16 |
Filenames | |||
Built-in short file list | Yes | ||
Built-in short directory list | Yes | ||
Built-in long list | Yes | ||
Built-in long directory list | Yes | Yes | |
Custom file list | |||
Custom directory list | |||
Names observed in use on target site | Yes | Yes | |
Derivations based on discovered items | Yes | Yes | |
File Extensions | |||
Test these extensions | Yes | ||
Test all extensions observed in use on target site, except for | Yes | Yes | |
Test these variant extensions on discovered files | Yes | Yes | |
Test file stems with no extension | Yes | Yes | |
Discovery Engine | |||
Case sensitivity | Auto-detect | Auto-detect | Auto-detect |
Add discovered content to suite site map | Yes | Yes | Yes |
Copy content from suite site map | Yes | Yes | Yes |
Spider from discovered content | Yes | Yes | Yes |
Number of discovery threads | 4 | 4 | 4 |
Number of spider threads | 2 | 2 | 2 |
Proxy
Burp's core component. All browser traffic is routed through it, so every request and response can be viewed, intercepted and modified.
Proxy listeners
- Click on Proxy -> Proxy settings
- Under Proxy Listeners, click on 127.0.0.1:8080 (checkmark will appear under Running). Add other listeners as needed.
Firefox
To prevent Firefox from sending requests to detectportal.firefox.com, enter about:config in the Firefox address bar and set network.captive-portal-service.enabled to false.
In Firefox, use the add-on FoxyProxy:
https://addons.mozilla.org/en-CA/firefox/addon/foxyproxy-standard/
- Click the fox icon beside the URL bar (right)
- Add a proxy with Manual Proxy Configuration: Host 127.0.0.1, Port 8080
- Give the proxy a name in the General tab
- Right-click on the fox icon to switch between proxies
Chromium
To use the Chromium browser that comes with Burp Suite:
- Click on Proxy -> Intercept
- Click on Open browser
Intercept
- Click on Proxy -> Proxy settings
- Intercept Client Requests: Select File extension + URL is in target scope
- Intercept Server Responses: Select URL is in target scope + was intercepted
- Response Modification: Select Unhide hidden form fields + Prominently highlight unhidden fields
- Click on Proxy -> Intercept
- Click on Intercept is off to start intercepting requests
- Click on Forward (repeatedly) to release each held request; the browser hangs until you do
To modify specific responses, like a JavaScript file, add a response interception rule such as URL Matches myfilename.js.
Custom columns
In the Proxy->HTTP history tab, click the "…" -> Add custom column on the right of the filter (search bar) to create a personalized column that displays the data you want to see. The column body is a Bambda (Java); see Bambdas.
Show the X-Cache response header (fails for entries without a response):
return requestResponse.response().headerValue("X-Cache");
Same, but returning an empty string when the header is absent:
var value = requestResponse.response().headerValue("X-Cache");
if (value != null) { return value; } else { return ""; }
Add a filter on HTTP history
Basic filter
See Filtering the HTTP history (PortSwigger).
- Click on Proxy -> HTTP history
- Click on the search bar
- Click on tab Settings mode (by default)
- Select any needed filter, like Show only in-scope items
Bambdas
- Filtering the HTTP history with Bambdas (PortSwigger)
- Bambdas – the next big thing in customization (PortSwigger)
Bambdas are written against the Montoya API: the entry object is a ProxyHttpRequestResponse, and the Utilities class is available. Combine conditions with the Java operators && (and), || (or) and ! (not).
- Click on Proxy -> HTTP history
- Click on the search bar
- Click on tab Bambda mode
- Enter Java code to filter proxy entries.
Example:
var filterScope = true; var filterURL = true; var filterTime = true;
var filterStatus = true; var filterExtension = true; var filterNotes = true;
var filterSearchTerm = true; var filterEdited = true; var filterNoResponse = true;
var caseSensitive = false;
// Uncomment filters as needed
//filterSearchTerm = requestResponse.contains("admin", caseSensitive); // In request or response
//filterSearchTerm = requestResponse.hasResponse() && requestResponse.response().contains("admin", caseSensitive); // In response only
//filterScope = requestResponse.request().isInScope();
//filterURL = requestResponse.request().path().contains("admin");
//filterURL = !requestResponse.request().path().contains("path to exclude");
//filterTime = requestResponse.time().isAfter(ZonedDateTime.now().minusHours(1));
//filterStatus = requestResponse.hasResponse() && requestResponse.response().statusCode() == 200;
//filterExtension = !requestResponse.request().pathWithoutQuery().toLowerCase().matches(".*\\.(gif|jpg|png|css|otf|ttf|woff)$");
//filterNotes = requestResponse.annotations().hasNotes();
//filterEdited = requestResponse.edited();
//filterNoResponse = !requestResponse.hasResponse();
return filterScope && filterURL && filterTime && filterStatus && filterExtension && filterNotes && filterSearchTerm && filterEdited && filterNoResponse;
Example on WebSockets:
var filter = !message.contains("PING", false) && !message.contains("PONG", false);
return filter;
Intruder
Professional version for full functionality: attacks in the Community Edition are time throttled.
Carries out automated, customized attacks against web applications, i.e. web fuzzing (sending unexpected input to the target). This helps identify web application security flaws.
- Official Documentation (PortSwigger)
Scan a specific parameter using the Intruder
See Dashboard & Scanner section.
Fuzzing values in parameters
# Burp Intruder automates customized attacks against web applications. It is highly
# configurable and covers anything from simple brute-force guessing of web directories
# to active exploitation of complex blind SQL injection.
Typical use:
- Enumerating identifiers
- Harvesting useful data
- Fuzzing for vulnerabilities
Example, directory brute force:
- Manually crawl the website first
- Intruder -> Positions: choose the Sniper attack type and mark the last segment of the URL path with § as the payload position
- Intruder -> Payloads: Simple list, Add from list: Directories - long
- Click Start Attack
- In the results window, sort by Length to spot responses that differ
- Pick 2 requests with different lengths, right-click on the raw request -> Send to Comparer
### Attack types ###
- Sniper: use for 1 payload, e.g. fuzzing directory names, product numbers, etc. Most used.
- Battering ram: use single payload in many positions, e.g. insert email address in form field and query string
- Cluster bomb: every combination of multiple UNRELATED payload sets, one per position (up to 20 sets), e.g. username & password lists
- Pitchfork: multiple RELATED payload sets walked in parallel, one per position (up to 20 sets), e.g. username & its matching ID in another field
When sessions or tokens are hidden fields in a form
- In the Positions tab, set variables on the sessions or tokens. Use attack type “Pitchfork” to set unique payload lists for each position.
- In the Options tab, under Grep – Extract, click Add. Scroll down to the hidden field containing the sessions or tokens. Do these steps as many times as needed.
- In the Payloads tab, select Recursive grep then select the grep extract.
Using simple lists
You need to replace the placeholders in the predefined lists! There is NO standard for placeholder names (e.g. {domain} vs <yourdomain>), so check each list.
- Select Simple list as the Payload type
- Click on Add from list and select Fuzzing – full
- Under Payload processing, click Add:
- Choose Replace placeholder with base value, leave {base} as the placeholder to replace (default)
- Choose Replace placeholder with collaborator payload, leave \{domain\} as the placeholder to replace (default)
- Choose Match/replace, match regex \{FILE\}, replace with ../../../../../../../../../../etc/passwd
- Choose Match/replace, match regex <youremail>, replace with your own email address.
Repeater
Manually modify and reissue web requests.
To search within Repeater tab names, use Ctrl + Shift + S (action "Search Tabs").
1. Testing the logic flaws of a page
2. Checking for false positive issues after generating a report
3. Changing the parameter values (e.g. testing input-based vulnerabilities)
Right-click on the raw request -> Request in browser -> In current browser session
(this copies a URL to the clipboard; paste it in the browser)
- In original session: the session cookie present in the request is used
- In current browser session: Burp lets the browser attach its own cookies
Collaborator
The Collaborator is an external server controlled by Burp. It records incoming DNS, HTTP(S) and SMTP interactions for unique payload hostnames, which is how out-of-band (OAST) vulnerabilities such as blind SSRF, blind XXE or blind command injection are detected.
Unless you have configured Burp to use a private Collaborator server, Burp Scanner and the Burp Collaborator client use oastify.com for their Collaborator payloads instead of burpcollaborator.net (the former domain).
- Click on the Collaborator tab.
- Click on Copy to clipboard to obtain the URL of the Collaborator server.
- To test, paste the URL in a web browser, then click Poll now.
Error in Dashboard
The Burp Collaborator server used by Burp Collaborator client is not reachable, change the settings to use this feature.
The Burp Collaborator client was unable to connect to the Burp Collaborator server that it uses to perform OAST checks. As a result, these checks were skipped for this scan.
- Click on Settings
- Click on Project->Collaborator
- Select Poll over unencrypted HTTP
Using nip.io
Find the IP address of the Collaborator server:
nslookup <BURP COLLABORATOR ID>.oastify.com
Then point a nip.io hostname at that IP. This can bypass filters that check the domain but not where it resolves. Because the Host header no longer contains your Collaborator ID, put the ID somewhere else in the request (e.g. the User-Agent) or the interaction cannot be matched to your payload.
curl -A <BURP COLLABORATOR ID> http://<BURP COLLABORATOR IP ADDRESS>.nip.io/
curl -A 2ilfvksuforj6d1asys5z2wujlpcd31s http://54.77.139.23.nip.io/
Sequencer
Analyzes the quality of randomness in an application’s session tokens or other important data items that are intended to be unpredictable.
Decoder
Allows for encoding and decoding data.
Comparer
Utility to perform visual diff between any two items of data, such as similar web responses.
Logger
Logger is a tool for recording network activity. Logger records all HTTP traffic that Burp Suite generates, for investigation and analysis, but is particularly useful for:
- Investigating what happened if Burp Suite is producing unexpected results.
- Looking at the details of what Burp Suite is sending when your work involves session handling.
- Making sure that long-term ongoing tasks (such as background scans) are still running.
- Analysis of any issues that need visibility into what Burp Suite is doing.
Organizer
- Burp Organizer (PortSwigger)
Extensions
Most extensions also work in the Community Edition; some BApps require Professional (flagged as such in the BApp Store).
The "BApp Store" lets you load Burp extensions, which extend Burp's functionality with third-party code. Review what an extension does before installing it: it runs with Burp's privileges and sees all your traffic.
Configure Jython (a Python implementation on the JVM, required by Python-based extensions)
- Download the Jython standalone JAR file.
- In Burp Suite, click on Settings->Extensions (Extender->Options in older versions).
- Under Python environment, select the location of the Jython standalone JAR file.
Add extensions
Under BApp Store, add the following:
- AWS Security Checks
- Hackvertor
- SAML Raider
- WordPress Scanner
- Collaborator Everywhere
Add extension manually
- Download the .bapp file from BApp Store (PortSwigger).
- In the Extensions->BApp Store tab, click on Manual install… at the bottom of the screen.
- Choose the downloaded file.
HackVertor
Hackvertor tags inside a request break Burp's own parsing of it: syntax highlighting, automatic detection of insertion points and automatic URL-encoding no longer work on the tagged parts.
Chaining tags
<@base64><@gzip_compress>Hello!<@/gzip_compress><@/base64>
Generate fake data
Useful to generate unique values in APIs. You can generate fake data using Hackvertor (from com.github.javafaker).
Right-click -> Extensions -> Hackvertor -> Fake -> fake_address
For example, send a request to Burp Collaborator with the following User-Agent:
User-Agent: <@fake_hacker("Does the $adjective $noun $verb?","en-GB")/>
User-Agent: Does the back-end alarm calculate?
Use variables
Option 1 – Click on menu Hackvertor -> Global variables. Enter a variable name and value.
Option 2 – Click on tab Hackvertor -> Variables. Parameter value “true” means that the variable is global.
<@set_email(true)>myemail@example.com<@/set_email>
<@set_name(true)>John<@/set_name>
User-Agent: <@get_email/>
Generate a signed JWT (requires the secret key)
<@jwt('HS256','secretkey')>{"email":"<@get_email/>","uid":12345}<@/jwt>
Sign the body of a request
[...]
X-Token: <@set_token(false)>foobar123456<@/set_token>
X-Sig: <@hmac_sha1('<@get_token/>')><@get_body/><@/hmac_sha1>
[...]
<@set_body(false)>name=joe&surname=john&role=admin<@/set_body>
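To check what the two signing tags above should produce, and to see how a server would verify them, here is an added example in Python (not Hackvertor or PortSwigger code). It reproduces <@jwt('HS256', secret)> as a standard HS256 JWS and <@hmac_sha1(key)> over the body. Assumptions: the JWT header is {"alg":"HS256","typ":"JWT"} and the HMAC tag emits a lowercase hex digest; compare with Hackvertor's actual output before relying on either. The e-mail, secret, token and body values are the ones used in the tags above.

```python
"""Offline model of Hackvertor's jwt and hmac_sha1 tags (added example).

Assumptions: JWT header {"alg":"HS256","typ":"JWT"}; hmac_sha1 output is hex.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_jwt(payload: dict, secret: str) -> str:
    """Equivalent of <@jwt('HS256', secret)>payload<@/jwt>."""
    header = {"alg": "HS256", "typ": "JWT"}          # assumed header
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Server side: return the claims if the signature is valid, else None.

    Only alg=HS256 is accepted, so a token rewritten with alg=none (or with a
    public key as the HMAC secret) is rejected before any crypto happens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def hmac_sha1_hex(key: str, body: str) -> str:
    """Equivalent of <@hmac_sha1('key')>body<@/hmac_sha1>: the X-Sig value."""
    return hmac.new(key.encode(), body.encode(), hashlib.sha1).hexdigest()


if __name__ == "__main__":
    email = "myemail@example.com"                       # the <@get_email/> variable
    token = hs256_jwt({"email": email, "uid": 12345}, "secretkey")
    print("JWT:", token)
    print("claims:", verify_hs256(token, "secretkey"))
    body = "name=joe&surname=john&role=admin"            # the <@set_body/> value
    print("X-Token: foobar123456")
    print("X-Sig:", hmac_sha1_hex("foobar123456", body))
```

If the server rejects the Hackvertor-generated JWT but accepts this one (or vice versa), diff the header segment: strict verifiers can be sensitive to header field order or to a missing typ.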
Fix common errors
Pop-up windows not showing buttons (Burp 2020.1)
- Install Java 9 or later. Download Java.
- Or use JDK for launching the JAR.
- Or this can happen when not enough RAM.
Environment variable
In Control Panel/System/Advanced System Settings, add new system variable JRE_HOME:
C:\Progra~1\Java\jre-9.0.4
Check Java version
java -version
A website with a certificate error cannot be reached through the proxy
- In the Settings window, click on Network->Connections.
- Under Upstream Proxy Servers, click Add.
- Destination host: myserver
- Proxy host: (leave empty)
- Proxy port: (leave empty)
Connection is not secure / Install Burp’s certificate
Install Burp’s certificate. See top of this page.
Received fatal alert: no_application_protocol
- Click on Settings -> Network -> HTTP (Project Options -> HTTP in older versions)
- Under the HTTP/2 section, unselect Enable HTTP/2
Out of memory
Start Burp with a larger maximum heap (-XX:MaxPermSize only applied to Java 7 and earlier and is rejected by current JVMs):
java -Xmx2G -jar [burp_file_name.jar]
Usage
THIS SECTION REQUIRES SOME CLEANUP 😉
Starting Burp Suite Pro using the jar file.
java -Xmx2G -jar /[path]/burp.jar
#Java path
#C:\Program Files (x86)\Java\jdk1.8.0_201\src.zip\com\sun\security\auth\module
==========================
# Analyze target (identify all dynamic URLs and parameters)
==========================
Target -> Site map
Right-click on target folder -> Engagement tools -> Analyze target
==========================
# List comments, scripts, and references
==========================
Target -> Site map
Right-click on target folder -> Engagement tools -> Find comments
Right-click on target folder -> Engagement tools -> Find scripts
Right-click on target folder -> Engagement tools -> Find references
==========================
# Passive Scan (identify some vulnerabilities)
# Analyzes the HTTP messages for evidence of certain types of vulnerabilities
# Does not send any additional requests to the server
==========================
Target -> Site map
Right-click on target folder -> Passively scan this branch
==========================
# Actively Scan (web app vulnerability scan)
# Automates the fuzzing to find web application vulnerabilities
==========================
Target -> Site map
Right-click on target folder -> Actively scan this branch
Select options:
Remove duplicate items (same URL and parameters)
Remove items with media responses
Remove items with the following extensions: gif,jpg,png,css
==========================
# Run scanner for web specific vulnerabilities
# PROFESSIONAL VERSION ONLY
==========================
By default, passive scanning on all domains
Confidence in results can be "Certain", "Firm" or "Tentative"
Results can be exported
In Browser:
Select the Burp proxy configuration
Go to your_ip/mutillidae
In Burp Suite:
Click on Proxy Tab, the Intercept tab
Click on Intercept is on (to switch off)
Click on Scanner tab, then Live Scanning tab
Select Use suite scope [defined in Target tab]
Click on Target tab, then Site map tab
Expand your target
Right-click on target, click Spider this branch
Click on Spider tab, then Control tab to monitor progress
Click on Target tab, then Site map
Right-click on target, then Actively scan this branch
Click Next, review the list, then OK
Click Scanner, then Scan Queue to monitor the progress
Click Scanner tab, then Results
Right-click on root node, the Report selected issues to export results
==========================
# SQL Injection
==========================
In Browser:
Select the Burp proxy configuration
Go to your_ip/mutillidae
Click OWASP Top 10 -> A1 - Injection -> SQLi - Extract Data -> User Info
This page is vulnerable to SQL injection
Enter name & password and click View Account Details
In Burp Suite:
Click on Proxy tab, Intercept tab
(should see the request)
Right-click on the request, Copy to File
(enter file name)
Click on Intercept is on
Close Burp
==========================
# Session Tokens
==========================
# Session tokens are used to track sessions because HTTP is stateless by default.
# Make sure session tokens are properly randomized and cannot be guessed.
To generate new session token:
In Browser:
Clear browser history including cookies.
Select the Burp proxy configuration
Go to your_ip/mutillidae
In Burp Suite:
Click on Proxy tab, then Intercept
(session token is not present)
Click on Forward
(PHPSESSID=your session token)
Click on Forward
(screen should be white when job done)
Click on HTTP history tab
Click on first host entry (top)
Click on Response tab, then Raw
Right-click within Raw section, and Send to Sequencer
Click on Sequencer tab
Select the session token
Click Start live capture
Click Analyze now
Play with the options...
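To make the Sequencer result more concrete, here is an added illustration (not PortSwigger's algorithm; Sequencer runs many more character- and bit-level tests) of the core idea of its character-level analysis: for each character position across a sample of tokens, how many bits of entropy are actually observed. The token sets are constructed: a counter rendered as 32 hex digits, which is what a naive PHPSESSID-style generator might produce, versus 32 hex digits drawn from a seeded PRNG standing in for a CSPRNG.

```python
"""Per-position entropy of session tokens (added illustration of what
Sequencer's character-level analysis measures; not Burp's algorithm)."""
import math
import random
from collections import Counter
from typing import List, Sequence

HEX = "0123456789abcdef"


def position_entropy(tokens: Sequence[str]) -> List[float]:
    """Shannon entropy in bits at each character position (max log2(16) = 4 for hex)."""
    if not tokens or len({len(t) for t in tokens}) != 1:
        raise ValueError("need a non-empty sample of equal-length tokens")
    n = len(tokens)
    result = []
    for column in zip(*tokens):           # column = all tokens' chars at one position
        counts = Counter(column)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def weak_positions(tokens: Sequence[str], threshold_bits: float = 1.0) -> List[int]:
    """Positions that are constant or nearly so: they contribute no unpredictability."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold_bits]


def counter_tokens(n: int) -> List[str]:
    """Constructed weak sample: sequential IDs zero-padded to 32 hex digits."""
    return [f"{i:032x}" for i in range(n)]


def prng_tokens(n: int, seed: int = 7) -> List[str]:
    """Constructed strong-looking sample; a real generator must use secrets/os.urandom."""
    rng = random.Random(seed)
    return ["".join(rng.choice(HEX) for _ in range(32)) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("counter", counter_tokens(200)), ("prng", prng_tokens(200))):
        bits = position_entropy(sample)
        print(f"{name:8} mean {sum(bits) / len(bits):.2f} bits/char, "
              f"weak positions: {weak_positions(sample)}")
```

The counter-based tokens look long and hexadecimal but 30 of 32 positions never change, so the effective key space is the handful of varying characters; that is the kind of result Sequencer reports as poor effective entropy even when the token format looks fine.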
==========================
# AWS
==========================
In BApp Store, install AWS Security Checks
==========================
# Bypass WAF
==========================
https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c
In BApp Store, install "Bypass WAF" extension.
==========================
# WSDL files
==========================
# Request WSDL file from developer. It contains information on how to call the service.
Open SOAP-UI
Click on SOAP
Select the WSDL file
In SOAP-UI Preferences, set Proxy to manual 127.0.0.1 port 8080
In Burp, set intercept on
Play query in SOAP-UI