From charlesreid1

Installing

Mac

Use the Mac installer provided by portswigger: https://portswigger.net/burp/communitydownload

Debian Linux

Dependencies

The jarwrapper library is required to install burpsuite:

sudo apt-get install jarwrapper

Installing burpsuite with KaliTools

Use KaliTools to install burpsuite on a non-Kali machine:

cd kali-tools
python3 kali.py burpsuite
cd dist/burpsuite
dpkg-buildpackage -us -uc -b
cd ../
sudo dpkg -i burpsuite_1.7.30-0kali1_all.deb
sudo apt-get upgrade burpsuite

Incompatible JRE

Ran into a problem with the Burp Suite community edition:

"Your JRE appears to be version 11.0.14 from Debian. Burp has not been fully tested on this platform and you may experience problems."

I used aptitude to install the openjdk-11-jre package, and that's the package causing the above error. It seemed like it should have been working fine. I tried upgrading jarwrapper, and that did the trick:

sudo apt-get -y upgrade jarwrapper

List of Features

Link to UI overview: https://www.youtube.com/watch?v=nECt-0zW0O4

Tabs:

  • Dashboard: view and configure automated tasks, scans; view results from scan
  • Target: view and explore all data captured from scans or Burp Proxy browser sessions
    • Target Scope: specify details about targets, allows driving highly configured scans
  • Proxy: intercept, view, and modify traffic via the browser
    • History: view all the requests made as part of the session
    • Options: define all of the settings of the proxy server
  • Intruder: automating custom attacks by sending a request into Intruder, and configuring details of the payload
  • Repeater: used to take a request, modify it, and send it, over and over
  • Sequencer: analyzes the randomness of various random data/tokens; collects large amount of data and runs statistical tests
  • Decoder: decode or encode data from various formats (URL encoding, base64 encoding, etc.)
  • Comparer: word- or byte-level comparison of two pieces of data
  • Extender: customizes Burp's behavior using extensions you wrote yourself using Burp's API, or extensions from the BApp Store

Menu:

  • Search: searches all of Burp's tools and items for particular expressions
  • Configuration Library: maintain separate configurations for different tools
  • Burp Infiltrator: dynamic analysis tool, can run a Burp-instrumented binary and disover potentially unsafe APIs on the server side
  • Burp Clickbandit: generating clickjacking attacks; copy script into browser, walk through sequence of actions you want victim to take, Clickbandit generates a PoC clickjacking attack
  • Burp Collaborator client: work manually with Burp Collaborator payloads

Usage

Proxy

The Burp Proxy is a proxy server built into Burp that has its own private certificate authority. It also has a built-in Chromium browser that passes all of its traffic through the proxy so that it can be inspected.

Burpsuite Proxy.png

Intercepting Traffic

One basic use of Burp is intercepting traffic.

To do this, go to Proxy > Intercept. You can open the Chromium browser included with Burp, which will use the Burp proxy.

When you open the browser, it will not intercept traffic by default, you have to click "Intercept Off" to switch it to "Intercept On".

Once you do that, you'll see each request come up as it is happening in the browser, and you can Forward the request or Drop it.

You will see all requests that are made as part of loading a page, so if there are multiple API calls being made, you'll see each one as a separate request.

Modifying Traffic

The content of requests can also be modified before the request is forwarded.

The first Burpsuite tutorial [1] on intercepting traffic demonstrates how this can be used to exploit a vulnerable e-commerce shopping site.

Intercept Rules

The Burp Proxy supports rules to filter which traffic is intercepted, so that if there are a very large number of requests, only the relevant requests are intercepted.

Go to Proxy > Options

The Options page has a section for client requests and a section for server responses. By default, only client requests are intercepted. You can enable server response intercepts here if you wish.

In those sections you can add rules to a list, to define what traffic gets intercepted. Each rule can be individually toggled on or off. Each rule has a logical operator that applies to it (and/or), a field to check for a match, and what conditions must be met for that field to be a match.

Rules are processed in order, top to bottom. No scope.

Useful Client Intercept Rules

A few useful intercept rules to have available to be enabled:

  • Match requests where the file extension does not match gif/jpg/png/css/js/html/etc
  • Match requests that contain parameters
  • Match any HTTP request that is not GET or POST
  • Only match URLs that are in the target scope

Burpsuite UsefulInterceptRules.png

Modifying Target Scope

If there is a particular URL that you want to ignore all requests for, like example.com/assets, then you can ignore those requests two different ways:

  • The first way is to create a rule that only matches requests where the URL does not contain /assets
  • The second way is to go to the Target tab, find the site example.com, right click on the site, and include it in the Target Scope. Then collapse the tree, and find the location to exclude, /assets. Right click on that folder and exclude it from the Target Scope. Now add an intercept rule that limits intercepted requests to ONLY URLs that are in the target scope.

Intercepted Request Actions

When a request is intercepted, there is an "Action" menu at the top that has a lot of useful functions.

Two submenus in the Action menu, "Don't intercept requests" and "Do intercept requests," will automatically create Intercept Rules based on various fields of the intercepted request - for example, the host, the IP, the file extension, or the directory in the URL.

This makes it easy to narrow in on the requests of interest: start by intercepting all requests, then use the Actions menu to filter out requests that aren't interesting.

Repeater

Burp Repeater is a tool for examining, editing, and resending HTTP requests.

Sending Requests to Repeater

The easiest way to send a request to Repeater is to use the right-click context menu.

Use the Burp Proxy browser and browse to a page of interest. Then go to Proxy > HTTP history, and find the request you want to repeat. Right click and choose "Send to Repeater".

How to Use Repeater

Repeater allows you to rapidly edit a request, and re-send it with one click of a button. The request and response are displayed side by side, and each request is in a separate tab.

Repeater won't automatically generate edits, or create a bunch of requests for you. It is intended to make the manual workflow of modifying requests and examining the responses easier.

Specific Types of Attack

SQL Injection

Can use Repeater to easily capture a vulnerable request, and use it to craft SQL injection queries. Repeater makes it easy to convert plain text SQL queries into URL-encoded queries.

Cross-Site Scripting

Cross-site scripting involves manipulating the page that the browser is loading, in order to allow an attacker to inject Javascript that is run by the victim's browser. This provides the attacker to compromise the user's interaction with that web application.

Links and Resources

PortSwigger Training

SQL injection training: Burp Suite/SQL Injection

Official Tutorials

Tutorial 1: intercepting HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic

  • Burp Proxy lets you intercept HTTP requests and responses sent between your browser and the target server
  • Enables studying behavior of websites when different requests are sent
  • Open Burpsuite and go to Proxy > Intercept
  • Click Open Browser, which opens a built-in, embedded browser
  • Can browse without intercept turned on, normal experience
  • Turning on intercept will show each request, give the option to forward or drop
  • Proxy also records a history of each request
  • Burp Proxy also lets you modify HTTP requests
  • (Tutorial requires setting up an account on portswigger and using an example vulnerable website)
  • Basically you can just edit the request when you see it, before you click Forward or Drop

Tutorial 2: Using Repeater to send repeated requests: https://portswigger.net/burp/documentation/desktop/getting-started/reissuing-http-requests

  • Open the Burp Proxy browser and browse to the vulnerable website
  • (Turn off Interception)
  • Go to a product page, and look at the HTTP request history
  • Find a request for a /product API endpoint
  • Right click the request and select "Send to Repeater"
  • Go to the Repeater tab
  • Can click Send with the existing request, and view the response
  • Can modify the request, hit Send, and view new response
  • Each response is saved
  • Tampering with parameters - setting parameter to string instead of integer leads to 500 error, and stack trace is shown
  • Stack trace shows version number of software package

Flags