21BCE5311 Ism Lab1


Burp Suite: Introduction

21BCE5311
Utkarsh Agrawal

Exp. No.: 1

Aim: To study the tool Burp Suite and use it to intercept and modify the HTTP and HTTPS traffic
between the browser and the web servers it talks to.

Apparatus Required: Burp Suite, Foxy Proxy

Theory & Commands involved:

Burp Suite is an integrated platform for performing security testing of web applications.
Its various tools work together to support the entire testing process, from initial mapping
and analysis of an application's attack surface through to finding and exploiting
security vulnerabilities.
Burp gives the tester full control, combining advanced manual techniques with automation
to make testing faster and more effective.
It is the most widely used tool among professional web application security testers and
bug bounty hunters.

Procedure:

Step 1: Installing Burp Suite

Burp Suite comes pre-installed on Kali Linux. If it is missing, install it with:
sudo apt install burpsuite

The Kali package is the Community Edition, which contains every tool used in this lab.
Launch it and accept the defaults in the start-up dialogs (a temporary project is sufficient).
Step 2: Installing FoxyProxy

FoxyProxy is a proxy-management add-on that replaces Firefox's limited built-in proxy
settings and lets you switch proxies on and off from the toolbar.
Steps for installing it in Firefox:
Open Add-ons and themes in Firefox.
Search for FoxyProxy and install the Standard version.
Open FoxyProxy and click Add. Enter the details shown in the image below: proxy type HTTP,
host 127.0.0.1, port 8080 (Burp's default listener; check the Proxy Listeners table in Burp's
proxy settings if you have changed it).
Whenever you use Burp Suite, enable this proxy from the FoxyProxy icon at the top right of the
browser. Disable it again afterwards, otherwise Firefox will fail to load pages while Burp is
not running.
Step 3: Installing Burp Suite CA Certificate

Burp intercepts HTTPS by terminating the TLS connection itself: for every host the browser
visits it generates a server certificate on the fly, signed by Burp's own CA. Firefox does not
trust that CA, so without this step every HTTPS site shows a certificate warning and the
traffic cannot be inspected. Installing the certificate tells Firefox to trust certificates
issued by this Burp installation. Note that the CA key is unique to your Burp installation and
anything able to sign with it can impersonate any website to this browser, so add it only to a
browser profile used for testing and remove it when the lab is finished.
Steps to install the Burp Suite CA certificate in Firefox:
Launch Burp Suite and, with the FoxyProxy profile enabled, visit http://burpsuite in Firefox
(http://127.0.0.1:8080 also works).
Click CA Certificate in the top-right corner of the page and save the certificate file
(cacert.der) to your system.

In Firefox, open Settings.
From the left navigation bar select Privacy & Security. In the Certificates section, click the
View Certificates button.
In the next dialog box, open the Authorities tab, click Import and select the downloaded CA
certificate. When prompted, tick "Trust this CA to identify websites" so that Burp's per-host
certificates are accepted.
Step 4: Burp Suite Proxy

Burp Suite contains an intercepting proxy that lets the user see and modify the contents of
requests and responses while they are in transit.
It also lets the user send an intercepted request or response to another Burp tool (Repeater,
Intruder and so on) with one click, removing the need to copy and paste.
The proxy listener can be bound to a specific loopback address and port (127.0.0.1:8080 by
default).
Intercept rules can also filter out specific types of request-response pairs, for example
requests for images and style sheets, so that only interesting messages are held.
How to use Burp Suite Proxy?
In Burp, go to the Proxy > Intercept tab and turn Intercept on.

In Firefox, open any URL (e.g. google.com). Firefox sends the request, Burp holds it, and the
browser is left waiting for a response.

In Burp Suite the held request can be viewed and edited.

If you click Forward, the request is passed on to the server and the page renders in Firefox.
If instead you click Drop, Burp discards the request and the browser shows an error page
rather than the site.
Step 5: Burp Suite Repeater

Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP and
WebSocket messages, and analysing the application's responses.
Repeater lets a user send the same request repeatedly with manual modifications.
It is very useful for tweaking and refining payloads designed to exploit Cross-Site Scripting
(XSS) or SQL injection (SQLi) vulnerabilities.
How to use Burp Suite Repeater?

To send a request to Repeater, right-click the request in the Proxy tab and click
Send to Repeater (or press Ctrl+R).

In the Repeater tab, edit any part of the request (e.g. change the Host header from
www.google.com to www.youtube.com) and click Send.
The response appears in the Response panel.
To view it rendered, right-click the response, choose Show response in browser, copy the link
and open it in Firefox.

Errors can be observed as well. For example, change the Host header to www.facebook.com and
click Send.

Open the response in the browser.

This time a 404 error was returned: Repeater still connects to the original target (Google's
server), which does not serve that host name.
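The Proxy and Repeater steps above both come down to the same mechanics: receive a raw HTTP request, decide whether to hold it, let the tester edit a header, and re-serialise the message byte for byte before it goes to the server. The following is an added example written for this report, not code from Burp Suite or from the original lab: a small Python model of that flow, operating on a constructed request and an assumed list of static-file extensions in the spirit of Burp's default intercept rule. Nothing is sent over the network.

```python
"""
Added example (not part of the original lab report): a minimal model of what
Burp's Proxy and Repeater do to a request. It parses a raw HTTP/1.1 request,
applies an intercept rule like Burp's default "don't intercept static files",
lets the caller edit the Host header (as in the Repeater step) and
re-serialises the message. All request bytes are constructed sample input.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed for illustration; Burp's real default rule lists similar extensions.
STATIC_EXTENSIONS = ("gif", "jpg", "png", "css", "js", "ico", "svg", "woff")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: bytes = b""

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup, as HTTP requires."""
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def set_header(self, name: str, value: str) -> None:
        """Replace an existing header in place (keeping its position) or append it."""
        for i, (k, _) in enumerate(self.headers):
            if k.lower() == name.lower():
                self.headers[i] = (k, value)
                return
        self.headers.append((name, value))


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    req = HttpRequest(method, target, version, headers, body)
    # Honour Content-Length so a body-bearing request round-trips exactly.
    cl = req.header("Content-Length")
    if cl is not None:
        req.body = body[: int(cl)]
    return req


def serialise(req: HttpRequest) -> bytes:
    """Rebuild the exact bytes that will be forwarded to the server."""
    start = f"{req.method} {req.target} {req.version}\r\n"
    hdrs = "".join(f"{k}: {v}\r\n" for k, v in req.headers)
    return (start + hdrs + "\r\n").encode("iso-8859-1") + req.body


def should_intercept(req: HttpRequest) -> bool:
    """Burp-style rule: hold the request unless the path looks like a static asset."""
    path = req.target.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return ext not in STATIC_EXTENSIONS


def repeater_rehost(raw: bytes, new_host: str) -> bytes:
    """The Repeater step from the lab: same request, edited Host header."""
    req = parse_request(raw)
    req.set_header("Host", new_host)
    return serialise(req)


SAMPLE_REQUEST = (  # constructed sample, as a browser would send it via the proxy
    b"GET /search?q=burp HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print("intercept?", should_intercept(req))
    print(repeater_rehost(SAMPLE_REQUEST, "www.youtube.com").decode())
```

Run it directly to see the re-hosted request. The point to take from it is that Burp forwards exactly what is in the editor: when only the Host header is changed, the TCP connection still goes to the original target, which is why the 404 in the facebook case comes from Google's server.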
Conclusion:

Tools offered by Burp Suite

1) Spider:
Function: Crawls and maps the target website by following links to discover all accessible pages. In current
Burp versions this is the crawler built into Burp Scanner.
Use case: Helps in understanding the structure of the application and reveals content that can then be tested.

2) Proxy:
Function: Acts as an intermediary between the user's browser and the target server, allowing the user to
intercept and modify requests and responses.
Use case: Useful for manual inspection and modification of web traffic to identify and exploit vulnerabilities.

3) Intruder:
Function: Automates customised attacks by sending a large number of requests with varying payloads in
chosen positions of a template request.
Use case: Used for fuzzing input fields, brute-forcing credentials or identifiers, and probing for SQL injection,
cross-site scripting and other input-related issues.

4) Repeater:
Function: Allows the user to resend individual requests to the server, modify them on the fly, and observe the
responses.
Use case: Useful for testing and debugging, especially when fine-tuning payloads or verifying the impact of
changes.

5) Sequencer:
Function: Analyses the quality of randomness in tokens or session identifiers by statistical analysis of a
captured sample.
Use case: Helps identify weak session management and authentication mechanisms by assessing the
predictability of generated tokens.

6) Decoder:
Function: Provides encoding and decoding tools for transforming data between different formats.
Use case: Useful for analysing and manipulating data, such as decoding Base64 or URL encoding, or converting
between character sets.

7) Extender (the Extensions tab in current versions):
Function: Allows users to enhance the functionality of Burp Suite by adding custom extensions.
Use case: Enables the integration of additional features or third-party tools to extend Burp Suite's capabilities.

8) Scanner (Burp Suite Professional only):
Function: Automatically identifies and reports security vulnerabilities in web applications.
Use case: Streamlines the process of finding common vulnerabilities like SQL injection, cross-site scripting
and more, by automating the scanning process.
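As an added illustration of item 3 above (not code from Burp Suite or from the lab), here is how Intruder's four attack types expand a request template with §-marked payload positions into a batch of requests. The template, host name and payload lists are constructed for the example; nothing is sent anywhere.

```python
"""
Added example (not the lab's own code): how Burp Intruder's four attack types
turn a request template with §-marked payload positions into a batch of
requests. The template and payload lists are constructed sample input.
"""
from __future__ import annotations
import re
from itertools import product
from typing import Iterator, Sequence

# A payload position is written §base§, as in Intruder's Positions tab.
_POSITION = re.compile("§([^§]*)§")


def split_template(template: str) -> tuple[list[str], list[str]]:
    """Split into literal pieces and the base value of each marked position.
    len(pieces) == len(bases) + 1, so render() can interleave them."""
    pieces, bases, last = [], [], 0
    for m in _POSITION.finditer(template):
        pieces.append(template[last:m.start()])
        bases.append(m.group(1))
        last = m.end()
    pieces.append(template[last:])
    return pieces, bases


def render(pieces: Sequence[str], values: Sequence[str]) -> str:
    """Interleave literal pieces with one value per position."""
    out = [pieces[0]]
    for value, piece in zip(values, pieces[1:]):
        out.append(value)
        out.append(piece)
    return "".join(out)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; each position is attacked in turn, others keep their base value."""
    pieces, bases = split_template(template)
    for pos in range(len(bases)):
        for p in payloads:
            values = list(bases)
            values[pos] = p
            yield render(pieces, values)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; the same payload goes into every position at once."""
    pieces, bases = split_template(template)
    for p in payloads:
        yield render(pieces, [p] * len(bases))


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, iterated in parallel (stops at the shortest set)."""
    pieces, bases = split_template(template)
    assert len(payload_sets) == len(bases), "one payload set per position"
    for values in zip(*payload_sets):
        yield render(pieces, values)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position; every combination is tried (Cartesian product)."""
    pieces, bases = split_template(template)
    assert len(payload_sets) == len(bases), "one payload set per position"
    for values in product(*payload_sets):
        yield render(pieces, values)


# Constructed template: a login request with two marked positions.
TEMPLATE = "POST /login HTTP/1.1\r\nHost: target.example\r\n\r\nuser=§admin§&pass=§secret§"

if __name__ == "__main__":
    for req in cluster_bomb(TEMPLATE, [["admin", "root"], ["1234", "hunter2"]]):
        print(req.split("\r\n\r\n")[1])
```

The request counts are the practical lesson: with n payloads and p positions, Sniper sends n·p requests and Battering ram n, while Cluster bomb sends the product of all set sizes, which is why credential stuffing against two positions grows so quickly.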
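As an added illustration of item 5 above (not Burp's implementation and not part of the lab), here is a cut-down token analysis in the spirit of Sequencer: per-character entropy across a sample of tokens plus a monotonicity check that catches counter-based schemes. The weak generator is a deliberately predictable stand-in constructed here, not any real application's scheme, and the strong one uses Python's CSPRNG for comparison.

```python
"""
Added example (not from the lab report): a cut-down version of the kind of
analysis Burp Sequencer performs on a sample of session tokens. It estimates
per-character Shannon entropy across the sample and checks whether successive
tokens increase monotonically (a classic sign of a counter or timestamp).
Both token streams are constructed here for the example.
"""
from __future__ import annotations
import math
import secrets
from collections import Counter
from typing import Sequence


def position_entropy(tokens: Sequence[str], pos: int) -> float:
    """Shannon entropy (bits) of the character at index `pos` across all tokens."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def total_entropy_bits(tokens: Sequence[str]) -> float:
    """Sum of per-position entropies: an upper bound on the token's effective
    entropy. It ignores correlations between positions, which Sequencer's
    bit-level tests also probe, so a high value is necessary but not sufficient."""
    length = len(tokens[0])
    assert all(len(t) == length for t in tokens), "tokens must be fixed-length"
    return sum(position_entropy(tokens, i) for i in range(length))


def monotonic_fraction(hex_tokens: Sequence[str]) -> float:
    """Fraction of consecutive pairs where the later token is numerically larger.
    About 0.5 for random tokens; 1.0 for a counter."""
    values = [int(t, 16) for t in hex_tokens]
    ups = sum(1 for a, b in zip(values, values[1:]) if b > a)
    return ups / (len(values) - 1)


def weak_tokens(n: int, start: int = 0x1000) -> list[str]:
    """Constructed weak scheme: an incrementing counter rendered as 8 hex digits."""
    return [f"{start + i:08x}" for i in range(n)]


def strong_tokens(n: int) -> list[str]:
    """CSPRNG tokens of the same length (32 bits) for comparison."""
    return [secrets.token_hex(4) for _ in range(n)]


def verdict(tokens: Sequence[str], min_bits: float = 30.0) -> str:
    """Rough Sequencer-style summary for a sample of hex tokens."""
    bits = total_entropy_bits(tokens)
    mono = monotonic_fraction(tokens)
    if mono > 0.9:
        return f"predictable: {mono:.0%} of tokens increase (counter/timestamp?), ~{bits:.1f} bits"
    if bits < min_bits:
        return f"weak: only ~{bits:.1f} bits of estimated entropy"
    return f"no obvious weakness: ~{bits:.1f} bits, {mono:.0%} increasing"


if __name__ == "__main__":
    print("weak  :", verdict(weak_tokens(2000)))
    print("strong:", verdict(strong_tokens(2000)))
```

A sample of a few thousand tokens is needed before the per-position estimates settle; Sequencer itself asks for a large sample for the same reason, and its extra bit-level and transition tests catch structure that a plain entropy sum would miss.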

Results:

Thus, Burp Suite was installed, browser traffic was intercepted and modified through its proxy, and its main
features were studied.
