21BCE5311 Ism Lab1
21BCE5311 Ism Lab1
21BCE5311 Ism Lab1
21BCE5311
Utkarsh Agrawal
Exp. No.: 1
Aim: To study about the tool Burp Suite and intercept the connection between the system
and the internet.
Burp Suite is an integrated platform for performing security testing of web applications.
Its various tools work seamlessly together to support the entire testing process, from
initial
ng
security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with
state-of- the-art automation, to make your work faster, more effective, and more fun.
It is the most popular tool among professional web app security researchers and bug bounty
hunters.
Procedure:
Burp Suite comes installed by default on Kali Linux. If not install it with the command:
sudo apt install burpsuite
Open it up and click through the opening menus. Just use the defaults.
Step 2: Installing FoxyProxy
The reason for installing the Burp Suite CA certificate is to authenticate any source sending
traffic into the webserver and thus prevent any unsecured website from communicating with
your browser.
Steps to install Burp Suite CA certificate on the Firefox:
Launch Burp Suite and visit http://burpsuite on your Firefox and Chrome.
Check the top-right corner of the page and click CA Certificate and start downloading
the certificate authority into your system.
In the next dialog box, click on the Authorities tab and click the Import button and open the
CA Certificate downloaded.
Step 3: Burp Suite Proxy
Burp Suite contains an intercepting proxy that lets the user see and modify the contents of
requests and responses while they are in transit.
It also lets the user send the request/response under monitoring to another relevant tool in
Burp Suite, removing the burden of copy-paste.
The proxy server can be adjusted to run on a specific loop-back IP and a port.
The proxy can also be configured to filter out specific types of request-response pairs.
How to use Burp Suite Proxy?
In Burp, go to the Proxy > Intercept tab and turn on Intercept.
In Firefox, open any URL (E.g., google.com). The Firefox will send a request but will then
be stuck waiting for a response.
Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP and
WebSocket messages, and analyzing the application's responses.
Repeater lets a user send requests repeatedly with manual modifications.
It is a very useful tool for tweaking and refining payloads designed to exploit Cross-Site
Scripting or SQL injection vulnerabilities, also known as XSS and SQLI respectively.
How to use Burp Suite Repeater?
To send a request to repeater tab, right-click the request in Proxy tab and click
Edit any field in the Request (E.g., change the Host to youtube from google) and
click send.
The response is visible in the response section.
Copy the link and open in browser.
There is also possibility for error. For e.g., change the host to facebook and click send.
1)Spider:
Function: Crawls and maps the target website by following links to discover all accessible pages.
Use case: Helps in understanding the structure of the application and identifies potential vulnerabilities.
2)Proxy:
Function: Acts as an intermediary between the user's browser and the target server, allowing the user to
intercept and modify requests and responses.
Use case: Useful for manual inspection and modification of web traffic to identify and exploit vulnerabilities.
3)Intruder:
Function: Automates customized attacks by sending a large number of requests with varying parameters to the
target.
Use case: Used for identifying vulnerabilities like SQL injection, cross-site scripting, and other input-related
issues.
4)Repeater:
Function: Allows the user to repeat individual requests to the server, modify them on the fly, and observe the
responses.
Use case: Useful for testing and debugging, especially when fine-tuning payloads or verifying the impact of
changes.
5)Sequencer:
Function: Analyzes the quality of randomness in tokens or session identifiers by performing statistical
analysis.
Use case: Helps identify weak session management and authentication mechanisms by assessing the
predictability of generated tokens.
6)Decoder:
Function: Provides various decoding and encoding tools for transforming data between different formats.
Use case: Useful for analyzing and manipulating data, such as decoding Base64, URL encoding, or converting
between different character sets.
7)Extender:
Function: Allows users to enhance the functionality of Burp Suite by adding custom extensions.
Use case: Enables the integration of additional features or third-party tools to extend Burp Suite's capabilities.
8)Scanner:
Function: Automatically identifies and reports security vulnerabilities in web applications.
Use case: Streamlines the process of finding common vulnerabilities like SQL injection, cross-site scripting,
and more, by automating the scanning process.
Results:
Thus, burp suite is installed and its various features are studied.