This chapter will help testers calibrate Burp Suite settings at both the project and user levels for optimization against the target application. For example, tweaks to the Crawling and Auditing options can assist with less abusive and less noisy brute-forcing attacks. Likewise, testers can find themselves in interesting network situations when trying to reach a target. Thus, several features are included in Burp Suite for testing sites running over Hypertext Transport Protocol Secure (HTTPS) or accessing sites through a SOCKS proxy or a port forward. Many settings are available at both the project and user levels. Finally, Burp Suite provides out-of-the-box functionality to generate a report for found issues.

In this chapter, we will cover the following recipes:

• Establishing trust over HTTPS
• Setting project configurations
• Setting user configurations
• Crawling target sites
• Creating a custom scan script...

To complete the recipes in this chapter, you will need the following:

• OWASP Broken Web Applications (BWA)
• OWASP Mutillidae link
• Burp Suite Proxy Community or Professional (https://portswigger.net/burp/)
• Firefox browser (https://www.mozilla.org/en-US/firefox/new/)
• The FoxyProxy Standard add-on for the Firefox browser configured to allow Burp Suite to proxy traffic (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/)
• The proxy configuration steps are covered in the Listening for HTTP traffic using Burp recipe of Chapter 1.

Since most websites implement (HTTPS, it is beneficial to know how to enable Burp Suite to communicate with such sites. HTTPS is an encrypted tunnel running over Hypertext Transport Protocol (HTTP).

The purpose of HTTPS is to encrypt traffic between the client browser and the web application to prevent eavesdropping. However, as testers, we wish to allow Burp Suite to eavesdrop since that is the point of using an intercepting proxy. Burp Suite provides a root Certificate Authority (CA) signed certificate. This certificate can be used to establish trust between Burp Suite and the target web application.

By default, Burp’s Proxy can generate a per-target CA certificate when establishing an encrypted handshake with a target running over HTTPS. That takes care of the Burp-to-web-application portion of the tunnel. We also need to address the browser-to-Burp portion.

To create a complete HTTPS tunnel connection between the client browser, Burp...

Project settings allow a tester to save or set configurations specific to a project or scoped target. These settings are stored within the Project file, which is created upon launching the Burp Suite application. There are multiple subsections available under the Project section, which include Tools, Project, Sessions, and Network. Many of these options are required for pentesters when they’re assessing specific targets, which is why they are covered here. As we iterate through each area, we will provide some recommendations that you may find helpful during your testing.

How to do it…

1. To access all Project level configurations, click the Settings gear icon in the top right-hand corner of Burp Suite:

Figure 3.12 – Project-level settings are available upon clicking Settings

2. A new pop-out window will appear. Make sure you have Project selected within the left-hand menu, at the top of...

User settings will be applied to all Burp Suite instances that run on your local machine. These settings allow a tester to set and save configurations to be used across all Burp Suite projects. There are multiple subsections available under the User options tab, which include Tools, Project, Sessions, Network, User Interface, Suite, Extensions, and Configuration Library. As we iterate through each area, we will provide some recommendations that you may find helpful during your testing:

Figure 3.64 – User configurations

How to do it…

To access all user-level configurations, click the Settings gear icon in the top right-hand corner of Burp Suite:

Figure 3.65 – User-level settings available via Settings

A new pop-out window will appear. Make sure you have User selected within the left-hand menu, at the top of the pop-out window:

Figure 3.66 –...

Crawling is a type of scan that’s used to map out a web application. This mapping exercise is necessary to uncover links, folders, and files present within the target application. While running, Burp Suite will add found assets to Target | Site map.

Crawling should occur before scanning since testers wish to identify all possible paths and functionality before looking for vulnerabilities. There are built-in Burp Suite scripts specific to crawling available in Configuration library, as shown in the following screenshot:

Figure 3.114 – Crawling scripts available in Configuration library

Getting ready

Using the OWASP Mutillidae II application found within the OWASP BWA VM, we will configure and use one of the built-in scripts to crawl through the application.

How to do it...

1. Ensure Burp Suite and the OWASP BWA VM are running and that you are either using Burp’s browser or have FoxyProxy turned on...

Burp Suite provides predefined tasks for crawling and auditing. Previously, we looked at the live crawl and audit tasks and how they work. However, if you want to create a custom scanning script, Burp Suite provides the mechanism for you to do so.

Getting ready

Using the OWASP Mutillidae II application found within the OWASP BWA VM as our target, we will create a scanning script with custom configurations and run this script against Mutillidae.

How to do it...

1. Right-click the target application and select Scan from the menu:

Figure 3.141 – How to configure a scan for the target application

2. In the New scan pop-out window, make sure the Crawl and audit radio button is selected and your target application is shown in the URLs to scan text area. Move down to the Scan configuration box:

Figure 3.142 – Select or use the default setting of Crawl and audit

Note...

Note

Reporting capabilities are only available in Burp Suite Professional.

In Burp Suite Professional, when the scanner discovers a potential vulnerability, the finding will be added to a list of issues under the Target tab, on the right-hand side of the UI:

Figure 3.149 – Issues

Issues are color-coded to indicate their severity and confidence level. An issue with a red exclamation point means it has a high severity and the confidence level is certain.

Items with a lower severity or confidence level will be low, informational, and yellow, gray, or black. These items require manual penetration testing to validate whether the vulnerability is present. For example, HTML does not specify charset is a potential vulnerability identified by the scanner. This could be an attack vector for XSS or it could be a false positive. It is up to the pentester and their level of experience to validate such an issue:

• Severity levels...