You're reading from Burp Suite Cookbook - Second Edition

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781835081075
Edition: 2nd Edition
Author (1)
Dr. Sunny Wear

Dr. Sunny Wear is a web security architect and penetration tester. She provides secure coding classes, creates software, and performs penetration testing on web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture, and security experience and holds a Doctor of Science in Cybersecurity. She is a content creator on Pluralsight, with three courses on Burp Suite. She is a published author, a developer of mobile apps such as Burp Tool Buddy, and a content creator on courses related to web security and penetration testing. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.

Preface

Burp Suite is a Java-based platform for testing the security of your web applications and has been adopted widely by professional enterprise testers.

The Open Web Application Security Project (OWASP) offers many resources to developers and testers for securing web and API applications. This book leverages test cases from OWASP with slight modifications for use in Burp Suite to give you hands-on practice. Toward the end of this book, more advanced concepts are included, giving you recipes to be applied in bug bounty hunting, penetration testing, and application security.

By the end of the book, you will be up and running with using Burp Suite to test the security posture of your web applications and APIs.

Who this book is for

If you are a security professional, web pentester, or software developer who wants to adopt Burp Suite for testing application and API security, this book is for you.

What this book covers

Chapter 1, Getting Started with Burp Suite, provides the setup instructions necessary to proceed through the material of the book.

Chapter 2, Getting to Know the Burp Suite of Tools, begins by establishing the target scope and provides overviews of the most commonly used tools within Burp Suite.

Chapter 3, Configuring, Crawling, Auditing, and Reporting with Burp, helps testers to calibrate Burp Suite settings to be less abusive toward the target application.

Chapter 4, Assessing Authentication Schemes, covers the basics of authentication, including an explanation that it is the act of verifying that a person or object’s claim is true.

Chapter 5, Assessing Authorization Checks, helps you understand the basics of authorization, including an explanation that it is how an application uses roles to determine which functions a user may perform.

Chapter 6, Assessing Session Management Mechanisms, dives into the basics of session management, including an explanation that it is how an application keeps track of user activity on a website.

Chapter 7, Assessing Business Logic, covers the basics of business logic testing, including an explanation of some of the more common tests performed in this area.

Chapter 8, Evaluating Input Validation Checks, delves into the basics of data validation testing, including an explanation of some of the more common tests performed in this area.

Chapter 9, Attacking the Client, helps you understand how client-side testing is concerned with the execution of code on the client, typically natively within a web browser or browser plugin. You’ll learn how to use Burp Suite to test the execution of code on the client side to determine the presence of Cross-Site Scripting (XSS). You’ll also learn about using DOM Invader within the Burp Suite browser to uncover DOM-based vulnerabilities.

Chapter 10, Working with Burp Suite Macros and Extensions, teaches you how Burp Suite macros enable penetration testers to automate events such as logins or response parameter reads to overcome potential error situations. You will also learn about extensions as additional functionality to Burp Suite, especially a few choice ones for bug bounty hunting.

Chapter 11, Implementing Advanced Topic Attacks, provides a brief explanation of XXE as a vulnerability class targeting applications that parse XML and SSRF as a vulnerability class allowing an attacker to force applications to make unauthorized requests on the attacker’s behalf. You will also learn about hacking GraphQL and JSON Web Tokens (JWTs) using Burp Suite.

To get the most out of this book

All the requirements are updated in the Technical requirements section for each of the chapters.

The following table is a list of software requirements. You will need the items in the table throughout the book. The preliminary steps of each recipe will inform you what software is required.

Software/hardware covered in the book

OS and other requirements

Oracle VirtualBox

Windows, macOS, and Linux (any)

Mozilla Firefox browser

OWASP Broken Web Applications (BWA) VM

7-Zip file archiver

Burp Suite Community or Professional

Oracle Java

PortSwigger account to access labs

Each recipe contains a setup stage called Getting ready, which provides links and instructions for the required software prior to performing the individual steps.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Allow the attack to continue until you reach payload 50.”

A block of code is set as follows:

<%@ page import="java.util.*,java.io.*"%>
  <%
  if (request.getParameter("cmd") != null) {
       out.println("Webshell cmd: " + request.getParameter("cmd")

Any command-line input or output is written as follows:

C:\Burp Jar Files>java -jar burpsuite_pro_v2023.4.3.jar

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “Select a tool from the drop-down listing and click the Lookup Tool button.”

Tips or important notes

Appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There’s more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There’s more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you’ve read Burp Suite Cookbook - Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

  1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781835081075

  2. Submit your proof of purchase
  3. That’s it! We’ll send your free PDF and other benefits to your email directly