You're reading from Practical Web Penetration Testing

Product type: Book
Published in: Jun 2018
Publisher: Packt
ISBN-13: 9781788624039
Edition: 1st Edition

Author: Gus Khawaja

Gus Khawaja holds a bachelor's degree in computer science. He specializes in IT security and ethical hacking. He is an author and shares his passion with millions of viewers around the world using his online courses. He also works as a cybersecurity consultant in Montreal, Canada. After many years of experience in programming, he turned his attention to cybersecurity and the importance that security brings to this minefield. His passion for ethical hacking, mixed with his background in programming and IT, makes him a wise Swiss-knife professional in the computer science domain.

All About Using Burp Suite

You are getting closer and closer to becoming a pro in application security testing. This chapter is dedicated to an amazing application called Burp Suite. It is a mandatory tool for testing web application security. I'm not trying to sell you the application; rather, I'm giving you an honest opinion, based on my own experience as a web application penetration tester. Burp was written by PortSwigger Ltd. I can't thank them enough for allowing us to test web applications, making sure that they are secure against threats.

You're probably wondering, why Burp? Why not one of the fancy, expensive, single-button tools out there on the market?

First of all, just because they are expensive doesn't mean that they are good; secondly, don't be a slave to the Gartner charts. Big companies increase their prices when they appear at the...

An introduction to Burp Suite

Burp Suite is a simple platform for web application security testing. This application has many tools, combining to form a monster at your fingertips. It will help you to test every component of your web application.

Burp will be the key in cases where you need to check how strong your website security is, how predictable your session tokens are, or how valid the checkpoint data in your application is. Furthermore, Burp lets you combine detailed manual assessment with automated techniques to enumerate and analyze the security of a web application.

Burp has two editions that are available for download:

  • Burp Suite Community Edition (pre-installed on Kali)
  • Burp Suite Professional Edition (requires a yearly license, around 350 USD per year)

In summary, Burp is a local web proxy that allows you to manually modify, intercept, and inspect...

A quick example

Before I start to dig deeper into the functionality of each section, it is best to start with a simple example, so that you can quickly visualize how you can use this amazing application. "Not just talking but by doing!"

This is going to be an oversimplified example, so I will not go into too much detail. I want you to understand the big picture. Later in this chapter, you will learn the nitty-gritty details of the functionalities:

  1. Fire Burp up, and open your browser in Kali Linux (I already set the Proxy settings in Firefox; I will show you how to do that later).
  2. Browse to the Mutillidae home page; you will see that the page is not loading, and that's normal, because the Proxy in Burp has intercepted the request and is waiting for you to take action.
  3. Switch to Burp, and you will see the web request in the Proxy/Intercept section. At this point...

Visualizing the application structure using Burp Target

In the previous section, you saw how an application can be mapped by using Burp in the Target tab. In this section, I want you to learn how Burp Target works (in a simplified way) so that you can handle the workflow when you're doing the pen tests.

The Burp Target tool offers you the following functionalities (I will only list the important ones):

  1. Visualize the application structure using the Site Map tab.
  2. Define the scope of your target website using Add To Scope.
  3. Spider the web application to discover more contents using Spider this branch.
  4. Search for hidden contents using the Discover Content functionality.
  5. Conduct a passive scan, using Passively Scan this branch to identify some vulnerabilities.
  6. List comments, scripts, and references by using the Engagement Tools menu.
  7. Analyze the web application target to identify...

Intercepting the requests/responses using Burp Proxy

The Proxy tool is the heart of Burp. In summary, it intercepts all of the requests your browser sends and all of the responses it receives while you browse manually. It operates as a web proxy server, and it sits as a man-in-the-middle between your browser and the destination web servers. This lets you intercept, inspect, and modify the raw traffic passing in both directions (request/response):

Setting the proxy in your browser

I'm assuming that you are using Kali Linux for your web application penetration testing, so you will be using Firefox or Iceweasel as a browser. You can install Chrome, but the instructions that I'm using are for Firefox (if you're using Chrome, don'...

Crawling the web application using Burp Spider

The idea here is simple: all you need is a way to find all of the pages of the web application in your target scope. There are three ways to accomplish this task:

  • Manually crawling by using the Intruder tool
  • Automatically crawling by using Burp Spider
  • Automatically finding hidden items by using the Discover Content tool

Manually crawling by using the Intruder tool

In some cases, you will want to run a manual crawl using one of the predefined dictionary files. To do this, perform the following steps:

  1. Select the root path; in our example, it's mutillidae, because this is our starting point for crawling. Next, right-click on the request and send it to the Intruder tab:
  2. ...

Looking for web vulnerabilities using the scanner

For an effective web application penetration test, you will need to perform both a manual test and an automated test. If you only do one of them, you're not doing the right thing. This has been a debate, and sometimes, I see teams relying on fancy, automated tools, because they lack the knowledge for manual tests. On the other hand, I've seen teams with sky-high egos; they think that manual tests are for the elite, and that those tests should be enough. My philosophy is that you need both. In this section, I will show you the automated method to scan for vulnerabilities. The manual method will be covered in an upcoming chapter.

In Burp, the first type of scan is the passive scan, which involves analyzing the HTTP messages for evidence of certain types of vulnerabilities. It does not send any additional requests to the...
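To make the idea of a passive scan concrete, here is an added example (not Burp's own scanner code) that applies a few typical passive checks to a constructed, already-captured HTTP response: it reads the message and reports findings without sending anything to the server. The response, the header list and the finding texts are all assumptions made for the illustration.

```python
"""Minimal passive checks over a captured HTTP response (added example, not Burp's scanner)."""

# Headers whose absence passive scanners commonly flag (assumed list for this example).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy", "x-content-type-options")


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)] headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_checks(raw):
    """Return (severity, description) findings, using only the message already captured."""
    _status, headers, _body = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            # Without Secure the cookie can travel over plain HTTP; without HttpOnly script can read it.
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(("low", "cookie %s lacks %s flag" % (cookie, flag)))
        elif name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            # A version string is reported as-is; a passive check never sends a request to confirm it.
            findings.append(("info", "version disclosed in %s: %s" % (name, value)))
    for required in EXPECTED_HEADERS:
        if required not in present:
            findings.append(("info", "missing security header %s" % required))
    return findings


# Constructed sample response (not captured from any real server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29\r\n"
    "Set-Cookie: PHPSESSID=constructedvalue; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
```

Adding `; Secure; HttpOnly` to the sample cookie removes the two low findings while the header and version findings remain, which is the kind of before/after comparison the Repeater tab is used for later in the chapter.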

Replaying web requests using the Repeater tab

As the name suggests, the Repeater tab allows you to repeat web requests manually. Why? To check the web response. Most of the time, you will use the Send to repeater menu item to send the results to this section. After that, just click on the Go button, and you will be able to replay the request:

The following is the checklist that I implement when I want to use the Repeater tab:

  1. Testing the logic flaws of a page
  2. Checking for false positive issues after generating a report
  3. Changing the parameter values (for example, testing input-based vulnerabilities)

Fuzzing web requests using the Intruder tab

Burp Intruder is a monster of automation, and it allows you to enumerate, fuzz, and harvest data from the target web application. In the old days, when I started using Burp, the first thing that I learned was to use the Intruder tool to brute-force login credentials. We will cover more examples in the upcoming chapters, but for this section, I want you to understand the basics of this tool:

Intruder attack types

One of the most confusing things for beginners is the attack types in the Intruder tool. I will do my best to explain them to you in a practical way, so they won't be an obstacle for you to use this section:

  • Sniper: This is the most popular one, and you can use it...
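The following added example (not code from the book or from PortSwigger) models how Intruder turns a request template with § payload markers into the set of requests each attack type generates. It goes beyond the Sniper bullet above and also covers the other three types Burp offers (Battering ram, Pitchfork and Cluster bomb); the template and payload sets are constructed samples, and nothing is sent anywhere.

```python
"""Burp Intruder attack types modelled as request generators (added example)."""
import re
from itertools import product

# Burp marks each payload position in a request as §original value§.
MARK = re.compile("§([^§]*)§")


def split_template(template):
    """Return (literal pieces, original value at each § position)."""
    parts = MARK.split(template)      # literal, value, literal, value, ..., literal
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Re-assemble a request from literal pieces plus one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out += [value, literal]
    return "".join(out)


def intruder_requests(template, attack, payload_sets):
    """Yield every request Intruder would generate for the given attack type."""
    literals, originals = split_template(template)
    n = len(originals)
    if attack == "sniper":
        # One payload set; each position is attacked in turn, the others keep their original value.
        for i in range(n):
            for p in payload_sets[0]:
                yield render(literals, originals[:i] + [p] + originals[i + 1:])
    elif attack == "battering ram":
        # One payload set; the same payload is placed into every position at once.
        for p in payload_sets[0]:
            yield render(literals, [p] * n)
    elif attack == "pitchfork":
        # One payload set per position, walked in parallel (stops at the shortest set).
        for combo in zip(*payload_sets[:n]):
            yield render(literals, list(combo))
    elif attack == "cluster bomb":
        # One payload set per position, every combination (cartesian product).
        for combo in product(*payload_sets[:n]):
            yield render(literals, list(combo))
    else:
        raise ValueError("unknown attack type: %s" % attack)


# Constructed sample: a query string with two marked positions and two payload sets.
TEMPLATE = "id=§1§&page=§home§"
SETS = [["a", "b"], ["1", "2", "3"]]
```

With two positions and these sets, Sniper produces 4 requests, Battering ram 2, Pitchfork 2 and Cluster bomb 6, which is why request counts differ so much between the types.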

Installing third-party apps using Burp Extender

Before I start on this section, I would like to inform you that I did not include the Sequencer, Decoder, and Comparer tabs in this chapter. In fact, I excluded them on purpose, because their usage is very straightforward. You will rarely use them in your daily career, so why waste your time?

Burp Extender is an important tab; it will allow you to include additional, powerful functionalities in Burp. For example, if you want to add the functionality to scan for outdated JavaScript libraries, then you can install the module Retire.js, and it will do the work for you. There is a tool for every need: WAF, errors, Java, .NET, SQLi, XSS, and so on.

Before starting to use the BApp Store, you will need to download the Jython standalone JAR from: http://www.jython.org/downloads.html.

Jython is a library for Java and Python, and some apps...

Summary

Congratulations! You now know the ins and outs of Burp. In future chapters, we will use Burp to conduct our Web Intrusion Tests. I invite you to start practicing and using Burp; it is your Swiss Army knife for every Web Application Intrusion Test. If you can afford to buy a license, do it now! It is worthwhile for practicing and enhancing your web application hacking skills.

In the next chapter, I will show you the basics of web application vulnerabilities: a nice, exciting topic that will allow you to enhance and deepen your penetration testing skills.
