Burp Suite is a collection of tightly integrated tools that allow effective security testing of modern-day web applications. It provides a great combination of tools that allow automated and manual workflows to test, assess, and attack web applications of all shapes and sizes. Getting started with Burp is easy. With some application, we can become extremely comfortable and skilled at using the various powerful tools that are offered by Burp Suite.
Burp Suite is a piece of modern software written in the Java language. Java makes it cross-platform and extremely versatile for use both by novices and professionals. This chapter will get you started with Burp quickly while giving you enough information that will facilitate our journey of getting acquainted with Burp Suite. The tool, unlike point-and-click automated scanners, is meant to be used in a hands-on manner, and while it makes it easy to automate parts of the testing, a lot can be done by the tool in the hands of an expert. Since our aim is to optimize the way we use Burp, through this chapter, we will get to know a few tricks that will make it easy to start with.
Burp Suite is distributed as a single Java Archive (.jar) file. The free version can be downloaded from http://portswigger.net/burp/downloadfree.html. There is no registration or form to fill out, but if you'd rather get the Pro version, which I highly recommend, then you need to buy it from the same website to be able to download it. There are significant differences between the free version and the Pro version, but if you are a serious tester looking for the best value-for-money scanner / web application security tool, it should be Burp Suite Pro.
The main differences between the free version and the Pro version of Burp Suite are:
Burp Scanner
The ability to save and restore your work
Engagement tools, such as Target Analyzer, Content Discovery, and Task Scheduler
These are the topics we'll be covering in this chapter:
Starting Burp from the command line
Setting memory options based on our requirement and system RAM
Troubleshooting an IPv6-related error that sometimes occurs
Oracle Java 1.6 or above is currently required for the software to run.
Oracle Java 1.6+ is usually already installed on Windows and Mac OS X. If your computer doesn't have it installed, go to http://java.com, choose the version of the Java Runtime Environment (JRE) for your operating system, and follow the installation instructions.
The official documentation cautions users against double-clicking on the .jar file. This is so that we can explicitly specify the amount of RAM allocated to the Burp process when we start it.
Some people have successfully run Burp with other flavors of Java, but for now, we will focus on running it well with Oracle Java 1.6 or above.
Burp doesn't have an elaborate setup process. Starting Burp is as simple as executing a command in your shell of choice.
Starting Burp requires Java to be already installed and configured on your computer. If your computer doesn't already have Java 1.6+, you can get it for free from http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html.
We need the JRE, so click on the Download button under JRE.
If your computer already has Java 1.6 or above installed, execute the following in your shell:
java -jar /path/to/burpSuite.jar
Those who have done Java programming will understand what is happening here. We are passing a JAR to the Java runtime. Please note there are no command-line options that need to be passed to Burp Suite.
If we start Burp Suite by double-clicking on the .jar file, the Java runtime chooses the maximum heap size for Burp on its own. The amount chosen varies with the available system RAM. Since Burp Suite will capture hundreds and sometimes thousands of requests and responses of various sizes, it makes sense to set the memory limit explicitly when we start the program.
There is the possibility that Burp Suite might crash if the total memory available is not enough. While doing a security assessment, we don't want to worry about disruption in our work or the feeling that we may lose valuable data about the assessment due to Burp Suite crashing. Therefore, it is prudent to specify how much system RAM is allocated to Burp Suite in the beginning itself.
We can use command-line flags provided by Java to ensure that Burp has enough, and more, memory to use while running our security assessment:
java -jar -Xmx2048M /path/to/burpsuite.jar
java -jar -Xmx2G /path/to/burpsuite.jar
Both these commands set the maximum Java heap available to Burp Suite to 2 GB. The value accepts a suffix for gigabytes (G), megabytes (M), or kilobytes (K). You can read more about this on the Oracle page at http://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/jrdocs/refman/optionX.html#wp999528.
This should be enough for most web applications that need to be tested. If you have more system RAM to spare, you can increase it further. There is a small caveat you should know about: if you increase the memory allocated to Burp Suite beyond 4 GB, the Java Virtual Machine (JVM) garbage collector (GC) will have more work to do, and this has been known to adversely affect the performance of Java-based applications. Bear in mind, though, that there are clear performance gains from raising the minimum heap size above the default, which can be as low as 128 MB on older machines.
Sometimes, Java picks up the IPv6 address on the interface, and Burp is unable to make any connections to websites returning an IPv4 address. This results in a Java error, which is as follows:
java.net.SocketException: Permission denied
The browser also shows a cryptic error, which is as follows:
Burp proxy error: Permission denied: connect
If we ever encounter this error, all we need to do is tell Java that we want to use the IPv4 interface by passing the following parameter to the runtime:
java -Xmx2048M -Djava.net.preferIPv4Stack=true -jar /path/to/burpsuite.jar
This command and flag tell the Java runtime to prefer the IPv4 network stack when running the Burp Suite JAR file. Another option is to set the same flag through a Java options environment variable.
Please note that running the preceding command disables IPv6 for that Burp process.
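The two start-up concerns above, the -Xmx heap limit and the IPv4 preference flag, fit naturally into a small launcher script. The following is an added example written for this chapter; it is not part of the book or of Burp Suite itself. The jar location, the "half of RAM, between 1 GB and 4 GB" sizing rule and the BURP_LAUNCH / BURP_FORCE_IPV4 variables are this example's own assumptions, chosen to respect the 4 GB garbage-collector caveat discussed above.

```shell
#!/bin/sh
# Added example launcher for Burp Suite (not from the book or from PortSwigger).
# BURP_JAR is an assumed location; override it in the environment.
BURP_JAR="${BURP_JAR:-/path/to/burpsuite.jar}"

# Pick a -Xmx value in MB from the total system RAM in MB.
# Sizing rule (an assumption of this example): half of RAM, clamped to
# a 1024 MB floor and a 4096 MB ceiling, since heaps above 4 GB give the
# JVM garbage collector noticeably more work.
heap_mb_for_ram() {
    total_mb=$1
    half=$(( total_mb / 2 ))
    if [ "$half" -lt 1024 ]; then half=1024; fi
    if [ "$half" -gt 4096 ]; then half=4096; fi
    echo "$half"
}

# Build the java command line. $1 = heap in MB, $2 = "yes" to prefer IPv4.
# The jar path is double-quoted so the command survives spaces in the path.
burp_command() {
    heap=$1
    ipv4=$2
    cmd="java -Xmx${heap}M"
    if [ "$ipv4" = "yes" ]; then
        # Same effect as: export JAVA_TOOL_OPTIONS="-Djava.net.preferIPv4Stack=true"
        cmd="$cmd -Djava.net.preferIPv4Stack=true"
    fi
    echo "$cmd -jar \"$BURP_JAR\""
}

# Total RAM in MB: /proc/meminfo on Linux, sysctl hw.memsize on macOS,
# otherwise a conservative 2048 MB default.
detect_ram_mb() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo
    elif command -v sysctl >/dev/null 2>&1 && sysctl -n hw.memsize >/dev/null 2>&1; then
        sysctl -n hw.memsize | awk '{ printf "%d", $1 / 1024 / 1024 }'
    else
        echo 2048
    fi
}

# True when a java binary is reachable through PATH.
java_present() {
    command -v java >/dev/null 2>&1
}

# Only launch when explicitly asked, so the functions above can be sourced
# and inspected without starting Burp.
if [ "${BURP_LAUNCH:-no}" = "yes" ]; then
    java_present || { echo "java not found in PATH; install a JRE first" >&2; exit 1; }
    ram=$(detect_ram_mb)
    heap=$(heap_mb_for_ram "$ram")
    cmdline=$(burp_command "$heap" "${BURP_FORCE_IPV4:-no}")
    echo "Starting Burp Suite with: $cmdline"
    exec sh -c "$cmdline"
fi
```

Run it as `BURP_JAR=/opt/burp/burpsuite.jar BURP_LAUNCH=yes ./burp.sh`, adding `BURP_FORCE_IPV4=yes` only when the `Permission denied: connect` error appears, since the flag turns off IPv6 for the Burp process.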
Many people have reported this as a bug on the Burp support forums. Most of the people who complained were using Microsoft Windows 7 64-bit operating system running a 32-bit version of the JVM.
The official documentation of Burp doesn't say anything about not working with JVMs apart from the official Oracle Java. There was a time when if we tried to run Burp Suite with OpenJDK, it would start off by giving a warning. But now, it runs perfectly without any warnings in Kali with OpenJDK.
Kali is a Linux-based distribution that has been specifically created for penetration testing and security testing of applications and networks. Previously, it was known as Backtrack. In the following screenshot, we can see that it runs the OpenJDK JRE and is able to run Burp Suite without any issues:
We have successfully managed to start Burp Suite. Usually, we just double-click on the application shortcut and get it working. However, if we want to use the full power of the application, we need to understand some of the underlying concepts of memory and networking.
In this chapter, you learned how to allocate and reserve a specified amount of RAM for use while Burp Suite runs. This will ensure that while doing a security assessment, memory issues will not hamper our progress in any way. We also saw an error that can crop up, which is quite difficult to understand unless you have seen it before.
Now that we have successfully started Burp Suite, in the next chapter, we will see how to configure our web browsers to send web traffic through it for interception and analysis.