Burp Suite Essentials

By Akash Mahajan
About this book

Publication date: November 2014
Publisher: Packt
Pages: 144
ISBN: 9781783550111

Chapter 1. Getting Started with Burp

Burp Suite is a collection of tightly integrated tools that allow effective security testing of modern-day web applications. It provides a great combination of tools that allow automated and manual workflows to test, assess, and attack web applications of all shapes and sizes. Getting started with Burp is easy, and with some practice we can become extremely comfortable and skilled at using the various powerful tools that Burp Suite offers.

Burp Suite is a piece of modern software written in the Java language. Java makes it cross-platform and extremely versatile for use by both novices and professionals. This chapter will get you started with Burp quickly while giving you enough information to ease our journey of getting acquainted with Burp Suite. Unlike point-and-click automated scanners, the tool is meant to be used in a hands-on manner; while it makes it easy to automate parts of the testing, it can do a great deal more in the hands of an expert. Since our aim is to optimize the way we use Burp, this chapter introduces a few tricks that make it easier to get started.

Burp Suite is distributed as a single Java Archive (.jar) file. The free version can be downloaded from http://portswigger.net/burp/downloadfree.html. There is no registration or form to fill out, but if you'd rather get the Pro version, which I highly recommend, then you need to buy it from the same website to be able to download it. There are significant differences between the free version and the Pro version, but if you are a serious tester looking for the best value-for-money scanner / web application security tool, it should be Burp Suite Pro.

The main differences between the free version and the Pro version of Burp Suite are:

  • Burp Scanner

  • The ability to save and restore your work

  • Engagement tools, such as Target Analyzer, Content Discovery, and Task Scheduler

These are the topics we'll be covering in this chapter:

  • Starting Burp from the command line

  • Setting memory options based on our requirement and system RAM

  • Troubleshooting the IPv6 error that sometimes occurs

Oracle Java 1.6 or above is currently required for the software to run.

Oracle Java 1.6+ is usually installed for Windows and Mac OS X. If your computer doesn't have it installed, go to http://java.com, choose the version of Java Runtime Environment (JRE) for your operating system, and follow the installation instructions.

The official documentation cautions users against double-clicking on the .jar file. This is to ensure that we can clearly specify the amount of RAM allocated to the Burp process when we start it.

Some people have successfully run Burp with other flavors of Java, but for now, we will focus on running it well with Oracle Java 1.6 or above.

Starting Burp from the command line

Burp doesn't have an elaborate setup process. Starting Burp is as simple as executing a command in your shell of choice.

Starting Burp requires Java to be already installed and configured on your computer. If your computer doesn't already have Java 1.6+, you can get it for free from http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html.

We need the JRE, so click on the Download button under JRE.

If your computer already has Java 1.6 or above installed, execute the following in your shell:

java -jar /path/to/burpSuite.jar

Those who have done Java programming will understand what is happening here. We are passing a JAR to the Java runtime. Please note there are no command-line options that need to be passed to Burp Suite.

 

Specifying memory size for Burp


If we start Burp Suite by double-clicking on the .jar file, the Java runtime will set the maximum memory available to Burp on its own. The amount allocated varies with the available system RAM. Since Burp Suite will capture hundreds and sometimes thousands of requests and responses of various sizes, it makes sense to set the allocation ourselves when we start the program.

Burp Suite may crash if the total memory available is not enough. While doing a security assessment, we don't want to worry about disruption to our work, or fear losing valuable data about the assessment because Burp Suite crashed. Therefore, it is prudent to specify at the outset how much system RAM is allocated to Burp Suite.

Specifying the maximum memory Burp is allowed to use

We can use command-line flags provided by Java to ensure that Burp has enough memory, and some to spare, while running our security assessment:

java -Xmx2048M -jar /path/to/burpsuite.jar
java -Xmx2G -jar /path/to/burpsuite.jar

Both these commands will allocate 2 GB of RAM to Burp Suite. We can also pass options for gigabytes, megabytes, or kilobytes. You can read up more about this at the Oracle page at http://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/jrdocs/refman/optionX.html#wp999528.

This should be enough for most web applications that need to be tested. If you have more system RAM to spare, you can increase it further. There is a small caveat you should know about: if you increase the memory allocated to Burp Suite beyond 4 GB, the Java Virtual Machine (JVM) garbage collector (GC) will need to do more work, which has been known to adversely affect the performance of Java-based applications. That said, there are clear performance gains to be had by increasing the minimum heap size from the default, which can be as low as 128 MB on older machines.

Ensuring that IPv4 is allowed

Sometimes, Java picks up the IPv6 address on the interface, and Burp is unable to make any connections to websites returning an IPv4 address. This results in a Java error, which is as follows:

java.net.SocketException: Permission denied

The browser also shows a cryptic error, which is as follows:

Burp proxy error: Permission denied: connect

If we ever encounter this error, all we need to do is tell Java that we want to use the IPv4 interface by passing the following parameter to the runtime:

java -Xmx2048M -Djava.net.preferIPv4Stack=true -jar /path/to/burpsuite.jar

This command and flag tell the Java runtime to prefer the IPv4 network stack when running the Burp Suite JAR file. Another option is to set the same flag through a Java options environment variable.

Please note that by running the preceding command, IPv6 will be disabled for the Burp process.

Many people have reported this as a bug on the Burp support forums. Most of those who complained were running a 32-bit version of the JVM on the 64-bit Microsoft Windows 7 operating system.
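Putting the chapter's launch advice together, here is an added example (my own shell script, not code from the book or from PortSwigger) that checks the Java 1.6+ requirement, derives a -Xmx value from the machine's RAM while respecting the 4 GB caveat above, and adds the IPv4 flag when asked. The RAM figure and jar path are constructed placeholders, and the half-of-RAM rule with a 1 GB floor is this example's own assumption.

```shell
#!/bin/sh
# Added example (not the book's own code): assemble the Burp launch line that
# this chapter builds up by hand. Assumptions of this example: the RAM figure
# and jar path are constructed placeholders; heap = half of RAM, floored at
# 1 GB and capped at 4 GB (the cap follows the chapter's GC caveat).

# java_version_ok "1.6.0_45" succeeds when the version is 1.6 or newer.
# Handles the old "1.x.y_zz" strings and the newer "9" / "11.0.2" style.
java_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | cut -d_ -f1)
    if [ "$major" = "1" ]; then
        [ "${minor:-0}" -ge 6 ] && return 0
    else
        [ "$major" -ge 6 ] && return 0
    fi
    return 1
}

# burp_heap_flag <total_ram_mb> prints the -Xmx flag for that machine.
burp_heap_flag() {
    heap=$(( $1 / 2 ))
    if [ "$heap" -lt 1024 ]; then heap=1024; fi
    if [ "$heap" -gt 4096 ]; then heap=4096; fi
    printf '%s%sM\n' -Xmx "$heap"
}

# burp_launch_cmd <jar> <total_ram_mb> [ipv4] prints the full command line;
# pass "ipv4" to add the flag from the "Ensuring that IPv4 is allowed" section.
burp_launch_cmd() {
    flags=$(burp_heap_flag "$2")
    if [ "${3:-}" = "ipv4" ]; then
        flags="$flags -Djava.net.preferIPv4Stack=true"
    fi
    printf 'java %s -jar %s\n' "$flags" "$1"
}

# The environment-variable route the chapter mentions: the JVM also reads
# JAVA_TOOL_OPTIONS, so the same flags can be set there instead, e.g.
#   export JAVA_TOOL_OPTIONS='-Djava.net.preferIPv4Stack=true'

# Demonstration on constructed input: an 8 GB machine running Java 1.6.0_45.
if java_version_ok "1.6.0_45"; then
    burp_launch_cmd /path/to/burpsuite.jar 8192 ipv4
    # prints: java -Xmx4096M -Djava.net.preferIPv4Stack=true -jar /path/to/burpsuite.jar
fi
```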

 

Working with other JVMs


Burp's official documentation does not say that it won't work with JVMs other than the official Oracle Java. There was a time when running Burp Suite with OpenJDK would produce a warning at startup, but it now runs perfectly, without any warnings, on Kali with OpenJDK.

Kali is a Linux-based distribution that has been created specifically for penetration testing and security testing of applications and networks. Previously, it was known as BackTrack. In the following screenshot, we can see that it runs the OpenJDK JRE and is able to run Burp Suite without any issues:

[Screenshot not reproduced: Burp Suite running on Kali with the OpenJDK JRE]

Summary

We have successfully managed to start Burp Suite. Usually, we just double-click on the application shortcut and get it working. However, if we want to utilize the full power of the application, we need to understand some of the underlying concepts of memory and networking.

In this chapter, you learned how to allocate and reserve a specified amount of RAM for use while Burp Suite runs. This will ensure that while doing a security assessment, memory issues will not hamper our progress in any way. We also saw an error that can crop up, which is quite difficult to understand unless you have seen it before.

Now that we have successfully started Burp Suite, in the next chapter, we will see how to configure our web browsers to send web traffic through it for interception and analysis.

About the Author
  • Akash Mahajan

    Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He has extensive experience in working with clients to provide innovative security insights that truly reflect the commercial and operational needs of the organization, from strategic advice to testing and analysis to incident response and recovery. He is an active participant in the international security community and a conference speaker, both individually, as chapter lead of the Bangalore chapter of OWASP (the global organization responsible for defining the standards for web application security), and as a co-founder of NULL, India's largest open security community. Akash runs Appsecco, a company focused on application security. He authored the book Burp Suite Essentials, published by Packt Publishing in November 2014, which is listed as a reference by the creators of Burp Suite.
