Everyone who doesn’t live under a rock knows, and has probably used, Burp Suite by PortSwigger. Recently a 2.0 beta was released with multiple new features and a new dashboard that controls all running tasks from a single tab. In this post I will write about some Burp features that I find useful and use almost daily to make my life easier.
Having the right scope is the first thing to start with. In tests, the scope can vary from a single page to a complete domain (the best case, in my opinion).
Let’s say for example that the website in scope is sub.example.com. To specify which domain is in scope, go to the Target tab and then Scope. There is an option, use advanced scope control, and by enabling it you can customise the scope you want to have on your website, whether it is one domain or a subdomain. Click Paste URL and Burp will fill in the fields for you. You will see something like this:
In case you don’t care about the Port or the File path, you can leave them empty and Burp will handle it as a wildcard.
You can limit Burp to showing only in-scope items by going to HTTP history -> click on the Filter field and enable Show only in scope items. The same way can be done for
The main way I enumerate content is with gobuster, which is useful for directory and DNS enumeration. Recently I found out that Burp, for several versions now, offers the option to find content on the website using its Discover Content functionality. This feature can be reached by going to Sitemap -> right click on the domain in scope -> Engagement tools and
There you can specify what kind of enumeration you want to do: files only, directories, or both; which file extensions Burp should look for; the depth; the number of threads; and more. The advantage I find in enumerating this way instead of using another tool is that you get a better project structure inside the Site Map, with every request and its response.
Intruder is used for brute forcing, mainly brute forcing of parameters rather than enumeration. Something we don’t see that often these days (luckily) is Basic Authorization. Basic authorization works by sending the user’s credentials in the form username:password, Base64 encoded. In case we know someone’s username (let’s say admin) and we want to brute force the password, a simple payload marker (§) won’t be enough.
The way Burp can process the payload before sending it is really straightforward. In Intruder go to the Payloads tab and scroll down to Payload Processing. Add a new rule, select Add prefix and write admin: as the prefix, since we know that is the username. Then add a new rule and select
Base64-encode. This will Base64 encode the payload before sending it. Finally, because Base64 uses equal signs (=) as padding to fill out its four-character blocks, in the Payload encoding field remove the equal sign from the list of characters. This will prevent Burp from sending YWRtaW46YWRtaW4%3d instead of YWRtaW46YWRtaW4=
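To see why the equal sign has to survive, here is an added Python example (not code from the post or from Burp): it models the two processing rules above plus the Payload encoding step, then decodes the result the way a strict server-side Basic-auth parser would. The KNOWN_USER value and the single-character encoding list are assumptions made for the demonstration.

```python
import base64
import binascii

# Constructed sample input: the username the post assumes.
KNOWN_USER = "admin"


def percent_encode(text: str, chars: str) -> str:
    """Percent-encode only the characters listed in `chars`, using lower-case
    hex like the output quoted in the post (%3d). Everything else passes through."""
    return "".join(f"%{ord(c):02x}" if c in chars else c for c in text)


def intruder_payload(password: str, encode_chars: str = "=") -> str:
    """Model the two Payload Processing rules from the post ('Add prefix' with
    'admin:' and 'Base64-encode'), followed by the Payload encoding step.
    encode_chars stands in for the character list: '=' reproduces the problem the
    post warns about, '' models the list after the equal sign has been removed."""
    token = base64.b64encode(f"{KNOWN_USER}:{password}".encode()).decode()
    return percent_encode(token, encode_chars)


def parse_basic_credentials(header_value: str):
    """Server-side view: decode an 'Authorization: Basic <token>' value the way a
    strict parser does. Returns (username, password), or None when the token is
    not valid Base64, which is exactly what happens when '=' arrives as '%3d'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)  # reject non-alphabet chars
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    for chars in ("=", ""):
        sent = intruder_payload("admin", encode_chars=chars)
        print(f"{sent:22} -> {parse_basic_credentials('Basic ' + sent)}")
```

With the default list the server sees YWRtaW46YWRtaW4%3d and rejects it, so every password in the list would appear wrong; with the equal sign removed it decodes to admin:admin.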
One small tweak that can save you some time is to change the behaviour of a new Intruder window: click New tab behaviour -> Copy configuration from last tab. Additionally, in case you believe something went wrong with Intruder, you can right click on the items you are interested in and select Request items again.
Proof of Concepts
Burp has a really helpful function for this: just right click on the request for which you would like to create a PoC, then select Engagement tools and Generate CSRF PoC.
Burp gives the ability to create a proof of concept by using
Using shortcuts makes life so much easier. 90% of the time your hands are on the keyboard, and it is easier to press two keys than to scroll with the mouse. This is a list of shortcuts that will save you some time.
| Shortcut | Action | Go to |
|---|---|---|
| CTRL + R | Send request to | |
| CTRL + I | Send request to | |
| CTRL + T | Turn Proxy On/Off | Go to |
| CTRL + U | | |
| CTRL + H | | |
| CTRL + B | | |
| CTRL + Space | Issue repeater request | – |
Below is a list of the extensions I believe are worth giving a try.
| Extension | Description | Edition |
|---|---|---|
| Active Scan++ | Improves Passive and Active Scanner | Free |
| WSDLer | WSDL to SOAP requests | Free |
| Freddy | Exploit deserialization attacks | Pro |
| SQLipy | SQLmap on Burp | Free |
| TokenJar | Manage CSRF tokens and Session IDs | Free |
| J2EEScan | Tests J2EE applications | Pro |
| Logger++ | Improves filtering process | Free |
| Brida | Bridge between Frida and Burp | Free |
| Request Minimizer | Minimizes long session cookies etc. | Free |
| Sleepy Puppy | Detect delayed XSS vulnerabilities | Free |
| NoPE Proxy | Extension for non-HTTP requests | Free |
| Reflected parameters | Checks for parameters that get reflected in the response | Pro |
| .NET beautifier | Makes .NET easily readable by hiding ViewStates etc. | Free |
| JSON beautifier | Readable JSON strings | Free |
Keep in mind that many of those extensions require Jython, which can be installed directly from Burp Suite.
Note: The title is just for fun of course, there is no Battle Royale on Burp Suite. I think so at least.