What is Burp Suite?

If we have a website or web application, we use tools to perform penetration testing on it, and Burp, or Burp Suite, is the most popular set of tools for penetration testing of web applications. PortSwigger is the company that developed this tool, and the founder of this company is Dafydd Stuttard. Apart from the features provided by Burp Suite itself, we can add plugins to get more functionality. These plugins are called BApps, and by installing them we can extend the capabilities of Burp Suite. It is the most popular web security tool among researchers because it is very easy to use, which makes it better than other tools. There are other tools on the market that are available free of cost, like OWASP ZAP, but they do not provide as much functionality. The community edition of Burp Suite is free of cost. The professional edition costs around $399 per year, and the enterprise edition costs around $3999 per year.

Now we will discuss the tools provided by Burp Suite:

1. Spider

This feature is used to target a particular web application for security testing. By crawling the web application, our purpose is to discover its endpoints. Once we have the endpoints, we can analyze the functionality and vulnerabilities of the web application. This is called the recon process; the more endpoints we discover during it, the more attack surface we have to examine, so problems can be found more easily during web testing.

2. Proxy

Burp Suite has a proxy feature that gives the user more control over request-response pairs. It allows users to see the contents of each request and response, and users can also modify these contents. It also allows users to send requests and responses on to the other tools in Burp Suite. This proxy server runs on a specific IP address and port number.
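What the proxy lets a tester do with an intercepted request is parse it, change it, and forward the edited bytes. The following Python is an added example written for this page, not Burp's own code: it parses a constructed HTTP/1.1 request, edits the body while keeping Content-Length consistent (the usual mistake when editing a captured request by hand), and filters requests by host the way Burp's target scope does. The request, the host `shop.example` and the helper names are all assumptions made for the example.

```python
"""Added example: parse, edit and re-serialize an intercepted HTTP request."""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


def serialize_request(req: HttpRequest) -> bytes:
    """Rebuild the bytes that would be forwarded to the server."""
    head = [f"{req.method} {req.target} {req.version}"]
    head += [f"{name}: {value}" for name, value in req.headers.items()]
    return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + req.body


def edit_body(req: HttpRequest, new_body: bytes) -> HttpRequest:
    """Return a copy with a new body and a Content-Length that matches it.

    A stale Content-Length after a manual edit makes the server read too
    few or too many bytes, so the edited request must fix it."""
    headers = dict(req.headers)
    headers["Content-Length"] = str(len(new_body))
    return HttpRequest(req.method, req.target, req.version, headers, new_body)


def in_scope(req: HttpRequest, hosts: set) -> bool:
    """Filter like Burp's target scope: keep only requests to the listed hosts."""
    return req.headers.get("Host", "").lower() in {h.lower() for h in hosts}


# Constructed sample request (not a real capture); body is 27 bytes long.
RAW_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)

if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    edited = edit_body(req, req.body + b"&lang=en")
    print(serialize_request(edited).decode("iso-8859-1"))
```

The parser is deliberately minimal (no folded headers, no chunked bodies); it is enough to show why a proxy must re-serialize the request rather than splice text into the captured bytes.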
Users can also filter out particular request-response pairs.

3. Intruder

This tool sends a set of payloads through an input point and collects the resulting output values. By observing these values, such as the response status and content length, we determine whether each attempt failed or succeeded. If it failed, we change the content and try again. So this tool is used for some specific attacks like:
4. Repeater

This tool allows users to send a request to the server multiple times, modifying its content each time. It is used for the following objectives:
5. Sequencer

This tool is used to check the randomness of the tokens generated by the web server. The web server generates random tokens for authentication purposes. These tokens must be random so that every character in the token has a fair chance of appearing. So Sequencer checks the probability of each character in the token. If any token has a character whose probability falls below some threshold, the token is rejected. In this way Sequencer separates weak tokens from strong ones. Session cookies and anti-CSRF tokens are common examples of these tokens.

6. Decoder

This tool supports many encoding schemes, like URL, Base64 and HTML, which are applied to chunks of data such as those placed in request headers.

7. Extender

Apart from the features provided by Burp Suite itself, we can add plugins to get more functionality. These plugins are called BApps, and by installing them we can extend the capabilities of Burp Suite. Installation and removal of plugins is managed in the Extender window of Burp Suite.

8. Scanner

This tool scans the complete website and then reports the vulnerabilities it finds, with the relevant details. The scanner is not available in the community edition.
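The Sequencer idea above, a per-position look at how evenly characters are distributed across many tokens, can be reproduced with a few lines of Python. This is an added example written for this page and is not Burp's own analysis (Burp runs a much larger battery of statistical tests); it computes the Shannon entropy of each character position over a sample of tokens and flags positions that fall well below the ideal for the alphabet. The two constructed token sets, the hex alphabet and the 50% threshold are assumptions made for the example.

```python
"""Added example: per-position character entropy of session tokens."""
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy in bits of the character distribution at each position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    bits = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def weak_positions(tokens, alphabet_size, min_fraction=0.5):
    """Positions whose entropy is below min_fraction of log2(alphabet_size).

    A fully random hex position is worth 4 bits; a constant prefix or a
    zero-padded counter yields 0 bits and is flagged."""
    ideal = math.log2(alphabet_size)
    return [i for i, h in enumerate(position_entropy(tokens))
            if h < min_fraction * ideal]


def assess(tokens, alphabet_size=16):
    """Summarise a token sample: which positions are weak and a verdict."""
    weak = weak_positions(tokens, alphabet_size)
    return {
        "token_length": len(tokens[0]),
        "weak_positions": weak,
        "verdict": "weak" if weak else "ok",
    }


def make_samples(seed=7, count=2000):
    """Constructed sample data (assumption, not real captures).

    'predictable' is a fixed prefix plus a zero-padded hex counter;
    'random' draws every hex digit from a seeded PRNG."""
    rng = random.Random(seed)
    predictable = ["a1b2" + format(i, "08x") for i in range(count)]
    digits = "0123456789abcdef"
    random_tokens = ["".join(rng.choice(digits) for _ in range(12))
                     for _ in range(count)]
    return {"predictable": predictable, "random": random_tokens}


if __name__ == "__main__":
    for name, sample in make_samples().items():
        print(name, assess(sample))
```

With 2000 samples the predictable scheme shows zero entropy in the prefix and the padding digits, while only the last few counter digits look random; a real Sequencer run also needs enough samples for the estimate to be meaningful, which is why Burp asks for a large capture before reporting.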