
What is Burp Suite?

If we have a website or web application, we use tools to perform penetration testing on it, and Burp, or Burp Suite, is the most popular set of tools for penetration testing of web apps. PortSwigger is the company that developed this tool, and the founder of the company is Dafydd Stuttard.

Apart from the features provided by Burp Suite, we can add plugins to get more functionality. These plugins are called BApps, and by installing them, we can enhance the capability of Burp Suite. It is the most popular web security tool among researchers because it is very easy to use, which makes it better compared to other tools. There are other tools on the market that are available free of cost, such as OWASP ZAP, but they do not provide as much functionality. The community edition of Burp Suite is free of cost. The professional edition costs around $399 per year, and the enterprise edition costs around $3999 per year.

Now, we will discuss the tools provided by the Burp Suite:

1. Spider

This feature is used to target a particular web application for web security testing. By targeting the web application, our purpose is to get its endpoints. With the endpoints, we can easily analyze the functionality and vulnerabilities of the web application. This is called the recon process, and during this process, the more endpoints we get, the more attack surface we get, so that we can easily resolve problems during web testing.

2. Proxy

Burp Suite has a proxy feature that gives the user more freedom over requests and responses. It allows users to see the contents of each request and response, and users can also modify these contents. It also allows users to send the new requests and responses to the server under another tool of the Burp Suite. The proxy server runs on a specific IP address and port number. Users can also filter out particular request-response pairs.

3. Intruder

This tool takes data sets through an input point and gives output values. After observing these values, we determine the failure or success of the system and the content length. If there is a failure, we change the content. So this tool is used for specific attacks such as:

  • Attacks on passwords and PINs, which are called brute force attacks.
  • Attacks on fields which are vulnerable, which are called dictionary attacks.

4. Repeater

This tool allows users to send requests to the server multiple times with modifications to the content. It is used for the following objectives:

  • To check whether the user has given a verified value or not.
  • If the values are verified, how thoroughly are they verified?
  • To find the values the server expects in the request from the user.
  • If there are unexpected values, how does the server handle them?
  • To identify the session cookies among all the cookies present.
  • To check whether a sanitization scheme is applied by the server and, if so, which scheme is used.

5. Sequencer

This tool is used to check the randomness of the tokens generated by the web server. The web server generates random tokens for authentication purposes. These tokens must be random so that every character in the token has a fair chance of appearing. So Sequencer checks the probability of each character in the token. If any token has any character with a probability of less than some threshold, then the token will be rejected. In this way, Sequencer separates weak tokens from strong tokens. Cookies and anti-CSRF tokens are common examples of these tokens.
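The per-character check described above can be illustrated with the following Python code, which is an added example and not Burp Suite's own algorithm or code from the original page. It measures how evenly characters are distributed at each position across a sample of tokens; the function names, the constructed sample tokens and the 0.9 threshold are assumptions made for illustration.

```python
import math
import secrets
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the characters seen at each token position."""
    if not tokens or any(len(t) != len(tokens[0]) for t in tokens):
        raise ValueError("need a non-empty sample of equal-length tokens")
    n = len(tokens)
    entropies = []
    for i in range(len(tokens[0])):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies

def weak_positions(tokens, alphabet_size, min_ratio=0.9):
    """Positions whose entropy is below min_ratio of the ideal log2(alphabet_size).

    min_ratio is an assumed threshold chosen for this example.
    """
    limit = min_ratio * math.log2(alphabet_size)
    return [i for i, h in enumerate(position_entropy(tokens)) if h < limit]

def make_weak_tokens(n):
    # Constructed sample: fixed prefix "a1", a 4-digit hex counter, 4 random hex chars.
    return [f"a1{i:04x}{secrets.token_hex(2)}" for i in range(n)]

def make_strong_tokens(n):
    # Constructed sample: 10 hex characters from the OS CSPRNG.
    return [secrets.token_hex(5) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("weak", make_weak_tokens(2000)),
                         ("strong", make_strong_tokens(2000))):
        print(name, "weak positions:", weak_positions(sample, alphabet_size=16))
```

On the constructed weak sample the check flags positions 0 to 3 (the fixed prefix and the slow-moving high digits of the counter). The counter's low digits at positions 4 and 5 pass even though they are predictable, so character frequency alone does not show that a token is unpredictable.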

6. Decoder

This tool comes with many encoding schemes, such as URL, Base64, and HTML, which are applied to chunks of the data placed in the request header.

7. Extender

Apart from the features provided by Burp Suite, we can add plugins to get more functionality. These plugins are called BApps, and by installing them, we can enhance the capability of Burp Suite. Installation and uninstallation can be monitored in the Extender window of Burp Suite.

8. Scanner

This scanner tool scans the complete website, and then it finds out the vulnerabilities of the website with the correct information. This scanner tool is not available in the community edition.
