Burp Suite - a security tool
Burp Suite is a toolkit used by web application security professionals. It bundles many tools, and its capabilities can be extended by installing add-ons (BApps) from the BApp Store.
Burp Suite lets you manually intercept, inspect and modify HTTP/S requests and responses passing between the user's browser and the application under test. There are two Burp Suite editions:
  • Burp Suite Community Edition - This is the most basic version and is free to use. It has the tools and features required for basic manual testing, such as intercepting, tampering with and relaying requests using Repeater, and encoding and decoding data.
  • Burp Suite Professional Edition - It comes with advanced features that significantly improve the ability to find potential vulnerabilities.
Target: This tool visualizes the target application's contents in a folder hierarchy that corresponds to the site's URL structure.
Proxy: This tool intercepts and modifies all web traffic between the browser and the application.
Spider: It is a web crawler used to locate contents and functionalities.
Intruder: Also called a web fuzzer. This tool runs automated, customized attacks against web applications, typically by sending unexpected input to the target application; this includes brute-force or dictionary attacks on password forms, PIN forms, etc.
Repeater: It modifies and reissues individual web requests, which helps answer questions such as:
  • Are user-supplied values being validated at all?
  • If user-supplied values are being validated, how well is it being done?
  • What values is the server expecting in an input parameter or request header?
  • How does the server handle unexpected values?
  • Is input sanitization being applied by the server?
  • How well does the server sanitize user-supplied input?
  • What sanitization style is the server using?
  • Among all the cookies present, which one is the actual session cookie?
  • How is CSRF protection implemented, and is there a way to bypass it?
Sequencer: This tool analyzes the quality of an application's session tokens. It can be used to find weak tokens and to work out how they are constructed.
Decoder: This tool is for decoding and encoding data.
Comparer: This is for comparing two items of data. For example, pairs of similar HTTP messages.
  • When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in the responses.
  • When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.
  • When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behavior.
  • When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.
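The first Comparer use case above, a defender's regression check that failed-login responses do not differ depending on whether the username exists, as an added example (not code from the page or from PortSwigger). It parses two raw HTTP responses, compares status line, headers and body the way Comparer's word-level comparison does, and ignores headers that legitimately vary between requests. The four responses are constructed for illustration; the function names and the `ignore_headers` default are my own assumptions.

```python
import difflib


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into status line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def compare_responses(a_raw, b_raw, ignore_headers=("date", "set-cookie")):
    """Return a list of (what, value_in_a, value_in_b) differences.

    Headers named in `ignore_headers` are skipped because they change on
    every request and would otherwise hide the differences that matter.
    """
    a, b = parse_http_response(a_raw), parse_http_response(b_raw)
    diffs = []
    if a["status"] != b["status"]:
        diffs.append(("status", a["status"], b["status"]))
    for name in sorted(set(a["headers"]) | set(b["headers"])):
        if name in ignore_headers:
            continue
        if a["headers"].get(name) != b["headers"].get(name):
            diffs.append(("header:" + name, a["headers"].get(name), b["headers"].get(name)))
    if len(a["body"]) != len(b["body"]):
        diffs.append(("body-length", len(a["body"]), len(b["body"])))
    if a["body"] != b["body"]:
        # Word-level comparison, similar to Comparer's "Words" mode.
        a_words, b_words = a["body"].split(), b["body"].split()
        matcher = difflib.SequenceMatcher(None, a_words, b_words)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag != "equal":
                diffs.append(("body-words", " ".join(a_words[i1:i2]), " ".join(b_words[j1:j2])))
    return diffs


def leaks_username_existence(unknown_user_raw, bad_password_raw):
    """True if the two failed-login responses are distinguishable."""
    return bool(compare_responses(unknown_user_raw, bad_password_raw))


# Constructed responses (not captured from any real application).
# Leaky pair: the error text reveals whether the username exists.
RESP_UNKNOWN_USER = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\nContent-Length: 38\r\n\r\n"
    "<p>Login failed: unknown user name</p>"
)
RESP_BAD_PASSWORD = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 10:00:01 GMT\r\n"
    "Content-Type: text/html\r\nContent-Length: 39\r\n\r\n"
    "<p>Login failed: incorrect password</p>"
)
# Hardened pair: identical except for headers that vary per request.
RESP_SAME_A = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 10:00:02 GMT\r\n"
    "Set-Cookie: sid=aaaa; HttpOnly\r\nContent-Type: text/html\r\n"
    "Content-Length: 40\r\n\r\n<p>Login failed: invalid credentials</p>"
)
RESP_SAME_B = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 10:00:03 GMT\r\n"
    "Set-Cookie: sid=bbbb; HttpOnly\r\nContent-Type: text/html\r\n"
    "Content-Length: 40\r\n\r\n<p>Login failed: invalid credentials</p>"
)


if __name__ == "__main__":
    for what, a_val, b_val in compare_responses(RESP_UNKNOWN_USER, RESP_BAD_PASSWORD):
        print(f"{what}: {a_val!r} != {b_val!r}")
    print("hardened pair leaks:", leaks_username_existence(RESP_SAME_A, RESP_SAME_B))
```

Response timing is not covered by this comparison; a server that returns identical bytes but takes measurably longer for a valid username still reveals the same information, so a complete check should also compare response times.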
Extender: This extends Burp's functionality with third-party extensions.