Getting Started with Burp Suite
Burp Suite is a very powerful tool for intercepting and manipulating HTTP traffic to find vulnerabilities in websites. The Community Edition works fine for learning, but it is deliberately slower: Intruder is rate limited and the automated scanner is missing. If you are serious about web testing you should support the product and buy the Professional edition (about $400/year). Worth mentioning, the Enterprise edition adds CI integration, which is really useful for DevSecOps pipelines.
Installation/Upgrading on Debian/Ubuntu
Installation is fairly easy: make sure a Java runtime (Java 8 or later) is installed and then install Burp Suite. The standalone installer from PortSwigger bundles its own Java runtime, so that step only matters for the apt package or the plain JAR.
Upgrading on Kali/Parrot OS/Debian/Ubuntu
If you are using Kali or Parrot OS (both Debian-based) and just want to upgrade an existing Burp Suite install, the command below will do it.
sudo apt-get install burpsuite
Fresh installs need a little more work. Verify that Java 8 (or later) is installed by running java -version; if it is not, install it:
# if it is not then install it...
sudo apt-get install openjdk-8-jre
Installing Burp Suite on Windows is as easy as downloading the installer from PortSwigger and running it.
FoxyProxy Browser Extension
This is the best browser extension for switching between proxies. There are others, but this one is the easiest to set up and use, and it is very intuitive. Create a dedicated profile for Burp and switch it on only while testing, so your everyday browsing does not flow through the proxy.
Configuring FoxyProxy for Burp Suite is really easy: set "Proxy Type" to "HTTP", "Proxy IP Address" to "127.0.0.1" and "Port" to "8080". These match Burp's default Proxy listener (Proxy > Options); if you changed the listener, use the same address and port here.
Installing the Root Certificate
You will need to install Burp's CA certificate in the browser in order to use Burp Suite on a website that uses HTTPS. Burp terminates TLS and forges a per-host certificate signed by its own CA, so without the CA installed every HTTPS site throws a certificate warning. With the browser proxied through Burp, download the certificate from http://burpsuite/cert (or export it from the Proxy tab) and import it as a trusted authority. Do this only in a dedicated testing browser profile: any browser that trusts this CA can have its TLS traffic intercepted by whoever holds Burp's CA private key.
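Scripts and command-line clients need the same two settings the browser got: route traffic to the Burp listener and trust Burp's CA. The following is an added example, not code from the original page or from PortSwigger; it converts the DER export (Burp's cacert.der) to PEM with the standard library and builds a urllib opener that goes through 127.0.0.1:8080. The file names cacert.der and burp-ca.pem are assumptions.

```python
import ssl
import urllib.request

# Burp's default Proxy listener; the same host and port FoxyProxy was pointed at.
BURP_PROXY = "127.0.0.1:8080"


def der_to_pem(der_bytes: bytes) -> str:
    """Convert Burp's exported CA (cacert.der, DER encoded) to the PEM form Python's ssl wants."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def burp_proxies(proxy: str = BURP_PROXY) -> dict:
    """Proxy map for urllib: both http and https go to the Burp listener (https via CONNECT)."""
    return {"http": "http://" + proxy, "https": "http://" + proxy}


def burp_opener(ca_pem_path: str, proxy: str = BURP_PROXY) -> urllib.request.OpenerDirector:
    """Opener that routes requests through Burp and trusts Burp's CA for the per-host
    certificates Burp forges. Test environments only: anything trusting this CA can be
    intercepted by whoever holds Burp's CA private key."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(proxy)),
        urllib.request.HTTPSHandler(context=ctx),
    )


if __name__ == "__main__":
    # Hypothetical file names: convert the DER export once, then browse through Burp.
    with open("cacert.der", "rb") as f:
        pem = der_to_pem(f.read())
    with open("burp-ca.pem", "w") as f:
        f.write(pem)
    opener = burp_opener("burp-ca.pem")
    print(opener.open("https://example.com/").status)
```

Because the context is built with cafile= only, the opener trusts nothing but Burp's CA; that is what you want while testing (it fails loudly if traffic somehow bypasses the proxy) and exactly why it must not be reused for anything else.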
Burp Suite Payloads
You'll need payload lists for LFI, SQLi, User-Agent and XSS testing. These are plain text files, one payload per line (the SecLists project is a common source), that Intruder sends against a website or endpoint, one request per entry or, in cluster bomb mode, one per combination.
Burp Suite: Intercept, Repeater and Manual Manipulation
Being able to intercept and manipulate requests is one of Burp Suite's hallmark features. It is great for tampering with product prices or a shopping cart's total to see whether the backend validates products and totals at all, or simply trusts whatever the client sends. Imagine being an attacker and changing the price of your own order, or gaining administrative access by tampering with POST variables such as a role or user ID field that the server should be deriving from the session instead.
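To make the backend side of that concrete, here is an added example (not code from the original page) of the two checkout handlers Repeater tampering distinguishes: one that trusts the posted price and role, and one that recomputes the total from a server-side catalogue and takes the role from the session. The catalogue, field names and session dict are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed server-side price list standing in for the shop database (example data).
CATALOGUE = {"42": 49.99, "7": 5.00}


def vulnerable_checkout(body: str) -> float:
    """Trusts the price the client posted. Editing price=49.99 to price=0.01 in
    Intercept or Repeater changes what the customer is charged."""
    form = parse_qs(body)
    price = float(form["price"][0])
    qty = int(form["qty"][0])
    return round(price * qty, 2)


def hardened_checkout(body: str) -> float:
    """Ignores any client-supplied price, recomputes the total from the catalogue and
    rejects unknown items and nonsensical quantities."""
    form = parse_qs(body)
    item = form.get("item_id", [None])[0]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", ["0"])[0])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return round(CATALOGUE[item] * qty, 2)


def vulnerable_is_admin(body: str, session: dict) -> bool:
    """Reads the role from the POST body: flipping role=user to role=admin grants access."""
    form = parse_qs(body)
    return form.get("role", ["user"])[0] == "admin"


def hardened_is_admin(body: str, session: dict) -> bool:
    """Authorisation comes from the server-side session, never from the request body."""
    return session.get("role") == "admin"


if __name__ == "__main__":
    tampered = "item_id=42&qty=2&price=0.01"
    print("vulnerable total:", vulnerable_checkout(tampered))   # what the attacker pays
    print("hardened total:  ", hardened_checkout(tampered))     # what the catalogue says
```

When you send the tampered body from Repeater, the vulnerable handler reflects the attacker's price in the order total, while the hardened one returns the catalogue price; a negative or zero quantity is the second thing to try, because a refund-shaped total is as bad as a cheap one.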
Burp Suite: Brute Forcing with rockyou.txt
Burp Suite can also brute force forms using a wordlist dictionary such as rockyou.txt. This is a feature you should really only use in Burp Suite Professional: the Community Edition will work, but it is extremely slow because Intruder is rate limited by design.
In this demonstration, I’ll be using VulnHub: DC 4.
First, you’ll need to make sure your traffic is being proxied through Burp Suite.
Capturing a Request
To start off, I will enter some random information into the username and password field such as “admin” and “password”. With Burp Suite listening for proxied traffic I should be able to intercept a request.
Great! I’ve intercepted a request to Burp Suite.
Right click anywhere in the request and select "Send to Intruder" from the context menu (Ctrl+I does the same).
Configuring the Intruder (Clusterbomb)
The first thing I'm going to do is clear the predefined payload positions (the teal-highlighted values wrapped in § markers) with "Clear §", then highlight the username and password values and click "Add §". The PHPSESSID cookie is fine as it is and we do not want it to change, so it stays unmarked: we only want to map payloads to the username and password fields.
Your positions should look like this now. You will also need to set the attack type to "Cluster bomb", which uses a separate payload set for each position and tries every combination.
Setting up the Payloads
At this point there will be two payload sets. The first (the username position) should be "admin" and "administrator", since we don't know the admin's username. The second is the password list. Loading rockyou.txt is possible if you have enough RAM, but it holds over 14 million passwords, and because cluster bomb tries every combination that means two requests per password; it will slow Burp Suite down enormously. A trimmed list of the most common passwords is a better first pass.
Running the Attack
Everything is ready for the attack. Once it has started you can see it alternate between "admin" and "administrator" while trying each password once. When the HTTP status or Content Length changes we will know something has happened, so sort the results on those columns. Looking at the image below, I see that request 925 has a content length of 660, unlike the others. I also noticed that all of the HTTP statuses from that point on were 200 (success). That is most likely because the PHPSESSID cookie was kept constant across the attack: once request 925 logged that session in, every later request was made as an already-authenticated user, so the first differing row is the one that matters. By clicking on request 925 I can also see in the HTML response that it says "You are currently logged in".
I tried logging in with “admin” and “happy” and it worked. Password cracked!
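The following is an added example, not code from the original page or from the DC-4 VM, that replays the attack above offline against a constructed stand-in for the login page. It shows cluster-bomb ordering (position 1 cycles fastest, hence the admin/administrator alternation), triage by status and content length, and the effect of reusing one PHPSESSID: after the first hit every later row also looks "logged in", which is why the statuses turned 200 from a certain point. Running each attempt in a fresh session (in Burp, drop the cookie from the template or use a session handling rule) leaves a single hit. The server logic, the password list and the session format are constructed; only the admin/happy pair comes from the page.

```python
from collections import Counter

# Constructed stand-in for the DC-4 login page so the attack runs offline. The credential
# pair is the page's result; the server logic and session handling are invented for the demo.
VALID_CREDENTIALS = {"admin": "happy"}

# Payload sets as configured in Intruder (cluster bomb, position 1 = username, 2 = password).
USERNAMES = ["admin", "administrator"]
PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon", "monkey", "happy", "football"]


class FakeLoginServer:
    """Minimal PHP-style login: a session cookie that stays logged in once authenticated."""

    def __init__(self):
        self.sessions = {}      # PHPSESSID -> username once logged in, else None
        self._counter = 0

    def new_session(self) -> str:
        self._counter += 1
        sid = "PHPSESSID-%d" % self._counter
        self.sessions[sid] = None
        return sid

    def post_login(self, sid: str, username: str, password: str):
        """Return (status, body): failures redirect back to the form, success renders the
        logged-in page, and an already-authenticated session renders it regardless of input."""
        if self.sessions.get(sid):
            return 200, "<h1>You are currently logged in</h1><p>Welcome back, %s.</p>" % self.sessions[sid]
        if VALID_CREDENTIALS.get(username) == password:
            self.sessions[sid] = username
            return 200, "<h1>You are currently logged in</h1><p>Welcome, %s.</p>" % username
        return 302, "Redirecting to /login.php?error=1"


def cluster_bomb(usernames, passwords):
    """Yield every (username, password) pair in cluster-bomb order: the first position
    (username) cycles fastest, which is the admin/administrator alternation seen in the attack."""
    for password in passwords:
        for username in usernames:
            yield username, password


def run_attack(server, usernames, passwords, reuse_session=True):
    """Replay the Intruder run. reuse_session=True mirrors a static PHPSESSID cookie in the
    request template; False starts a fresh session for every attempt."""
    sid = server.new_session()
    results = []
    for n, (user, pw) in enumerate(cluster_bomb(usernames, passwords), start=1):
        if not reuse_session:
            sid = server.new_session()
        status, body = server.post_login(sid, user, pw)
        results.append((n, user, pw, status, len(body)))
    return results


def anomalies(results):
    """Intruder-style triage: rows whose (status, length) differs from the most common pair."""
    baseline, _ = Counter((r[3], r[4]) for r in results).most_common(1)[0]
    return [r for r in results if (r[3], r[4]) != baseline]


if __name__ == "__main__":
    for reuse in (True, False):
        hits = anomalies(run_attack(FakeLoginServer(), USERNAMES, PASSWORDS, reuse_session=reuse))
        print("reuse_session=%s -> %d anomalous rows, first: %s" % (reuse, len(hits), hits[0]))
```

With the shared session the triage returns four rows (the real hit plus three "Welcome back" pages), so only the first anomalous request identifies the credential; with a fresh session per attempt it returns exactly one.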
Burp Suite: SQL Injection
SQL injection testing in Burp can be done manually, by sending a request to Repeater (or to Intruder with a SQLi payload list) and watching the responses for database errors, timing differences or changed content, or automatically with Burp Scanner, which is only available in the Professional edition.