Burp Suite is one of the best tools available for web application testing. Its wide variety of features helps us perform various tasks, from intercepting a request and modifying it on the fly, to scanning a web application for vulnerabilities, to brute forcing login forms, to checking the randomness of session tokens, and many other functions. In this article we will be doing a complete walkthrough of Burp Suite, discussing all its major features.
Burp Suite (free edition) is available by default in Backtrack 5. The professional edition can be downloaded from here. Some of the features that are not available in the free edition are Burp Scanner, Task Scheduler, Target Analyzer, etc. Overall it has the following features:
1) Proxy - Burp Suite comes with a proxy, which runs on port 8080 by default. Using this proxy, we can intercept and modify the traffic as it flows from the client system to the web application. In order to use this proxy, we have to configure our browser to use it. We can also drop the packets if we want, so that they do not reach their intended destination, or redirect the traffic to a particular host, etc.
2) Spider - The spider feature of Burp Suite is used to crawl web applications looking for new links, content, etc. It automatically submits login forms (through user-defined input) in case it finds any, and looks for new content in the responses. This information can then be sent to Burp Scanner to perform a detailed scan on all the links and content provided by the spider.
3) Scanner - It is used to scan web applications for vulnerabilities. The type of scanning can be passive, active or user-directed. Some false positives might occur during the tests; it is important to remember that no automated scanner is 100 percent accurate in its results. Unfortunately Burp Scanner is not available in the free edition that is included in Backtrack 5.
4) Intruder - This feature can be used for various purposes like exploiting vulnerabilities, fuzzing web applications, carrying out brute force attacks, etc.
5) Repeater - This feature is used to modify and send the same request a number of times and analyze the responses in all those different cases.
6) Sequencer - This feature is mainly used to check the randomness of session tokens provided by the web application. It performs various advanced tests to figure this out.
7) Decoder - This feature can be used to decode data to get back the original form, or to encode and encrypt data.
8) Comparer - This feature is used to perform a comparison between any two requests, responses or any other form of data. This feature could be useful when comparing the responses with different inputs.
The proxy feature allows us to intercept and modify requests. In order to intercept the requests and manipulate them, we must configure our browser to direct its traffic through Burp’s proxy, which is 127.0.0.1:8080 by default.
Once this is done, open up Burp Suite. Go to Proxy, then Intercept and make sure Intercept is on.
If we go to the alerts tab, we can see that a proxy service is running on port 8080. We can also change this configuration by going to the options tab under Proxy.
Let’s have a look at all the options we have while running the proxy. Go to the options tab under proxy.
Here we can edit the port the proxy is listening on, and even add a new proxy listener. Burp also has the option of presenting certificates to SSL protected websites. By default, Burp creates a self-signed CA certificate upon installation. The currently checked option, i.e., generate CA-signed per-host certificates, will generate a certificate for the particular host we are connecting to, signed by Burp’s CA certificate. The only thing we are concerned with here is to decrease the number of warnings a user gets when connecting to an SSL protected website.
If we don’t check the listen in loopback interface only option, the Burp proxy can serve as a proxy for other systems on the network too. This means any computer on the same network can use this Burp proxy and relay its traffic through it, so on a shared network this setting also exposes your intercepted traffic to anyone who can reach the port.
The support invisible proxying for non-proxy-aware clients option is used for clients that do not know that they are using a proxy. This means that the proxy is not set in the browser, but somewhere else, e.g., in the hosts.txt file. The only issue with this is that the request in this case will be a bit different from the requests made when the proxy option is set in the browser itself, and hence Burp needs to know whether it is receiving traffic from a non-proxy-aware client. The redirect to host, redirect to port option will redirect the client to the host and port we specify in that option.
Similarly we can intercept requests and responses based on the rules we specify here. This could be a handy feature when we want to intercept only some of the requests in a very high traffic environment.
There are options for modifying the HTML received in the response. We can unhide hidden form fields, remove JavaScript, etc. Similarly there is an option for finding a specific pattern and replacing it with a custom string. We need to specify regular expressions here; Burp will parse the request or response looking for this pattern and will replace it with the custom string.
Now that we have set up Burp Suite and the configurations in our browser properly, we can intercept requests. Please note that whenever we send a request, it will be intercepted by Burp Suite and we will have to forward it manually. Hence it is advisable to keep the "intercept is on" option checked only when you really want to see the contents of the packets going through.
Open up your browser and start browsing. We will see that the request is being intercepted by Burp Suite. Hence our proxy is working. We can right click on it and send the request to various other tools in Burp Suite for analysis.
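The match-and-replace and "unhide hidden form fields" / "remove JavaScript" options described above are ordinary regular-expression rewrites applied to the response before it reaches the browser. The following is an added example, not code from the article or from PortSwigger, that shows what such a rewrite has to do: apply each rule to the right part of the response (header or body) and then recompute Content-Length, because the body length changes. The rules, the sample response and the X-Powered-By and maxlength rules are constructed for the demo; only the first two mirror options Burp exposes by name.

```python
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    """One match/replace rule, modelled on Burp's Proxy > Options > Match and Replace."""
    where: str          # "header" or "body": which part of the response the rule applies to
    pattern: bytes      # regular expression matched against the raw bytes
    replacement: bytes  # replacement text; \1-style backreferences are allowed
    comment: str


# Rules assumed for this demo. "unhide hidden form fields" and "remove JavaScript" correspond
# to Burp's built-in response options; the maxlength and X-Powered-By rules are custom ones.
RULES: List[Rule] = [
    Rule("body", rb'type=(["\']?)hidden\1', rb'type=\1text\1', "unhide hidden form fields"),
    Rule("body", rb'<script\b[^>]*>.*?</script>', b'', "remove JavaScript"),
    Rule("body", rb'\s*maxlength=(["\']?)\d+\1', b'', "drop client-side length limits"),
    Rule("header", rb'^X-Powered-By:.*$', b'', "strip framework banner"),
]

# Constructed sample response; not captured from any real application.
SAMPLE_BODY = (
    b'<html><body><form action="/login" method="post">'
    b'<input type="hidden" name="csrf" value="abc123">'
    b'<input type="text" name="user" maxlength="8">'
    b"<script>document.title='login'</script>"
    b"</form></body></html>"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Powered-By: ExampleFramework/1.0\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)


def apply_rules(raw: bytes, rules: List[Rule] = RULES) -> bytes:
    """Apply the rules to a raw HTTP response and return the rewritten response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line, headers = lines[0], lines[1:]
    for rule in rules:
        if rule.where == "body":
            body = re.sub(rule.pattern, rule.replacement, body, flags=re.I | re.S)
        else:
            rewritten = [re.sub(rule.pattern, rule.replacement, h, flags=re.I) for h in headers]
            headers = [h for h in rewritten if h]  # an empty result means the rule removed the header
    # The body length has changed, so Content-Length must be recomputed; a rewriting proxy
    # that forgets this produces truncated or hanging responses in the browser.
    headers = [h for h in headers if not h.lower().startswith(b"content-length:")]
    headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join([status_line] + headers) + b"\r\n\r\n" + body


def content_length_consistent(raw: bytes) -> bool:
    """True if the Content-Length header matches the actual body length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"^Content-Length:\s*(\d+)\s*$", head, flags=re.I | re.M)
    return m is not None and int(m.group(1)) == len(body)


if __name__ == "__main__":
    print(apply_rules(SAMPLE_RESPONSE).decode())
```

The defender's reading of this is the same as the tester's: anything a proxy can strip on the way to the browser (hidden fields, JavaScript checks, maxlength attributes) is not a server-side control, so the server must validate those inputs itself.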
Burp Spider is used for mapping web applications. It will automatically crawl the web application looking for links and will submit any login forms it finds, and hence provide a detailed analysis of the whole application. These links can then be passed over to Burp Scanner to perform a detailed scan using the information provided by the spider. In this case I will be using the spider tool on DVWA (Damn Vulnerable Web Application). To do that, simply go to the application DVWA using your browser, make sure intercept is on in Burp Suite, and get the request intercepted by Burp Suite. Right click on the intercepted request, and click on send to spider.
Once you do this, an alert will pop up asking us to add the item to the scope. Click on Yes. A scope basically defines the target region on which we want to run our tests.
If we go to the target tab under site map, we will see that the URL has been added to the target. We can also see that some other targets like http://google.com have been added to the targets list. Burp Suite automatically adds targets as we browse the web while using Burp’s proxy. We can add targets to our scope by right clicking on any target and clicking on add item to scope.
If we go to the Scope tab we find that the application dvwa has been added to the scope.
Go to the Spider tab now and click on options. Here we can set various options while running the Burp Spider on the application. We can ask it to check for the robots.txt file, in which case it will also try to crawl the directories that the website administrator has asked search engines not to index. Another important option is passively spider as you browse. Basically Burp Spider can be run both in passive and active mode; this option asks Burp Spider to keep scanning for new links and content as we browse the web application using Burp’s proxy.
Another important option is application login. Whenever Burp Spider hits a login form while crawling, it can automatically submit the credentials that we provide to it here. I have asked Burp Spider to submit the credentials admin/password as these are the credentials used in DVWA. Hence Burp Spider will submit these credentials automatically and keep crawling ahead looking for extra information. You can also change the thread count if you want.
To begin spidering an application, just right click on the target to reveal the branch for DVWA (in this case dvwa) and click on spider this branch.
This will start the Burp Spider. If we go to the Spider control tab, we can see the requests being made. We can also define a custom scope for Burp Spider.
Once it has finished running, we will see a lot of new URLs for the dvwa branch. This provides us very useful information about the web application. We can then send these URLs to other Burp tools like Burp Scanner (available only in the professional edition) and scan them for vulnerabilities.
Burp Intruder can be used for exploiting vulnerabilities, fuzzing, carrying out brute force attacks and many other purposes. In this case we will be using the Intruder feature in Burp Suite to carry out a brute force attack against DVWA. Browse over to DVWA and click on Brute Force. Enter any username/password, make sure Intercept is on in Burp Suite, and click on Login.
The request will be intercepted by Burp Suite; right click on it and click on send to intruder.
This will send the request information to the Intruder. Go to the Intruder tab. Now we will have to configure Burp Suite to launch the brute force attack. Under the target tab, we can see that it has already set the target by looking at the request.
Go to the positions tab now. Here we can see the request which we had previously sent to Intruder. Some of the things are highlighted in the request; this is basically Burp Suite’s guess at what will be changing with each request in a brute force attack. Since in this case only the username and password will be changing with each request, we need to configure Burp accordingly.
Click on the clear button on the right hand side. This will remove all the highlighted text. Now we need to configure Burp to only set the username and password as the parameters for this attack. Highlight the username from this request (in this case "infosecinstitute") and click on Add. Similarly, highlight the password from this request and click on Add. This will add the username and password as the first and second parameters. Once you are done, your output should look something like this.
The next thing we need to do is set the attack type for this attack, which is found at the top of the request we just modified. By default it is set to Sniper. However, in our case we will be using the attack type "Cluster Bomb". According to Burp’s documentation from portswigger.net, here is the difference between the different types of attack.
Sniper – This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. Positions which are not targeted during a given request are not affected – the position markers are removed and any text which appears between them in the template remains unchanged. This attack type is useful for testing a number of data fields individually for a common vulnerability (i.e., cross-site scripting). The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
Battering ram – This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. This attack type is useful where an attack requires the same input to be inserted in multiple places within the HTTP request (i.e., a username within the cookie header and within the message body). The total number of requests generated in the attack is the number of payloads in the payload set.
Pitchfork – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. For example, the first request will insert the first payload from payload set 1 into position 1 and the first payload from payload set 2 into position 2. The second request will insert the second payload from payload set 1 into position 1 and the second payload from payload set 2 into position 2, and so on. This attack type is useful where an attack requires different but related input to be inserted in multiple places within the HTTP request (i.e., a username in one data field, and a known ID number corresponding to that username in another data field). The total number of requests generated by the attack is the number of payloads in the smallest payload set.
Cluster bomb – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. For example, if there are two payload positions, the attack will place the first payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2; it will then place the second payload from payload set 1 into position 1, and iterate through all the payloads in payload set 2 in position 2. This attack type is useful where an attack requires different and unrelated input to be inserted in multiple places within the HTTP request (i.e., a username in one parameter, and an unknown password in another parameter). The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets – this may be extremely large.
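The four attack types differ only in how payloads are mapped onto the marked positions, and the request counts quoted in the documentation follow directly from that mapping. The following is an added example, not code from the article or from Burp itself, that reproduces the four mappings over a constructed template (the § markers follow Intruder's Positions tab; the /login path and the tiny username and password lists are constructed for the demo and are not DVWA's). The counts are what matter from a defender's side: a cluster bomb over realistic lists is the product of their sizes, which is the volume your lockout and rate-limiting thresholds have to be sized against.

```python
import math
from itertools import product
from typing import Dict, Iterator, List, Sequence

MARK = "§"  # Intruder's payload position marker

# Constructed template with two positions; the text between markers is the baseline value.
TEMPLATE = "GET /login?username=§infosecinstitute§&password=§guess§&Login=Login HTTP/1.1"
USERNAMES = ["admin", "guest", "infosecinstitute"]           # constructed payload set 1
PASSWORDS = ["password", "123456", "letmein", "qwerty"]      # constructed payload set 2


def split_template(template: str) -> List[str]:
    """Split on markers: even indices are literal text, odd indices are position contents."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts


def position_count(parts: List[str]) -> int:
    return len(parts) // 2


def render(parts: List[str], values: Dict[int, str]) -> str:
    """Fill the targeted positions; untargeted positions keep their original text."""
    out = []
    for i, piece in enumerate(parts):
        out.append(values.get(i // 2, piece) if i % 2 == 1 else piece)
    return "".join(out)


def sniper(parts: List[str], payloads: Sequence[str]) -> Iterator[str]:
    """One set; each position in turn, each payload in turn: positions x payloads requests."""
    for pos in range(position_count(parts)):
        for p in payloads:
            yield render(parts, {pos: p})


def battering_ram(parts: List[str], payloads: Sequence[str]) -> Iterator[str]:
    """One set; the same payload in every position at once: len(payloads) requests."""
    for p in payloads:
        yield render(parts, {pos: p for pos in range(position_count(parts))})


def _check_sets(parts: List[str], payload_sets: Sequence[Sequence[str]]) -> None:
    if len(payload_sets) != position_count(parts):
        raise ValueError("one payload set is needed per position")


def pitchfork(parts: List[str], *payload_sets: Sequence[str]) -> Iterator[str]:
    """Sets walked in parallel; stops at the smallest set: min(len) requests."""
    _check_sets(parts, payload_sets)
    for combo in zip(*payload_sets):
        yield render(parts, dict(enumerate(combo)))


def cluster_bomb(parts: List[str], *payload_sets: Sequence[str]) -> Iterator[str]:
    """Every combination, last position varying fastest: product of set sizes requests."""
    _check_sets(parts, payload_sets)
    for combo in product(*payload_sets):
        yield render(parts, dict(enumerate(combo)))


def request_counts(parts: List[str], *payload_sets: Sequence[str]) -> Dict[str, int]:
    """The request totals stated in the documentation, computed from the set sizes."""
    sizes = [len(s) for s in payload_sets]
    return {
        "sniper": position_count(parts) * sizes[0],
        "battering ram": sizes[0],
        "pitchfork": min(sizes),
        "cluster bomb": math.prod(sizes),
    }


if __name__ == "__main__":
    parts = split_template(TEMPLATE)
    print(request_counts(parts, USERNAMES, PASSWORDS))
    for line in cluster_bomb(parts, USERNAMES, PASSWORDS):
        print(line)
```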
As we can see in the image below, our attack type is set to "Cluster Bomb".
Go to the payload tab, make sure payload set 1 is selected, click on load and load the file containing a list of usernames. In my case I am using a very small file just for demonstration purposes. Once you load the file, all the usernames will be displayed as shown in the image below.
Similarly select payload set 2, click on load and load the file containing a list of passwords.
Go to the options tab now and make sure the "store requests" and "store response" options are set under results. Have a look at all the options and see if you need or don’t need any of these options.
All right, we are now set to launch our attack. Click on Intruder on the top left and click on start attack. We will see a window pop up with all the requests being made.
So how do we know which request is successful? Usually a successful request will have a different response than an unsuccessful request, or will have a different status code. In this case we see that the request with the username "admin" and the password "password" has a response of a different length than the other responses.
Let’s click on the request with a different response size. If we click on the response section, we see the text "Welcome to the password protected area admin" in the response. This confirms that the username/password used in this request is the correct one.
I recommend you explore Burp Intruder in more detail as it is one of the most powerful features available in Burp Suite.
With Burp Repeater, we can manually modify a request, and resend it to analyze the response. We need to send a request to Burp Repeater for this. The request can be sent to it from various places like Intruder, proxy, etc.
Let’s send a request to Repeater from the Intruder attack we just performed on DVWA. To send the request to Repeater, just right click on the request and click on Send to Repeater.
If we go to the Repeater tab, we can see the request there. We also see that there are 3 tabs with the name 1, 2 and 3. In Burp Repeater, a tab is used for each request.
We can also see the params, header, hex and raw format of the request. We can modify any of these before sending the request.
Let’s just change the username, password to the correct one, i.e., username=admin and password=password and click on Go. This will send the request.
We can analyze the response in the response section. Again we have the option to see the params, header, hex and raw format of the response. The render option displays the page as if it were displayed in a browser, though it is not fully reliable.
Burp Suite Sequencer is used to figure out the randomness of the session tokens generated by a web application. This matters because session tokens are usually used to authenticate a user, and hence should not be guessable. It is important for a web application to have a high degree of randomness in its session tokens, so that brute force attacks against them are not successful. We need to send a request which returns a session token to the Sequencer; the Sequencer then repeatedly sends the request, thus obtaining a high number of session IDs. It then passes these session IDs through various statistical tests to determine their randomness.
Let’s send a request that returns a session token to the Sequencer. Right click on the request and click on Send to Sequencer.
In the Sequencer we can see that it automatically identified the ID parameter. We can also use manual selection to select it ourselves, or we can use the cookie and form field drop-downs to select the value which we think is the session token.
Click on start capture to start the process.
We can see the requests being made and the different tokens being received. It is good to have a sample size of at least 100-200 tokens before starting the analysis; however, the more tokens, the better the test results will be. Once you think you have captured enough tokens, click on Analyze now. We will see that Burp Sequencer is now performing all the tests.
The results are displayed as shown in the figure below. As we can see, the overall randomness within the sample is estimated to be excellent. You can switch between tabs to see the results of different types of analyses.
Burp Suite will still continue to capture tokens so that you can again perform the test once you have collected more tokens. Examining the different types of test and how they work is beyond the scope of this article. To understand how Burp Sequencer actually works, read this article.
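The section above says the Sequencer runs statistical tests over a captured sample of tokens without describing them. The following is an added example, not code from the article and not Burp's own test suite, that runs two simplified tests of the kind a sequencer applies: per-character-position entropy (how much each position of the token actually varies across the sample) and a monobit test over the decoded bits. Two constructed samples of 200 tokens make the contrast visible: one from a counter-style issuer, one from a seeded PRNG standing in for a properly random issuer. The PRNG seed is there only to make the demo reproducible; real session tokens need a CSPRNG such as Python's secrets module.

```python
import math
import random
from collections import Counter
from typing import Dict, List


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy, in bits, of the symbols observed at each character position."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("position-wise analysis needs tokens of equal length")
    n = len(tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def effective_entropy(tokens: List[str]) -> float:
    """Sum of per-position entropies: an optimistic estimate that assumes positions vary independently."""
    return sum(position_entropy(tokens))


def monobit_fraction(tokens: List[str]) -> float:
    """Fraction of 1 bits over the whole sample, decoding each token as hex; random data sits near 0.5."""
    ones = total = 0
    for t in tokens:
        ones += bin(int(t, 16)).count("1")
        total += len(t) * 4
    return ones / total


def assess(tokens: List[str]) -> Dict[str, float]:
    """Summary in the spirit of the Sequencer's overall result for a hex-encoded token sample."""
    return {
        "effective_bits": effective_entropy(tokens),
        "max_bits": 4 * len(tokens[0]),          # 4 bits per hex digit if every position were uniform
        "monobit_fraction": monobit_fraction(tokens),
    }


# Constructed samples. counter_tokens stands in for a server that issues sequential IDs behind
# a fixed prefix; random_tokens uses a seeded PRNG purely so the demo is reproducible.
def counter_tokens(n: int) -> List[str]:
    return [f"a3f9c2d1{1000 + i:08d}" for i in range(n)]


def random_tokens(n: int, seed: int = 20240101) -> List[str]:
    rng = random.Random(seed)
    return [f"{rng.getrandbits(128):032x}" for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("counter", counter_tokens(200)), ("random", random_tokens(200))):
        print(name, assess(sample))
```

The counter sample scores a handful of bits because only its last few digits ever change, which is exactly the kind of result that should send you looking at how the application mints its session IDs; the random sample scores close to the 128-bit maximum. Like the Sequencer's own figures, these are estimates from a sample and say nothing about a generator's internal state, so a good score is necessary, not sufficient.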
The Burp Suite Comparer tool is used to do a comparison between two pieces of data, which could be requests, responses, etc. We must provide the Comparer tool with two pieces of data in order to do that. In this case we will be giving the Comparer tool a successful response and an unsuccessful response from the brute force attack against DVWA which we carried out earlier. Make sure the response tab is selected while sending to the Comparer, so that we send the responses and not the requests. Right click on an unsuccessful response and click on send to comparer; do the same for the successful response (which is the response for request #11 in the figure below).
Go to the comparer tab. Here we can see the two responses which we had sent to it earlier. Click on the first response (#3) on the top half, and on the second response (#4) on the bottom half. Now the two responses have been selected to carry out the comparison.
We have two ways of performing a comparison between the two responses – through words or through bytes. Click on words to perform a comparison by words. The result is pretty clear. While one response has a "Username and/or password incorrect" message, the other one has a "Welcome to the password protected area admin" message.
Similarly, comparing by using bytes returns the following output. By now you must have begun to understand the importance of this tool.
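Two steps in the walkthrough are the same piece of analysis done by hand: spotting the one Intruder result whose response length differs from the rest, and then using Comparer's words and bytes views to see what differs. The following is an added example, not code from the article or from Burp, that does both over constructed data: an Intruder-style results table whose lengths are made up for the demo, and two response bodies built around the two messages quoted above (the surrounding HTML is constructed, not DVWA's). Word and byte comparison are both done with Python's difflib, which is not Comparer's algorithm but gives the same kind of answer.

```python
import difflib
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class AttackResult(NamedTuple):
    request: int
    username: str
    password: str
    status: int
    length: int


# Constructed results table in the shape of Intruder's attack window (status and lengths invented).
RESULTS: List[AttackResult] = [
    AttackResult(1, "admin", "123456", 200, 4931),
    AttackResult(2, "admin", "letmein", 200, 4931),
    AttackResult(3, "guest", "123456", 200, 4931),
    AttackResult(4, "guest", "password", 200, 4931),
    AttackResult(5, "admin", "password", 200, 4959),
    AttackResult(6, "guest", "letmein", 200, 4931),
]

# Constructed response bodies carrying the two messages the walkthrough quotes.
FAIL_BODY = "<html><body><pre>Username and/or password incorrect.</pre></body></html>"
OK_BODY = "<html><body><p>Welcome to the password protected area admin</p></body></html>"


def find_outliers(results: List[AttackResult]) -> List[AttackResult]:
    """Rows whose status or length differs from the most common values: the 'different response' test."""
    baseline_status, _ = Counter(r.status for r in results).most_common(1)[0]
    baseline_length, _ = Counter(r.length for r in results).most_common(1)[0]
    return [r for r in results if r.status != baseline_status or r.length != baseline_length]


def _words(text: str) -> List[str]:
    # Tokenise into words and single punctuation characters, roughly like Comparer's words view.
    return re.findall(r"\w+|[^\w\s]", text)


def compare_words(a: str, b: str) -> Tuple[List[str], List[str]]:
    """Word-level comparison: returns (tokens only in a, tokens only in b)."""
    ta, tb = _words(a), _words(b)
    sm = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
    removed, added = [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(ta[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(tb[j1:j2])
    return removed, added


def compare_bytes(a: bytes, b: bytes) -> List[Tuple[str, int, int, bytes, bytes]]:
    """Byte-level comparison: (opcode, offset in a, offset in b, bytes from a, bytes from b) per differing region."""
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, i1, j1, a[i1:i2], b[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


if __name__ == "__main__":
    for row in find_outliers(RESULTS):
        print("outlier:", row)
    removed, added = compare_words(FAIL_BODY, OK_BODY)
    print("only in failure:", removed)
    print("only in success:", added)
    for region in compare_bytes(FAIL_BODY.encode(), OK_BODY.encode()):
        print(region)
```

On the defensive side the same comparison is the argument for making failure and success responses as uniform as possible where the protocol allows it, and for alerting on bursts of near-identical login requests rather than relying on the attacker's guesses being slow.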
Burp Suite Decoder can be used to decode encoded data and get it back into its canonical form. It can also be used to encode and encrypt data to get the encoded and encrypted forms. We can manually paste data into the decoder or send an encoded request to it. In this case I will be sending an HTTP Basic authentication request, which contains the username and password in base64 encoded form, to the decoder. Right click on the request and click on Send to Decoder.
Highlight the encoded form, click on decode as and then click on base64.
Burp Decoder decodes the base64 encoded string and gives us the username/password in plaintext.
You should also check out the Smart Decode feature in Burp Suite, in which Burp Decoder intelligently guesses the encoding used and decodes it, though it is not fully reliable and some mistakes might occur.
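The two Decoder uses above, decoding a Basic authentication header and letting Smart Decode guess the encoding, are straightforward to reproduce, and reproducing them shows why Smart Decode is "not fully reliable". The following is an added example, not code from the article or from Burp: the request is constructed (YWRtaW46cGFzc3dvcmQ= is simply base64 of admin:password), and the guessing order in smart_decode (URL, HTML entities, hex, base64) is this example's own choice, not Burp's.

```python
import base64
import binascii
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed request; the Authorization value is base64("admin:password").
SAMPLE_REQUEST = (
    b"GET /protected/ HTTP/1.1\r\n"
    b"Host: dvwa.example\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    b"\r\n"
)


def decode_basic_auth(request: bytes) -> Tuple[str, str]:
    """Recover user and password from an HTTP Basic Authorization header (base64 of user:password)."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", request, flags=re.I | re.M)
    if not m:
        raise ValueError("no Basic Authorization header found")
    creds = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    user, sep, password = creds.partition(":")
    if not sep:
        raise ValueError("decoded credentials are not in user:password form")
    return user, password


def _printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)


def _guess_one(text: str) -> Optional[Tuple[str, str]]:
    """Try encodings in a fixed order and return (name, decoded) for the first that plausibly applies."""
    if re.search(r"%[0-9A-Fa-f]{2}", text) and unquote(text) != text:
        return "url", unquote(text)
    if re.search(r"&(#\d+|#x[0-9A-Fa-f]+|\w+);", text) and html.unescape(text) != text:
        return "html", html.unescape(text)
    # Hex is tried before base64: every even-length hex string is also valid base64 text,
    # and that ambiguity is exactly where a guessing decoder can pick the wrong layer.
    if len(text) >= 4 and len(text) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", text):
        raw = bytes.fromhex(text)
        if _printable(raw):
            return "hex", raw.decode("ascii")
    if len(text) >= 4 and len(text) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            return None
        if _printable(raw):
            return "base64", raw.decode("ascii")
    return None


def smart_decode(text: str, max_rounds: int = 5) -> List[Tuple[str, str]]:
    """Strip one guessed encoding layer at a time, returning [(encoding, decoded), ...] in order."""
    steps: List[Tuple[str, str]] = []
    for _ in range(max_rounds):
        guess = _guess_one(text)
        if guess is None:
            break
        steps.append(guess)
        text = guess[1]
    return steps


if __name__ == "__main__":
    print(decode_basic_auth(SAMPLE_REQUEST))
    print(smart_decode("YWRtaW46cGFzc3dvcmQ%3D"))   # URL-encoded layer over base64
```

The Basic header is the reminder that "encoded" is not "protected": anything that can see the request, including a proxy like Burp, reads the credentials directly, which is why Basic authentication belongs only behind TLS.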
Burp Scanner is one of the most powerful web application scanners. Though, like any other web application scanner, it is not perfect and some false positives may occur. Burp Scanner is not available with the free edition. You can find more information about Burp Scanner here.
In this article we looked at almost all the popular features of Burp Suite – proxy, scanner, sequencer, repeater, etc. The extent to which it can be helpful in web application testing is limited only by the imagination of the user, which makes it a valuable tool for web application testing.