How to Use Burp Suite to Audit Web Applications – Pentesting and Bug Bounty Tool Overview


As a full-stack developer who has moved into web application security, I've come to rely heavily on Burp Suite for my day-to-day work finding vulnerabilities in web apps. Developed by PortSwigger, Burp Suite is a comprehensive platform that gives ethical hackers, penetration testers, and bug bounty hunters the tools to assess the security posture of a web application end to end.

In this guide we'll look at how to use Burp Suite effectively to uncover vulnerabilities, misconfigurations, and weaknesses in the web apps you're testing. Whether you're a seasoned appsec professional or just starting out in bug bounty hunting, learning to wield Burp Suite well will level up your web hacking skills. Let's get started!

Overview of Burp Suite

At its core, Burp Suite functions as an intercepting proxy, allowing you to inspect, modify, and replay the HTTP/S traffic flowing between your web browser and target application servers. However, Burp goes far beyond a simple proxy, providing an extensive collection of tools for probing web apps for security flaws from all angles.

Some of the key capabilities Burp offers for web application security testing include:

  • Intercepting and modifying HTTP/S traffic to manipulate data and application behavior
  • Automated scanning to efficiently test for common web vulnerabilities like XSS and SQL injection
  • Manual tools for sending customized requests to test for issues
  • Automated attacks on login mechanisms and session handling logic
  • Fuzzing tools for finding bugs in input validation and output encoding
  • Statistical analysis of session tokens and other generated values to test their randomness
  • Site map, request/response viewers and comparison tools for understanding an application's structure
  • Decoder and encoding tools for working with obfuscated data
  • Extensibility through a powerful API and BApp store for adding custom modules

PortSwigger estimates that Burp Suite is used by over 40,000 organizations worldwide, making it the de facto tool for many professional web app testers. Let's dive into how to put this toolset to work.

Setting Up and Configuring Burp

To get started with Burp, head over to the PortSwigger website and download Burp Suite Community Edition (available as a platform installer or as a plain JAR file). The free edition has some limitations compared to Burp Suite Professional: it has no Burp Scanner, it cannot save your work as project files, and Intruder is throttled to roughly one request per second (Repeater is not throttled). It still provides more than enough to learn the basics of web app testing.

Once installed, launch Burp. You'll be greeted by the dashboard, which gives an overview of the available tools. Before you can use them on real traffic, though, you need to point your browser at Burp's proxy. The exact steps vary by browser, but the general setup goes like this:

  1. In Burp, open the Proxy tab and its settings (the Options sub-tab in older versions, Proxy settings in current ones). Burp already has a listener on 127.0.0.1:8080; you only need to add or edit one if that port is taken or you want to listen on another interface.

  2. In your web browser settings, configure a manual proxy pointing to 127.0.0.1 on port 8080 for both HTTP and HTTPS. In Firefox this is under Settings > General > Network Settings.

  3. With the browser now proxied through Burp, visit http://burp and click CA Certificate (or go straight to http://burp/cert) to download Burp's CA certificate, then import it into the browser's trust store as a trusted certificate authority. This is what allows Burp to decrypt and inspect HTTPS traffic: Burp terminates TLS and re-signs each site's certificate with this CA, so without it the browser will (correctly) raise certificate errors. Install it only in a browser profile you use for testing.

  4. To selectively route traffic through the intercepting proxy, set up your browser to use Burp only for certain URLs. An add-on like FoxyProxy makes this easy.
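The browser is not the only client you will want to push through Burp. Recon tooling, your own scripts, and CLI clients all need the same two things: the proxy address and trust in Burp's CA. The following is an added example (my own Python, not code from PortSwigger or from Burp) that does both for a script using only the standard library. It assumes the default listener on 127.0.0.1:8080 and that you saved the certificate from http://burp/cert as cacert.der; Burp serves the CA in DER form, and most non-browser clients want PEM, so it converts it first.

```python
"""Route a script's HTTP(S) traffic through Burp Proxy.

Added example, not code from the article or from PortSwigger. It assumes
Burp's default listener on 127.0.0.1:8080 and that you saved the CA from
http://burp/cert as cacert.der. Burp serves the CA in DER form; most
non-browser clients want PEM, so it is converted with the standard library.
"""
import ssl
import urllib.request
from typing import Dict, Optional, Tuple

BURP_HOST = "127.0.0.1"   # assumption: Burp's default proxy listener
BURP_PORT = 8080


def der_to_pem(der_bytes: bytes) -> str:
    """Convert Burp's DER-encoded CA certificate to PEM text."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def burp_proxy_handler(host: str = BURP_HOST, port: int = BURP_PORT) -> urllib.request.ProxyHandler:
    """Proxy both plain HTTP and HTTPS through the same Burp listener."""
    proxy = f"http://{host}:{port}"
    return urllib.request.ProxyHandler({"http": proxy, "https": proxy})


def burp_opener(ca_pem_path: str, host: str = BURP_HOST,
                port: int = BURP_PORT) -> urllib.request.OpenerDirector:
    """Opener that sends traffic via Burp and trusts Burp's CA for the TLS it re-signs.

    Trusting that CA is what lets Burp show you decrypted HTTPS. Keep it out
    of any trust store you use for anything other than testing.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        burp_proxy_handler(host, port),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch_via_burp(url: str, ca_pem_path: str,
                   headers: Optional[Dict[str, str]] = None) -> Tuple[int, bytes]:
    """Send one GET through Burp; it lands in Proxy history and the Target site map."""
    req = urllib.request.Request(url, headers=headers or {})
    with burp_opener(ca_pem_path).open(req, timeout=15) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    with open("cacert.der", "rb") as f:
        pem = der_to_pem(f.read())
    with open("burp-ca.pem", "w") as f:
        f.write(pem)
    status, body = fetch_via_burp("https://example.com/", "burp-ca.pem")
    print(status, len(body))
```

The curl equivalent is `curl --proxy http://127.0.0.1:8080 --cacert burp-ca.pem https://example.com/`. Looping fetch_via_burp() over a list of URLs is also a cheap way to seed Burp's site map from the output of a crawler.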

Burp's configuration can be daunting at first, so spend some time exploring the settings. The official Burp Suite documentation provides a comprehensive reference. If you just want to get going, Burp's embedded Chromium browser (Proxy > Intercept > Open browser) is already configured to use the proxy and to trust Burp's CA, so steps 2 and 3 can be skipped for it.

Using Burp Proxy

Burp Proxy is the central hub for inspecting and manipulating HTTP/S communications with your target web apps. As you browse an app with Proxy running, it captures all the requests and responses for inspection.

Some key things to try with Burp Proxy include:

  • Defining a target scope (Target > Scope) and filtering the proxy history to in-scope items to cut down noise
  • Turning Intercept on to hold and edit an individual request before it reaches the server (leave it off while browsing normally, or nothing will load)
  • Exploring the site map and request/response viewer to understand the app's structure and data flows
  • Sending interesting requests to other Burp tools like Repeater or Intruder for in-depth testing
  • Using match and replace rules to automatically fix up requests (e.g. remove cache-busting parameters or add a header to every request)
  • Comparing requests and responses from different areas of the app to spot sensitive data in transit

According to a survey by Hackerone, 94% of the bug bounty hunters they interviewed rated Burp's Proxy as a critical part of their testing toolkit. Spend time analyzing the traffic capture to gain an intimate understanding of your target.

Automating Attacks with Burp Intruder

To streamline your testing, Burp Intruder lets you configure automated attacks where a request is submitted repeatedly while plugging in different payloads. This is immensely useful for:

  • Enumerating valid usernames, document IDs, etc. through brute-force attacks
  • Fuzzing for injection bugs by bombarding parameters with attack strings
  • Attempting password guessing attacks to uncover default or weak credentials
  • Testing for flaws in session handling by manipulating session tokens
  • Probing for advanced attacks like web cache poisoning or host header injection

Setting up an Intruder attack involves sending a base request from Proxy, marking positions for insertion points, adding payloads (either loaded or generated), and choosing an attack type:

  • Sniper uses a single payload set and attacks each position in turn, leaving the others at their base value (e.g. single-parameter fuzzing)
  • Battering Ram places the same payload in all positions at once (e.g. finding a string that works across several parameters)
  • Pitchfork uses a different payload set for each position and steps through them in lockstep (e.g. paired username / password combos)
  • Cluster Bomb uses a different payload set for each position and tries every combination (e.g. multi-parameter fuzzing; the request count is the product of the set sizes, so it grows fast)

Once an attack has finished, sort the results table by status code, response length, or response time to spot responses that deviate from the baseline; those are the candidates worth a closer look in Repeater.
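To make the four attack types concrete, here is an added example (my own Python, not Burp's code) that generates the request list each mode would produce from a template with §-marked payload positions, and then triages a constructed results set the way you would by sorting the Intruder results table. The template, payloads and response figures are all made up for the demo.

```python
"""Intruder attack types and result triage, modelled in plain Python.

Added example, not Burp's code. The §...§ markers mirror Intruder's payload
positions; the template, payload lists and timing figures are constructed.
"""
import itertools
import re
from typing import Dict, Iterator, List, Sequence

POSITION = re.compile(r"§(.*?)§")


def positions(template: str) -> List[str]:
    """Return the base values marked as payload positions, in order."""
    return POSITION.findall(template)


def fill(template: str, values: Sequence[str]) -> str:
    """Replace the marked positions, in order, with the given values."""
    it = iter(values)
    return POSITION.sub(lambda m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; each position in turn, the others keep their base value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            yield fill(template, base[:i] + [p] + base[i + 1:])


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; the same payload dropped into every position at once."""
    n = len(positions(template))
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, advanced in lockstep (stops at the shortest set)."""
    for combo in zip(*payload_sets):
        yield fill(template, combo)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position; every combination (Cartesian product)."""
    for combo in itertools.product(*payload_sets):
        yield fill(template, combo)


def triage(results: List[Dict], baseline: Dict, min_time_delta: float = 2.0) -> List[Dict]:
    """Flag responses whose status, length or timing deviates from the baseline.

    This is what sorting the Intruder results table by those columns does for
    you: a different status code, a noticeably different length, or a slow
    response is what usually marks a valid username, an injection point, or
    a time-based blind injection.
    """
    flagged = []
    for r in results:
        reasons = []
        if r["status"] != baseline["status"]:
            reasons.append("status")
        if abs(r["length"] - baseline["length"]) > baseline.get("length_tolerance", 0):
            reasons.append("length")
        if r["time"] - baseline["time"] >= min_time_delta:
            reasons.append("time")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    template = "username=§admin§&password=§letmein§"
    for req in pitchfork(template, [["alice", "bob"], ["Summer2024", "Password1"]]):
        print(req)
    # Constructed results: the baseline is the benign request's response.
    baseline = {"status": 200, "length": 1510, "time": 0.21, "length_tolerance": 20}
    results = [
        {"payload": "alice", "status": 200, "length": 1512, "time": 0.20},
        {"payload": "' OR 1=1--", "status": 500, "length": 2210, "time": 0.25},
        {"payload": "'; WAITFOR DELAY '0:0:5'--", "status": 200, "length": 1511, "time": 5.3},
    ]
    for hit in triage(results, baseline):
        print(hit["payload"], hit["reasons"])
```

The length tolerance matters in practice: responses that embed the payload itself, a timestamp, or a CSRF token vary by a few bytes on every request, and without a tolerance every row gets flagged.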

Web app security researcher Jason Haddix estimates that using Burp Intruder saves him 5-6 hours per week compared to manual testing. Multiply that across a team of testers, and the efficiency gains are substantial.

Manual Testing with Burp Repeater

Not everything can be neatly automated, so manual testing is a vital skill. Burp Repeater is purpose-built for hand-crafting and replaying individual requests to probe for flaws. Common use cases include:

  • Subjecting parameters to long strings, special characters, and other fuzz testing
  • Verifying exactly how the app responds to unexpected input like terminated connections or malformed requests
  • Exploiting flaws like SQL injection, directory traversal, etc. by iteratively modifying attack payloads
  • Exploring an app's unauthenticated attack surface by removing session tokens and auth headers

To use Repeater, find an interesting request in Proxy history (or the site map) and send it over with Ctrl+R. With the request loaded, you can modify any part of it before sending it to the server. Analyze the response, adjust, and repeat to build up a picture of the app's behavior. Each Repeater tab keeps a history of what you sent, which is handy when writing up a finding.
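Repeater edits a request as raw bytes, and two of the things you do most (stripping auth headers, and changing a body and then having to fix Content-Length) are easy to script once you want to apply them to many captured requests. The following is an added example (my own Python, not Burp's code) that parses a raw HTTP/1.1 request, applies those edits, and re-serialises it byte-exact; the request it operates on is constructed sample traffic, and send_raw() needs a live host while everything else runs offline.

```python
"""Parse, edit and re-serialise a raw HTTP request, Repeater-style.

Added example, not code from the article or from Burp. The request below is
constructed sample traffic. Repeater does this by hand; scripting it helps
when you want to strip authentication from many captured requests to map the
unauthenticated attack surface, or to send a malformed request a browser
would never produce. send_raw() needs a live target; the rest runs offline.
"""
import socket
import ssl
from typing import Iterable, List, Optional, Tuple

# Headers that carry the caller's identity; drop them to test as an anonymous user.
AUTH_HEADERS = ("Cookie", "Authorization", "X-API-Key", "X-CSRF-Token")


class RawRequest:
    def __init__(self, method: str, target: str, version: str,
                 headers: List[Tuple[str, str]], body: bytes):
        self.method, self.target, self.version = method, target, version
        self.headers = headers   # ordered list: HTTP allows repeated names
        self.body = body

    @classmethod
    def parse(cls, raw: bytes) -> "RawRequest":
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        return cls(method, target, version, headers, body)

    def get_header(self, name: str) -> Optional[str]:
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def drop_headers(self, names: Iterable[str]) -> "RawRequest":
        wanted = {n.lower() for n in names}
        self.headers = [(n, v) for n, v in self.headers if n.lower() not in wanted]
        return self

    def set_header(self, name: str, value: str) -> "RawRequest":
        self.drop_headers([name])
        self.headers.append((name, value))
        return self

    def set_body(self, body: bytes) -> "RawRequest":
        """Replace the body and fix Content-Length, the step that is easy to forget."""
        self.body = body
        return self.set_header("Content-Length", str(len(body)))

    def unauthenticated(self) -> "RawRequest":
        """Strip session and auth headers to see what the endpoint does for nobody."""
        return self.drop_headers(AUTH_HEADERS)

    def to_bytes(self) -> bytes:
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in self.headers]
        return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + self.body


def send_raw(req: RawRequest, host: str, port: int = 443, use_tls: bool = True,
             timeout: float = 10.0) -> bytes:
    """Write the exact bytes to a socket and read until the server closes the connection."""
    req.set_header("Connection", "close")   # so read-until-EOF terminates
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(req.to_bytes())
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample: a captured profile update from a logged-in user.
SAMPLE = (
    b"POST /api/profile HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Bearer sampletoken\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"name=alice"
)

if __name__ == "__main__":
    req = RawRequest.parse(SAMPLE).unauthenticated().set_body(b"name=alice'--")
    print(req.to_bytes().decode("iso-8859-1"))
```

Sending with a raw socket rather than an HTTP library is deliberate: libraries normalise headers and refuse malformed framing, which is exactly what you sometimes want to send.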

According to PortSwigger, 63% of Burp users rate Repeater as their favorite manual testing tool. While it seems simple, being able to easily manipulate and replay requests is the cornerstone of much of web app testing.

Vulnerability Scanning with Burp Scanner

Another key feature is Burp Scanner (Professional edition only), which automates the discovery of common security flaws. It provides a solid baseline for quickly testing a web app, though no scanner catches everything. Typical vulnerabilities it looks for include:

  • Cross-site scripting (XSS)
  • SQL injection
  • Server misconfigurations like verbose error messages
  • Cross-site request forgery (CSRF)
  • File path traversal
  • Insecure transport and session handling

To perform a scan:

  1. Add your target to the scope to focus the crawler
  2. Configure the scan details like speed/thoroughness and handling of app logins
  3. Launch the crawl phase to build up a map of the app‘s pages, inputs, and functionality
  4. Start the audit phase to test the discovered attack surface
  5. Review the results to validate any identified vulnerabilities
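Those five steps can also be driven from a script, which is how you fit Scanner into a pipeline rather than a GUI session. The following is an added example (my own Python, not PortSwigger's code) that builds the scan definition for Burp's REST API, polls the task, and then summarises the issues by severity while setting low-confidence findings aside for manual validation. It assumes Burp Suite Professional with the REST API enabled (Settings > Suite > REST API, default http://127.0.0.1:1337) and, optionally, an API key; the request and response field names follow the v0.1 API as I recall it from Burp's own interactive docs, so check them against your version. Only summarise_issues() runs offline, on a constructed task status.

```python
"""Drive a Burp Scanner crawl-and-audit from a script via Burp's REST API.

Added example, not PortSwigger's code. Assumes Burp Suite Professional with
the REST API enabled (default listener http://127.0.0.1:1337) and optionally
an API key. Field names follow the v0.1 API as I remember it from Burp's own
interactive docs (served at the API root); verify them against your version.
summarise_issues() runs offline on the constructed task status below.
"""
import json
import time
import urllib.request
from collections import Counter
from typing import Dict, List, Optional

API_BASE = "http://127.0.0.1:1337"          # assumption: default REST API listener
SEVERITY_ORDER = ("high", "medium", "low", "info")
CONFIDENCE_RANK = {"certain": 2, "firm": 1, "tentative": 0}


def scan_request(urls: List[str], scope_prefix: str, username: Optional[str] = None,
                 password: Optional[str] = None, config_name: Optional[str] = None) -> Dict:
    """Build the POST /v0.1/scan body: seed URLs, in-scope prefix, app login, named config."""
    body: Dict = {
        "urls": urls,
        "scope": {"type": "SimpleScope",
                  "include": [{"type": "SimpleScopeDef", "rule": scope_prefix}]},
    }
    if username is not None:
        body["application_logins"] = [{"type": "UsernameAndPasswordLogin",
                                       "username": username, "password": password or ""}]
    if config_name:
        body["scan_configurations"] = [{"type": "NamedConfiguration", "name": config_name}]
    return body


def api_url(path: str, api_key: Optional[str] = None, base: str = API_BASE) -> str:
    """With an API key configured, Burp expects it as the first path segment."""
    return f"{base}/{api_key}{path}" if api_key else f"{base}{path}"


def start_scan(body: Dict, api_key: Optional[str] = None) -> str:
    """POST the scan; Burp answers 201 with the task in the Location header."""
    req = urllib.request.Request(api_url("/v0.1/scan", api_key),
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def wait_for_scan(task_id: str, api_key: Optional[str] = None, poll: float = 10.0) -> Dict:
    """Poll GET /v0.1/scan/{task_id} until the crawl-and-audit finishes."""
    while True:
        with urllib.request.urlopen(api_url(f"/v0.1/scan/{task_id}", api_key), timeout=10) as resp:
            status = json.load(resp)
        if status.get("scan_status") in ("succeeded", "failed"):
            return status
        time.sleep(poll)


def summarise_issues(status: Dict, min_confidence: str = "firm") -> Dict:
    """Count issues by severity; findings below min_confidence go to needs_validation.

    Scanner marks each issue certain, firm or tentative. Tentative findings are
    the likeliest false positives, so they are validated by hand before reporting.
    """
    kept, dropped = [], 0
    for event in status.get("issue_events", []):
        issue = event.get("issue", {})
        if CONFIDENCE_RANK.get(issue.get("confidence"), 0) >= CONFIDENCE_RANK[min_confidence]:
            kept.append(issue)
        else:
            dropped += 1
    counts = Counter(i.get("severity") for i in kept)
    titles = sorted({(i.get("severity"), i.get("name")) for i in kept},
                    key=lambda t: (SEVERITY_ORDER.index(t[0]) if t[0] in SEVERITY_ORDER else 99, t[1]))
    return {"by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
            "needs_validation": dropped, "titles": titles}


# Constructed example of a finished task's status, shaped like the v0.1 response.
SAMPLE_STATUS = {
    "task_id": "7", "scan_status": "succeeded",
    "issue_events": [
        {"type": "issue_found", "issue": {"name": "SQL injection", "severity": "high",
                                          "confidence": "certain", "path": "/search"}},
        {"type": "issue_found", "issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
                                          "confidence": "firm", "path": "/profile"}},
        {"type": "issue_found", "issue": {"name": "Cross-site request forgery", "severity": "medium",
                                          "confidence": "tentative", "path": "/account"}},
        {"type": "issue_found", "issue": {"name": "Strict transport security not enforced",
                                          "severity": "low", "confidence": "certain", "path": "/"}},
    ],
}

if __name__ == "__main__":
    body = scan_request(["https://target.example/"], "https://target.example/",
                        username="tester", password="Passw0rd!")
    print(json.dumps(body, indent=2))
    print(summarise_issues(SAMPLE_STATUS))
    # Live use: task = start_scan(body); print(summarise_issues(wait_for_scan(task)))
```

Keep the REST API bound to localhost, or behind an API key if you must expose it: anyone who can reach it can point Burp's scanner at arbitrary hosts.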

How much of that it finds depends heavily on the application: a scanner can only test what its crawler reaches and what its checks cover, and anything it reports at low confidence (marked tentative) needs manual confirmation before it goes into a report.

Automated scanners are never a complete substitute for manual testing, but they provide a valuable starting point. Use Burp Scanner to quickly cover a large attack surface before diving into the meatier manual work.

Other Useful Burp Tools

Beyond the key tools described above, Burp offers a handful of other useful functions for specific testing scenarios:

  • Sequencer analyzes the randomness of session IDs, CSRF tokens, etc. to uncover predictability
  • Decoder provides a centralized way to decode or encode data using schemes like URL encoding, HTML encoding, Base64 and hex, including chained transformations
  • Comparer does a word- or byte-level diff between two requests or responses to separate dynamic from static content
  • Extender (the Extensions tab in current versions) loads custom or third-party modules to add new functionality
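Sequencer's character-level analysis is worth understanding because it is the test that catches sequential or timestamp-derived tokens immediately. The following is an added example (my own Python, not Burp's Sequencer, which runs a far larger battery of tests on thousands of samples) that reproduces the idea: for every position in the token, measure how evenly the characters are spread across the sample, flag positions that barely change, and total the bits. The token sets are constructed, and hex_tokens() is a deterministic stand-in for a real CSPRNG so the demo is repeatable.

```python
"""Sequencer-style randomness check for session tokens.

Added example, not Burp's Sequencer. It reproduces the character-level idea:
for every position in the token, how evenly are the characters spread across
the sample? Positions that barely change carry no entropy, and a total well
short of 64 bits deserves a closer look. Token sets here are constructed.
"""
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_bits(counts: Counter, total: int) -> float:
    """Entropy in bits of the observed distribution."""
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def position_entropy(tokens: List[str]) -> List[float]:
    """Bits observed at each character position across the sample."""
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("positional analysis needs equal-length tokens")
    return [shannon_bits(Counter(t[i] for t in tokens), len(tokens)) for i in range(length)]


def analyse(tokens: List[str], weak_threshold: float = 1.0, minimum_bits: float = 64.0) -> Dict:
    """Summarise a token sample the way you would read Sequencer's report.

    The per-position figure cannot exceed log2(sample size), so a small sample
    under-reports entropy; Burp itself asks for thousands of tokens.
    """
    per_pos = position_entropy(tokens)
    weak = [i for i, bits in enumerate(per_pos) if bits < weak_threshold]
    total = sum(per_pos)
    return {
        "samples": len(tokens),
        "token_length": len(tokens[0]),
        "estimated_bits": round(total, 1),
        "weak_positions": weak,
        "verdict": "suspicious" if weak or total < minimum_bits else "ok",
    }


def hex_tokens(n: int, length: int = 32, seed: int = 0) -> List[str]:
    """Deterministic hex tokens for a repeatable demo (real code: secrets.token_hex)."""
    rng = random.Random(seed)
    return ["".join(rng.choice("0123456789abcdef") for _ in range(length)) for _ in range(n)]


if __name__ == "__main__":
    # Constructed: a sequential "session id" with a fixed prefix (bad) ...
    weak = [f"sess{n:04d}" for n in range(100)]
    # ... versus 128-bit hex tokens (good).
    print(analyse(weak))
    print(analyse(hex_tokens(500)))
```

Positional entropy only sees independence within a column; it will not catch a token that is, say, a correctly random-looking hash of a predictable seed, which is why Sequencer also runs bit-level tests and why a manual look at how the token is generated beats any statistic.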

These additional capabilities round out Burp's already impressive feature set. Over time you'll find yourself reaching for them to elegantly solve tricky challenges.

Integrating Burp into Your Web App Testing Workflow

To make the most of Burp, it helps to consider how it best fits into your broader web app testing workflow. After all, no one tool can do it all.

Consider pairing Burp with other complementary open source or commercial tools:

  • Send targets discovered through recon tools like Amass or Subfinder to Burp for deeper testing
  • Pipe URLs or parameters harvested with tools like hakrawler or paramspider into Repeater
  • Export Burp's proxy history to other tools using logging extensions like Logger++
  • Use Burp to validate potential vulnerabilities found with other automated scanners

By treating Burp as part of a cohesive toolkit, you can efficiently flow between tasks to maximize coverage. Think holistically about your web app testing workflow, and experiment to find your ideal setup.

Extending Burp‘s Capabilities with Extensions

The true power of Burp arguably lies in its extensibility API, which enables customization to meet your specific testing needs. As of 2022, the BApp Store contains over 160 community-developed extensions. Some particularly useful ones include:

  • ActiveScan++ for improved active and passive scanning rules
  • Autorize and AuthMatrix for detecting authentication and authorization bypasses
  • Retire.js and Software Vulnerability Scanner to identify vulnerable client-side libraries
  • Turbo Intruder for high-performance fuzzing
  • SAML Raider for assessing SAML Single Sign-On implementations

With such a large ecosystem at your fingertips, it's worth exploring extensions that align with your testing focus. And if you can't find the right one, you can build your own: current extensions are written in Java or Kotlin against the Montoya API, while the legacy Extender API also supports Python (via Jython) and Ruby (via JRuby). Note that many BApps depend on Burp Scanner and therefore only work in Professional.

Burp Suite Editions: Community vs Professional

A common question is when it makes sense to pay for a Burp Suite Professional license instead of sticking with the free Burp Suite Community Edition. Essentially, you should consider going Pro if you:

  • Need unrestricted access to automated scanning, as it‘s unavailable in the CE version
  • Regularly run large Intruder attacks that would crawl under CE's rate limit
  • Require the ability to save your work in Burp project files for later reference
  • Rely on extensions that need Scanner or other Pro-only features (the extension API itself is available in both editions)

For most professional web app penetration testers or dedicated bug bounty hunters, Burp Pro's capabilities easily justify the license fee (around $400 per year; check PortSwigger's site for current pricing). But if you're just learning or only perform occasional ad-hoc testing, CE is a good place to start.

Real-World Burp Suite Web Hacking Examples

Equipped with a solid understanding of Burp's capabilities, let's walk through a couple of quick case studies demonstrating its real-world usage.

On a recent web app test, I used Burp Proxy to inspect traffic and noticed sensitive data being passed in request parameters and returned in responses:

(Screenshot: Burp sensitive data disclosure)

This issue would allow an attacker to harvest private details that could enable account takeover or social engineering. I reported the flaw to the app owner to get the sensitive data moved out of the URL and HTML.

Here's another quick win achieved by fuzzing a search field with Burp Intruder:

(Screenshot: Burp SQL injection discovery)

Loading Burp's built-in SQL injection payloads and fuzzing the search parameter identified a SQL injection bug. Refining the payload in Repeater then allowed data to be extracted from the back-end database. Catching these types of bugs with Burp helps get them fixed fast.

Conclusion

For the modern appsec professional, Burp Suite is an indispensable tool. Its feature set lets you probe web apps from every angle to uncover deeply hidden vulnerabilities. Master the techniques described in this guide and you will be well on your way as a bug bounty hunter.

Comprehensive as it is, this article only scratches the surface of what Burp can do. To continue your journey to web app testing mastery, immerse yourself in PortSwigger's Web Security Academy and the official Burp Suite documentation.

Now fire up Burp Suite and start hacking! Adventure awaits.
