April 1, 2021
Burp Suite Tutorial Part 2: Essential Shortcuts in Burp Suite Proxy for More Productivity
Enhancing Productivity with Burp Suite Shortcuts
Improving skills in Burp Suite can prove incredibly helpful while testing web applications and becoming a better pentester. Particularly when testing larger web applications, using the right hotkeys in Burp Suite is a great way to optimize manual application security audits. Bug bounty hunters, not just penetration testers, can also benefit hugely from adopting the right methodology for using Burp Suite while hunting for bugs. This Burp Suite tutorial explains some essential shortcuts in the Burp Suite Proxy tool and how to benefit from them while testing applications.
Shortcuts in the Burp Proxy
Knowing the right shortcuts in Burp Suite is a great way to save time because clicking and scrolling through several tabs and menus can be a very tedious and time-consuming task.
What are hotkeys in Burp Suite?
Hotkeys are keyboard shortcuts that bind to a specific manual action (or functionality) and easily trigger complex actions. Two commonly used keyboard shortcuts are Ctrl + C and Ctrl + V for copy and paste.
Use Case 1: Quickly Forwarding requests in the Proxy
Instead of clicking the Forward button for every intercepted request, the Ctrl + F hotkey can be used to forward the intercepted request. This is a better approach, as repeatedly clicking that button becomes annoying and error-prone.
Note: Ctrl + F is the default hotkey to forward an intercepted message. Because Burp Suite offers a lot of flexibility in terms of configuration, the binding can be customized or changed under User Options > Misc > Edit Hotkeys if desired.
Use Case 2: Quickly Dropping Irrelevant Requests in Burp Proxy with a Customized Hotkey Binding
There is no dedicated or default hotkey to drop requests, and using the Drop button to discard every request one doesn't need is very inconvenient. Especially in bigger engagements, clicking the Drop button every time is quite annoying, so a hotkey can be assigned to this manual action to make the process faster.
For example, Ctrl + L can be bound to Drop Intercepted Message in the Hotkeys section of User Options (Misc options).
Once this is done, requests can be dropped with the keyboard shortcut Ctrl + L instead of clicking the Drop button every time a request is intercepted, making it easier to discard uninteresting requests and focus on the useful ones.
Use Case 3: Deleting Lines in the Burp Proxy
Ctrl + D is a neat default keyboard shortcut for deleting entire lines in the Burp Proxy. Instead of selecting the whole line and deleting it, hit Ctrl + D on a particular line in the Burp Proxy to delete that line. This can help quickly remove parts of the Intercepted HTTP request and forward it to the server.
This is handy when checking how the application behaves once the Authorization header has been deleted manually. It is therefore useful for finding bugs where the application doesn't validate a particular HTTP header, such as the Authorization header or a CSRF header, which leads to authentication bypass and CSRF bypass.
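The header-deletion check described above can also be kept as a repeatable regression test on the application side. The following is an added example, not part of the original tutorial or of Burp Suite: the two handlers, the token values and the sample request are constructed, and `strip_header` and `unenforced_headers` are hypothetical helper names.

```python
# Added example: automates the "delete one header and resend" check as a
# regression test. Both handlers and the sample request are constructed.

def parse(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def strip_header(raw, name):
    """Remove every line of the named header, like Ctrl + D on that line."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = lines[:1] + [l for l in lines[1:]
                        if l.partition(":")[0].strip().lower() != name.lower()]
    return "\r\n".join(kept) + sep + body

def weak_app(raw):
    """Constructed flawed handler: rejects a wrong token, not a missing one."""
    _, h, _ = parse(raw)
    if "authorization" in h and h["authorization"] != "Bearer SAMPLE-TOKEN":
        return 401
    return 200

def strict_app(raw):
    """Constructed hardened handler: a missing header fails like a bad one."""
    _, h, _ = parse(raw)
    if h.get("authorization") != "Bearer SAMPLE-TOKEN":
        return 401
    if h.get("x-csrf-token") != "SAMPLE-CSRF":
        return 403
    return 200

def unenforced_headers(app, raw, names):
    """Return the headers whose removal still yields the baseline status."""
    baseline = app(raw)
    return [n for n in names if app(strip_header(raw, n)) == baseline]

REQUEST = ("POST /account/email HTTP/1.1\r\nHost: app.example\r\n"
           "Authorization: Bearer SAMPLE-TOKEN\r\nX-CSRF-Token: SAMPLE-CSRF\r\n"
           "Content-Length: 9\r\n\r\nemail=a@b")

if __name__ == "__main__":
    for app in (weak_app, strict_app):
        print(app.__name__,
              unenforced_headers(app, REQUEST, ["Authorization", "X-CSRF-Token"]))
```

A non-empty result means the response did not change when that header was removed, which is the condition the manual Ctrl + D test looks for.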
Burp Proxy is a very useful and powerful feature within Burp Suite. Using certain shortcuts, Burp Suite can be further optimized to work more efficiently and test applications faster while performing penetration tests, as demonstrated.
While Burp documentation exists, it's quite overwhelming to go through. Burp has so many configurations and options that digging through the different features (e.g., altering a setting, finding an instruction set) takes a long time and can be frustrating. So this tutorial hopefully makes things easier for Burp Suite users. Taking online courses is a great way to delve deeper into tools like Burp Suite Pro and gain technical cybersecurity skills in a self-paced manner.