S3SS10N Wednesday – Burp Suite Basics


Published: December 28, 2016 | By: Zack Meyers | Views: 6434

This Week's S3SS10N Wednesday
In this Session Wednesday video, Zack Meyers takes us on a tour of Burp Suite. If you’re unfamiliar with Burp, then you’re in for a real treat! Burp is a soup-to-nuts penetration testing tool for sniffing out and exploiting vulnerabilities in web applications. Zack kicks things off with a quick overview of the basics of Burp and getting a test environment configured.

The test environment consists of Kali Linux and a vulnerable target running as VMs. Zack explains how to install and launch Burp – either from the command line via a Java jar file or from the toolbar, as is the case on Windows machines. There are both free and paid ($349/yr.) versions of Burp Suite. The paid version has a non-throttled version of Burp's brute force Intruder feature.

Zack then reviews the multitude of tabs in the Burp UI:

  • Target
  • Proxy
  • Spider
  • Intruder
  • Repeater
  • Sequencer
  • Encoder/Decoder
  • Comparer
  • Extender

The primary tabs discussed in this session are the Target, Proxy, and Spider tabs. The Burp proxy is unique in that it can not only capture HTTP requests and responses but also intercept and hold them. This allows you to examine and potentially modify a request before it is forwarded on to the target. This is a very powerful feature for web app penetration testing.

You also have the option to allow the proxy to communicate with a web browser – either Iceweasel or Firefox – or simply examine the HTTP requests and responses between Burp and the target VM in a separate pane of the Burp UI.

Assessment and mapping of the target’s potential attack surface are accomplished by deploying Burp’s spider feature. The spider works similarly to a search engine crawler such as Googlebot: it follows links through the host's directory structure, enumerating folders and files on its journey. The crawl results in a sitemap representing the host’s directory structure.

Zack concludes the session by touching on some of the vulnerabilities that are possible to uncover and probe using just the basic tabs of Burp. The spider can reveal folders that have directory listing enabled. This can potentially uncover files prying eyes weren’t meant to see. Finally, password fuzzing using the brute force capabilities of the Repeater and Intruder tabs in the Burp Suite is discussed.
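To make the spider and directory-listing points concrete, here is a small added example (not code from the video or from Burp) of how a crawler builds a sitemap and flags folders that expose a listing. The site is a constructed in-memory map of paths to HTML bodies standing in for responses from the test VM, and the host name `target.test` is a placeholder; a real crawler would swap the `fetch` function for HTTP requests and keep the same scope check so it never wanders off the host being assessed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: path -> response body. This stands in for the
# vulnerable target VM; two folders deliberately expose a directory listing.
SAMPLE_SITE = {
    "/": '<a href="/login.php">Login</a> <a href="/docs/">Docs</a>'
         ' <a href="http://other.example/x">external</a>',
    "/login.php": '<form action="/login.php"><input name="user"></form>',
    "/docs/": '<h1>Index of /docs/</h1>'
              '<a href="/docs/readme.txt">readme.txt</a>'
              '<a href="/docs/backup/">backup/</a>',
    "/docs/readme.txt": "plain text, no links",
    "/docs/backup/": '<title>Index of /docs/backup/</title>'
                     '<a href="/docs/backup/site.sql">site.sql</a>',
    "/docs/backup/site.sql": "-- constructed dump placeholder",
}

# Typical marker emitted by Apache/nginx style autoindex pages.
DIR_LISTING = re.compile(r"Index of /", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href/action targets from anchors and forms."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def fetch(path):
    """Offline stand-in for an HTTP GET: returns the body or None for 404."""
    return SAMPLE_SITE.get(path)


def spider(base, start="/", fetch=fetch):
    """Breadth-first crawl from `start`, staying on `base`'s host.

    Returns (sitemap, listings): sitemap maps each crawled path to the
    sorted in-scope paths it links to; listings is the crawl-ordered list
    of paths whose response looks like a directory listing.
    """
    host = urlparse(base).netloc
    queue, seen = [start], set()
    sitemap, listings = {}, []
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        body = fetch(path)
        if body is None:
            continue
        if DIR_LISTING.search(body):
            listings.append(path)
        parser = LinkExtractor()
        parser.feed(body)
        children = set()
        for link in parser.links:
            absolute = urljoin(urljoin(base, path), link)
            parsed = urlparse(absolute)
            if parsed.netloc != host:
                continue  # out of scope: different host
            child = parsed.path or "/"
            children.add(child)
            if child not in seen:
                queue.append(child)
        sitemap[path] = sorted(children)
    return sitemap, listings


if __name__ == "__main__":
    tree, exposed = spider("http://target.test")
    for path in sorted(tree):
        print(path, "->", tree[path])
    print("directory listings enabled at:", exposed)
```

The `listings` result is what a defender cares about: each path reported there is a folder whose autoindex should be disabled (or whose contents moved out of the web root), which is exactly the exposure the spider surfaces in the video.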


About This S3SS10N Wednesday's Contributor

Zack Meyers
Zack is an Offensive Security Engineer at BreakPoint Labs with Andrew McNicol. Get to know him more in this S3SS10N.
7 Comments
  1. Can anyone tell me how I put my network card into monitor mode? I tried my best but failed, please help me.

  2. I always used W3AF but I will try Burp Suite as alternative.
    Thanks for the tutorial, Zack Meyers 😀

