Burp Suite

About

Burp, or Burp Suite, is a set of tools used for penetration testing of web applications. It aims to be an all-in-one toolkit, and its capabilities can be extended by installing add-ons. For the purpose of this tutorial, we will be using the free Community edition; the Professional edition adds more advanced features. During this tutorial, we will be using these tools:

  • Proxy
  • Intruder

Proxy is an intercepting proxy that lets us see and modify the contents of requests and responses while they are in transit.
Intruder is a tool that lets us run automated attacks against web applications: brute-forcing login forms, dictionary attacks on fields suspected of being vulnerable to XSS or SQL injection, and so on.

Setting up

  1. Open the burpsuite app (the Community edition is preinstalled on Kali Linux).
  2. Create a Temporary project.
  3. For the configuration, keep "Use Burp defaults" checked and click "Start Burp".
  4. The new project is created and Burp Suite is ready to use.

Proxy

  1. Go to the Proxy tab in the top menu. Intercept should be set to off.
  2. Click on the "Open browser" button in the top right corner.
    This will open a new browser window with Burp Suite as its proxy.
    You can also use your favorite browser and set its proxy to Burp Suite, but this requires some additional configuration.
  3. Go to the website you want to test. In our case: http://localhost:3001/
    The app (server and client) should be running.
  4. Turn Intercept on.
    Now, every request and response will be intercepted by Burp Suite.
  5. In the HackHealth app, click on the "Login" button.
  6. In Burp Suite, in the HTTP history tab, you can see all requests and responses made so far.
  7. Try to log in with the correct credentials.
    After hitting the "Login" button, nothing really happens in the HackHealth app.
    In Burp Suite, in the Intercept tab, you can see that the request was intercepted.
    You can see all its details, and by pressing the "Forward" button (2 times) you send the request on to the server, after which the dashboard appears.

💡

You have successfully intercepted a request and seen how much information we were able to get from it. You can play a little more with the Proxy tool; we will use it again later on (together with the Intruder tool).
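To make concrete what the Intercept tab shows and what "modify while in transit" means, here is an added Python example (not code from the tutorial or from Burp): it parses a raw HTTP request in the form Burp displays it, lists the fields a tester would flag (password parameters, session cookies), and rebuilds the request with a changed parameter and a recomputed Content-Length, which is the detail that silently breaks a hand-edited request. The sample login requests are constructed to resemble the HackHealth login POST; the `/api/login` path, the `username`/`password` field names and the JSON body shape are assumptions, not taken from the app.

```python
"""Parse, inspect and rebuild a raw HTTP request as shown in Burp's Intercept tab.

Added example; the sample requests below are constructed and the endpoint,
field names and body format are assumptions about the HackHealth app.
"""
import json
from urllib.parse import parse_qs, urlencode

# Constructed: what Intercept might show for a JSON login request to localhost:3001.
SAMPLE_JSON_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: localhost:3001\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 44\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    '{"username": "alice", "password": "hunter2"}'
)

# Constructed: the same login sent as a classic HTML form post.
SAMPLE_FORM_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: localhost:3001\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

SENSITIVE_KEYS = ("password", "passwd", "pass", "token", "secret")


def parse_request(raw: str) -> dict:
    """Split a raw request into request line, headers and decoded body parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    # Header names are case-insensitive, so normalise them to lowercase.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/json") and body:
        params = json.loads(body)
    elif ctype.startswith("application/x-www-form-urlencoded") and body:
        params = {k: v[0] for k, v in parse_qs(body).items()}
    else:
        params = {}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "params": params}


def sensitive_fields(parsed: dict) -> list:
    """Name the body parameters and headers a tester would note in the intercepted request."""
    found = [f"body:{k}" for k in parsed["params"]
             if any(s in k.lower() for s in SENSITIVE_KEYS)]
    found += [f"header:{h}" for h in ("cookie", "authorization") if h in parsed["headers"]]
    return found


def with_params(parsed: dict, **changes) -> str:
    """Rebuild the raw request with changed body parameters and a correct Content-Length.

    This mirrors editing a request in the Intercept tab before pressing Forward:
    the body changes, so the declared length must be recomputed or the server
    will read too few or too many bytes.
    """
    params = {**parsed["params"], **changes}
    ctype = parsed["headers"].get("content-type", "")
    body = json.dumps(params) if ctype.startswith("application/json") else urlencode(params)
    headers = dict(parsed["headers"])
    headers["content-length"] = str(len(body.encode()))
    request_line = f'{parsed["method"]} {parsed["target"]} {parsed["version"]}'
    header_block = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return f"{request_line}\r\n{header_block}\r\n{body}"


if __name__ == "__main__":
    for raw in (SAMPLE_JSON_REQUEST, SAMPLE_FORM_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["target"], "->", sensitive_fields(req))
    print(with_params(parse_request(SAMPLE_JSON_REQUEST), username="bob"))
```

The parser handles both body encodings a login form commonly uses (JSON and urlencoded form data); the rebuilt request is what you would actually forward to the server after editing a field in Intercept.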

Sources