Red Team Toolkit
  • 👊Welcome!
  • Methodology
    • MITRE
    • NIST
    • OWASP
    • PTES
    • SANS
  • Reconnaissance
    • DNS Recon
    • Open Source Intelligence
    • Web Application Recon
  • Initial Access
    • Phishing
    • Web Authentication Bypass
    • Network Services Attacks
    • Breaching Active Directory
    • Windows Exploits
    • Linux Exploits
    • SQL Injection
    • XSS
    • Burp Suite
    • Hyrdra
    • Metasploit
    • Nessus
    • Wordlists
    • OWASP ZAP
  • Discovery
    • NMAP
    • PowerView
    • Active Directory Enumeration
    • Windows Post Exploitation Discovery
    • Linux Post Exploitation Discovery
    • Other Scanning Methods
  • Privilege Escalation
    • Password Cracking
    • AD Privilege Escalation
    • Local Windows Privilege Escalation
    • Linux Privilege Escalation
    • Mimikatz
  • Movement
    • Movement
    • Evasion
  • Collection
    • Persistence
    • Exfiltration
  • Other
    • Bookmarks
    • OpeSec
Powered by GitBook
On this page
  • Background
  • Installation
  • Usage
  • Resources

Was this helpful?

  1. Initial Access

Burp Suite

This document contains

Burp Suite is web application penetration testing framework written in Java

Background

Burp Suite is a comprehensive platform for web application security testing. It provides a range of features, including a web proxy, web spider, vulnerability scanner, and manual testing tools, to help security professionals and ethical hackers test the security of web applications.

Installation

  • Burp Suite installers: https://portswigger.net/

  • FoxyProxy used to send requests to burp suite proxy: https://getfoxyproxy.org/

  • Installing certificates: http://burp/cert

Usage

  • Burp Suite Features

    • Proxy: intercept requests

    • Repeater: modify requests

    • Intruder: bruteforce/spray endpoints

    • Decoder: decode/encorde payloads

    • Comparer: compare data

    • Sequencer: test for randomness

    • Extender: use other modules written for Burp Suite

  • Burp Suite Installers

  • Burp Proxy

    • Burp Proxy intercepts website requests so they can be utilized in Burp Suite

    • Use FoxyProxy to send browser requests to Burp Suite using the following settings (Use Proxy IP: 127.0.0.1 & Port: 8080 in FoxyProxy to send request to Burp Suite)

    • For SSL use http://burp/cert, download cacert.der, add this certificate to about:preferences in FireFox or Chrome

    • Use the Burp Browser by first going to Project options -> Misc -> Embedded Browser and checking the option Allow the embedded browser to run without a sandbox

    • Right Click and select Add to Scope while in the Target Tab and add an Add rule in Proxy Options to ensure that URLs are in the target scope to help filter captured traffic

  • Jython Interpreter in Burp extender

Resources

  • Burp Suite Documentation

  • Sans Burp Suite Cheat Sheet

  • Burp Suite for Pentesters

  • https://github.com/xl7dev/BurpSuite/blob/master/CheatSheet.md

The official Burp Suite documentation: https://portswigger.net/burp/documentation PortSwigger's blog: https://portswigger.net/blog/ The Burp Suite community: https://portswigger.net/community/ The Burp Suite support center: https://portswigger.net/support The Burp Suite YouTube channel: https://www.youtube.com/channel/UCxlIPvCvSo2QZmI1cgL9d9g The Burp Suite User Group on LinkedIn: https://www.linkedin.com/groups/4503164/ OWASP's Burp Suite page: https://owasp.org/www-project-web-security-testing-guide/v2/5-Web_Application_Penetration_Testing/02-Application_Discovery/01-Reconnaissance/03-Proxies Online courses and tutorials: Udemy, Pluralsight, and Coursera offer courses on Burp Suite and web application security.

PreviousXSSNextHyrdra

Last updated 1 year ago

Was this helpful?