In this Burp Suite Tutorial, we are going to elaborately describe the Burp Suite tool and its features that are bundled in a single suite made for Web Application Security assessment as well as Penetration testing.

It’s a java executable and hence it’s cross-platform. Kali Linux comes with Burp Suite free edition installed. There is also a professional version available.

The main features of Burp Suite are that it can function as an intercepting proxy. Burp Suite intercepts the traffic between a web browser and the web server.

This Burp Suite Tutorial helps you to understand the tools associated with the Burp Suite and how it is essentially used in the web penetration testing industry.

Burp Suite Tutorial

Other Features of Burp Suite:

  • Application-Aware Spider: Used for spidering/crawling a given scope of pages.
  • Scanner: Automatically scans for vulnerabilities just like any other automated scanners
  • Intruder: Used to perform attacks & brute-forces on pages in a highly customizable manner.
  • Repeater: Used for manipulating and resending individual requests.
  • Sequencer: Used mainly for testing/fuzzing session tokens.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
  • Comparer & Decoder used for misc purposes that might come along the way when you conduct a Web Security test

Burp Suite Tutorial – Spidering a Website

A web crawler is a bot program that systematically browses the pages of a website for the purpose of indexing. Precisely a web crawler maps the structure of a website by browsing all its inner pages. The crawler is also referred to as a spider or automatic indexer.

Burp Suite has got its own spider called the burpspider. The burp spider is a program that crawls into all the pages of a target specified in the scope. Before starting the burp spider, the Burp suite has to be configured to intercept the HTTP traffic.

Burp Suite Interface & Options

Like any other GUI/Windows tool, Burp Suite contains a standard menu bar, 2 rows of tabs & different set of panels as seen below.

Burpsuite
Burp suite Window

The above figure shows the options & details about the target. In the above figure there are mainly 4 sections. They are described against the corresponding numbers as follows:

  1. Tool & Options selector Tabs – Select between Various tools & settings of Burp Suite
  2. Sitemap View – Displays the sitemap once spider has started
  3. Requests Queue – Displays the requests being made
  4. Request/Response Details – The HTTP requests made & the responses from the servers.

Burp Suite Tutorial Lab 1 : Spidering a website

Spidering is a major part of recon while performing Web security tests. It helps the pentester to identify the scope & architecture of the web application. As described earlier, Burp Suite has its own spider called the burp spider which can crawl into a website.

Scenario: Attacker – Kali Linux VM, IP = 192.168.0.105

Target – OWASP Broken Web Application VM, IP = 192.168.0.160

Download OWASPBWA Here

Burp Suite TutorialStep 1: Setup Proxy

First, this Burp Suite Tutorial helps to check details under the proxy tab in the Options sub-tab. Ensure IP is localhost IP & port is 8080.

burpsuite
Proxy Options & Information

Also, ensure that Intercept is ON in the Intercept Sub-Tab

burpsuite
Turning ON intercept

Then on IceWeasel/Firefox, Goto Options > Preferences > Network > Connection Settings.

Choose Manual Proxy Configuration

Burpsuite
Setting Proxy in IceWeasel

If you want, you can try installing proxy add-ons. Here is one such.

Install the proxy selector from add-ons page and go to preferences

burpsuite
Setting Up Addons

Goto Manage Proxies & add a new proxy filling out the relevant information. It’s simple.

burpsuite
Configuring Addon Proxy

Click the Proxy Selector button at the Top right & select the Proxy you just created.

burpsuite
Setting Up Addons

Burp Suite Tutorial – Step 2: Getting Content into Burp Suite

After you have set up the proxy, go to the target normally by entering the URL in the address bar. You can notice that the page will not be loading up. This is because Burp Suite is intercepting the connection.

burpsuite
Page Loading

Meanwhile, in Burp Suite, you can see the request details. Click forward to forward the connection. Then you can see that the page has loaded up in the browser.

burpsuite
burp intercepting
Burp Suite Tutorial
Page Loaded

Coming back to Burp Suite, you can see that all sections are populated.

burpsuite
Sitemap, Requests & Request/Response Details

Step 3: Scope Selection & Starting Spider

In this Burp Suite Tutorial, Now narrow down the target as you want. Here the target/Mutillidae is selected. Right-click the Mutillidae from the sitemap & select Spider from the Here option

burpsuite
Selecting the target

After the spider starts, You get a prompt as shown in the following figure. It’s a login form. If you know the details, fill in as needed & thus the spider wil be able to crawl from the inside also. You can skip this step by pressing the Ignore Form button.

Burp Suite Tutorial
Submitting a Login form

Step 4: Manipulating Details

Now you can see as the spider runs, the tree inside of the Mutillidae branch gets populated. Also, the requests made are shown in the queue and the details are shown in the Request tab.

Burp Suite Tutorial
More details get Populated

Move on to different Tabs and see all the underlying information.

burpsuite
Interesting Cookie information
Burp Suite Tutorial
Response Details from the target
Burp Suite Tutorial
The page source

Finally, check if the spider is finished by viewing the Spider tab.

burpsuite
Spider Status

This Burp Suite Tutorial is a very basic & starting point of a web security test. Spidering is an important part of the recon during the test and by clearly executing this, we can understand the architecture of the target site.