Web Application Penetration Testing With Burp Suite

2/14/2022by admin

Explain Burp Suite and its purpose in web application security. Configure FoxyProxy and Firefox browser to use Burp as a proxy. Intercept HTTP requests from a browser and send them to the Burp Suite Repeater. Analyze HTTP requests, sniff credentials, and alter the request with Burp Suite Intercept. Most security professionals use Burp Suite. It is a very popular tool to perform Web application penetration testing. It is an integrated platform for performing security testing of Web applications, and in most of the cases we can use the same to test Web services and mobile applications by proper configuration and integration with some other tools.

  1. Burp Suite Tool
  2. Web Application Penetration Testing With Burp Suite Download
  3. Web Application Penetration Testing Using Burp Suite Udemy
  4. Web Application Penetration Testing With Burp Suite Free
  5. Web App Penetration Testing With Burp Suite
  6. Burp Suite Modes

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite allows you to combine manual and automated techniques to enumerate, analyses, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
BurpSuite allow us to forward all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. We will configure burp suite with firefox or Iceweasel in Kali Linux or Backtrack.

Let’s get started into the steps of configuring Burp Suite:

1. Open Firefox or Iceweasel and Click on Edit then Preference

2. Preference Window will be open Now go to Advance → Network → Setting

3. Select Manual Proxy then write localhost or 127.0.0.1 in HTTP Proxy area and port should be 8080. Use this proxy server for all protocols by checking the box. Clear the No Proxy field then Finally Click OK.

A. GUI Method
Application → Kali Linux → Web Application → Web Vulnerability Scanners → burpsuite
B. Open Terminal and type burpsuite.jar and Press Enter
  1. If you are running burpsuite first time in your Kali Linux you will see this window Click on I Accept.

6. Burp Suit has been opened. Now Click on Proxy Tab then Click on Option Subtab and watch carefully local host interface running box should be check in Proxy Listeners.

Web Application Penetration Testing With Burp Suite
7. Scroll down in the same tab (Proxy Tab → Option subtab)
→ Select URL Match type and keep Clicking UP button till URL Match type reach at the top.
Web application penetration testing using burp suite udemy
→ Check Box ‘Intercept requests based on the following rules.’
  1. As we can see URL match type now at the top. Now select ‘File Extension’ and click on Edit.
9. Edit Window will be open. Here we will add ‘jpeg’ file extension. You can add or remove file extension as per your need. So, Write code and click on OK.
10. Scroll Down in the same tab (Proxy Tab → Option subtab)
→ Check Box ‘Intercept Responses based on the following rules.’
→ Select URL Match type and keep Clicking UP button till URL Match type reach at the top.
12. We will Add file extension match type according to below details:
Web app penetration testing with burp suite
Match type : File Extension
Match condition: (^gif$ ^jpg$ ^png$ ^css$ ^js$ ^ico$ ^jpeg$)
  1. Select ‘File extension’ and keep Clicking UP button till ‘File extension’ reach at the 2nd top.

Burp Suite Tool

15. Now Open Your Firefox or Iceweasel and write www.google.com in the web address area. You may see a message ‘This Connection is Untrusted’ if you’re using Google over HTTPS.
Burp
You can add an exception everytime this happens when you’re using a proxy, but that can be irritating. We can also set Firefox or Iceweasel to trust the burp certificate so that we don’t get this error.The Pro version of burp allows us to get the certificate easily, but in the free version we have to do little work. You can browse any https enable website for doing this. After opening https enable website Click on ‘I Understand the Risks

16. Click on Add Exception…

17. Click on View

  1. Click on Details Tab, Select PortSwigger CA then Click on Export.
  1. Choose Your Save location, (must remember the location where you are saving your certificate.) Click on Save.
  1. Open Your Browser Click on Edit then Click on Preferences.
  1. Click on Advance Tab then Click on Encryption Subtab and Click on View Certificates.
  1. Click on Authorities Tab then Click on Import.

23. Find the location where you saved your PortSwiggerCA. If you are unable to view saved file from the location, change your file type as ‘All File’. Select your PortSwiggerCA and Open It.

  1. A new window will appear, Check box ‘Trust this CA to identity websites’ then Click on OK.

Web Application Penetration Testing With Burp Suite Download

  1. If you will scroll down your Certificates Name You will Notice your Added Certificate there. Click OK. Now, you should be able to navigate to any SSL site in burp without being prompted to trust the certificate.

26. Here we want to make is to disable Google Safebrowsing. Safebrowsing is enabled for a reason but it can cause unwanted traffic during tests so we will disable it. Go to Security Tab and uncheck two boxes ‘Block Reported Attack sites’ and ‘Block Reported web forgeries’ Click Close

That’s it 🙂

Trust the industry standard

Burp Suite Enterprise Edition contains the same scanner that sits at the core of Burp Suite Professional. With scan routines battle-hardened by thousands of pentesters, your shift toward automation is in safe hands.

Extend your coverage

Burp Suite's pioneering multi-AST technology maximizes signal to noise ratio, for more coverage with less friction. It's security that works at every stage, from development through to deployment.

Scale your scanning securely

Web Application Penetration Testing Using Burp Suite Udemy

Application

Web Application Penetration Testing With Burp Suite Free

Scale testing to match your application portfolio growth rate with Burp Suite's agent-led scanning model. With role-based access control (RBAC) and single sign-on as standard, no matter the size of your web estates, access security doesn't have to be an issue.

Web App Penetration Testing With Burp Suite

Maximize your ROI

Burp Suite Modes

Use automated scanning to prioritize penetration testing expertise where it's most essential, increasing your security ROI. Catch low-hanging fruit by automating scans, to amplify the impact of manual testing.

Comments are closed.