In order to properly showcase the functions of Burp Suite, we need a target web application, and it must be one we are legally allowed to attack.
"Know Your Enemy" is a saying derived from Sun Tzu's The Art of War. The application of this principle in penetration testing is the act of attacking a target. The purpose of the attack is to uncover weaknesses in the target which could then be exploited. Commonly referred to as ethical hacking, attacking legal targets helps companies assess the level of risk in their web applications.
More importantly, any penetration testing must be done with express written permission. Attacking any website without this permission can result in litigation and possible incarceration. Thankfully, the information security community provides many purposefully vulnerable web applications that allow students to learn how to hack in a legal way.
A consortium group, the Open Web Application Security Project, commonly referred to as OWASP, provides a plethora of resources related to web security. OWASP is considered the de facto standard in the industry for all things related to web security. Every three years or so, the group publishes its Top 10 list of the most common vulnerabilities found in web applications.
Throughout this book, we will use purposefully vulnerable web applications compiled into one virtual machine by OWASP. This setup enables us to legally attack the targets contained within the virtual machine.