This chapter provides overviews of the most commonly used tools within Burp Suite. The chapter begins by establishing the Target scope within the Target Site Map. This is followed by an introduction to the Message Editor. Then, there will be some hands-on recipes using OWASP Mutillidae II to get acquainted with Proxy, Repeater, Decoder, and Intruder.

To complete the recipes in this chapter, you will need the following:

• Burp Proxy Community or Professional (https://portswigger.net/burp/)
• The Firefox browser configured to allow Burp to proxy traffic (https://www.mozilla.org/en-US/firefox/new/)

Now that we have traffic flowing between your browser, Burp, and the OWASP BWA virtual machine, we can begin setting the scope of our test. For this recipe, we will use the OWASP Mutillidae II link (http://<Your_VM_Assigned_IP_Address>/mutillidae/) available in the OWASP BWA VM as our target application.

Looking more closely at the Target tab, you will notice there are two subtabs available: Site map and Scope. From the initial proxy setup between your browser, Burp, and the web server, you should now have some URLs, folders, and files shown in the Target | Site map tab. You may find the amount of information overwhelming, but setting the scope for our project will help to focus our attention better.

On almost every tool and tab within Burp Suite that display an HTTP message, you will see an editor identifying the request and response. This is commonly referred to as the Message Editor. The Message Editor allows viewing and editing HTTP requests and responses with specialties.

Within the Message Editor are multiple subtabs. The subtabs for a request message, at a minimum, include the following:

• Raw
• Headers
• Hex

The subtabs for a response message include the following:

• Raw
• Headers
• Hex
• HTML (sometimes)
• Render (sometimes)

The Raw tab gives you the message in its raw HTTP form. The Headers tab displays HTTP header parameters in tabular format. The parameters are editable, and columns can be added, removed, or modified in the table within tools such as Proxy and Repeater.

For requests containing parameters or cookies, the Params tab is present...

Repeater allows for slight changes or tweaks to the request, and it is displayed in the left-hand window. A Go button allows the request to be reissued, and the response is displayed in the right-hand window.

Details related to your HTTP request include standard Message Editor details such as Raw, Params (for requests with parameters or cookies), Headers, and Hex.

Details related to the HTTP Response include standard Message Editor details including Raw, Headers, Hex, and, sometimes, HTML and Render.

At the bottom of each panel is a search-text box, allowing the tester to quickly find a value present in a message.

Repeater allows you to manually modify and then re-issue an individual HTTP...

Burp Decoder is a tool that allows the tester to convert raw data into encoded data or to take encoded data and convert it back to plain text. Decoder supports several formats including URL encoding, HTML encoding, Base64 encoding, binary code, hashed data, and others. Decoder also includes a built-in hex editor.

As a web penetration test progresses, a tester might happen upon an encoded value. Burp eases the decoding process by allowing the tester to send the encoded value to Decoder and try the various decoding functions available.

The Burp Intruder allows a tester to brute-force or fuzz specific portions of an HTTP message, using customized payloads.

To properly set up customized attacks in Intruder, a tester will need to use the settings available in the four subtabs of Intruder:

A tester may wish to fuzz or brute-force parameter values within a message. Burp Intruder eases this process by providing various intruder attack styles, payloads, and options.

1. Browse to the login screen of Mutillidae and attempt to log into the application. For...