You're reading from Burp Suite Essentials Discover the secrets of web application pentesting using Burp Suite, the best tool for the job

Product type Paperback

Published in Nov 2014

Publisher Packt

ISBN-13 9781783550111

Length 144 pages

Edition 1st Edition

Tools

Burp Suite

Concepts

Web Programming

Author (1):

Akash Mahajan

View More author details

Table of Contents (13) Chapters

Preface

1. Getting Started with Burp

2. Configuring Browsers to Proxy through Burp FREE CHAPTER

3. Setting the Scope and Dealing with Upstream Proxies

4. SSL and Other Advanced Settings

5. Using Burp Tools As a Power User – Part 1

6. Using Burp Tools As a Power User – Part 2

7. Searching, Extracting, Pattern Matching, and More

8. Using Engagement Tools and Other Utilities

9. Using Burp Extensions and Writing Your Own

10. Saving Securely, Backing Up, and Other Maintenance Activities

11. Resources, References, and Links

Index

What this book covers

Chapter 1, Getting Started with Burp, starts with an introduction to Burp Suite. We will cover some of the advanced flags that can be passed to the software when we invoke it from the command line. By the end of this chapter, you will have a pretty good idea of running Burp Suite in various operating systems, while being able to tweak it for maximum performance.

Chapter 2, Configuring Browsers to Proxy through Burp, explains that interception proxies work best when used with a browser software. Even though it is quite simple to get Burp working with a browser, advanced users can use additional browser extensions to perform powerful and customized integrations. By the end of this chapter, you will have configured your browser to use Burp as an interception proxy. Additionally, using browser extensions, you will create a powerful chain of tools to perform web security testing.

Chapter 3, Setting the Scope and Dealing with Upstream Proxies, shows how more and more complex web applications are being tested, including the ones that run primarily on mobile platforms. How does one configure Burp Suite to intercept in such cases? Testing web applications available on the Internet is quite simple with Burp, but how do we test applications that are inside corporate networks, running on company intranets? By the end of this chapter, you will know how to work with SSH port forwarding, SOCKS-based proxies, and intercept HTTP traffic coming from mobile devices.

Chapter 4, SSL and Other Advanced Settings, teaches that SSL-enabled applications sometimes require additional configuration. Usually, you add the Burp Suite CA certificate to your browser and start testing, but sometimes this is not desirable or possible at all. Some additional settings make it possible for nonbrowser-based HTTP applications and thick clients to be tested. By the end of this chapter, you will be able to set up and test SSL-enabled applications without any errors. You will also be able to test thick clients or clients that are not proxy-aware.

Chapter 5, Using Burp Tools As a Power User – Part 1, shows that Burp Suite is powerful due to its amazing set of tools. We will start with Target, covering Site map and Scope, and then we will move to Proxy, which is the workhorse for testers. Then, we will move to the attack tool of choice, Intruder. After Intruder, we will cover the Scanner tool and discuss when we should use the Scanner tool. We will end the chapter with the Repeater tool, which supercharges the manual testing part by making it dead simple to repeat requests and see responses.

Chapter 6, Using Burp Tools As a Power User – Part 2, covers the other tools that make up the Burp Suite software and shows us how tools such as Spider, Sequencer, Decoder, Comparer, and Alerts work in sync to provide us with what we need to test web applications.

Chapter 7, Searching, Extracting, Pattern Matching, and More, explains that the suite of tools provided by Burp is quite powerful in terms of performing the heavy lifting of crafting HTTP requests and responses based on our actions on the web applications. An important aspect of this power is the ability to match, extract, find, grep, and search all the requests and responses based on our requirements. In this chapter, you will learn the various ways in which we can search, extract, and pattern match data in requests and responses, which allow us to complete our testing.

Chapter 8, Using Engagement Tools and Other Utilities, covers something called the engagement tools of Burp suite. These tools allow us to automate some of the more mundane and boring parts of the security testing process. Engagement tools is a Pro-only feature of Burp Suite. Apart from the engagement tools, we will look at some smaller utilities that aid the testing process such as Search, Target Analyzer, Content Discovery, Task Scheduler, CSRF PoC Generator, and Manual Testing Simulator.

Chapter 9, Using Burp Extensions and Writing Your Own, shows that not only does Burp Suite come with its own rich set of tools, but it also provides API interfaces to extend its functionality. Many security researchers have written extensions that enhance the native functionality or add to the already rich toolset. By the end of this chapter, you will be able to use Burp Extensions and even write a sample extension in Python.

Chapter 10, Saving Securely, Backing Up, and Other Maintenance Activities, states that Burp Suite is just like any other testing tool. As with any software, it is imperative that you make regular backups and carry out other maintenance activities. By the end of this chapter, you will have all the knowledge about ensuring that your Burp Suite data is backed up properly and securely and how you can run scheduled tasks for backup and other maintenance activities.

Chapter 11, Resources, References, and Links, provides a number of great resources and references that you can rely on. It provides you with the primary references that you should follow to get more insight into how web security practitioners use Burp. We will list useful and informative resources for application security as well.