If you're looking for a good web application vulnerability scanner then Burp Suite Stands in the first place, its features and built-in automated scanners makes it a super fan of hackers.
As a beginner there might be a lot of issues with Burp Suite, a few years back, I too came across the same situation that I wanted to learn how hackers hack websites and get paid for bug bounty, but there is a lack of improper knowledge in me, thus I was failed to do so😞
I don't want everyone to face the same, so In this tutorial am going to teach you the basic concepts a beginner web pentester worries about.
In this tutorial, you're going to learn
- What is Burp Suite
- Installing Burp Suite
- Burp Suite Pro Vs Free Version
- How To Use Burp Suite
- Burp Suite Modules
- Advanced Scanning With Burp Suite
- Burp Suite Automated Scanning
What is Burp Suite?
Burp Suite is a java based framework used for web application vulnerability scanning, and it comes with a collection of vulnerability scanning tools, it's goal is to intercept the traffic between the web browser and the server.Why Burp Suite
Well that's the common question newbies asks the most,
Burp Suite Comes with a collection of scanners for various vulnerabilities also it has automation features, real-time traffic interactions between the browser and the server that makes us easy to understand better,
Burp Suite is a good tool for professional security researchers but what about others?
For that one of my friends did a survey in a Black hat Hackers Group, here is the results
Yup Burp Suite Stands Out.
Note: Don't mind you can use only Burp Suite For Attacking Web Applications, You Can Use Many Others Vulnerability Scanning tools during your penetrating attacks.
Burp Suite pro vs Free
This is a quite tricky question that Popups while using Burp Suite,With The Free Version, you can't be able to avail
- Automate Scannings
- Scheduled & Repeat Scanning
- Advanced Manual Tools
How does Burp Suite work
How to use Burp Suite
Burp Suite Installation
However the installations process is very easy, you have to choose your operating system and Download Burp Suite on Official Portswigger website.
Now you have installed Burp Suite and looking for attacking web applications, but before that, you have to do some configuration to Burp Suite and your Browser to make sure it works, it's a simple set-up as follows.
Burp Suite Modules
Burp suite interface is very easy to understand that anyone can easily understand and analyze the traffic packets send through your browser to the server,
Burp suite also comes with many Modules that confuse the newbies,
Here are the modules to keep in mind
Spider:
This Module is Useful for scanning and scrapping the given pages.Intruder:
This module is used for Repetitive tasks such as brute force attacksRepeater:
This module is used for Repetitive tasks by sending requests to the destination pageSequencer:
This module is used for Fuzzing Session CookiesDecoder:
The decoder is a useful module for encoding and decoding hex, HTML, binary, and many other hashesScanner:
This module is used for automating attacks against any page.Let's see
How To Configure Burp Proxy on Browser
The first thing is to Choose A Browser Which you're going to configure with Burp Proxy, in this guide am going to choose Firefox, which's a good browser for hackers, but you can choose any other browsers
Step 1: Open Firefox
Step 2: Click On Three dots in the Main Menu, then click on Settings
Step 3: After That Click on Advanced then click on Network Proxy
Step 4: Now tick on Manual Configuration, then in the Proxy area type 127.0.0.1 and in the port as 8080
You can achieve the same with Foxy Proxy Addon, install it and configure it as shown screenshot, when you like to use click on the top Icon of Foxy Proxy and change the Settings
Burp Suite SSL Settings
This is what happens when you try to access HTTPS sites.
Burp Suite Works as HTTP proxy but what about the servers which use advanced technology such as SSL 😟
Burp Suite Works even on HTTPS😇
But before that we have installed some Certificates, follow below steps to do so.
Step1: Open Web Browser
Step2: Now In The Address Bar Type http://burp
You will be shown a page
Step3: Now click on CA Certificate, after that a file will be downloaded
Step4: Now you have to import the file to Firefox certificates
For that open Firefox then go to Options click on Privacy and Security now scroll down and click on View Certificates
Step5: Now Click on Import then select the downloaded file then click on OK
That's it you have successfully Configured SSL on Burp Suite, Now Go back and try opening an https site,
Burp Suite SSL pass-through
You can read more about the burp suite SSL on Portswigger blogFurther Reading
▶ How To Hack WiFi Password In 2019 (Ultimate Guide)
▶101 Nmap Tutorial: A Simple Guide For Beginners
Attacking web applications with burp suite
Also, you can use localhost web apps to practice,
Let's see
How to configure burp suite for localhost application
If you're on Windows, Linux then you have to use WAMP, LAMP
Most of the people face the problem that the interceptor is not working for localhost applications, this usually happens if there is a configuration problem in the browser
Follow Below Steps To Fix this
1. (for firefox) go to about:config and change network.proxy.allow_hijacking_localhost to true
2. try http://127.0.0.3.:80 instead of http://127.0.0.3:80 (dot added after IP address)
Advanced web application penetration testing with burp suite
And If you want to be a master web hacker then you must try these vulnerable web applications