Burp Suite Tutorial For Beginners

If you're looking for a good web application vulnerability scanner, Burp Suite stands in first place: its features and built-in automated scanners make it a favourite of hackers.


As a beginner you might have a lot of issues with Burp Suite. A few years back I came across the same situation: I wanted to learn how hackers hack websites and get paid for bug bounties, but I lacked the proper knowledge, so I failed to do so 😞

I don't want everyone to face the same, so in this tutorial I am going to teach you the basic concepts a beginner web pentester worries about.

In this tutorial, you're going to learn
  • What is Burp Suite
  • Installing Burp Suite
  • Burp Suite Pro Vs Free Version
  • How To Use Burp Suite
  • Burp Suite Modules
  • Advanced Scanning With Burp Suite
  • Burp Suite Automated Scanning

What is Burp Suite?

Burp Suite is a Java-based framework used for web application vulnerability scanning. It comes with a collection of vulnerability scanning tools, and its core job is to intercept the traffic between the web browser and the server.



Why Burp Suite


Most people ask why they should use Burp Suite when there are a lot of other web vulnerability scanners out there; that's the question newbies ask most often.


Burp Suite comes with a collection of scanners for various vulnerabilities, it has automation features, and it shows the real-time traffic between the browser and the server, which makes the application easier to understand.

Burp Suite is a good tool for professional security researchers but what about others?

For that, one of my friends did a survey in a black hat hackers' group; here are the results.


Figure: Burp Suite vs Other Tools (survey results)


Yup, Burp Suite stands out.

Note: that doesn't mean Burp Suite is the only tool you can use for attacking web applications; you can use many other vulnerability scanning tools during your penetration tests.

Burp Suite pro vs Free

This is a tricky question that pops up while using Burp Suite.
With the free version you can't avail of:
  • Automated scanning
  • Scheduled & repeat scanning
  • Advanced manual tools

How does Burp Suite work


Figure: Burp Suite working process


Burp Suite works as an intercepting proxy between your browser and the server: when you make a request from the browser, it first goes to Burp Proxy and then to the server, and the response from the server comes back through Burp before it is passed to the browser.
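To make that flow concrete, here is a toy intercepting proxy written for this tutorial; it is an added example, not code from the original post and not Burp's own code. It only speaks plaintext HTTP: the `InterceptingProxy`, `DemoApp`, `INTERCEPT_LOG` and `demo` names are all constructed for the example, the "upstream" server is a stand-in bound on a loopback port, and HTTPS is deliberately left out because that needs the CONNECT method plus a certificate authority the browser trusts (the reason Burp installs its CA certificate, covered later in this tutorial).

```python
# Added example (not from the original post, not Burp's code): a minimal
# intercepting HTTP proxy showing browser -> proxy -> server -> proxy -> browser.
import http.client
import http.server
import threading
import urllib.request
from urllib.parse import urlsplit

# Every request the proxy sees is recorded as (method, host:port, target).
INTERCEPT_LOG = []

# Hop-by-hop or regenerated headers are not copied verbatim in either direction.
HOP_BY_HOP = {"connection", "proxy-connection", "transfer-encoding",
              "content-length", "server", "date"}


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """Sits between the client and the real server, like Burp Proxy."""

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; INTERCEPT_LOG is our record instead

    def do_GET(self):
        self._forward()

    def do_POST(self):
        self._forward()

    def _forward(self):
        # A browser configured for a proxy sends the absolute URL as request target:
        #   GET http://host:port/path?query HTTP/1.1
        parts = urlsplit(self.path)
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None

        # This is the "Intercept" point: the proxy holds the complete request and
        # could display it to the tester or edit it before anything reaches the server.
        INTERCEPT_LOG.append((self.command, parts.netloc, target))

        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        if body is not None:
            headers["Content-Length"] = str(len(body))
        headers["Connection"] = "close"
        try:
            upstream = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
            upstream.request(self.command, target, body=body, headers=headers)
            resp = upstream.getresponse()
            data = resp.read()
            upstream.close()
        except OSError:
            self.send_error(502, "upstream unreachable")
            return

        # Relay the response back; Burp shows it on the way out too.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class DemoApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the real web server."""

    def log_message(self, fmt, *args):
        pass

    def do_GET(self):
        data = ("hello from upstream " + self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server(handler):
    """Bind a free loopback port and serve in a background thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_via_proxy(url, proxy_port):
    """Client side: what Firefox does once 127.0.0.1:<port> is set as its proxy."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": "http://127.0.0.1:%d" % proxy_port}))
    with opener.open(url, timeout=5) as resp:
        return resp.status, resp.read().decode()


def demo():
    """Run one request through the full loop on loopback and return what was seen."""
    INTERCEPT_LOG.clear()
    app, proxy = start_server(DemoApp), start_server(InterceptingProxy)
    try:
        url = "http://127.0.0.1:%d/login?user=alice" % app.server_address[1]
        status, body = fetch_via_proxy(url, proxy.server_address[1])
    finally:
        for server in (app, proxy):
            server.shutdown()
            server.server_close()
    return status, body, list(INTERCEPT_LOG)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the proxy recording the method, host and full target of the request before relaying it; the line that appends to `INTERCEPT_LOG` is exactly where Burp's Intercept tab pauses so you can read or change the request.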

How to use Burp Suite


Burp Suite Installation


If you're using Kali Linux, the free version of Burp Suite is pre-installed; for other operating systems you can download and install Burp Suite from the PortSwigger website.

The installation process is very easy: choose your operating system and download Burp Suite from the official PortSwigger website.

Now you have installed Burp Suite and are ready to attack web applications, but before that you have to configure Burp Suite and your browser so that they work together. It's a simple setup, as follows.

Burp Suite Modules



The Burp Suite interface is very easy to understand, so anyone can analyze the traffic sent from your browser to the server.

Burp Suite also comes with many modules, which confuse newbies.
Here are the modules to keep in mind:

Spider:

This module is useful for crawling the given pages and scraping their content.

Intruder:

This module is used for repetitive tasks such as brute-force attacks.

Repeater:

This module is used for manually re-sending individual requests to the destination page and inspecting each response.

Sequencer:

This module is used for analysing session cookies, testing how random (unpredictable) the tokens are.
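As an added example for the Sequencer idea (not from the original post and not Burp's own code, which runs a much larger battery of statistical tests over thousands of samples), here is a first-order check of session-token randomness: it measures the entropy of each character position across a sample of tokens and then catches the case that per-position entropy misses, a plain counter. The `weak_tokens` and `strong_tokens` generators and the `assess` and `compare` helpers are constructed for this example.

```python
# Added example (not from the original post, not Burp's code): a simplified
# Sequencer-style assessment of session-token randomness.
import math
import secrets
from collections import Counter


def shannon_entropy_bits(symbols):
    """Entropy of one observed symbol distribution, in bits."""
    total = len(symbols)
    return -sum((n / total) * math.log2(n / total) for n in Counter(symbols).values())


def per_position_entropy(tokens):
    """Entropy of each character position, measured across all sampled tokens."""
    width = min(len(t) for t in tokens)
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(width)]


def estimated_bits(tokens):
    """Sum of per-position entropies: an optimistic estimate that ignores correlations."""
    return sum(per_position_entropy(tokens))


def looks_like_counter(tokens):
    """Consecutive tokens that differ by a constant are predictable even when the
    low positions look uniformly distributed; per-position entropy cannot see this."""
    values = [int(t, 16) for t in tokens]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def weak_tokens(count):
    """Constructed bad generator: a zero-padded incrementing counter in hex."""
    return ["%016x" % (0x1000 + i) for i in range(count)]


def strong_tokens(count):
    """CSPRNG-backed 64-bit tokens, the kind a sane framework issues."""
    return [secrets.token_hex(8) for _ in range(count)]


def assess(tokens):
    """Report the naive entropy estimate, the theoretical maximum and the counter check."""
    return {
        "estimated_bits": estimated_bits(tokens),
        "max_bits": min(len(t) for t in tokens) * math.log2(16),  # hex alphabet
        "counter_pattern": looks_like_counter(tokens),
    }


def compare(count=256):
    """Assess a weak and a strong generator side by side on the same sample size."""
    return {"weak": assess(weak_tokens(count)), "strong": assess(strong_tokens(count))}


if __name__ == "__main__":
    for name, report in compare().items():
        print(name, report)
```

With 256 samples the counter-based tokens score only 8 of a possible 64 bits and are flagged as a counter, while the `secrets` tokens score close to the maximum. The second check matters in practice: a counter with a few random-looking low digits would pass the entropy test alone, which is why Sequencer runs correlation and transition tests rather than a single frequency count.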

Decoder:

The Decoder is a useful module for encoding and decoding hex, HTML, binary and many other formats, and for computing hashes.
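Here is an added example in the spirit of Decoder's "smart decode" (not from the original post and not Burp's code): it peels URL, HTML-entity, hex and Base64 layers off a value until nothing decodes any further, and computes the common hash digests. The `smart_decode`, `layered_encode` and `digests` names and the heuristics for detecting each layer are assumptions of this example; like Burp's own smart decode, the heuristics can misfire on short strings, which is why each candidate is rejected unless it decodes to printable text.

```python
# Added example (not from the original post, not Burp's code): a small
# Decoder-style multi-layer decoder plus hash digests.
import base64
import binascii
import hashlib
import html
import re
from urllib.parse import quote, unquote


def try_url(s):
    """Percent-decoding; only counts as a layer if something actually changed."""
    out = unquote(s) if "%" in s else s
    return out if out != s else None


def try_html(s):
    """HTML entity decoding (&lt; &#x27; and friends)."""
    out = html.unescape(s)
    return out if out != s else None


def try_hex(s):
    """Even-length hex that decodes to UTF-8 text."""
    if len(s) < 4 or len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def try_base64(s):
    """Standard-alphabet Base64 with valid padding that decodes to UTF-8 text."""
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


DECODERS = (("url", try_url), ("html", try_html), ("hex", try_hex), ("base64", try_base64))


def smart_decode(value, max_layers=8):
    """Apply the first decoder that changes the value, repeat, and return
    (plaintext, list of layers removed in order)."""
    layers = []
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(value)
            if out is not None and out.isprintable():  # reject binary false positives
                layers.append(name)
                value = out
                break
        else:
            return value, layers
    return value, layers


def layered_encode(text):
    """Constructed test input: hex, then Base64, then URL-encode (decoded in reverse)."""
    b64 = base64.b64encode(text.encode().hex().encode()).decode()
    return quote(b64, safe="")


def digests(text):
    """Decoder's hash function, reduced to the usual algorithms."""
    data = text.encode()
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    wrapped = layered_encode("user=alice")
    print(wrapped, "->", smart_decode(wrapped))
```

Running it on the triple-wrapped value `user=alice` reports the plaintext together with the layers removed (`url`, `base64`, `hex`), which is the same information Decoder shows as stacked transformation panes.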

Scanner:

This module is used for automating attacks against any page.
Let's see how to set things up.

How To Configure Burp Proxy on Browser


To make Burp Suite work, you have to do some configuration.
The first thing is to choose a browser to configure with Burp Proxy; in this guide I am going to use Firefox, which is a good browser for hackers, but you can choose any other browser.

Step 1: Open Firefox
Step 2: Click on the three dots in the main menu, then click on Options
Step 3: Click on Advanced, then click on Network Proxy
Step 4: Tick Manual configuration, then type 127.0.0.1 in the proxy field and 8080 as the port

Figure: Configure Burp Proxy on Firefox

Burp Suite SSL Settings


Figure: Burp Suite SSL error


This is what happens when you try to access HTTPS sites.

Burp Suite works as an HTTP proxy, but what about servers that use SSL/TLS? 😟

Burp Suite works even on HTTPS 😇

But before that we have to install a certificate; follow the steps below to do so.

Step 1: Open your web browser
Step 2: In the address bar type http://burp
You will be shown a page

Figure: Burp CA Certificate download page


Step 3: Click on CA Certificate; a file will be downloaded
Step 4: Now import the file into the Firefox certificate store

For that, open Firefox, go to Options, click on Privacy and Security, scroll down and click on View Certificates


Figure: Import the Burp SSL certificate on Firefox


Step 5: Click on Import, select the downloaded file, then click OK
That's it, you have successfully configured SSL on Burp Suite. Now go back and try opening an HTTPS site. Since the browser now trusts every certificate Burp issues, keep this in a dedicated testing profile and remove the certificate when you're done.

Figure: Burp Suite SSL pass-through

You can read more about Burp Suite SSL on the PortSwigger blog.


Attacking web applications with burp suite


Now we are ready to attack web applications. You have to choose a target site to practise on; you can also use localhost web apps to practise.

Let's see

How to configure burp suite for localhost application


If you're on Kali Linux, you have to install the Apache server on your machine to get started; if you don't know how, check out this tutorial on installing Apache on Kali.

If you're on Windows or Linux, you can use WAMP or LAMP.

Most people face the problem that the interceptor is not working for localhost applications; this usually happens because of a configuration problem in the browser.

Follow the steps below to fix this:

1. (for Firefox) go to about:config and change network.proxy.allow_hijacking_localhost to true

2. try http://127.0.0.3.:80 instead of http://127.0.0.3:80 (a dot added after the IP address)

Advanced web application penetration testing with burp suite


Attacking web applications is not an easy job; it requires a lot of learning and practice.

And if you want to be a master web hacker, you must try these vulnerable web applications



Conclusion:

Hope you guys got a clear understanding of how Burp Suite helps us attack web applications in a safe environment; if you still have any queries, feel free to comment below.
