
Security Testing with Burp Suite

Published June 2, 2023 (updated November 3rd, 2023) | Blogs, Security Testing, Testing

Introduction

Burp Suite is an integrated platform for performing security testing and penetration testing of web applications. It is used by security professionals, penetration testers, and web developers worldwide to check applications for vulnerabilities, and it is widely used by organizations to secure their applications.

With Burp Suite you can perform various types of security testing, including vulnerability identification, exploitation, and web application scanning, and it is useful for testing many different kinds of applications. Its Intercept, Intruder, Scanner, and Repeater features are the ones that matter most for penetration testing.

Below are some of the important and mostly used features of the Burp Suite Tool:

Intercept:

Burp Suite's interception proxy lets you inspect, intercept, and modify the requests and responses passing between your browser and the target application. Because you can modify requests and responses in real time, you can identify and test for vulnerabilities in the application. The interception proxy listens on a specific IP address and port number.

Scanner:

The Scanner feature in Burp Suite is an automated vulnerability scanner that helps identify and exploit web application vulnerabilities, and it provides remediation advice and references for fixing each issue. The scanner sends many different requests to the target application and automatically identifies common vulnerabilities. It tests for various types of attacks such as SQL injection, XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), etc. The Scanner is not available in Burp Suite Community Edition; it is available in Burp Suite Professional Edition.

Intruder:

To use the Intruder feature, select the target input field, customize the payload list, configure the attack settings, and click Start attack; the attack produces a set of result values. By observing these values, in particular the status code and the content length of each response, we determine whether each request failed or succeeded. We can test for SQL injection, XSS, and other vulnerabilities in applications. When this tool is used to attack passwords and PINs it is called a brute-force attack; it is also used for dictionary attacks and for attacks on fields that are vulnerable.

Repeater:

Repeater is the most powerful tool in Burp Suite: it lets us send an individual HTTP request to the target application multiple times and verify the response to check the application for vulnerabilities. Users can easily modify and resend requests to the server to explore and verify the application's behaviour.

Examples:

How To Use Intercept Feature:

  • Open the Burp Suite application.
  • Click on the Next button.
  • Then click on the Start Burp button.
  • Click on the Proxy tab.
  • Switch on the Intercept toggle button.
  • Click on the Open Browser button.
  • It will launch the browser.
  • Enter your application URL.
  • Start exploring your application.
  • You can see the intercepted request on the Proxy > Intercept tab in Burp Suite.
  • The request is held here so that you can study and analyze it before forwarding it to the target server.
  • Here we can edit the request, for example a parameter or a request body value, forward it to the target application, and observe the application's behavior.
  • Click on the Forward button several times until the page loads in the Burp browser.

How To Use Intruder Feature:

  • Open Burp Suite.
  • Click on the Proxy tab.
  • Switch on the Intercept toggle button.
  • Click on the Open Browser button.
  • It will launch the browser.
  • Enter your application URL.
  • Start exploring your application.
  • You can see the intercepted request on the Proxy > Intercept tab.
  • You can see your request is held in the request window.
  • Now click on the Action button.
  • Select the Send to Intruder option from the action list.
  • Click on the Intruder tab.
  • You can see the HTTP request in the Intruder tab.
  • Select the parameter, or select a request body value.
  • Click on the Add button.
  • After that, click on the Payloads tab.
  • On the Payloads tab you can add payloads and set the payload type.
  • You can add XSS payloads, CSRF payloads, SQL injection payloads, etc.
  • Then click on Start attack.
  • Look for any irregular responses in the result window.
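The triage described in the last step above, and in the Intruder section earlier, written out as a small Python script. This is an added example, not code from the post or from Burp Suite: it takes a constructed result table (payload name, status code, content length, all invented) and flags the rows whose status or length departs from the dominant pattern, which is what "irregular responses" means in practice when you sort the result window by those two columns.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResult:
    """One row of an Intruder-style result window."""
    payload: str   # the value that was substituted into the marked position
    status: int    # HTTP status code of the response
    length: int    # content length of the response in bytes


# Constructed sample results (not real traffic): most payloads get the same
# answer, two of them get something different.
SAMPLE_RESULTS = [
    AttackResult("candidate-01", 200, 1532),
    AttackResult("candidate-02", 200, 1532),
    AttackResult("candidate-03", 500, 2210),  # server error: input handled badly
    AttackResult("candidate-04", 200, 1532),
    AttackResult("candidate-05", 302, 0),     # redirect: the request was accepted
    AttackResult("candidate-06", 200, 1534),  # 2 bytes longer: payload echoed back
]


def cluster(results):
    """Count responses per (status, length) pair, the view you get by sorting
    the result window on those two columns."""
    return Counter((r.status, r.length) for r in results)


def find_irregular(results, tolerance=8):
    """Return (result, reason) pairs for responses that break the dominant pattern.

    Baseline = the most common status code, and the most common content length
    among responses with that status. A row is irregular if its status differs,
    or its length is more than `tolerance` bytes from the baseline length
    (small differences usually just mirror the length of the payload itself).
    """
    if not results:
        return []
    base_status = Counter(r.status for r in results).most_common(1)[0][0]
    base_length = Counter(
        r.length for r in results if r.status == base_status
    ).most_common(1)[0][0]
    flagged = []
    for r in results:
        if r.status != base_status:
            flagged.append((r, f"status {r.status}, baseline is {base_status}"))
        elif abs(r.length - base_length) > tolerance:
            flagged.append((r, f"length {r.length}, baseline is {base_length}"))
    return flagged


if __name__ == "__main__":
    for (status, length), n in sorted(cluster(SAMPLE_RESULTS).items()):
        print(f"{n:3d} x status {status} length {length}")
    for result, reason in find_irregular(SAMPLE_RESULTS):
        print(f"irregular: {result.payload}: {reason}")
```

The `tolerance` argument is the part worth thinking about: a response that reflects the submitted value grows by exactly the payload length, so a strict length comparison flags every row. Set it to the longest payload in the list, or compare lengths after subtracting the payload length, before treating a length difference as meaningful.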

 

How To Use Repeater Feature:

  • Open Burp Suite.
  • Click on the Proxy tab.
  • Switch on the Intercept toggle button.
  • Click on the Open Browser button.
  • It will launch the browser.
  • Enter your application URL.
  • Start exploring your application.
  • You can see the intercepted request on the Proxy > Intercept tab.
  • You can see your request is held in the request window.
  • Now click on the Action button.
  • Select the Send to Repeater option from the action list.
  • Click on the Repeater tab.
  • You can see the HTTP request in the Repeater tab.
  • Edit the parameter or request body values.
  • Click on the Send button.
  • View the response from the server. (You can resend this request as many times as you like, and the response will be updated each time.)
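What the Intercept and Repeater editors do to a request when you "edit the parameter or request body values", shown as Python you can run yourself. This is an added example, not code from the post or from Burp Suite: it parses a raw HTTP request in the form the Intercept and Repeater tabs display (a constructed sample against a placeholder host), changes one query parameter and one body parameter, and re-serializes the request with a recomputed Content-Length. The proxy address in the closing comment is Burp's default listener, not something the post states.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a form submission as the Intercept / Repeater editor
# shows it (CRLF line endings, headers, blank line, URL-encoded body).
SAMPLE_REQUEST = (
    "POST /account/update?lang=en HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=alice&display=Alice"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_query_param(req, name, value):
    """Add or replace one parameter in the query string of the request target."""
    parts = urlsplit(req["target"])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[name] = value
    req["target"] = urlunsplit(parts._replace(query=urlencode(params)))
    return req


def set_body_param(req, name, value):
    """Add or replace one parameter in a URL-encoded form body."""
    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    params[name] = value
    req["body"] = urlencode(params)
    return req


def serialize(req):
    """Rebuild the raw request. Content-Length is recomputed from the body,
    because a stale value is the usual reason a hand-edited request hangs
    or is rejected by the server."""
    body = req["body"]
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    if body or req["method"] in ("POST", "PUT", "PATCH"):
        headers.append(("Content-Length", str(len(body.encode("utf-8")))))
    lines = [f"{req['method']} {req['target']} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    req = set_query_param(req, "lang", "fr")
    req = set_body_param(req, "display", "Alice Q")
    print(serialize(req))
    # To send the edited request through Burp rather than straight to the
    # server, point the HTTP client at Burp's proxy listener (default
    # 127.0.0.1:8080) so it shows up in the Proxy history like browser traffic.
```

Burp's editor updates Content-Length for you when you change the body; a hand-written client or script does not, which is why `serialize` recomputes it from the encoded body rather than copying the header through.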


Generating Report:

Once your scan is done, generate a proper report to share with your team so the issues can be resolved. The report generation option is available in Burp Suite Professional Edition; it is not available in Community Edition. When the scan has finished and found some vulnerable requests, pass the HTML report to the developers to resolve those issues.

The HTML report covers everything needed to act on an issue:

  1. What kind of issue it is.
  2. Which HTTP request it was found on.
  3. The solution for that specific issue.
  4. Reference links, which are also included in the HTML report.

The steps below show how to generate the HTML report:

Steps:

  • Once your scan is done, click on the Target tab.
  • Select the vulnerable request from the left side.
  • Right-click on it and select the Issues option.
  • Then click on Report issues for this host.
  • Select the location where you want to save the report on your system and give the file an appropriate name.
  • You can select which kinds of issues you want to show in the HTML report file, for example High, Medium, and Low issues, or only High and Medium issues, from the summary bar chart.
  • Then click on Next.
  • View and share the report with your team.
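A minimal version of the report described above, as an added Python example (it is not Burp's report generator and does not read Burp's output). It takes constructed findings with the four fields the post lists (issue type, the HTTP request, remediation, references), filters them by the selected severities as the summary bar chart step does, and renders a single HTML page. The part worth copying is the escaping: the request field of a real report contains the payload that triggered the issue, and writing it into the HTML unescaped would make the report itself a working XSS page in the browser of whoever opens it. Hostnames and reference URLs are placeholders.

```python
import html
from collections import Counter
from dataclasses import dataclass, field

SEVERITIES = ("High", "Medium", "Low")   # the levels the report can be filtered on


@dataclass
class Finding:
    name: str             # what kind of issue it is
    severity: str
    request: str          # the HTTP request the issue was found on
    remediation: str      # solution for that specific issue
    references: list = field(default_factory=list)


# Constructed findings (not scanner output). The request of the first one
# contains markup on purpose: that is what an XSS finding looks like.
SAMPLE_FINDINGS = [
    Finding("Reflected cross-site scripting", "High",
            "GET /search?q=<b>probe</b> HTTP/1.1\r\nHost: app.example.test",
            "Encode user input for the HTML context before writing it into the page.",
            ["https://example.test/reference/xss"]),           # placeholder URL
    Finding("Cookie without Secure flag", "Low",
            "GET /login HTTP/1.1\r\nHost: app.example.test",
            "Set the Secure attribute so the cookie is only sent over HTTPS.",
            ["https://example.test/reference/cookies"]),       # placeholder URL
    Finding("Verbose error message", "Medium",
            "POST /api/orders HTTP/1.1\r\nHost: app.example.test",
            "Return a generic error page; keep the stack trace in server-side logs."),
]


def filter_findings(findings, include=SEVERITIES):
    """Keep only the selected severities, highest first."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    return sorted((f for f in findings if f.severity in include),
                  key=lambda f: rank[f.severity])


def render_report(findings, host, include=SEVERITIES):
    """Render the selected findings as a self-contained HTML page."""
    selected = filter_findings(findings, include)
    counts = Counter(f.severity for f in selected)
    summary = ", ".join(f"{s}: {counts.get(s, 0)}" for s in include)
    sections = []
    for f in selected:
        refs = "".join(
            f'<li><a href="{html.escape(r)}">{html.escape(r)}</a></li>'
            for r in f.references)
        # Every field goes through html.escape: the request holds the payload
        # that triggered the finding, and writing it raw would execute it in
        # the browser of whoever opens the report.
        sections.append(
            "<section>"
            f"<h2>{html.escape(f.name)} <em>{html.escape(f.severity)}</em></h2>"
            f"<h3>Request</h3><pre>{html.escape(f.request)}</pre>"
            f"<h3>Remediation</h3><p>{html.escape(f.remediation)}</p>"
            f"<h3>References</h3><ul>{refs}</ul>"
            "</section>")
    return ("<!doctype html><html><head><meta charset=\"utf-8\">"
            f"<title>Issues for {html.escape(host)}</title></head><body>"
            f"<h1>Issues for {html.escape(host)}</h1>"
            f"<p>Summary: {html.escape(summary)}</p>"
            + "".join(sections) + "</body></html>")


if __name__ == "__main__":
    with open("issues-report.html", "w", encoding="utf-8") as fh:
        fh.write(render_report(SAMPLE_FINDINGS, "app.example.test",
                               include=("High", "Medium")))
```

Run it and open `issues-report.html` in a browser: the High and Medium findings appear in that order, the Low finding is left out, and the `<b>` tags from the first request show up as literal text rather than bold markup.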


We at Varseno can run security testing using Burp Suite for all business websites to improve their reliability, scalability, and stability. Reach out to us to improve the security of your website's functionality.
