Burp Suite Practical Guide
Vibe Prompt
“Help me use Burp Suite to intercept an HTTP request, modify a parameter, and resend it to test whether the server validates the input.”
Core Features Overview
| Feature | Purpose | Typical Use Case |
|---------|---------|------------------|
| Proxy | Intercept and modify HTTP/HTTPS traffic | Inspect and tweak every request before it reaches the server |
| Repeater | Manually resend altered requests | Test parameter tampering, SQL injection, or authentication bypass |
| Intruder | Automate brute‑force or enumeration attacks | Test password strength, IDOR, or payload combinations |
| Scanner | Automated vulnerability detection (Professional edition) | Quickly identify XSS, SQLi, CSRF, and other common flaws |
| Decoder | Encode/decode data (URL, Base64, Hex) | Decode obfuscated parameters or payloads |
| Comparer | Compare two requests or responses | Spot subtle differences between normal and malicious traffic |
| Sequencer | Analyze randomness of tokens | Determine if session tokens are predictable |
| Extender | Add custom extensions | Extend Burp’s capabilities with Python, Java, or Ruby scripts |
Intruder Attack Modes
| Mode | Description | Example Scenario |
|------|-------------|------------------|
| Sniper | One parameter, one payload at a time | Testing a single password field for weak values |
| Battering Ram | Multiple parameters share the same payload | Sending the same malicious string to several fields simultaneously |
| Pitchfork | Multiple payload lists run in parallel | Testing username/password combinations from separate lists |
| Cluster Bomb | Cartesian product of all payload lists | Exhaustive brute‑force across all parameters |
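The four modes differ only in how payload lists are combined across the marked positions, and that combination determines how many requests an attack generates (which is exactly the volume a server-side throttle sees). The following is an added example, not code from the page or from Burp Suite, that reproduces each mode's request generation for a constructed two-position template; the template, position names and sample payloads are assumptions.

```python
from itertools import product
from typing import Dict, List

# Constructed example: a login body with two Burp payload positions.
# Burp marks a position by wrapping it in § characters; names are assumed.
TEMPLATE = "username=§user§&password=§pass§"
POSITIONS = ["user", "pass"]


def fill(values: Dict[str, str]) -> str:
    """Substitute one value per position into the template."""
    body = TEMPLATE
    for name, value in values.items():
        body = body.replace(f"§{name}§", value)
    return body


def sniper(payloads: List[str], defaults: Dict[str, str]) -> List[str]:
    """One position at a time; the other positions keep their original value.
    Request count = positions * payloads."""
    out = []
    for pos in POSITIONS:
        for payload in payloads:
            values = dict(defaults)
            values[pos] = payload
            out.append(fill(values))
    return out


def battering_ram(payloads: List[str]) -> List[str]:
    """The same payload is placed into every position at once.
    Request count = payloads."""
    return [fill({pos: payload for pos in POSITIONS}) for payload in payloads]


def pitchfork(payload_sets: Dict[str, List[str]]) -> List[str]:
    """One list per position, advanced in lock-step; the run stops with the
    shortest list. Request count = min(list sizes)."""
    columns = [payload_sets[pos] for pos in POSITIONS]
    return [fill(dict(zip(POSITIONS, row))) for row in zip(*columns)]


def cluster_bomb(payload_sets: Dict[str, List[str]]) -> List[str]:
    """Cartesian product: every payload for one position against every payload
    for the others. Request count = product of list sizes."""
    columns = [payload_sets[pos] for pos in POSITIONS]
    return [fill(dict(zip(POSITIONS, row))) for row in product(*columns)]


if __name__ == "__main__":
    # Constructed sample payloads (placeholder strings, not real credentials)
    single = ["p1", "p2", "p3"]
    per_position = {"user": ["u1", "u2"], "pass": ["p1", "p2", "p3"]}
    for name, reqs in [
        ("Sniper", sniper(single, {"user": "u0", "pass": "p0"})),
        ("Battering Ram", battering_ram(single)),
        ("Pitchfork", pitchfork(per_position)),
        ("Cluster Bomb", cluster_bomb(per_position)),
    ]:
        print(f"{name}: {len(reqs)} requests, first = {reqs[0]}")
```

With three payloads and two positions, Sniper emits 6 requests and Battering Ram 3; with lists of 2 and 3, Pitchfork emits 2 and Cluster Bomb 6. The multiplicative growth of Cluster Bomb is why a per-account or per-client attempt counter on the server sees it long before a full run completes.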
Vibe Prompt – Python Intruder Script
“Help me write a simple Intruder script in Python to test an API’s rate limiting.”
```python
import requests
import concurrent.futures
import time

# Target endpoint
url = "https://api.target.com/login"

# Generate a list of candidate passwords
payloads = [f"password_{i}" for i in range(100)]


def try_password(pwd):
    """Send a POST request with the given password and time the round trip."""
    start = time.perf_counter()
    r = requests.post(url, json={"username": "admin", "password": pwd})
    elapsed = time.perf_counter() - start
    return pwd, r.status_code, elapsed


# Use a thread pool to send requests concurrently
with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor:
    results = list(executor.map(try_password, payloads))

# Filter successful attempts and throttled attempts (HTTP 429 = rate limit engaged)
success = [r for r in results if r[1] == 200]
rate_limited = [r for r in results if r[1] == 429]
print(f"Number of successful logins: {len(success)}")
print(f"Number of rate-limited responses (429): {len(rate_limited)}")
print(f"Average response time: {sum(r[2] for r in results)/len(results):.3f}s")
```
What This Script Does
- Generates 100 password candidates (`password_0` to `password_99`).
- Sends concurrent POST requests to the login endpoint.
- Measures HTTP status codes and response times.
- Reports how many attempts succeeded and the average latency.
Why Rate‑Limiting Matters
- Business Impact: Prevents credential stuffing attacks that can compromise user accounts and expose sensitive data.
- Financial Return: Reducing breach risk saves potential regulatory fines, litigation costs, and reputational damage.
- Developer Value: Demonstrates how to automate security testing, saving time and ensuring consistent coverage.
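The script above only measures the client side; what decides whether credential stuffing succeeds is the throttle on the server. The following is an added example, not code from the page, of the mitigation: a sliding-window limiter keyed on (client IP, username) in front of a minimal login handler, replayed against a burst shaped like the script's 100 guesses. The class name, the `USERS` store, the IP address and the limits are all constructed for the demonstration.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_attempts` per `window_seconds`
    for each (client IP, username) pair. The clock is injectable so the
    behaviour can be simulated without waiting for real time to pass."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _recent(self, key: Tuple[str, str], now: float) -> Deque[float]:
        """Drop timestamps that have aged out of the window; return the rest."""
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, client_ip: str, username: str) -> bool:
        """Record one attempt; False means the request must be rejected."""
        now = self.clock()
        q = self._recent((client_ip, username.lower()), now)
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def retry_after(self, client_ip: str, username: str) -> float:
        """Seconds until the oldest attempt leaves the window (0 if not limited)."""
        now = self.clock()
        q = self._recent((client_ip, username.lower()), now)
        if len(q) < self.max_attempts:
            return 0.0
        return self.window - (now - q[0])


# Constructed credential store for the simulation (not real accounts).
USERS = {"alice": "correct-horse-battery-staple"}


def handle_login(limiter: LoginRateLimiter, client_ip: str,
                 username: str, password: str) -> Tuple[int, Dict[str, str]]:
    """Minimal login handler: returns (HTTP status, extra response headers).
    The limiter is consulted before the password is checked, so throttled
    requests never touch the credential store."""
    if not limiter.allow(client_ip, username):
        wait = limiter.retry_after(client_ip, username)
        return 429, {"Retry-After": str(int(wait) + 1)}
    expected = USERS.get(username, "")
    # compare_digest keeps the comparison time independent of where strings differ
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, {}


def simulate_burst(n_attempts: int = 100, interval: float = 0.05) -> Dict[int, int]:
    """Replay a burst like the script above (100 guesses at 20 req/s from one
    client against one account) and count the status codes produced."""
    fake_now = [1000.0]
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=60.0,
                               clock=lambda: fake_now[0])
    counts: Dict[int, int] = {}
    for i in range(n_attempts):
        status, _ = handle_login(limiter, "203.0.113.7", "alice", f"password_{i}")
        counts[status] = counts.get(status, 0) + 1
        fake_now[0] += interval
    return counts


if __name__ == "__main__":
    print(simulate_burst())  # {401: 5, 429: 95}
```

Keying on the (IP, username) pair rather than on the username alone matters: a limiter keyed only on the account lets anyone lock a victim out by sending a handful of bad guesses, while a limiter keyed only on the IP is blind to a slow spray across many accounts. Production deployments usually layer both, plus a global per-IP cap.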
How to Integrate with Burp Intruder
- Export the payload list to a file (`payloads.txt`).
- In Burp Intruder, load the file as a payload source.
- Configure the attack type (e.g., Sniper for a single field).
- Run the attack and analyze the results in the Intruder tab.
Course Summary
You’ve completed an advanced penetration testing module! Key takeaways:
- ✅ Mastered Burp Suite’s core functionalities.
- ✅ Executed Intruder attacks with various modes.
- ✅ Leveraged SQLMap for automated injection testing.
- ✅ Compiled comprehensive penetration testing reports.
Key Points Checklist
- ✅ Expand each section with concrete learning objectives.
- ✅ Include comparative tables, code snippets, and flow diagrams.
- ✅ Ensure depth and practical value for developers and security teams.
Detailed Burp Suite Core Functions
| Feature | Purpose | Shortcut |
|---------|---------|----------|
| Proxy | Intercept browser traffic (HTTP/HTTPS) | Ctrl+P |
| Repeater | Manual request replay | Ctrl+R |
| Intruder | Automated parameter enumeration | Ctrl+I |
| Decoder | Encode/decode data | Auto‑detect |
| Sequencer | Token randomness analysis | Ctrl+S |
| Scanner | Automated vulnerability scan | Professional only |
| Comparer | Compare two items | Ctrl+C |
Proxy Configuration Steps
- Launch Burp Suite → Proxy → Intercept tab.
- Verify the listener is set to `127.0.0.1:8080`.
- Install Burp’s CA certificate in your browser to enable HTTPS decryption:
  - Navigate to `http://burp` and download `cacert.der`.
  - On macOS: double‑click → Keychain Access → set to “Always Trust”.
- Configure your browser to use `127.0.0.1:8080` as the HTTP/HTTPS proxy.
- Ensure Intercept is on to start capturing traffic.
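The same two settings (proxy address and trusted CA) apply when the client is a script rather than a browser, which is how you get a tool's traffic into the Proxy history for inspection. The following is an added example, not code from the page or from Burp, that converts the downloaded `cacert.der` to PEM with the standard library and builds a `urllib` opener that routes through the listener above and trusts that CA; the output path `burp-ca.pem` and the example URL are assumptions.

```python
import ssl
import urllib.request
from typing import Dict, Optional

# Burp's default listener from the steps above. The PEM path is an assumed
# location for the converted copy of cacert.der.
BURP_PROXY = "127.0.0.1:8080"
BURP_CA_PEM = "burp-ca.pem"


def der_to_pem(der_bytes: bytes) -> str:
    """Convert the DER certificate Burp serves at http://burp into PEM text,
    the format Python's ssl module and most CLI tools expect for a CA bundle."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def convert_cert_file(der_path: str, pem_path: str) -> None:
    """Read cacert.der and write the PEM equivalent next to it."""
    with open(der_path, "rb") as f:
        pem = der_to_pem(f.read())
    with open(pem_path, "w") as f:
        f.write(pem)


def burp_proxy_map(proxy: str = BURP_PROXY) -> Dict[str, str]:
    """Both schemes go through the same listener. The proxy URL is http:// for
    HTTPS targets too, because the client talks plain HTTP (CONNECT) to Burp."""
    return {"http": f"http://{proxy}", "https": f"http://{proxy}"}


def build_burp_opener(proxy: str = BURP_PROXY,
                      ca_pem_path: Optional[str] = None) -> urllib.request.OpenerDirector:
    """Opener that sends every request through Burp and, when ca_pem_path is
    given, trusts Burp's CA so intercepted HTTPS validates. With the default
    (system trust store) HTTPS through Burp fails certificate verification,
    which is the expected failure when the CA step has been skipped."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxy_map(proxy)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def configured_proxies(opener: urllib.request.OpenerDirector) -> Dict[str, str]:
    """Return the proxy map an opener's ProxyHandler was built with."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


if __name__ == "__main__":
    # Assumes Burp is listening on 127.0.0.1:8080 and cacert.der was downloaded.
    convert_cert_file("cacert.der", BURP_CA_PEM)
    opener = build_burp_opener(ca_pem_path=BURP_CA_PEM)
    req = urllib.request.Request("https://example.com/", headers={"User-Agent": "burp-demo"})
    with opener.open(req, timeout=10) as resp:
        print(resp.status)  # the request now appears in Proxy > HTTP history
```

Keep the Burp CA in a bundle used only for testing sessions; adding it to the system trust store means any process holding that CA's key can impersonate every site on that machine.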
Repeater Usage Tips
1. Right‑click a request in Proxy → Send to Repeater.
2. Modify parameters or headers as needed.
3. Click “Send” to replay.
4. Observe response changes.
Common Test Scenarios
- IDOR: Change resource IDs to access unauthorized data.
- JWT Removal: Delete the token to test authentication enforcement.
- HTTP Method Manipulation: Switch from GET to POST to test method restrictions.
- SQLi Payloads: Inject `' OR '1'='1` to test injection points.
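What Repeater shows you for the SQLi and IDOR scenarios is a difference in the response, and what a developer needs to see is why the vulnerable handler produces it and what the fixed handler looks like. The following is an added example, not code from the page: an in-memory SQLite schema with constructed users and documents, a concatenated query beside its parameterised form, and an unauthenticated document lookup beside one that includes ownership in the query. All table and function names are assumptions; the payload is the one listed above.

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

# The payload from the list above.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema with sample users and documents (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users (id, username, email) VALUES
            (1, 'alice', 'alice@example.com'),
            (2, 'bob',   'bob@example.com'),
            (3, 'carol', 'carol@example.com');
        INSERT INTO documents (id, owner_id, body) VALUES
            (10, 1, 'alice private notes'),
            (20, 2, 'bob private notes');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Concatenates user input into the SQL text. The quote in the payload closes
    the string literal and the appended OR clause is true for every row."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the payload is bound as data and compared literally."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def fetch_document_vulnerable(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    """IDOR: the id from the request is the only filter, so changing it in
    Repeater returns another user's document."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def fetch_document_safe(conn: sqlite3.Connection, requester_id: int,
                        doc_id: int) -> Optional[str]:
    """Ownership is part of the query; the requester id comes from the session,
    not from the request body, so a changed doc_id yields nothing."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?", (doc_id, requester_id)
    ).fetchone()
    return row[0] if row else None


def payload_widens_result(conn: sqlite3.Connection,
                          lookup: Callable[[sqlite3.Connection, str], list],
                          payload: str) -> bool:
    """The check a reviewer makes from two Repeater responses: a value that should
    match no account must not return more rows than a non-existent username does."""
    baseline = len(lookup(conn, "no_such_user_zz"))
    return len(lookup(conn, payload)) > baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("safe:      ", lookup_safe(db, INJECTION_PAYLOAD))
    print("IDOR, alice requesting doc 20:",
          fetch_document_vulnerable(db, 20), "->", fetch_document_safe(db, 1, 20))
```

The fixed versions share one property: the value under the tester's control is never interpreted, only matched. For SQLi that is parameter binding; for IDOR it is pulling the requester's identity from the server-side session and making it part of the query rather than trusting the client to send it.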
Burp Suite: The Swiss Army Knife of Web Penetration Testing
Burp Suite is the industry‑standard tool for web security assessment. Its central pillar is the Intercepting Proxy, which sits between the browser and the server, allowing you to pause, inspect, and modify traffic before it reaches its destination.
When to Use Each Feature
| Feature | When to Use |
|---------|-------------|
| Proxy | Every time you need to see raw HTTP traffic or tweak a request. |
| Repeater | After intercepting a request you suspect is vulnerable; you want to experiment with different payloads. |
| Intruder | When you need to automate a large number of requests, such as brute‑forcing passwords or enumerating IDs. |
| Scanner | For a quick sweep of the application to surface obvious vulnerabilities. |
| Decoder | When you encounter encoded data that needs to be decoded for analysis. |
Typical Workflow Diagram
```text
Browser → Burp Proxy (Intercept & Modify) → Server
                    ↓
          Repeater (Manual Replay)
                    ↓
          Intruder (Automated Attack)
                    ↓
          Scanner (Automated Scan)
```
Transition to the Next Chapter
Burp Suite equips you with the tools to discover vulnerabilities, but finding a flaw is only the first step. The next chapter will guide you through exploiting those vulnerabilities: crafting proof‑of‑concept (PoC) payloads, building custom exploits, and turning a theoretical weakness into a demonstrable attack. By mastering both detection and exploitation, you’ll be able to validate the severity of findings, provide actionable remediation, and ultimately protect your organization from real‑world threats. Stay tuned as we dive into the art of turning a discovered flaw into a fully‑functional exploit.