Burp Suite Essentials

Burp Suite Essentials

by Akash Mahajan
Released November 2014
Publisher(s): Packt Publishing
ISBN: 9781783550111

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Discover the secrets of web application pentesting using Burp Suite, the best tool for the job

In Detail

This book aims to impart the skills of a professional Burp user to empower you to successfully perform various kinds of tests on any web application of your choice. It begins by acquainting you with Burp Suite on various operating systems and showing you how to customize the settings for maximum performance. You will then get to grips with SSH port forwarding and SOCKS-based proxies. You will also get hands-on experience in leveraging the features of Burp tools such as Target, Proxy, Intruder, Scanner, Repeater, Spider, Sequencer, Decoder, and more. You will then move on to searching, extracting, and matching patterns for requests and responses, and you will learn how to work with upstream proxies and SSL certificates. Next, you will dive into the world of Burp Extensions and also learn how to write simple extensions of your own in Java, Python, and Ruby.

As a professional tester, you will need to be able to report your work, safeguard it, and sometimes even extend the tools that you are using; you will learn how to do all this in the concluding chapters of this book.

What You Will Learn

  • Get to grips with the user-driven workflow so that you can test any kind of web application
  • Get acquainted with the use of each of the components in Burp?Target, Proxy, Intruder, Scanner, and Repeater
  • Search, extract, and match patterns for requests and responses using response extraction rules, URL-matching rules, and Grep - Match
  • Set up and test SSL-enabled applications without any errors
  • Intercept SSL traffic from all kinds of web and mobile applications
  • Develop customized Burp Extensions to suit your needs using Java, Python, and Ruby

Table of contents

  1. Burp Suite Essentials
    1. Table of Contents
    2. Burp Suite Essentials
    3. Credits
    4. About the Author
    5. Acknowledgments
    6. About the Reviewers
    7. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    8. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    9. 1. Getting Started with Burp
      1. Starting Burp from the command line
      2. Specifying memory size for Burp
        1. Specifying the maximum memory Burp is allowed to use
      3. Ensuring that IPv4 is allowed
      4. Working with other JVMs
      5. Summary
    10. 2. Configuring Browsers to Proxy through Burp
      1. Configuring widely used browsers to proxy through Burp Suite
        1. Microsoft Internet Explorer
        2. Google Chrome
        3. Mozilla Firefox
          1. Fine-grained proxy configuration
            1. Setting up FoxyProxy
          2. Mozilla Plug-n-Hack extension
        4. Exclusive Firefox profile
      2. Summary
    11. 3. Setting the Scope and Dealing with Upstream Proxies
      1. Multiple ways to add targets to the scope
        1. Loading a list of targets from a file
      2. Scope and Burp Suite tools
      3. Scope inclusion versus exclusion
      4. Dropping out-of-scope requests
      5. Dealing with upstream proxies and SOCKS proxies
        1. Types of proxies supported by Burp
        2. Working with SOCKS proxies
          1. Using SSH tunneling as a SOCKS proxy
        3. Setting up Burp to be a proxy server for other devices
      6. Summary
    12. 4. SSL and Other Advanced Settings
      1. Importing the Burp certificate in Mozilla Firefox
      2. Importing the Burp certificate in Microsoft IE and Google Chrome
      3. Installing the Burp certificate in iOS or Android
      4. SSL pass-through
      5. Invisible Proxy
      6. Summary
    13. 5. Using Burp Tools As a Power User – Part 1
      1. Target
        1. Site map compare
      2. Proxy
      3. The Message Analysis tab
      4. Actions on the intercepted requests
        1. Response interception and modification
        2. Using the Proxy history tab
      5. Intruder
      6. Scanner
        1. Scanning optimization and requests
        2. When to scan
      7. Repeater
      8. Summary
    14. 6. Using Burp Tools As a Power User – Part 2
      1. Spidering
      2. Sequencer
        1. Analysis of the tokens
        2. Sample analysis
      3. Decoder
      4. Comparer
      5. Alerts
      6. Summary
    15. 7. Searching, Extracting, Pattern Matching, and More
      1. Filtering
        1. Illustration
      2. Matching
      3. Grep - Match and Grep - Extract
      4. Summary
    16. 8. Using Engagement Tools and Other Utilities
      1. Search
      2. Target Analyzer
      3. Content Discovery
      4. Task Scheduler
      5. CSRF proof of concept Generator
      6. Summary
    17. 9. Using Burp Extensions and Writing Your Own
      1. Setting up the Python runtime for Burp Extensions
      2. Setting up the Ruby environment for Burp Extensions
      3. Loading and installing a Burp Extension from the Burp App Store
        1. Using BApp files
      4. Loading and installing a Burp Extension manually
      5. Managing Burp Extensions
        1. Memory issues with Burp Extensions
      6. Writing our own Burp Extensions
        1. A simple Burp Extension in Python
      7. Noteworthy Burp Extensions
      8. Summary
    18. 10. Saving Securely, Backing Up, and Other Maintenance Activities
      1. Saving and restoring a state
      2. Automatic backups
      3. Scheduled tasks
      4. Logging all activities
      5. Summary
    19. 11. Resources, References, and Links
      1. Primary references
        1. Learning about Burp
      2. Web application security testing with Burp
      3. Miscellaneous security testing tutorials with Burp Suite
      4. Pentesting thick clients
      5. Testing mobile applications for web security using Burp Suite
      6. Extensions references
      7. Books
      8. Summary
    20. Index

Product information

  • Title: Burp Suite Essentials
  • Author(s): Akash Mahajan
  • Release date: November 2014
  • Publisher(s): Packt Publishing
  • ISBN: 9781783550111