Burp Suite: Web Interception & Testing

Burp Suite (developed by PortSwigger) is the world's leading toolkit for web security testing. It acts as an HTTP/HTTPS proxy (Man-in-the-Middle) between your browser and the server, allowing you to intercept, pause, modify, and analyze absolutely all requests and responses before they reach their destination.

1. Initial Setup and Proxy

# 1. Default listener in Burp:
127.0.0.1:8080

# 2. Configure the CA certificate (Essential for intercepting HTTPS):
# With the proxy active in your browser, visit:
http://burpsuite
# Download the "CA Certificate", import it into your browser 
# and check "Trust this CA to identify websites".

Advanced Proxy Options: Match and Replace

In Proxy -> Options you can set automatic "Match and Replace" rules. For example, automatically change any User-Agent header to a mobile one, or automatically change a hidden field isAdmin=false to isAdmin=true in all requests on the fly.

2. Target Scope and Site Map

As you browse through the proxy, Burp passively builds a Site Map in the Target tab. It is crucial to configure the Scope.

Add the target URL to the Scope.
Toggle "Show only in-scope items" in the HTTP history to filter out noise from third-party trackers.

3. Repeater — The Manual Laboratory

The Repeater is where pentesters spend 80% of their time. It allows you to take an intercepted request, send it to an isolated tab (Ctrl + R), and modify it endlessly to see how the server responds.

# Typical techniques in Repeater:
# - Test SQL injections (adding ' or " to parameters).
# - Change HTTP methods (Convert GET to POST/PUT) to test WAF bypasses.
# - Test IDORs (Insecure Direct Object Reference) by changing IDs.
# - Test CORS vulnerabilities by manipulating the Origin header.

🔴 Burp Suite Mastery Simulator

A Senior pentester left you some half-finished notes regarding a web audit using Burp Suite. It's up to you to configure the correct modules of the tool to fully compromise the server.

>_ START CTF 18 CHALLENGE

4. Intruder — Offensive Automation

The Intruder automates customized attacks. It works by marking positions in the request with the § symbol and feeding it payload lists (wordlists).

Intruder Attack Types:

Sniper: One payload iterating over positions one by one.
Battering ram: Same payload injected into ALL positions at once.
Pitchfork: Multiple lists, iterating synchronously (L1[1] with L2[1]).
Cluster bomb: Multiple lists, testing ALL possible combinations (classic login brute force).

5. Sequencer — Entropy Analysis

The Sequencer is a mathematical module that analyzes the "randomness" (entropy) of session tokens (e.g., PHPSESSID or CSRF tokens). It captures thousands of tokens and determines if they are predictable.

6. Decoder and Comparer

Decoder: A Swiss army knife for transforming data (URL encode, Base64, Hex, Gzip).

Comparer: A visual diff tool. Used to analyze Blind vulnerabilities to see if a single byte in the response changed.

7. BApp Store (Extensions)

The Extensions tab allows installing plugins that give Burp "superpowers". The essentials are:

Autorize: The ultimate tool for finding Broken Access Control (IDOR/BOLA).
Turbo Intruder: Extremely fast HTTP attacks, capable of finding Race Conditions.
Param Miner: Discovers hidden, undocumented API parameters.