Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite has a large array of features, including but not limited to:
- Interception Proxy: Designed to give the user control over requests sent to the server.
- Repeater: The ability to rapidly repeat/modify specific requests. Another frequently used feature of Burp is “Repeater”, commonly used when validating results or manually searching for additional findings. Simply right-click the request body and select “Send to Repeater”. Within the Repeater interface, you can modify the request and quickly resend it to the web application. Reflected XSS can be quickly tested by injecting some HTML/JavaScript into a parameter that is echoed back without input validation, for example, modifying the payload to a simple alert("XSS").
- Intruder: Feature that allows automation of custom attacks/payloads. Another option is leveraging Burp’s Intruder, which takes a request and lets the user define various injection points (positions) that are substituted with different payloads. One common use case is to iterate through parameter values in a request to see how the web application responds (example: GET /product.php?item=1); you may have Intruder check 1-1000 and compare the differences in the responses. You can also define the resource being requested as the position to modify.
- Decoder: Decode and encode strings to various formats (URL, Base64, HTML, etc.). When you begin testing web applications you’ll find that you very often need to decode or encode strings into different formats. This can be especially useful when trying to bypass simple filters intended to prevent web application attacks or when participating in CTFs.
- Comparer: Can highlight differences between requests/responses. Burp’s Comparer feature allows you to quickly compare requests or responses to highlight the differences.
- Extender: API to extend Burp’s functionality, with many free extensions available via the BApp Store. The Extender feature offers a powerful API to develop additional functionality for Burp using a scripting language. Many of the extensions are written in Python, and are offered for free via Burp’s BApp Store. One very useful extension is Carbonator, which allows you to fully automate Burp from Spider > Scan > Report from the command line.
- Spider and Discover Content feature: Crawls links on a web application, and Discover Content can be used to dynamically enumerate unlinked content. Activating Burp’s Spider will crawl the linked content on the web application, to a depth of 5 links by default, but these options can be configured under the “Spider” tab. As you interact with the web application, all of the requests and responses will be logged under the “Proxy” tab. You can highlight a request to help it stand out, and even leave comments for later analysis.
- Scanner (Pro Only): Automated scanner that checks for web application vulnerabilities (XSS, SQLi, Command Injection, File Inclusion, etc.). I’ve not used this, but others say: After initial reconnaissance and mapping, start an active scan, which will have Burp test the discovered content for various vulnerabilities. This largely works by Burp inputting content (HTML, JavaScript, SQL syntax, OS commands, etc.) and monitoring how the web application responds. As with any web application vulnerability scanner, Burp will report a number of false positives that will require manual validation. To start the active scanner, right-click the URL or resource on the site map and select “Actively scan this host”; this will prompt a scanning wizard.
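As an added illustration of the Extender API described above (and of the highlight/comment annotations mentioned under the Proxy tab), here is a small Python extension, written for this page and not taken from Burp or any BApp, that watches Proxy traffic and flags HTML responses missing common defensive headers. It runs under Burp’s bundled Jython 2.7 interpreter; the header check is a plain function so it can also be tested outside Burp, and the `burp` import is guarded for that reason.

```python
# Added example Burp extension (Jython 2.7 syntax). Not part of Burp itself.
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Outside Burp (e.g. unit tests) the burp package is absent; stub the
    # interfaces so the module still imports and the pure check below runs.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Header names (lower-case) a hardened web application is expected to send.
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)


def _header_names(headers):
    # headers is what IResponseInfo.getHeaders() returns: the status line
    # followed by "Name: value" strings. Yield (name, value) pairs.
    for line in list(headers)[1:]:
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()


def missing_security_headers(headers):
    """Return the expected headers that are absent, in EXPECTED_HEADERS order."""
    present = set(name for name, _ in _header_names(headers))
    return [h for h in EXPECTED_HEADERS if h not in present]


def is_html(headers):
    """True when the response's Content-Type names an HTML document."""
    return any(name == "content-type" and "text/html" in value.lower()
               for name, value in _header_names(headers))


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Only inspect complete responses that passed through the Proxy tool.
        if messageIsRequest or toolFlag != self._callbacks.TOOL_PROXY:
            return
        headers = self._helpers.analyzeResponse(messageInfo.getResponse()).getHeaders()
        missing = missing_security_headers(headers) if is_html(headers) else []
        if missing:
            # Annotate the Proxy history entry so it stands out for later review.
            messageInfo.setHighlight("orange")
            messageInfo.setComment("Missing: " + ", ".join(missing))
```

Load it via Extender > Extensions > Add with the extension type set to Python (Jython must be configured under Extender > Options).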
For a good tutorial on Burp Suite, see Udemy’s free video course:
https://www.udemy.com/burp-suite/learn/v4/overview
Use the following resources for Burp Suite:
Kali Linux: https://www.kali.org/
To learn how to use Burp, install OWASP WebGoat. You can download the OWASP WebGoat version used in the above Udemy videos from:
https://code.google.com/p/webgoat/downloads/list.
You can use Tomcat6 or Tomcat7; however, WebGoat will not work with Tomcat8.
- sudo apt-get install tomcat7
- sudo mv ~/Downloads/WebGoat-5.4.war /var/lib/tomcat7/webapps/WebGoat.war <=== keep the capitalisation: Tomcat derives the context path (/WebGoat) from the WAR filename
- sudo vi /var/lib/tomcat7/conf/tomcat-users.xml <=== add new users (will edit this later)
- sudo service tomcat7 start
- Point your browser to http://localhost:8080/WebGoat/attack