Using Burp Suite
The sections below describe the essentials of how to use Burp Suite within your web application testing. For much more information about general techniques and methodologies for web application testing, please refer to The Web Application Hacker's Handbook (http://mdsec.net/wahh/), which was co-authored by the creator of Burp Suite.

Note: Before starting to use Burp, you first need to get Burp running, configure display settings, configure your browser and Burp to work together, and ideally install Burp's SSL CA certificate in your browser. If you need help with any of these areas, please see the help on Getting started with Burp Suite (suite_gettingstarted.html).
Testing Workflow
Burp is designed to support the activities of a hands-on web application tester. It lets you combine manual and automated techniques effectively, gives you complete control over all of the actions that Burp performs, and provides detailed information and analysis about the applications you are testing.

Some users may not wish to use Burp in this way, and only want to perform a quick and easy vulnerability scan of their application. If this is what you need, please refer to Using Burp as a Point-and-Click Scanner (scanner_pointandclick.html).

The diagram below is a high-level overview of the key parts of Burp's user-driven workflow. Click on each area of the diagram for more detail:

Recon and Analysis

The Proxy tool (proxy_using.html) lies at the heart of Burp's workflow. It lets you use your browser to navigate the application, while Burp captures all relevant information and lets you easily initiate further actions. In a typical test, the recon and analysis phase involves the following tasks:

- Manually map the application: Using your browser working through Burp Proxy, manually map the application (target_using.html#manualmapping) by following links, submitting forms, and stepping through multi-step processes. This process will populate the Proxy history (proxy_using.html#history) and Target site map (target_sitemap.html) with all of the content requested, and (via passive spidering (spider_options.html#passive)) will add to the site map any further content that can be inferred from application responses (via links, forms, etc.). You should then review any unrequested items (target_using.html#unrequesteditems) (shown in gray in the site map), and request these using your browser.
- Perform automated mapping where necessary: You can optionally use Burp to automate the mapping process in various ways. You can:
  - Carry out automatic spidering (spider_using.html) to request unrequested items in the site map. Be sure to review all the Spider settings (spider_using.html#settings) before using this tool.
  - Use the content discovery (suite_functions_contentdiscovery.html) function to find further content that is not linked from visible content that you can browse to or spider.
  - Perform custom discovery (intruder_using.html#uses_enumerating) using Burp Intruder, to cycle through lists of common files and directories, and identify hits.
  Note that before performing any automated actions, it may be necessary to update various aspects of Burp's configuration, such as target scope (target_using.html#scope) and session handling (options_sessions.html).
- Analyze the application's attack surface: The process of mapping the application populates the Proxy history (proxy_using.html#history) and Target site map (target_sitemap.html) with all the information that Burp has captured about the application. Both of these repositories contain features to help you analyze (proxy_using.html#history, target_using.html#attacksurface) the information they contain, and assess the attack surface that the application exposes. Further, you can use Burp's Target Analyzer (suite_functions_targetanalyzer.html) to report the extent of the attack surface and the different types of URLs the application uses.

Tool Configuration

Burp contains a wealth of configuration options (options.html), which it is often necessary to use at different stages of your testing, to ensure that Burp works with your target application in the way you require. For example:

- Display: You can configure the font (options_display.html#messagedisplay) and character set (options_display.html#charsets) used to display HTTP messages, and also the font (options_display.html#ui) in Burp's own UI.
- Target scope: The target scope (target_scope.html) configuration tells Burp the items that you are currently interested in and willing to attack. You should configure this early in your testing, as it can control which items are displayed in the Proxy history (proxy_history.html#filter) and Target site map (target_sitemap.html#filter), which messages are intercepted (proxy_options.html#interception) in the Proxy, and which items may be spidered (spider_control.html#scope) and scanned (scanner_initiatingscans.html#live_active).
- Authentication: If the application server employs any platform-level (HTTP) authentication, you can configure Burp to handle the authentication (options_connections.html#platformauth) automatically.
- Session handling: Many applications contain features that can hinder automated or manual testing, such as reactive session termination, use of per-request tokens, and stateful multi-stage processes. You can configure Burp (options_sessions.html) to handle most of these situations seamlessly, using a combination of session handling rules (options_sessions.html#sessionrules) and macros (options_sessions.html#macros).
- Saving and restoring state: You can save Burp's current state (suite_functions_savingstate.html#saving) at any time, and restore (suite_functions_savingstate.html#restoring) it later.
- Task scheduling: You can configure Burp to schedule tasks (suite_functions_taskscheduler.html) at given times or intervals, to allow you to work within specified testing windows.

Vulnerability Detection and Exploitation

After completing your recon and analysis of the target application, and any necessary configuration of Burp, you can begin probing the application for common vulnerabilities. At this stage, it is often most effective to use several Burp tools at once, passing individual requests between different tools to perform different tasks, and also going back to your browser for some tests. Throughout Burp, you can use the context menu (suite_functions_messageeditor.html#menu) to pass items between tools and carry out other actions.

In Burp's default configuration, it automatically performs live passive scanning (scanner_initiatingscans.html#live_passive) of all requests and responses that pass through the Proxy. So before you begin actively probing the application, you might find that Burp Scanner has already recorded some issues (target_sitemap.html#info_issues) that warrant closer investigation.

Burp's tools can be used in numerous different ways to support the process of actively testing for vulnerabilities. Some examples are described below for different types of issues:

- Input-based bugs: For issues like SQL injection, cross-site scripting, and file path traversal, you can use Burp in various ways:
  - You can perform active scans (scanner_scanmodes.html#active) using Burp Scanner. You can select items anywhere in Burp, and initiate scans (scanner_initiatingscans.html#manual) using the context menu. Or you can configure Burp to do live active scanning (scanner_initiatingscans.html#live_active) of all in-scope requests passing through the Proxy.
  - You can use Burp Intruder to perform fuzzing (intruder_using.html#uses_fuzzing), using your own test strings and payload positions.
  - You can send individual requests to Burp Repeater (repeater_using.html), to manually modify and reissue the request over and over.
  - Having identified some types of bugs, you can actively exploit these using Burp Intruder (intruder_using.html). For example, you can often use the recursive grep (intruder_payloads_types.html#recursivegrep) payload type to exploit SQL injection vulnerabilities.
- Logic and design flaws: For issues like unsafe use of client-side controls, failure to enforce account lockout, and the ability to skip key steps in multi-stage processes, you generally need to work manually:
  - Typically, a close review of the Proxy history (proxy_using.html#history) will identify the relevant requests that need to be investigated.
  - You can then probe the application's handling of unexpected requests by issuing these individually using Burp Repeater (repeater_using.html), or by turning on Proxy interception (proxy_using.html#intercepting) and manually changing requests on the fly while using your browser.
  - You can actively exploit many logic and design flaws using Burp Intruder (intruder_using.html). For example, Intruder can be used to enumerate valid usernames, guess passwords, cycle through predictable session tokens or password recovery tokens, or even simply to reissue the same request a large number of times (using the null payloads (intruder_payloads_types.html#nulls) type).
  - Having confirmed a logic or design flaw, many of these can be actively exploited by using Burp Proxy's match/replace function (proxy_options.html#matchreplace), or session handling rules (options_sessions.html#sessionrules), to change requests in systematic ways.
- Access control issues: Burp contains several features that can help when testing for access control vulnerabilities:
  - You can use the Compare site maps (target_sitemap_comparingmaps.html) function for various tasks, including: identifying functionality that is visible to one user and not another; testing whether a low-privileged user can access functions that should be restricted to higher-privileged users; and discovering where user-specific identifiers are being used to segregate access to data by two users of the same type.
  - You can use different browsers to access the application in different user contexts, and use a separate Burp Proxy listener (proxy_options.html#listeners) for each browser (using different ports). You can then open additional Proxy history (proxy_history.html) windows (via the context menu) and set the display filter (proxy_history.html#filter) on each window to show only items received on a specific listener port. As you use the application in each browser, each history window will show only the items for the associated user context. You can then use the "Request in browser in current browser session" function (via the context menu) to switch requests between browsers, to determine how they are handled in that browser's user context.
  - Many privilege escalation vulnerabilities arise when the application passes a user identifier in a request parameter, and uses that to identify the current user context. You can actively exploit this type of vulnerability by using Burp Intruder (intruder_using.html) to cycle through identifiers in the appropriate format (e.g. using the numbers (intruder_payloads_types.html#numbers) or custom iterator (intruder_payloads_types.html#customiterator) payload types) and configuring extract grep (intruder_options.html#grepextract) items to retrieve interesting user-specific data from the application's responses.
- Other vulnerabilities: Burp contains functions that can be used to deliver, and often automate, virtually any task that arises when probing for other types of vulnerabilities. For example:
  - You can review the contents of the Target site map (target_sitemap.html) for information leakage issues, using the Search (suite_functions_search.html#search) and Find comments (suite_functions_search.html#comments) functions to assist you.
  - Having identified a possible CSRF vulnerability, you can use the CSRF generator (suite_functions_csrfpoc.html) to quickly create a proof-of-concept attack in HTML, then use the "Test in browser" function to load the attack into your browser, and then review the browser results and Proxy history (proxy_using.html#history) to verify whether the attack was successful.
  - You can use Burp Sequencer (sequencer.html) to analyze a sample of session tokens from the application, and estimate the quality of their randomness.
  - For some types of encrypted session tokens or other parameters, you can use the bit flipper (intruder_payloads_types.html#bitflipper) and ECB block shuffler (intruder_payloads_types.html#ecbblockshuffler) payload types in Burp Intruder to blindly modify the encrypted data in an attempt to meaningfully change the decrypted data that the application processes.
  - You can write your own custom Burp extensions (extender.html) to carry out more specialized or customized tasks.
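The site map comparison described under "Access control issues" above, written out as an added example (this is not PortSwigger's code and does not use the Burp API). Each site map is modelled as a constructed dict of method+URL to a response fingerprint; the second check mirrors what Compare site maps does when the higher-privileged user's map is re-requested in the low-privileged session, and the names, tolerance and sample data are all assumptions.

```python
"""Added example: a small model of the "Compare site maps" access-control check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    status: int
    length: int  # response body length in bytes

    def same_response(self, other, tolerance=0.05):
        """Equivalent when the status matches and body lengths differ by at most
        `tolerance` (bodies legitimately vary a little, e.g. the displayed username)."""
        if self.status != other.status:
            return False
        return abs(self.length - other.length) <= tolerance * max(self.length, other.length, 1)


def visible_to_one_only(map_a, map_b):
    """Items present in one user's site map but not the other's: a difference in
    visible functionality between the two user contexts."""
    return sorted(set(map_a) - set(map_b)), sorted(set(map_b) - set(map_a))


def privileged_items_served_to(admin_map, lowpriv_own_map, lowpriv_replay):
    """Items from the higher-privileged map that the low-privileged session received
    an equivalent response for, excluding items the low-privileged user has anyway."""
    hits = []
    for item, fp in admin_map.items():
        if item in lowpriv_own_map:
            continue
        replay = lowpriv_replay.get(item)
        if replay is not None and fp.same_response(replay):
            hits.append(item)
    return sorted(hits)


# Constructed sample data: admin's own map, low-priv user's own map, and the
# admin map re-requested in the low-priv session.
ADMIN_MAP = {
    "GET /account": Fingerprint(200, 5120),
    "GET /admin/users": Fingerprint(200, 8804),
    "POST /admin/users/delete": Fingerprint(200, 61),
    "GET /reports/export": Fingerprint(200, 20480),
}
LOWPRIV_MAP = {"GET /account": Fingerprint(200, 5090)}
LOWPRIV_REPLAY = {
    "GET /account": Fingerprint(200, 5090),
    "GET /admin/users": Fingerprint(403, 312),            # enforced
    "POST /admin/users/delete": Fingerprint(200, 61),     # missing check
    "GET /reports/export": Fingerprint(200, 20400),       # missing check
}

if __name__ == "__main__":
    print(visible_to_one_only(ADMIN_MAP, LOWPRIV_MAP))
    print(privileged_items_served_to(ADMIN_MAP, LOWPRIV_MAP, LOWPRIV_REPLAY))
```

A length-based fingerprint is deliberately coarse: a redirect to the login page and a redirect after a successful action can look identical, so hits still need manual confirmation in Repeater.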

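The Sequencer bullet above says Burp estimates the quality of a token sample's randomness; the added example below (not PortSwigger's code, and not Sequencer's actual test battery) shows the simplest form of that estimate: per-character-position Shannon entropy summed over the token, applied to a constructed counter-based scheme and to tokens from Python's secrets module. The generator names and the 200-token sample size are assumptions.

```python
"""Added example: crude per-position entropy estimate for a sample of session tokens."""
import math
import secrets
from collections import Counter


def position_entropy_bits(tokens, pos):
    """Shannon entropy (bits) of the character observed at position `pos`."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def effective_bits(tokens):
    """Sum of per-position entropy estimates. Positions are treated as independent,
    so this over-estimates structured tokens: it can show a token space is small,
    but a high figure does not on its own prove the tokens are unpredictable."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must have a fixed length")
    return sum(position_entropy_bits(tokens, p) for p in range(length))


def counter_tokens(n, start=4096):
    """Constructed weak scheme: hex-encoded incrementing counter, zero-padded to 16 chars."""
    return [f"{start + i:016x}" for i in range(n)]


def random_tokens(n):
    """Constructed strong scheme: 64 random bits as 16 hex chars."""
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    # The counter sample only varies in its last few hex digits, so nearly all
    # positions contribute 0 bits; the random sample approaches 4 bits per position.
    print("counter:", round(effective_bits(counter_tokens(200)), 1), "bits")
    print("random: ", round(effective_bits(random_tokens(200)), 1), "bits")
```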
Read More

There is extensive documentation for all of Burp's tools and features, and the typical workflow you need to use when testing with Burp.

Use the links below for help about using each of the main Burp tools:

- Using the Target tool (target_using.html)
- Using Burp Proxy (proxy_using.html)
- Using Burp Spider (spider_using.html)
- Using Burp Scanner (scanner_using.html)
- Using Burp Intruder (intruder_using.html)
- Using Burp Repeater (repeater_using.html)

Copyright 2016 PortSwigger Ltd. All rights reserved.