Burp Suite – an overview

• Burp Suite is an integrated platform for performing

security testing of web applications.
• Burp Suite Free Edition
‒ contains everything you need to carry out manual security testing of
web applications
‒ Burp Intruder - Time-throttled demo, No Burp Scanner, Save and
resume

• Burp Suite Professional

‒ contains numerous powerful features to make your work faster and
more effective, letting you find more vulnerabilities in a shorter time

2 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite components
• Proxy
‒ intercept, inspect and modify traffic between browser and web
application/server.

• Intruder
‒ customized attacks to exploit unusual vulnerability

• Repeater
‒ manipulate and resend individual requests

• Sequencer
‒ test the randomness of session tokens

• Spider
‒ application-aware, crawl content and functionality

• Scanner
‒ automatic scan and detection of vulnerabilities

3 © 2012 NetIQ Corporation. All rights reserved.

 Running an automated live Burp scan
• Launch Burp Suite and configure Burp Proxy
‒ Ensure that “loopback only” is unchecked if browser is not on the
machine where Burp is running

• Define target scope as required

• Turn off interception if you don't want Burp to
intercept and stop at every request
• Configure scanner to perform passive scans
‒ Allow scanner to perform active scans (if possible)

• Configure network proxy settings on the browser to

route traffic through the Burp Proxy
• Connect to the web application, navigate through its
pages and perform different tasks/operations

4 © 2012 NetIQ Corporation. All rights reserved.

Configuring and starting a Burp scan
 Browser's Proxy Settings→ Specify
Burp Proxy's IP and Port

6 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Proxy > Options > Proxy
Listeners > Specify a listener

7 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Proxy > Intercept >
Toggle Interception

8 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Alert > Proxy service
start notification

9 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Scanner > Live Scanning
> Enable Active and Passive Scanning

10 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Scanner > Options >
Active Scanning Areas

11 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Scanner > Options >
Passive Scanning Areas

12 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Scanner > Options >
Exclude parameters from tests

13 © 2012 NetIQ Corporation. All rights reserved.

 Burp Suite > Scope > Target Scope

14 © 2012 NetIQ Corporation. All rights reserved.

 For more information, please visit http://www.portswigger.net/burp/

Thank you.

16 © 2012 NetIQ Corporation. All rights reserved.

 Worldwide Headquarters +1 713.548.1700 (Worldwide)
1233 West Loop South 888.323.6768 (Toll-free)
Suite 810 info@netiq.com http://community.netiq.com
Houston, TX 77027 USA NetIQ.com

17 © 2012 NetIQ Corporation. All rights reserved.

This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new
editions of this document. NetIQ Corporation may make improvements in or changes to the
software described in this document at any time.

Copyright © 2012 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the
cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration
Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy
Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit,
PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite,
Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the United States.