Burp Suite

Burp Suite is an industry-standard tool for modern security assessment & penetration testing of web applications.^[1][2] This software was initially developed from 2003-2006 by author Dafydd Stuttard^[3] to automate his own security testing needs, after realizing the capabilities of automatable web tools like Selenium.^[4] Stuttard created the company PortSwigger to flagship Burp Suite's development. A community, professional, & enterprise version of this product are available.

Burp Suite

Logo of PortSwigger, the company that develops Burp Suite
Developer(s)	PortSwigger
Written in	Java
Type	Security testing
Website	portswigger.net/burp

Notable capabilities in this suite include features to proxy web-crawls (Burp Proxy)^[5], log HTTP requests/responses[5], capture/intercept in-motion HTTP requests (Burp Intercept)^[6], and aggregate reports which indicate weaknesses (Burp Scanner).^[7] This software uses a built-in database containing known-unsafe syntax patterns & keywords to search within captured HTTP requests/responses.^[8]

Burp Suite possesses several penetration-type functionalities. A few built-in PoC services include tests for HTTP downgrade^[9], interaction with tool-hosted external sandbox servers (Burp Collaborator)^[10], & analysis for pseudorandomization strength (Burp Sequencer).^[11] This tool permits integration of user-defined functionalities through download of open-source plugins (such as Java Deserialization Scanner^[12] & Autorize^[13]).

Features

As a web security analyzer, Burp Suite offers several built-in features designed to assist testers in auditing their web applications.

Community Edition features

The Community Edition version of Burp Suite includes the following features.^[14]

• Burp Proxy and Interceptor: Like other web application security scanners, one of the primary functionalities behind Burp Suite is its capability to act as a proxy server for client-side HTTP requests.^[15] Penetration testers can intercept web servers' default HTTP requests variables (attributes, body parameters, cookies, headers) in real-time and edit these values on-the-fly.^[16]
• Burp Site Map: BurpSuite operates similarly to the OWASP ZAP software, wherein target URLs' site maps^[17] can be captured either through automatic or manual web-crawling.^[18] When users crawl through a web application, HTTP requests become sent to a web proxy in Burp Suite's software. Once HTTP requests/responses are captured, these endpoints can be investigated manually or audited automatically through features in Burp Suite's Professional edition.
• Burp Logger and HTTP History: Retains a list of HTTP requests/responses captured during web-crawling (and automated scanning for Professional edition).^[19][20]
• Burp Repeater: Repeats captured HTTP requests, allowing custom changes to request variables.^[21]
• Burp Decoder: Automates text decoding.^[22]
• Burp Sequencer: Analyzes an application-generated token variable across repeated HTTP requests to determine pseudorandomness predictability strength.
• Burp Comparer: Allows users to compare content found between two different HTTP requests or HTTP responses.^[23]
• Burp Extender: See the Extender section below; certain Burp Suite plugins are limited to only interact with Professional edition.^[24]

Professional Edition features

Burp Suite's Professional edition includes all Community features plus those listed below.

• Burp Scanner: Automates report auditing and/or web crawling for HTTP captured requests/responses. Uses internal rules to audit contents from intercepted HTTP responses in order to search for vulnerable response values. Capacitates users to customize scanners' speeds and findings coverage.
• Burp Dashboard: Displays findings results and categorizes issues based on severity.^[25] Detailed descriptions and remediation steps may be provided based on what type of finding.^[26]
• Burp Intruder: Similarly to Burp Repeater at a broader extent, grants users the means to send multiple parallel HTTP requests with changes to specified request variables.^[27]
• Burp Collaborator: Simulates C2 Server hosting to attempt external service interaction and Out-of-Band attacks.^[28]
• Burp Organizer: Allows users to curate selected HTTP requests/responses into a saved collection.^[29]
• Burp Infiltrator: An IAST agent scripted to automate interactive/runtime scanning and communicate results through the Burp Collaborator feature.^[30]
• Burp Clickbandit: A tool to concept proof to test clickjacking attacks against web applications' front-end HTML and JavaScript files.^[31]
• File Saving: Profession edition allows users to save their projects as ".burp" files.^[32]

Burp Extender

BApps Burp Suite offers an extension store^[33] where users can upload and download plugins for functionalities not supported natively. Different plugins alter in functionality, ranging from adjustments for UI readability, additions to scanner rules, and implementations of new analysis-based features.

Burp Suite's extension API is open-source.^[34][35] Support for Java plugins is natively supported, while extensions which use Python & Ruby require users to download JAR files for Jython & JRuby respectively.^[36]

Many Burp plugins have also been created by Portswigger employees as a means of developing proof-of-concepts for research conducted by the company.^[37] Examples of these include extensions created by James Kettle, Portswigger's Director of Research^[38], including Backslash Powered Scanner^[39][40], Param Miner^[41][42], and HTTP Request Smuggler.^[43][44]

BChecks

BChecks were added to Burp Suite in June 2023^[45] as a means of permitting users to create and customize their own scanner rules.^[46] A curated collection of BChecks are maintained by Portswigger through an open-source GitHub project.^[47]

Bambdas

Users can write Java scripts to create custom HTTP request/response index filtering in Burp Suite's proxy HTTP History, WebSocket History, & Logger lists.^[48][49]

Awards

Granted Queen's Award for Enterprise for International Trade in 2019.^[50]

See Also

• Application security
• Dynamic Application Security Testing (DAST)
• Vulnerability Assessment (Computing)
• Information technology security assessment
• OWASP ZAP
• Web Crawler
• Web Proxy Servers

References

1. Rahalkar, Sagar Ajay (2021). A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities. Apress. ISBN 978-1-4842-6401-0.
2. Lozano, Carlos A.; Shah, Dhruv; Walikar, Riyaz Ahemed (2019-02-28). Hands-On Application Penetration Testing with Burp Suite. Packt Publishing. ISBN 9781788995283.
3. PortSwigger. "About". PortSwigger. Retrieved 2024-07-09.
4. PortSwigger. "Ask me anything, with Burp Suite creator Dafydd Stuttard". YouTube. Retrieved 2020-07-09.
5. Rose, Adam. "Proxy VM Traffic Through Burp Suite". FortyNorth Security. Retrieved 2024-07-09.
6. Setter, Matthew. "Introduction to Burp Suite". Web Dev With Matt. Retrieved 2017-12-06.
7. Lavish, Zandt. "Intro to Burp Suite Automatic Scanning". GreatHeart. Retrieved 2022-07-12.
8. Shelton-Lefley, Tom. "Web Application Cartography: Mapping Out Burp Suite's Crawler". PortSwigger. Retrieved 2021-03-05.
9. PortSwigger. "HTTP/2 Normalization in the Message Editor". PortSwigger. Retrieved 2024-07-09.
10. Stuttard, Dafydd. "Introducing Burp Collaborator". PortSwigger. Retrieved 2015-04-16.
11. Stuttard, Dafydd. "Introducing Burp Sequencer". PortSwigger. Retrieved 2007-10-21.
12. "Java Deserialization Scanner". GitHub. Retrieved 2024-07-09.
13. "Autorize". GitHub. Retrieved 2024-07-09.
14. ""Burp Suite : Home page"". portswigger.net. Retrieved 2016-02-24.
15. PortSwigger. "Proxy". PortSwigger. Retrieved 2024-07-09.
16. Setter, Matthew. "How to Intercept Requests & Modify Responses With Burp Suite". YouTube. Retrieved 2018-02-09.
17. "Burp Suite 101: Exploring Burp Proxy and Target Specification". Hacklido. Retrieved 2023-10-15.
18. PortSwigger. "Full Crawl and Audit". PortSwigger. Retrieved 2024-07-09.
19. Aggarwal, Sahil. "BurpSuite Logger Secrets for Pentesters". CertCube Blog. Retrieved 2023-01-11.
20. Pradeep. "Filtering Burp Suite HTTP History". Study Tonight. Retrieved 2023-06-02.
21. TryHackMe. "Burp Suite Repeater". TryHackMe. Retrieved 2024-07-09.
22. Chandel, Raj. "BurpSuite Encoder Decoder Tutorial". Hacking Articles. Retrieved 2018-01-24.
23. Salame, Walid. "How to Use Burp Decoder". KaliTut. Retrieved 2024-04-09.
24. PortSwigger. "Installing Extensions". PortSwigger. Retrieved 2024-07-09.
25. PortSwigger. "Dashboard". PortSwigger. Retrieved 2024-07-09.
26. PortSwigger. "Vulnerabilities List". PortSwigger. Retrieved 2024-07-09.
27. FireCompass. "Mastering Burp Intruder Attack Modes". FireCompass Blog. Retrieved 2023-10-31.
28. PortSwigger. "OAST". PortSwigger. Retrieved 2024-07-09.
29. PortSwigger. "Organizer". PortSwigger. Retrieved 2024-07-09.
30. Stuttard, Dafydd. "Introducing Burp Infiltrator". PortSwigger. Retrieved 2016-07-26.
31. Roof, Zach. "Learn Clickjacking With Burp Suite". Teachable. Retrieved 2024-07-09.
32. PortSwigger. "Manage Project Files". PortSwigger. Retrieved 2024-07-09.
33. PortSwigger. "BApp Store". PortSwigger. Retrieved 2024-07-09.
34. PortSwigger. "Creating Extensions". PortSwigger. Retrieved 2024-07-09.
35. "Burp Extensions Montoya API". GitHub. Retrieved 2024-07-09.
36. "TryHackMe Burp Suite Extensions". Medium. Retrieved 2024-03-21.
37. PortSwigger. "Research". PortSwigger. Retrieved 2024-07-09.
38. PortSwigger. "Meet the Swiggers: James K". PortSwigger. Retrieved 2024-07-09.
39. "Backslash Powered Scanner". GitHub. Retrieved 2024-07-09.
40. Kettle, James. "Backslash Powered Scanning: hunting unknown vulnerability classes". PortSwigger Research. Retrieved 2016-11-04.
41. "Param Miner". GitHub. Retrieved 2024-07-09.
42. Kettle, James. "Practical Web Cache Poisoning". PortSwigger Research. Retrieved 2018-09-09.
43. "HTTP Request Smuggler". GitHub. Retrieved 2024-07-09.
44. Kettle, James. "HTTP Desync Attacks: Request Smuggling Reborn". PortSwigger Research. Retrieved 2019-09-07.
45. PortSwigger. "Professional Community 2023.6". PortSwigger. Retrieved 2024-07-09.
46. "Use BCheck to Improve Vulnerability Scanning". YesWeHack. Retrieved 2023-09-01.
47. "BChecks". GitHub. Retrieved 2024-07-09.
48. Stocks, Emma. "Introducing Bambdas". PortSwigger. Retrieved 2023-11-14.
49. "Bambdas". GitHub. Retrieved 2024-07-09.
50. "Queen's Award for Enterprise - International Trade 2019". Retrieved 2024-07-09.

External links

• Official website