Burp Suite is an integrated platform for performing security testing of web applications. It is not a point-and-click tool, but is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp’s more advanced features will take further learning and experience to master. All of this investment is hugely worth it – Burp’s user-driven workflow is by far the most effective way to perform web security testing, and will take you way beyond the capabilities of any conventional point-and-click scanner. Burp is intuitive and user-friendly, and the best way to start learning is by doing. These steps will get you started with running Burp and using its basic features. You can then read on deeper into the documentation to become more proficient in using this supremely powerful tool.
Burp Suite is a Java application and is distributed as a standalone Java executable file, with the .JAR extension. You can download Burp Suite Community Edition from the PortSwigger.net website. For Burp Suite Professional users, you can log in and download the latest Professional build using your account details. The Burp JAR file can be executed using a Java Runtime Environment, and there is no need to unpack the contents of the JAR file itself.
To launch Burp, first check whether Java is installed:
- Open a command prompt:
- On Windows, click the Start button, type “cmd” into the search box, and click on the “cmd.exe” item under “Programs”.
- On Mac OS X, in the system dock, click on Applications, then Utilities, then Terminal.app.
- On Linux, look in your lists of applications for an item called “console” or “shell”.
- In the command prompt window, type: java -version
- If Java is installed, you will see a message like: java version “1.6.0_21”. To run Burp, you will need a version of Java that is 1.6 or later.
- If Java is not installed, or if your version of Java is older than 1.6, you will need to install Java. Download the latest Java Runtime Environment (JRE), run the installer, and then open a new command prompt and start again.
Then start Burp from the command prompt with:
java -jar -Xmx1024m /path/to/burp.jar
Here 1024 is the amount of memory (in MB) that you want to assign to Burp, and /path/to/burp.jar is the location of the Burp JAR file on your computer.
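The Java check and launch command above, carried out by a script, as an added example that is not PortSwigger’s own code: a POSIX shell launcher for the Mac OS X and Linux cases that parses the `java -version` banner, refuses to start Burp when the version is below the 1.6 minimum the page states, and then runs the JAR with the -Xmx heap size. It goes beyond the page in one respect: Java 9 and later report versions such as 11.0.2 or 17 rather than 1.x, so a naive “starts with 1.6 or higher” check would reject them, and the version test here accepts both schemes. The function names, the `/path/to/burp.jar` placeholder and the 1024 MB default are the assumptions.

```sh
#!/bin/sh
# Added example, not PortSwigger's own script: check the installed Java
# against Burp's stated minimum (1.6) before launching the JAR (Mac OS X / Linux).

# Pull the version string out of the first line of `java -version`, e.g.
#   java version "1.6.0_21"          -> 1.6.0_21
#   openjdk version "11.0.2" 2019... -> 11.0.2
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Return 0 when the version is 1.6 or later. Java 1.x numbers itself
# "1.<minor>..."; Java 9 and later report "<major>.<minor>..." (11.0.2, 17),
# which a literal 1.6 comparison would misread, so both schemes are handled.
java_version_ok() {
  ver="$1"
  major=${ver%%.*}            # "1" for 1.6.0_21, "11" for 11.0.2, "17" for 17
  rest=${ver#"$major"}
  rest=${rest#.}
  minor=${rest%%[._]*}        # "6" for 1.6.0_21, "0" for 11.0.2, "" for 17
  if [ -z "$minor" ]; then minor=0; fi
  case "$major" in ''|*[!0-9]*) return 1 ;; esac   # unparseable: treat as too old
  case "$minor" in *[!0-9]*) return 1 ;; esac
  if [ "$major" -gt 1 ]; then return 0; fi         # 9, 11, 17, ... are all newer than 1.6
  [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]
}

# Launch Burp with the heap size from the page (-Xmx, in MB) after the check.
# Usage: launch_burp /path/to/burp.jar 1024
launch_burp() {
  jar="${1:-/path/to/burp.jar}"   # placeholder path from the page
  heap_mb="${2:-1024}"
  if ! command -v java >/dev/null 2>&1; then
    echo "java is not installed or not on PATH; install a JRE first" >&2
    return 1
  fi
  banner=$(java -version 2>&1 | head -n 1)   # the banner is written to stderr
  ver=$(java_version_from_banner "$banner")
  if ! java_version_ok "$ver"; then
    echo "Java version '$ver' is older than 1.6; install a newer JRE" >&2
    return 1
  fi
  java -Xmx"${heap_mb}m" -jar "$jar"
}
```

Source the file and call `launch_burp /path/to/burp.jar 1024`; the launcher exits with an error message instead of a Java stack trace when no suitable JRE is on the PATH.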
Configuring Your Browser
- Internet Explorer – Go to the Tools menu, select Internet Options, go to the Connections tab, and click on the “LAN settings” button. Make sure the “Automatically detect settings” box is unchecked. Make sure the “Use automatic configuration script” box is unchecked. Make sure the “Use a proxy server for your LAN” box is checked. Enter your Burp Proxy listener address in the “Address” field (by default, 127.0.0.1). Enter your Burp Proxy listener port in the “Port” field (by default, 8080). Make sure the “Bypass proxy server for local addresses” box is unchecked. Then click on the “Advanced” button. Make sure the “Use the same proxy server for all protocols” box is checked. Delete anything that appears in the “Exceptions” field. Then click “OK” to close all of the options dialogs.
- Chrome – The Chrome browser picks up the HTTP proxy settings configured on the host computer. If you are using Chrome, open your computer’s built-in browser and follow the instructions above for configuring that browser. If you aren’t sure where the built-in proxy settings are, open Chrome, go to the Customize menu, select Settings, click on “Show advanced settings”, and click the “Change proxy settings …” button. This will open the relevant proxy configuration options for your host computer.
- Firefox – Go to the Firefox menu, click on Options, click on Advanced, go to the Network tab, and click on the Settings button in the Connection section. Select the “Manual proxy configuration” radio button. Enter your Burp Proxy listener address in the “HTTP proxy” field (by default, 127.0.0.1). Enter your Burp Proxy listener port in the “Port” field (by default, 8080). Make sure the “Use this proxy server for all protocols” box is checked. Delete anything that appears in the “No proxy for” field. Then click “OK” to close all of the options dialogs.
- Safari – Go to the Safari menu, click on Preferences, click on Advanced, and by the Proxies label click the “Change Settings” button. This will open the Network configuration settings for your current network adapter. In the Proxies tab, check the “Web Proxy (HTTP)” box, and enter your Burp Proxy listener address in the “Web Proxy Server” field (by default, 127.0.0.1), and your Burp Proxy listener port in the (unlabeled) port field (by default, 8080). Ensure the “Bypass proxy settings for these Hosts & Domains” box is empty. Repeat these steps for the “Secure Web Proxy (HTTPS)” checkbox. Click “OK” and “Apply” and close the open dialogs.
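The Firefox steps above set a handful of preferences that can also be written straight into a profile’s user.js file, which is how the same configuration is usually applied to a scripted or disposable test profile. The following shell script is an added example and not part of PortSwigger’s documentation: it writes those preferences for a given listener address and port (defaulting to the page’s 127.0.0.1 and 8080) and includes a checker that reads a prefs file back and reports the mistakes the steps warn about, namely proxy mode not set to manual, HTTPS not sharing the HTTP proxy, or a non-empty “No proxy for” list, any of which lets traffic reach the application without passing through Burp. One line goes beyond the page: Firefox 67 and later send loopback addresses around any configured proxy unless `network.proxy.allow_hijacking_localhost` is true, so it is set here for testing applications that run on the same machine. The function names and file paths are assumptions.

```sh
#!/bin/sh
# Added example, not PortSwigger's own: write the Firefox proxy preferences the
# GUI steps above set into a profile's user.js, and check a prefs file for the
# misconfigurations those steps warn about.

# Write a user.js pointing Firefox at the Burp listener (page defaults:
# 127.0.0.1:8080) with "Use this proxy server for all protocols" on and the
# "No proxy for" list empty. The allow_hijacking_localhost pref is not in the
# page's steps: Firefox 67+ otherwise bypasses the proxy for loopback addresses.
write_firefox_burp_prefs() {
  out="$1"; host="${2:-127.0.0.1}"; port="${3:-8080}"
  cat > "$out" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$host");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "$host");
user_pref("network.proxy.ssl_port", $port);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
}

# Print the value of one pref from a prefs file (last assignment wins), exactly
# as written: strings keep their quotes, numbers and booleans do not.
read_pref() {
  sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

# Check a prefs file against the expected listener; print each problem to
# stderr and return 1 if any was found. An absent no_proxies_on pref is treated
# as a problem too, because older Firefox builds default it to "localhost, 127.0.0.1".
check_firefox_proxy_prefs() {
  f="$1"; host="${2:-127.0.0.1}"; port="${3:-8080}"; bad=0
  if [ "$(read_pref "$f" network.proxy.type)" != "1" ]; then
    echo "network.proxy.type is not 1 (manual proxy configuration)" >&2; bad=1
  fi
  if [ "$(read_pref "$f" network.proxy.http)" != "\"$host\"" ] ||
     [ "$(read_pref "$f" network.proxy.http_port)" != "$port" ]; then
    echo "HTTP proxy is not $host:$port" >&2; bad=1
  fi
  if [ "$(read_pref "$f" network.proxy.share_proxy_settings)" != "true" ]; then
    echo "proxy is not shared for all protocols (HTTPS would bypass Burp)" >&2; bad=1
  fi
  bypass=$(read_pref "$f" network.proxy.no_proxies_on)
  if [ "$bypass" != "\"\"" ]; then
    echo "\"No proxy for\" is not empty: ${bypass:-pref missing}" >&2; bad=1
  fi
  return "$bad"
}
```

Copy the generated user.js into the Firefox profile directory before starting Firefox; the checker can then be run against the profile’s prefs.js to confirm the settings took effect and that no bypass list crept back in.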
The Burp tools you will use for particular tasks are as follows:
- Spider – This can be used for automatically crawling an application, to discover its content and functionality.
- Scanner – This is used to automatically scan HTTP requests to find security vulnerabilities.
- Intruder – This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
- Repeater – This is used to manually modify and reissue individual HTTP requests over and over.
- Sequencer – This is used to analyze the quality of randomness in an application’s session tokens.
- Decoder – This lets you transform bits of application data using common encoding and decoding schemes.
- Comparer – This is used to perform a visual comparison of bits of application data to find interesting differences.