If there is one tool that you NEED to have to be a successful Bug Bounty Hunter (Ethical Hacking), it would be Burp Suite. You can find plenty of bugs without ever leaving Burp. It is by far my most used and favorite tool for every web attack. If you don’t know what Burp is, it’s a tool for performing security tests against web applications. The tool acts as a proxy and allows you to inspect, modify, replay, and otherwise tamper with web requests. Almost every exploit you’re going to pull off will be done with Burp.
Note that there is a free version (Community) but I HIGHLY recommend purchasing a Professional license. This is a must-have tool!
The Proxy tab is probably the most important tab in Burp. This is where you can see all of your traffic that passes through the Burp proxy. The first thing you want to do when Burp loads is make sure your proxy is listening:
The next step is to force your browser to route its traffic through the Burp proxy. This can be accomplished by changing your browser’s proxy settings as shown below; note that this will be different depending on which browser you use:
Once you have the Burp proxy listening, the browser configured to use Burp, and the Burp CA certificate imported into your browser, you will be good to go. Once you navigate to a web page you should see the request show up in Burp as shown below:
As you can see in the above image the “Intercept” tab is toggled on. This means that Burp will intercept each HTTP request and you will have to manually press the “Forward” button for the request to continue to the server. While on this tab you can also modify a request before forwarding it to the back-end server.
However, I only use this tab when I’m trying to isolate requests from a specific feature. I normally turn “Intercept” off and view the traffic in the “HTTP History” tab as shown below:
As you can see, the “HTTP History” tab shows each HTTP request and response that was made by and sent to our browser. This is where I spend 80% of my time looking for something that piques my interest.
When looking at the traffic I’m mostly paying attention to the method, URL, and MIME type fields. Why? Because when I see a POST method being used I think of Stored XSS, Cross-Site Request Forgery, and many more vulnerabilities. When I see a URL with an email, username, or id in it I think IDOR.
When I see a JSON MIME type I think back-end API. Most of this knowledge of what to look for comes from experience: once you have tested enough apps you start to see things that look similar. Clicking on an HTTP request will show you the client’s request and the server’s response. This can be seen in the above image. Note that while in this view these values can’t be modified. You will have to send the request to Repeater if you want to modify the request and replay it; this will be discussed in more detail later.
One feature that I use to find a lot of vulnerabilities and make my life easier is the search feature. Basically, you can search for a word (or words) across all of your Burp traffic.
Burp’s Proxy tab is where you will spend most of your time, so make sure you are familiar with it. Any traffic sent by your browser will pass through it. Keep intercept turned off so that you don’t have to manually forward each request.
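The two habits described above, triaging HTTP history by method, URL and MIME type, and searching across all captured traffic, can be scripted once the history is exported. The following is an added example written for this page, not Burp's own code or API: it works on a constructed, simplified history record (method, URL, response MIME type, request body) rather than Burp's real export format, and encodes the same heuristics the text lists (state-changing methods, identifiers in the URL, JSON responses) plus a simple full-text search over the captured entries.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class HistoryEntry:
    """Simplified stand-in for one row of Burp's HTTP history (constructed format)."""
    method: str
    url: str
    mime: str          # response MIME type as shown in the history column
    body: str = ""     # request body, used by the search helper


# Query-string keys that usually carry an object or user identifier.
ID_KEYS = {"id", "uid", "user", "userid", "user_id", "username", "account", "email"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def looks_like_identifier(key: str, value: str) -> bool:
    """A parameter is interesting if its name is id-like or its value is numeric or an e-mail."""
    return key.lower() in ID_KEYS or value.isdigit() or bool(EMAIL_RE.match(value))


def triage(entry: HistoryEntry) -> Set[str]:
    """Apply the method / URL / MIME heuristics from the text and return review tags."""
    tags: Set[str] = set()
    if entry.method.upper() in STATE_CHANGING:
        tags.add("state-changing: check stored XSS / CSRF")

    parts = urlsplit(entry.url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(looks_like_identifier(k, v) for k, vs in query.items() for v in vs):
        tags.add("identifier in URL: check IDOR")
    # Identifiers also appear as path segments, e.g. /users/1042/orders.
    elif any(seg.isdigit() or EMAIL_RE.match(seg) for seg in parts.path.split("/")):
        tags.add("identifier in URL: check IDOR")

    if "json" in entry.mime.lower():
        tags.add("JSON response: back-end API")
    return tags


def search_history(entries: List[HistoryEntry], term: str) -> List[HistoryEntry]:
    """Case-insensitive search of a term across URLs and request bodies, like Burp's search."""
    term = term.lower()
    return [e for e in entries if term in e.url.lower() or term in e.body.lower()]


# Constructed sample history; example.test is a reserved test domain, not a real target.
SAMPLE_HISTORY = [
    HistoryEntry("GET", "https://example.test/profile?id=1042", "text/html"),
    HistoryEntry("POST", "https://example.test/comment", "text/html", body="text=hello"),
    HistoryEntry("GET", "https://example.test/api/v1/users/1042/orders", "application/json"),
    HistoryEntry("GET", "https://example.test/static/app.js", "application/javascript"),
]

if __name__ == "__main__":
    for entry in SAMPLE_HISTORY:
        print(f"{entry.method:6} {entry.url}")
        for tag in sorted(triage(entry)):
            print("       -", tag)
    print("search 'users':", [e.url for e in search_history(SAMPLE_HISTORY, "users")])
```

The tags are deliberately coarse: they only say where to look, the same way the author's mental checklist does, and the static JavaScript file correctly gets no tag at all.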
I generally don’t find myself in the Target section of Burp Suite, but I think it’s still important to know what it is. The “Site Map” sub-tab organizes each request seen by the proxy and builds a site map as shown below:
As you can see in the above image a site map is built, which easily allows us to view requests from a specific target. This becomes fairly useful when hitting an undocumented API endpoint, as this view allows you to build a picture of the possible endpoints. You can also view the HTTP requests in this tab by clicking on a folder in the site map.
In addition to the “Site Map” tab there is a “Scope” tab. I almost never use this, but if you want to define the scope of your target, this will limit Burp’s scans to only the domains in scope.
If you’re doing any fuzzing or brute forcing with Burp you’re probably doing it in the “Intruder” tab. When you find an interesting request, right-click it and then click “Send to Intruder”. This will send your request to the Intruder tab as shown below:
Go to the Intruder tab and you should see something like this:
Now click the “Clear” button to reset everything. From here your steps vary depending on what you’re trying to do, but suppose we are trying to do some parameter fuzzing. One of the first things we need to do is select the value we are trying to modify. This can be done by highlighting the value and pressing the “Add” button as shown below:
As you can see above we are selecting the “cb” parameter value. Since we are attempting to do parameter fuzzing, this is the value that will be replaced with our fuzzing payloads. You may have also noticed the “Attack type” drop-down menu is set to “Sniper”. There are four different attack types, which are described below:
Sniper: Uses a single payload list; replaces one position at a time.
Battering ram: Uses a single payload list; replaces all positions at the same time.
Pitchfork: Each position has a corresponding payload list. So if there are two positions to be modified they each get their own payload list.
Cluster bomb: Uses each payload list and tries different combinations for each position.
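The four attack types differ only in how payload lists are mapped onto the marked positions, and that mapping is easy to see in code. What follows is an added example written for this page, not Burp's own implementation: it takes a constructed request template in which each position is wrapped in § markers (the same convention Intruder uses, with the original value between the markers) and generates the request set each attack type would send. The Sniper branch keeps every other position at its original value while one position is fuzzed, and Pitchfork stops when the shortest list runs out, which is why the request counts below differ.

```python
import itertools
import re
from typing import Iterable, Iterator, List, Sequence

# A payload position is the original value wrapped in § markers, e.g. "cb=§123§".
POSITION_RE = re.compile("§([^§]*)§")


def positions(template: str) -> List[str]:
    """Return the base (original) value of every marked position, left to right."""
    return POSITION_RE.findall(template)


def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position, in order, and drop the markers."""
    it = iter(values)
    return POSITION_RE.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One payload list; each position is fuzzed in turn while the others keep
    their base value. Yields (positions x payloads) requests."""
    base = positions(template)
    payload_list = list(payloads)
    for i in range(len(base)):
        for p in payload_list:
            values = list(base)
            values[i] = p
            yield render(template, values)


def battering_ram(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One payload list; the same payload goes into every position at once."""
    n = len(positions(template))
    for p in payloads:
        yield render(template, [p] * n)


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One payload list per position, walked in lock-step; stops at the shortest list."""
    for combo in zip(*payload_sets):
        yield render(template, combo)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One payload list per position; every combination is tried."""
    for combo in itertools.product(*payload_sets):
        yield render(template, combo)


# Constructed request line with two marked positions, as Intruder would display it.
TEMPLATE = "GET /search?cb=§123§&page=§1§ HTTP/1.1"

if __name__ == "__main__":
    single = ["A", "B"]
    per_position = [["A", "B"], ["x", "y", "z"]]
    for name, gen in [
        ("sniper", sniper(TEMPLATE, single)),
        ("battering ram", battering_ram(TEMPLATE, single)),
        ("pitchfork", pitchfork(TEMPLATE, per_position)),
        ("cluster bomb", cluster_bomb(TEMPLATE, per_position)),
    ]:
        requests = list(gen)
        print(f"{name}: {len(requests)} requests")
        for r in requests:
            print("   ", r)
```

Running the script prints the generated request lines for each attack type; the counts (4, 2, 2 and 6 for the sample lists) are the same numbers Intruder reports in its request-count field before you start the attack.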
Once you have selected your attack type and the value to be modified, click on the “Payloads” sub-tab.
Here we want to select our payload type and the payload list. There are numerous payload types but I’m going to keep it on the default one; feel free to play around with the others. As for my payload list, we want a list of fuzzing values. I’m just going to use the default lists that come with Burp.
Now to use Burp’s predefined lists just click the “Add from list” drop-down menu and select one:
Now that you have your fuzzing list imported all that you have to do is press “Start attack”.
As shown above, after hitting the “Start attack” button a popup will appear and you will see your payloads being launched. The next step is to inspect the HTTP responses to determine if there is anything suspicious.
Intruder is great for brute forcing, fuzzing, and other things of that nature. However, most professionals don’t use Intruder; they use a plugin called “Turbo Intruder”. If you don’t know what “Turbo Intruder” is, it’s Intruder on steroids. It hits a whole lot harder and a whole lot faster. This plugin will be discussed more in the plugins section.
In my opinion this is one of the most useful tabs in Burp. If you want to modify and replay a request you do it in the Repeater tab. Similar to Intruder, you right-click a request and click “Send to Repeater”.
Once the request is sent to the Repeater tab you will see something like this:
On this tab you can modify the request to test for vulnerabilities and security misconfigurations. Once the request is modified you can hit the Send button to send the request. The HTTP response will be shown in the Response window. You might have noticed that at the top there are a bunch of different tabs with numbers on them. By default every request you send to Repeater will be assigned a number. Whenever I find something interesting I change this value so I can easily find it later; that’s why one of the tabs is labeled SSRF. It’s a quick, easy way to keep a record of things.