Burp Suite

Developer(s): PortSwigger
Written in: Java
Type: Security testing
Website: portswigger.net/burp

Burp Suite is a proprietary software tool for security assessment and penetration testing of web applications. [1] [2] The software was initially developed in 2003-2006 by Dafydd Stuttard [3] to automate his own security testing needs, after he recognised the potential of automatable web tools such as Selenium. [4] Stuttard founded the company PortSwigger to develop Burp Suite as its flagship product. Community, Professional, and Enterprise editions of the product are available.


Notable capabilities of the suite include proxying browser traffic (Burp Proxy), [5] logging HTTP requests and responses (Burp Logger and HTTP History), intercepting and modifying HTTP requests in flight (Burp Intercept), [6] and aggregating findings into reports that indicate weaknesses (Burp Scanner). [7] The crawler and scanner draw on a built-in database of known-unsafe syntax patterns and keywords that are matched against captured HTTP requests and responses. [8]

Burp Suite also provides several offensive, proof-of-concept style functions. Built-in examples include HTTP/2 downgrade tests, [9] detection of out-of-band interactions with an external server provided by the tool vendor (Burp Collaborator), [10] and analysis of the randomness of session tokens and similar values (Burp Sequencer). [11] User-defined functionality can be added through open-source extensions such as Java Deserialization Scanner [12] and Autorize. [13]

Features

As a web security analyzer, Burp Suite offers several built-in features designed to assist testers in auditing their web applications.

Community Edition

The Community Edition version of Burp Suite includes the following features. [14]

Professional Edition

Burp Suite's Professional edition includes all Community features plus those listed below.

Burp Extender

Burp Suite offers an extension store, the BApp Store, [33] where users can upload and download plugins (BApps) for functionality not supported natively. Plugins vary widely in function, ranging from adjustments for UI readability, through additional scanner rules, to entirely new analysis features.

Burp Suite's extension API is open source. [34] [35] Java extensions are supported natively, while extensions written in Python or Ruby require the user to download the Jython or JRuby JAR file respectively. [36]
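The following is an added example of a minimal Java extension written against the Montoya API; it is not code from the page or from PortSwigger. It registers an HTTP handler that appends a tag header to requests originating from Burp Proxy (so test traffic can be told apart in the target's logs) and writes a line to the extension output for every response that lacks a Content-Security-Policy header. The header name and value are assumptions chosen for the example. It is built against the `net.portswigger.burp.extensions:montoya-api` dependency, packaged as a JAR, and loaded through the Extensions tab.

```java
package example;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;

// Example Montoya extension (not PortSwigger code): tags proxied requests
// and logs responses that have no Content-Security-Policy header.
public class HeaderAuditExtension implements BurpExtension {

    // Header name and value are assumptions made for this example.
    private static final String TAG_HEADER = "X-Pentest-Tag";
    private static final String TAG_VALUE = "burp-example";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Header audit (example)");

        api.http().registerHttpHandler(new HttpHandler() {
            @Override
            public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
                // Only touch traffic that came through Burp Proxy; requests issued by
                // Scanner, Repeater or Intruder pass through unmodified.
                if (!request.toolSource().isFromTool(ToolType.PROXY)) {
                    return RequestToBeSentAction.continueWith(request);
                }
                return RequestToBeSentAction.continueWith(
                        request.withAddedHeader(TAG_HEADER, TAG_VALUE));
            }

            @Override
            public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
                // Report the URL of any response that does not carry a CSP header.
                if (!response.hasHeader("Content-Security-Policy")) {
                    api.logging().logToOutput(
                            "Missing Content-Security-Policy: "
                                    + response.initiatingRequest().url());
                }
                // Hand the response back to Burp unchanged.
                return ResponseReceivedAction.continueWith(response);
            }
        });
    }
}
```

Restricting the header injection to `ToolType.PROXY` matters in practice: modifying every tool's traffic would also alter Scanner and Intruder payloads, and a stray header can change server behaviour enough to mask or fabricate findings. Output from `logToOutput` appears in the extension's Output tab rather than as a Scanner issue.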

Many Burp plugins have also been created by PortSwigger employees as proof-of-concept implementations of research conducted by the company. [37] Examples include extensions created by James Kettle, PortSwigger's Director of Research, [38] such as Backslash Powered Scanner, [39] [40] Param Miner, [41] [42] and HTTP Request Smuggler. [43] [44]

BChecks

BChecks were added to Burp Suite in June 2023 [45] to let users create and customise their own scanner rules. [46] A curated collection of BChecks is maintained by PortSwigger in an open-source GitHub project. [47]

Bambdas

Users can write short Java snippets, called Bambdas, to define custom filters over the entries shown in Burp Suite's Proxy HTTP history, WebSocket history, and Logger lists. [48] [49]
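The following is an added example of a Bambda for the Proxy HTTP history filter; it is not from the page or from PortSwigger's Bambda collection. The filter body is evaluated once per history entry with a `requestResponse` variable (a `ProxyHttpRequestResponse`) in scope and must return a boolean; the method names used here (`finalRequest()`, `hasResponse()`, `response()`, `headers()`) are those of recent Montoya API versions. It keeps only in-scope entries whose response sets at least one cookie without both the `Secure` and `HttpOnly` attributes, parsing the attribute list rather than searching the raw header string so that a cookie merely named "secure_id" is not mistaken for a flag.

```java
// Example Bambda (added here; not PortSwigger code) for Proxy > HTTP history.
// Keep only in-scope entries whose response sets a cookie that is missing
// the Secure or HttpOnly attribute.

if (!requestResponse.finalRequest().isInScope() || !requestResponse.hasResponse()) {
    return false;
}

return requestResponse.response().headers().stream()
        .filter(h -> h.name().equalsIgnoreCase("Set-Cookie"))
        .anyMatch(h -> {
            // A Set-Cookie value is "name=value; attr1; attr2=..."; the first
            // segment is the cookie itself, everything after ';' is an attribute.
            String[] parts = h.value().split(";");
            java.util.Set<String> attrs = new java.util.HashSet<>();
            for (int i = 1; i < parts.length; i++) {
                // Attribute names are case-insensitive; drop any "=value" suffix
                // so "Path=/" becomes "path" and bare "Secure" becomes "secure".
                String attr = parts[i].trim().toLowerCase();
                int eq = attr.indexOf('=');
                attrs.add(eq >= 0 ? attr.substring(0, eq) : attr);
            }
            return !attrs.contains("secure") || !attrs.contains("httponly");
        });
```

Because the filter runs over every row each time the list is refreshed, the check is kept cheap (no regular expressions, no body parsing). The same logic, written against `requestResponse.response()` instead of a proxy entry, works in the Logger filter as well.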


References

  1. Rahalkar, Sagar Ajay (2021). A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities. Apress. ISBN   978-1-4842-6401-0.
  2. Lozano, Carlos A.; Shah, Dhruv; Walikar, Riyaz Ahemed (2019-02-28). Hands-On Application Penetration Testing with Burp Suite. Packt Publishing. ISBN   9781788995283.
  3. PortSwigger. "About". PortSwigger. Retrieved 2024-07-09.
  4. PortSwigger (9 July 2020). "Ask me anything, with Burp Suite creator Dafydd Stuttard". YouTube. Retrieved 2020-07-09.
  5. Rose, Adam (21 April 2023). "Proxy VM Traffic Through Burp Suite". FortyNorth Security. Retrieved 2024-07-09.
  6. Setter, Matthew (6 December 2017). "Introduction to Burp Suite". Web Dev With Matt. Retrieved 2017-12-06.
  7. Lavish, Zandt. "Intro to Burp Suite Automatic Scanning". GreatHeart. Retrieved 2022-07-12.
  8. Shelton-Lefley, Tom. "Web Application Cartography: Mapping Out Burp Suite's Crawler". PortSwigger. Retrieved 2021-03-05.
  9. PortSwigger. "HTTP/2 Normalization in the Message Editor". PortSwigger. Retrieved 2024-07-09.
  10. Stuttard, Dafydd. "Introducing Burp Collaborator". PortSwigger. Retrieved 2015-04-16.
  11. Stuttard, Dafydd. "Introducing Burp Sequencer". PortSwigger. Retrieved 2007-10-21.
  12. "Java Deserialization Scanner". GitHub. Retrieved 2024-07-09.
  13. "Autorize". GitHub. Retrieved 2024-07-09.
  14. "Burp Suite: Home page". portswigger.net. Retrieved 2016-02-24.
  15. PortSwigger. "Proxy". PortSwigger. Retrieved 2024-07-09.
  16. Setter, Matthew (9 February 2018). "How to Intercept Requests and Modify Responses With Burp Suite". YouTube. Retrieved 2018-02-09.
  17. "Burp Suite 101: Exploring Burp Proxy and Target Specification". Hacklido. 15 October 2023. Retrieved 2023-10-15.
  18. PortSwigger. "Full Crawl and Audit". PortSwigger. Retrieved 2024-07-09.
  19. Aggarwal, Sahil (11 January 2023). "BurpSuite Logger Secrets for Pentesters". CertCube Blog. Retrieved 2023-01-11.
  20. Pradeep. "Filtering Burp Suite HTTP History". Study Tonight. Retrieved 2023-06-02.
  21. TryHackMe. "Burp Suite Repeater". TryHackMe. Retrieved 2024-07-09.
  22. Chandel, Raj (24 January 2018). "BurpSuite Encoder Decoder Tutorial". Hacking Articles. Retrieved 2018-01-24.
  23. Salame, Walid (9 April 2024). "How to Use Burp Decoder". KaliTut. Retrieved 2024-04-09.
  24. PortSwigger. "Installing Extensions". PortSwigger. Retrieved 2024-07-09.
  25. PortSwigger. "Dashboard". PortSwigger. Retrieved 2024-07-09.
  26. PortSwigger. "Vulnerabilities List". PortSwigger. Retrieved 2024-07-09.
  27. FireCompass (31 October 2023). "Mastering Burp Intruder Attack Modes". FireCompass Blog. Retrieved 2023-10-31.
  28. PortSwigger. "OAST". PortSwigger. Retrieved 2024-07-09.
  29. PortSwigger. "Organizer". PortSwigger. Retrieved 2024-07-09.
  30. Stuttard, Dafydd. "Introducing Burp Infiltrator". PortSwigger. Retrieved 2016-07-26.
  31. Roof, Zach. "Learn Clickjacking With Burp Suite". Teachable. Retrieved 2024-07-09.
  32. PortSwigger. "Manage Project Files". PortSwigger. Retrieved 2024-07-09.
  33. PortSwigger. "BApp Store". PortSwigger. Retrieved 2024-07-09.
  34. PortSwigger. "Creating Extensions". PortSwigger. Retrieved 2024-07-09.
  35. "Burp Extensions Montoya API". GitHub. Retrieved 2024-07-09.
  36. "TryHackMe Burp Suite Extensions". Medium. Retrieved 2024-03-21.
  37. PortSwigger. "Research". PortSwigger. Retrieved 2024-07-09.
  38. PortSwigger. "Meet the Swiggers: James K". PortSwigger. Retrieved 2024-07-09.
  39. "Backslash Powered Scanner". GitHub. Retrieved 2024-07-09.
  40. Kettle, James. "Backslash Powered Scanning: hunting unknown vulnerability classes". PortSwigger Research. Retrieved 2016-11-04.
  41. "Param Miner". GitHub. Retrieved 2024-07-09.
  42. Kettle, James. "Practical Web Cache Poisoning". PortSwigger Research. Retrieved 2018-09-09.
  43. "HTTP Request Smuggler". GitHub. Retrieved 2024-07-09.
  44. Kettle, James. "HTTP Desync Attacks: Request Smuggling Reborn". PortSwigger Research. Retrieved 2019-09-07.
  45. PortSwigger. "Professional Community 2023.6". PortSwigger. Retrieved 2024-07-09.
  46. "Use BCheck to Improve Vulnerability Scanning". YesWeHack. Retrieved 2023-09-01.
  47. "BChecks". GitHub. Retrieved 2024-07-09.
  48. Stocks, Emma. "Introducing Bambdas". PortSwigger. Retrieved 2023-11-14.
  49. "Bambdas". GitHub. Retrieved 2024-07-09.