-
Notifications
You must be signed in to change notification settings - Fork 0
Ops 401 Class 38
Burp Suite is a suite of tools from PortSwigger designed to aid in the penetration testing of web applications over both HTTP and HTTPS. The primary tool is a proxy designed to allow the analysis and editing of web traffic. The proxy can intercept web requests and responses and read and edit them in real-time before they reach their respective destinations. Versions are available for Windows, MacOS, and Linux, along with a JAR file.
The proxy itself allows you to configure which domains have their web traffic intercepted and what sort of traffic is shown. For example, intercepting web requests is helpful as you can edit them to test how the website reacts to unusual requests, however intercepting the responses as there’s no real point in editing them.
Many of the tools included in Burp Suite are designed to integrate with the main proxy and can have requests imported to them. Intruder allows you to import a request and then configure arrange of payloads to attempt and can then run through them automatically. Repeater allows you to import a web request and then make manual modifications to it and see the response side by side allowing you to make minor adjustments to attempted exploits and easily see if it’s working. A dashboard feature shows a list of identified issues, although these need to be manually checked for false positives.
Tip: The issue tracker is a premium feature, while the automated attacks are rate-limited in the free version.
Sequencer is designed to analyse the randomness of data such as session IDs, CSRF tokens, and password reset tokens. The analysis requires more than 100 samples but can identify weaknesses in how supposedly random values are being generated. Decoder allows you to decode strings from a range of encoding standards as well as allowing you to encode data again. Comparer allows you to compare two strings to check for minor differences.
all content cited from technipages.com
this content is relevant to our studies this week as it pertains to a tool used widely by both red and blue teams, as well as threat actors in the wild. This content and the understanding of the toolset the content is related to is essential knowledge for any serious security practitioner.