Burp Suite is a Java-based application, a set of web tools for manipulating HTTP/HTTPS requests and for analysing and testing the security of web and mobile applications.
Burp provides the following components:
- Proxy: capture and modify the requests and responses exchanged with a web application
- Repeater: capture, modify and resend a request multiple times; very useful for crafting payloads when testing for SQL injection
- Intruder: for brute-force attacks
- Decoder: decode/encode data
- Comparer: compare two pieces of data at the string or byte level
- Sequencer: useful for testing the randomness of session cookie tokens
Before diving into Burp Suite
Intruder
The Intruder tab is used for sending requests to the target with different values in chosen positions; it is commonly used for brute-forcing a website, for example to identify a valid username/password pair.
There are different kinds of attacks:
- Sniper: the attack most commonly used. For each position in the request, the Sniper attack tests every payload in turn.
- Battering ram: the same payload is placed in every position at once, like this:

| Attack 1 | username=pentester&password=pentester |
|---|---|
| Attack 2 | username=foo&password=foo |
| Attack 3 | username=hacked&password=hacked |

- Pitchfork: similar to the Sniper attack, but all positions are attacked simultaneously. A Pitchfork attack uses one payload set per position (20 max):

| 1 | username=foo&password=F0o |
|---|---|
| 2 | username=pentest&password=P$ntester |
| 3 | username=hacked&password=Hacked |

- Cluster bomb: uses multiple payload sets, one per position, and tries every combination:

| 1 | username=joel&password=J03l |
|---|---|
| 2 | username=harriet&password=J03l |
| 3 | username=alex&password=J03l |
| 4 | username=joel&password=Emma1815 |
| 5 | username=harriet&password=Emma1815 |
| 6 | username=alex&password=Emma1815 |
| 7 | username=joel&password=Sk1ll |
| 8 | username=harriet&password=Sk1ll |
| 9 | username=alex&password=Sk1ll |
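The four attack modes differ only in how payload sets are mapped onto the marked positions. The added example below (my own illustration, not code from this page or from PortSwigger) reproduces that mapping offline for the two positions and the payload lists shown in the tables above; the original position values (`ORIG_USER`, `ORIG_PASS`) are constructed placeholders. It sends nothing; its use for a defender is the `request_count` helper, which tells you how many login attempts each mode generates, the figure you need when sizing lockout and rate-limit thresholds or alert rules for a login endpoint.

```python
from itertools import product

# Constructed sample inputs, taken from the tables above; no real target is involved.
POSITIONS = {"username": "ORIG_USER", "password": "ORIG_PASS"}   # position -> original value
USERNAMES = ["joel", "harriet", "alex"]
PASSWORDS = ["J03l", "Emma1815", "Sk1ll"]


def sniper(positions, payloads):
    """One payload set. Each position is fuzzed in turn while the others keep their original value."""
    requests = []
    for name in positions:
        for p in payloads:
            req = dict(positions)
            req[name] = p
            requests.append(req)
    return requests


def battering_ram(positions, payloads):
    """One payload set. The same payload is put into every position at once."""
    return [{name: p for name in positions} for p in payloads]


def pitchfork(positions, payload_sets):
    """One payload set per position, advanced in lock-step; stops when the shortest set runs out."""
    return [dict(zip(positions, combo)) for combo in zip(*payload_sets)]


def cluster_bomb(positions, payload_sets):
    """One payload set per position; every combination is tried (cartesian product).
    The first position varies fastest, which matches the numbering in the table above."""
    combos = [tuple(reversed(c)) for c in product(*reversed(payload_sets))]
    return [dict(zip(positions, combo)) for combo in combos]


def as_body(req):
    """Render a request dict as the URL-encoded body shown in the tables."""
    return "&".join(f"{k}={v}" for k, v in req.items())


def request_count(mode, n_positions, set_sizes):
    """Number of requests each mode produces, given the number of positions and payload set sizes.
    Useful for a defender estimating the volume a single Intruder run puts on a login endpoint."""
    if mode == "sniper":
        return n_positions * set_sizes[0]
    if mode == "battering_ram":
        return set_sizes[0]
    if mode == "pitchfork":
        return min(set_sizes)
    if mode == "cluster_bomb":
        total = 1
        for s in set_sizes:
            total *= s
        return total
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for i, req in enumerate(cluster_bomb(POSITIONS, [USERNAMES, PASSWORDS]), start=1):
        print(i, as_body(req))
    print("cluster bomb requests:", request_count("cluster_bomb", 2, [3, 3]))
```

Note the growth: Sniper and Pitchfork stay linear in the size of the payload lists, but Cluster bomb is the product of all list sizes, so two lists of 1,000 entries already mean a million login attempts from one run. That is why a lockout or rate-limit rule keyed on the source and on the target account, rather than on a single failed-password counter, is what actually catches this pattern.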