Burp Suite and Web Pentesting Tools¶
Burp Suite as the primary web application security testing platform: proxy configuration, key components (Repeater, Intruder, Scanner, Decoder), plus complementary tools for directory brute-forcing and fuzzing.
Key Facts¶
- Burp Suite is the industry-standard web application security testing proxy
- Configure browser to use proxy at 127.0.0.1:8080 and install Burp CA for HTTPS interception
- Repeater is for manual request manipulation; Intruder is for automated attacks
- Scanner (Pro version) performs both passive and active vulnerability scanning
- Always configure Scope to limit testing to target domains
Setup¶
- Install Burp Suite (Community or Pro)
- Configure browser proxy: 127.0.0.1:8080
- With the proxy configured, browse to http://burp and download the CA certificate (served in DER format)
- Install CA cert in browser for HTTPS interception
- Set Scope to target domain(s) only
Key Components¶
Proxy¶
Intercept and modify HTTP/HTTPS requests in real time:
- Match and replace rules for automated modifications
- Proxy history for reviewing all captured traffic
- WebSockets interception support
Repeater¶
Manual request modification and resending:
- Test parameter manipulation
- Verify vulnerability existence
- Craft exploit payloads iteratively
- Compare responses side-by-side
Intruder¶
Automated attack tool with payload positions:

| Mode | Behavior | Use Case |
|------|----------|----------|
| Sniper | One payload set, one position at a time (other positions keep their base value) | Parameter fuzzing |
| Battering Ram | Same payload in all positions | Username = password test |
| Pitchfork | Different payload set per position (parallel) | Known user:pass pairs |
| Cluster Bomb | All combinations (cartesian product) | Credential brute force |
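The four attack types differ only in how payloads are assigned to the marked positions. The following is an added example, not Burp's own code: each generator yields the values that would fill the positions, in the same order Intruder uses, and `request_count` sizes an attack before it is launched (the sample request, hostname-free, and the payload lists are constructed placeholders).

```python
"""Payload-position arithmetic for Burp Intruder's four attack types (added example, not Burp code)."""
from itertools import product
from math import prod
from typing import Iterator, Sequence

MARK = "§"  # Intruder's payload-position marker


def parse_template(template: str) -> tuple[list[str], list[str]]:
    """Split a request into literal chunks and the base values marked §...§."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(literals: Sequence[str], values: Sequence[str]) -> str:
    """Reassemble a request with the marked positions filled by `values`."""
    out = [literals[0]]
    for lit, val in zip(literals[1:], values):
        out.extend((val, lit))
    return "".join(out)


def sniper(base: Sequence[str], payloads: Sequence[str]) -> Iterator[tuple[str, ...]]:
    """One payload set; each position is fuzzed in turn while the others keep their base value."""
    for pos in range(len(base)):
        for payload in payloads:
            row = list(base)
            row[pos] = payload
            yield tuple(row)


def battering_ram(base: Sequence[str], payloads: Sequence[str]) -> Iterator[tuple[str, ...]]:
    """One payload set; the same payload is placed in every position at once."""
    for payload in payloads:
        yield (payload,) * len(base)


def pitchfork(base: Sequence[str], payload_sets: Sequence[Sequence[str]]) -> Iterator[tuple[str, ...]]:
    """One set per position, walked in parallel; stops when the shortest set runs out."""
    if len(payload_sets) != len(base):
        raise ValueError("pitchfork needs exactly one payload set per position")
    yield from zip(*payload_sets)


def cluster_bomb(base: Sequence[str], payload_sets: Sequence[Sequence[str]]) -> Iterator[tuple[str, ...]]:
    """One set per position, every combination; the first position varies fastest, as in Burp."""
    if len(payload_sets) != len(base):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for combo in product(*reversed(payload_sets)):
        yield tuple(reversed(combo))


def request_count(mode: str, n_positions: int, set_sizes: Sequence[int]) -> int:
    """Requests an attack will send; check this before launching a Cluster Bomb."""
    counts = {
        "sniper": n_positions * set_sizes[0],
        "battering ram": set_sizes[0],
        "pitchfork": min(set_sizes),
        "cluster bomb": prod(set_sizes),
    }
    return counts[mode]


if __name__ == "__main__":
    # Constructed sample request body; the credentials are placeholders.
    literals, base = parse_template("username=§admin§&password=§letmein§")
    users, passwords = ["admin", "root"], ["letmein", "Winter2024!"]
    print("cluster bomb will send", request_count("cluster bomb", len(base), [2, 2]), "requests")
    for values in cluster_bomb(base, [users, passwords]):
        print(render(literals, values))
```

`request_count` is the number to look at before pressing Start: two 1,000-entry lists in Cluster Bomb mode is a million requests, while the same lists in Pitchfork mode send 1,000.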
Scanner (Pro)¶
- Passive scanning - analyzes normal traffic for issues
- Active scanning - sends payloads to test for vulnerabilities
- Crawling - discovers application content and endpoints
Decoder¶
Encode/decode data: Base64, URL encoding, HTML entities, hex, etc. Essential for crafting encoded payloads.
Comparer¶
Diff two responses to identify differences - useful for detecting blind vulnerabilities where responses vary slightly.
Complementary Tools¶
Directory Brute-Forcing¶
```bash
# gobuster
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# ffuf (Fast Fuzzer): FUZZ marks where each wordlist entry is substituted
ffuf -w wordlist.txt -u http://target.com/FUZZ
ffuf -w wordlist.txt -u http://target.com/FUZZ -fc 404   # -fc drops responses with these status codes

# dirbuster (GUI alternative)
```
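Filtering on status code alone misses hosts that answer every unknown path with a 200 "not found" page. The following is an added example, not gobuster's or ffuf's code: it shows the logic behind ffuf's `-fc`/`-fs` filters and `-ac` auto-calibration by first probing random paths that cannot exist, then discarding every candidate whose response looks the same. The fetcher is injected, so the demo runs offline against a constructed fake server; `requests_fetcher` is the real equivalent and can be pointed at Burp (the target hostname and paths are placeholders).

```python
"""Directory brute-forcing with soft-404 filtering (added example, not gobuster/ffuf code)."""
import secrets
from typing import Callable, Dict, Optional, Tuple

# A fetcher maps a URL to (status_code, body_length) without following redirects.
Fetcher = Callable[[str], Tuple[int, int]]


def join_url(base_url: str, path: str) -> str:
    return f"{base_url.rstrip('/')}/{path.lstrip('/')}"


def not_found_signatures(base_url: str, fetch: Fetcher, samples: int = 2) -> set:
    """Probe random, non-existent paths and record how this host answers them."""
    return {fetch(join_url(base_url, secrets.token_hex(8))) for _ in range(samples)}


def brute_dirs(base_url: str, words, fetch: Fetcher, filter_codes=frozenset({404})) -> list:
    """Return (word, status, size) for candidates whose response differs from a miss."""
    noise = not_found_signatures(base_url, fetch)
    hits = []
    for word in words:
        status, size = fetch(join_url(base_url, word))
        if status in filter_codes:
            continue  # the equivalent of ffuf -fc 404
        if (status, size) in noise:
            continue  # soft 404: same status and size as a random path
        hits.append((word, status, size))
    return hits


def fake_server(known: Dict[str, Tuple[int, int]], soft_404=(200, 1234)) -> Fetcher:
    """Constructed stand-in for a target that answers unknown paths with a 200 'not found' page."""
    def fetch(url: str) -> Tuple[int, int]:
        path = url.rsplit("/", 1)[-1]
        return known.get(path, soft_404)
    return fetch


def requests_fetcher(proxy: Optional[str] = None, verify=True) -> Fetcher:
    """Real fetcher; pass proxy='http://127.0.0.1:8080' to route the scan through Burp."""
    import requests  # imported here so the offline demo does not need it
    proxies = {"http": proxy, "https": proxy} if proxy else None

    def fetch(url: str) -> Tuple[int, int]:
        r = requests.get(url, proxies=proxies, verify=verify, allow_redirects=False, timeout=10)
        return r.status_code, len(r.content)
    return fetch


if __name__ == "__main__":
    # Constructed target: 'admin' redirects, 'login' and 'robots.txt' exist, everything else soft-404s.
    target = fake_server({"admin": (301, 0), "login": (200, 5120), "robots.txt": (200, 60)})
    for hit in brute_dirs("http://target.com", ["admin", "login", "robots.txt", "backup", "old"], target):
        print(hit)
```

Size-based filtering is only a heuristic: a soft-404 page that embeds the requested path will vary in length by a few bytes, which is why ffuf also offers word and line filters (`-fw`, `-fl`) and why results still need a manual look in Burp.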
Web Vulnerability Scanners¶
- Nikto - web server scanner (misconfigs, dangerous files)
- WPScan - WordPress-specific vulnerability scanner
- Nuclei - template-based vulnerability scanner
Patterns¶
Testing Workflow¶
- Set scope, start proxy, browse application naturally
- Review proxy history for interesting endpoints/parameters
- Send suspicious requests to Repeater for manual testing
- If parameter appears injectable: test in Repeater, then automate with Intruder
- Use Scanner to find additional issues
- Verify all findings manually before reporting
Routing Through Burp from Scripts¶
```python
import requests

# Route Python requests through Burp proxy for inspection
resp = requests.post(
    "https://target.com/login",
    data={"username": "admin", "password": "test"},
    proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"},
    verify=False,  # Burp presents its own certificates; verify=False disables TLS validation entirely.
                   # Prefer verify="/path/to/burp-ca.pem" with the exported Burp CA.
)
print(resp.status_code)
```
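Disabling verification works but hides real certificate problems, and a script run from the wrong terminal will happily hit hosts outside the engagement. The following is an added example (not Burp's code) that fixes both: it converts the DER CA Burp serves at http://burp/cert into the PEM form `requests` expects for `verify=`, and wraps a `requests.Session` so that anything outside the configured scope is refused before it leaves the machine, mirroring the page's "always set Scope" rule. It assumes Burp on 127.0.0.1:8080; `target.com` is a placeholder.

```python
"""Scoped requests session routed through Burp with the Burp CA trusted (added example)."""
import base64
from typing import Iterable
from urllib.parse import urlsplit

BURP_PROXY = "http://127.0.0.1:8080"


def der_to_pem(der: bytes) -> str:
    """Wrap a DER certificate as PEM: base64 body in 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def in_scope(url: str, scope: Iterable[str]) -> bool:
    """True when the URL's host is an in-scope host or a subdomain of one (never a lookalike suffix)."""
    host = (urlsplit(url).hostname or "").lower()
    allowed = [s.lower() for s in scope]
    return any(host == s or host.endswith("." + s) for s in allowed)


def fetch_burp_ca(pem_path: str, proxy: str = BURP_PROXY) -> str:
    """Download Burp's CA through the proxy (DER) and save it as PEM for requests' verify=."""
    import requests
    der = requests.get("http://burp/cert", proxies={"http": proxy}, timeout=10).content
    with open(pem_path, "w", encoding="ascii") as f:
        f.write(der_to_pem(der))
    return pem_path


def make_burp_session(scope: Iterable[str], ca_pem_path: str, proxy: str = BURP_PROXY):
    """requests.Session that goes via Burp, trusts the Burp CA, and refuses out-of-scope URLs."""
    import requests
    allowed = [s.lower() for s in scope]
    session = requests.Session()
    session.proxies = {"http": proxy, "https": proxy}
    session.verify = ca_pem_path  # validate Burp's generated certs against the Burp CA
    unguarded = session.request

    def guarded(method, url, *args, **kwargs):
        # Session.get/post/... all funnel through request(), so one check covers every verb.
        if not in_scope(url, allowed):
            raise PermissionError(f"refusing out-of-scope request to {url}")
        return unguarded(method, url, *args, **kwargs)

    session.request = guarded
    return session


if __name__ == "__main__":
    # Requires Burp listening locally; target.com is a placeholder.
    ca = fetch_burp_ca("burp-ca.pem")
    s = make_burp_session(["target.com"], ca)
    r = s.post("https://target.com/login", data={"username": "admin", "password": "test"})
    print(r.status_code)
```

The suffix check in `in_scope` matters: a naive `"target.com" in host` would let `target.com.evil.net` through, and `endswith("target.com")` would let `nottarget.com` through.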
Gotchas¶
- Free (Community) version has rate-limited Intruder and no Scanner - Pro is essential for professional use
- Always test in scope only - out-of-scope testing is unauthorized access
- Browser extensions can interfere with proxy - use a dedicated testing browser profile
- HTTPS interception requires the client to trust the Burp CA - without it Burp still terminates TLS, but the browser rejects the certificates Burp generates and HSTS-protected sites will not load at all
- Intruder Cluster Bomb with large lists creates N x M requests - can DoS the target
See Also¶
- [[web-application-security-fundamentals]] - XSS, CSRF, SSRF, OWASP Top 10
- [[sql-injection-deep-dive]] - testing SQLi through Burp
- [[penetration-testing-methodology]] - full pentesting workflow
- [[python-for-security]] - scripting security tools