Web Pentest – Lesson 1: An overview of Burp Suite

Nowadays, building a website is within almost anyone's reach, and in the current "4.0" era a website is a real asset, all the more so since the Covid-19 pandemic pushed so much of our activity online. But have you ever asked whether the website you build is safe enough for you and for the customers who use it? What happens if an attacker goes after your website?

So today Anonyviet brings you a series on the security of your website. You will play the role of the attacker and attack your own website (a penetration test, or pentest); from there you will find the flaws in the system and learn how to fix them.

Overview of Burp Suite, the pentest support software

Installation Requirements:

About Burp Suite

Burp Suite currently exists in many different versions, and the features and interface differ quite a bit between them. In this article, Anonyviet introduces Burp Suite version 2021.4.3.

After installation, open Burp Suite and you will see an interface like the one below.

[Screenshot: the Burp Suite Dashboard]

How to use Burp Suite

The Dashboard lists the Tasks running against the website being tested. The Event log below it is not a list of detected vulnerabilities (those appear in the Issue activity panel, which the scanner in the Professional edition fills in); it records what Burp itself is doing: the proxy listener starting, TLS certificate errors, failed connections to the target and similar. That information is important: many certificate and connection problems show up here first, which makes them easier to spot and faster to fix.

Next is the Target section

[Screenshot: the Target tab and its Site map]

In Target, the Site map holds every host and path Burp has seen, together with the requests made to each of them. Click the > arrow next to a host to expand it into a tree, which gives a much more intuitive view of the target's structure.

Also in Target, the Scope subtab defines which hosts and paths belong to the test. Once the scope is set, the Site map and the Proxy history can be filtered to show only in-scope items, which is much faster than sorting through every request by hand.

Next is the Proxy tab, the most important part of Burp Suite: Burp sits as an intercepting proxy between your browser and the server. The HTTP history subtab keeps a record of every request made through the proxy while you use the application or website, in real time. You can open any entry to view the request and the response, and send a copy on to another tool for editing.

From the Proxy tab, you can select a request and send it to the other Burp Suite tools that work on it, such as Repeater, Intruder, Comparer and so on (right-click the request to see the Send to options).

In the version introduced here, Burp Suite ships with an embedded Chromium browser that is already configured to use the proxy and already trusts Burp's CA certificate, which is very convenient and saves you from setting up the proxy and certificate in another browser by hand.

To open Chromium, go to Proxy > Intercept and click Open Browser, as in the image below.

[Screenshot: the Open Browser button in Proxy > Intercept]

When the Chromium browser launches, browse to any website, Anonyviet.Com for example, and watch the requests appear in Proxy > HTTP history. Note the difference between the two subtabs: requests are recorded in HTTP history whether Intercept is on or off, but while Intercept is on each request is held in the Intercept subtab until you click Forward or Drop, so the page appears to hang. If nothing shows up in HTTP history at all, the browser is not sending its traffic through Burp (the default listener is 127.0.0.1:8080).

The next tab is Intruder. It is used heavily to brute-force usernames, passwords and directory names, to fuzz parameters, and to test for IDOR by iterating over object identifiers. You mark payload positions in a request, choose one or more payload lists and an attack type, and Intruder sends one request per payload and tabulates the responses.

[Screenshot: the Intruder tab]
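The part of Intruder that trips up beginners is how the four attack types combine marked positions with payload lists. The script below is an added example written for this lesson, not Burp's own code: it takes a request template with positions marked the way Intruder marks them (between § signs), and generates exactly the sequence of requests each attack type would send. The login request and the two wordlists are constructed for the example; the host is hypothetical.

```python
import itertools
import re

# Intruder marks each payload position with a pair of section signs (§).
POSITION_RE = re.compile("§([^§]*)§")

# Constructed login request with two marked positions; not a real target.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=§admin§&pass=§secret§"
)

# Constructed wordlists (hypothetical values).
USERS = ["admin", "root", "guest"]
PASSES = ["123456", "password"]


def positions(template):
    """The original value inside each marked position, in order."""
    return POSITION_RE.findall(template)


def fill(template, values):
    """Replace the i-th marked position with values[i]; the markers are removed."""
    it = iter(values)
    return POSITION_RE.sub(lambda _m: next(it), template)


def intruder_requests(template, attack, payload_sets):
    """Yield every request the given Intruder attack type would send.

    sniper         one payload set; each position is fuzzed in turn while the
                   other positions keep their original value
    battering_ram  one payload set; the same payload goes into all positions
    pitchfork      one set per position; the sets are walked in parallel and
                   the attack stops when the shortest set runs out
    cluster_bomb   one set per position; every combination is tried
    """
    originals = positions(template)
    n = len(originals)
    if attack == "sniper":
        for pos in range(n):
            for payload in payload_sets[0]:
                values = list(originals)
                values[pos] = payload
                yield fill(template, values)
    elif attack == "battering_ram":
        for payload in payload_sets[0]:
            yield fill(template, [payload] * n)
    elif attack == "pitchfork":
        for combo in zip(*payload_sets):
            yield fill(template, list(combo))
    elif attack == "cluster_bomb":
        for combo in itertools.product(*payload_sets):
            yield fill(template, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack}")


def request_count(template, attack, payload_sets):
    """How many requests an attack will send. Check this before launching:
    cluster bomb grows as the product of the list sizes."""
    return sum(1 for _ in intruder_requests(template, attack, payload_sets))


if __name__ == "__main__":
    for attack, sets in [("sniper", [USERS]), ("battering_ram", [USERS]),
                         ("pitchfork", [USERS, PASSES]),
                         ("cluster_bomb", [USERS, PASSES])]:
        print(attack, request_count(TEMPLATE, attack, sets))
        print("  first body:", next(intruder_requests(TEMPLATE, attack, sets)).split("\r\n\r\n")[1])
```

Run it and compare the counts: with three usernames and two passwords, sniper sends 6 requests (3 per position), battering ram 3, pitchfork 2, cluster bomb 6. On a real target with wordlists of thousands of entries, that difference decides whether the attack finishes in minutes or days.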

Next to Intruder is Repeater, an indispensable component in every pentest. It lets us edit any part of a request: the method, the headers, the parameters, the body. After editing, click Send to send the request to the server and see the response next to it.

[Screenshot: the Repeater tab]

It is not for nothing that I call it indispensable. Attacking a target means sending payloads into many different places in a request, and in Burp Suite that is exactly the job Repeater does.

Changing the request by hand like this lets us try every payload we have, look for our input being reflected in the response (when hunting for XSS), or see what comes back when we put a SQL injection payload into a parameter. For these tasks, Repeater is the best tool.
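The edit-send-inspect loop above, written out as code so the individual steps are visible. This is an added example for this lesson, not code from Burp or from the original article: it parses a raw request of the kind you paste into Repeater, changes one query parameter, and then checks a response for the two tells mentioned in the text, the payload reflected unencoded (reflected XSS candidate) and a database error message (SQL injection candidate). The request, the responses and the host are all constructed for the example.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its parts. Deliberately simple: no
    chunked bodies and no repeated header names, which is enough for the
    requests you normally work on in Repeater."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = dict(line.split(": ", 1) for line in header_lines if line)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_query_param(request, name, value):
    """Return a copy of the request with one query parameter set and
    URL-encoded, the same edit you make by hand in Repeater's request pane."""
    parts = urlsplit(request["target"])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[name] = value
    target = urlunsplit(parts._replace(query=urlencode(params)))
    return {**request, "target": target}


def serialize(request):
    """Turn the parsed request back into its on-the-wire form."""
    lines = [f"{request['method']} {request['target']} {request['version']}"]
    lines += [f"{k}: {v}" for k, v in request["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + request["body"]


# Error fragments that commonly leak when a quote breaks a SQL query.
SQL_ERROR_MARKERS = (
    "You have an error in your SQL syntax",   # MySQL / MariaDB
    "unterminated quoted string",             # PostgreSQL
    "ORA-0",                                  # Oracle
    "SQLSTATE",                               # generic PDO / ODBC
)


def analyse_response(body, payload):
    """What a tester looks for in the response pane after sending a payload:
    reflected verbatim (XSS candidate), reflected only in HTML-encoded form
    (the application escaped it), or a leaked database error."""
    raw = payload in body
    encoded = (not raw) and html.escape(payload, quote=True) in body
    return {
        "reflected_raw": raw,
        "reflected_encoded": encoded,
        "sql_error": any(marker in body for marker in SQL_ERROR_MARKERS),
    }


# Constructed request and responses for a hypothetical search page.
RAW_REQUEST = (
    "GET /search?q=test&page=1 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
XSS_PAYLOAD = "<svg onload=alert(1)>"
SQLI_PAYLOAD = "test'"
VULNERABLE_XSS_BODY = "<h1>Results for <svg onload=alert(1)></h1>"
SAFE_XSS_BODY = "<h1>Results for &lt;svg onload=alert(1)&gt;</h1>"
SQLI_ERROR_BODY = ("Warning: mysqli_query(): You have an error in your SQL syntax; "
                   "check the manual that corresponds to your MySQL server version "
                   "for the right syntax to use near ''' at line 1")

if __name__ == "__main__":
    request = set_query_param(parse_request(RAW_REQUEST), "q", XSS_PAYLOAD)
    print(serialize(request))
    print(analyse_response(VULNERABLE_XSS_BODY, XSS_PAYLOAD))
    print(analyse_response(SAFE_XSS_BODY, XSS_PAYLOAD))
    print(analyse_response(SQLI_ERROR_BODY, SQLI_PAYLOAD))
```

Two things worth noticing in the output: the payload goes onto the wire URL-encoded (Repeater does the same when you paste into the Params view), and a payload that comes back as `&lt;svg ...&gt;` is not a finding, because the browser will render it as text rather than execute it.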

This part is important, so I will cover it in detail in the next articles. Remember to follow along.

Next is the Sequencer tab, used to analyse the quality of randomness of the tokens a website generates, such as session IDs, anti-CSRF tokens or password-reset tokens. You capture a large sample of tokens and Sequencer runs statistical tests on them to estimate how predictable they are, in other words whether they are easy to guess.

[Screenshot: the Sequencer tab]

Next is the Decoder tab, used to encode and decode data in common formats such as URL, HTML, Base64 and hex, and to compute hashes such as MD5 and SHA. Transformations can be chained, and Smart decode tries to recognise the encoding for you. Note what Decoder does not do: it performs no encryption such as AES, and hashes like MD5 are one-way, so it can generate them but not reverse them.

[Screenshot: the Decoder tab]
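The chaining is what makes Decoder useful, because a value in a cookie or hidden field is often wrapped in several layers. The script below is an added example for this lesson, not Burp's implementation of Smart decode: it peels URL, Base64 and hex encoding off one layer at a time and records the order in which it found them. The sample value is constructed in the script itself, and the heuristics are deliberately conservative (a layer is only removed if the result is printable text).

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable_text(raw):
    """Decode bytes as UTF-8 text if the result is printable, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_step(value):
    """Apply the first encoding that appears to fit and return (name, decoded),
    or None if nothing fits. Order matters: every hex string is also valid
    Base64, so hex is tried first. As with Decoder's Smart decode, the guess
    is a heuristic that you confirm by looking at the result."""
    if "%" in value and unquote(value) != value:
        return "url", unquote(value)
    if len(value) >= 4 and HEX_RE.match(value):
        text = _printable_text(bytes.fromhex(value))
        if text is not None:
            return "hex", text
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            text = _printable_text(base64.b64decode(value, validate=True))
        except binascii.Error:
            text = None
        if text is not None:
            return "base64", text
    return None


def smart_decode(value, max_steps=10):
    """Peel encodings off one layer at a time, like chaining transformations in
    Decoder. Returns the innermost value and the layers removed, outermost
    first. max_steps guards against a value that keeps decoding to itself."""
    chain = []
    for _ in range(max_steps):
        step = decode_step(value)
        if step is None:
            break
        name, value = step
        chain.append(name)
    return value, chain


# Constructed sample: a payload wrapped in hex, then Base64, then URL encoding,
# the way it might travel inside a cookie or a hidden form field.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE = quote(base64.b64encode(PAYLOAD.encode().hex().encode()).decode(), safe="")

if __name__ == "__main__":
    print(SAMPLE)
    print(smart_decode(SAMPLE))
```

Running it prints the wrapped value and then `('<script>alert(1)</script>', ['url', 'base64', 'hex'])`. The ambiguity built into the order of checks is real: `41414141` decodes as hex to `AAAA`, but it is also valid Base64 for three null bytes, and only the printable-text rule picks the hex reading. When Smart decode in Burp produces garbage, this is usually why, and choosing the transformation explicitly fixes it.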

The Comparer tab compares two requests or responses, word by word or byte by byte, which is handy for spotting exactly what changed between, say, a valid and an invalid login. You send items to it from tabs such as Proxy or Target by right-clicking the request and choosing Send to Comparer.

[Screenshot: the Comparer tab]

The Logger tab, as the name implies, records every request that passes through Burp Suite, including the ones sent by tools such as Intruder and Repeater, not only the traffic seen by the Proxy.

[Screenshot: the Logger tab]

The Extender tab is an interesting one: it lets you add extensions, either ready-made ones from the BApp Store or extensions you develop yourself against Burp's API. I will go into more detail in later posts.

[Screenshot: the Extender tab]

These are the basics you should be familiar with before the pentesting process begins. Read around on your own as well; it will help a lot if you are a beginner. In the next articles we will look at brute-force techniques, information gathering and more. I hope you will follow along and support the series.


Good luck

