Burp Suite Pocket Book

1) What is Burp Suite?

An integrated platform for web security testing: intercepting proxy, request editors, automation, and (Pro) active/passive scanning.

2) Editions

Community: core tools (Proxy, Repeater, Decoder, Comparer, Sequencer). Professional: adds Scanner, Collaborator (OAST), advanced automation. Enterprise: CI-scale scanning.

3) Project vs User Options

Project Options travel with the .burp project file (targets, scope, proxy, logging). User Options are local to your workstation.

4) Workflows

Proxy traffic → define scope → map target → probe with Repeater/Intruder → scan (Pro) → verify → report and retest.

5) Legal & Ethics

Only test systems you own or are authorized to test. Respect scope, rate limits, and data handling policies. Stop if instability occurs.

6) Launch & Update

Use the Burp launcher; keep up-to-date for protocol fixes and new checkers. Enable automatic update checks in User Options.

7) CA Certificate

Import Burp’s CA into your browser/OS to intercept HTTPS without warnings; keep it separate per engagement.

8) Built-in Browser

Burp ships a Chromium-based browser preconfigured with the proxy; handy to avoid OS-level proxy changes.

9) Logs & Evidence

Enable HTTP history, extender logs, and issue activity. Export selected traffic for reports and proof-of-exploit.

10) Keyboard Comfort

Learn hotkeys (send to Repeater, forward, drop) to move fast during manual testing.

11) Proxy Listener

Default: 127.0.0.1:8080. Add more listeners for mobile devices or upstream proxies; support invisible proxying for non-proxy-aware clients.

12) Intercept

Toggle Intercept is on to pause requests/responses. Use match/replace and interception rules to auto-modify traffic.

13) Target Tab

Site map + scope control. Right-click a host → “Add to scope”. Out-of-scope requests can be hidden or blocked to avoid collateral traffic.

14) Scope Rules

Define hosts, protocols, and paths with wildcards/regex. Keep scope tight; include subdomains explicitly when needed.

15) SSL/TLS

If a site uses certificate pinning, use app-specific debug builds or disable pinning where permitted; for mobile, use a device CA store.

16) Upstream & SOCKS

Chain through corporate/ZScaler proxies; set SOCKS for Tor/VPN egress when the test plan allows.

17) Traffic Filtering

Hide static assets (images/fonts) to focus on API/HTML. Use MIME-type and status-code filters in Proxy/HTTP history.

18) Rewriting Hosts

Map hosts to IPs (e.g., staging to specific VIP). Useful for testing DR sites or blue/green environments.

19) Repeater (Manual Testing)

Send a request from Proxy/Target; tweak headers/body; observe responses side-by-side; use tabs to track hypothesis tests.

20) Intruder (Fuzzing)

Automate payload injection at marked positions. Four attack types: Sniper, Battering ram, Pitchfork, Cluster bomb.

21) Intruder Payloads

Use simple lists, numbers, dates, grep-extracted tokens, or regex-based generators. Add § markers around insertion points.

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=§admin§&password=§password§

22) Positioning Strategy

Mark parameters individually for Sniper when isolating; use Pitchfork to combine lists (same index) and Cluster bomb for Cartesian product.

23) Grep-Match/Extract

Highlight success indicators (e.g., 200, Welcome, JWT presence). Extract dynamic values for chained attacks.

24) Sequencer

Analyze token randomness (session IDs, CSRF, password reset links). Longer, high-entropy tokens should score better.

25) Decoder

Convert between Base64, URL encoding, HTML entities, JWT parts; try smart decode to guess formats automatically.

26) Comparer

Diff responses/requests to see what changed; useful for detecting error-based behaviors or bypasses.

27) Logger (HTTP history)

Use search/filter to locate interesting requests; export as .har/.burp for evidence.

28) Inspector

View parsed parameters, cookies, headers, and insertion points; quickly toggle URL-encoding and body types.

29) Passive vs Active Scan

Passive looks at traffic for issues with zero risk. Active sends additional requests to confirm/exploit; do it only within scope & change windows.

30) Crawl & Audit

Let Burp discover content (forms, params) and then audit. Seed with known paths, sitemaps, or recorded logins.

31) Scan Configuration

Tune insertion points, throttling, and issue selection. Exclude destructive checks when testing production.

32) Issue Severity & Confidence

Each finding has a risk and confidence score. Reproduce via Repeater; attach evidence and business impact in your report.

33) Collaborator (OAST)

Detect SSRF, blind XXE, blind XSS by referencing a Collaborator URL and checking for out-of-band interactions.

34) Insertion Points

Common: query/body params, JSON keys/values, headers, cookies, path segments, multipart, GraphQL variables.

35) Rate Limiting

Respect app SLAs; add delays, concurrency limits, and pause scans on instability; coordinate with site reliability teams.

36) False Positives

Validate by reproducing and checking context. Many “informational” issues still matter for hardening (e.g., verbose banners).

37) Authentication Handling

Use the built-in browser to log in; record macros to fetch tokens; set session handling rules to auto-reapply auth when expired.

38) Macros

A macro is a small scripted flow (e.g., GET login page → POST creds → capture CSRF). Reference it in a session rule.

39) CSRF Tokens

Detect and update dynamic anti-CSRF tokens automatically by extracting from a prior response and inserting into the next request.

40) Cookie Jar & Scope

Burp manages cookies per host; clear or isolate per project. Mark security attributes (HttpOnly, Secure, SameSite) during review.

41) SSO & Redirects

For SAML/OIDC flows, allow out-of-scope IdP endpoints but limit scanning there; use Repeater to tweak assertions/claims within policy.

42) State Machine (Pro)

Model login/logout/2FA states to keep scans authenticated and meaningful; avoid getting logged out mid-scan.

43) Rate Limits & Lockouts

Coordinate with app owners to avoid account lockouts when testing auth. Create dedicated test accounts with reset paths.

44) Sensitive Data Exposure

Grep responses for PII, secrets, tokens. Add matchers for AKIA[0-9A-Z]{16} (AWS keys), JWT patterns, or common credential formats.

45) REST JSON

Use JSON beautify in the editor; test content-type boundaries and method overrides (X-HTTP-Method-Override).

46) GraphQL

Send queries/mutations via POST; enumerate schema (introspection if enabled); fuzz variables and directives.

POST /graphql
{"query":"query{ me{ id email } }"}

47) gRPC & HTTP/2

Burp can proxy HTTP/2; for gRPC JSON transcoding or reflection, capture requests and iterate in Repeater; mind binary encodings.

48) WebSockets

Use the “Messages” subtab to send/receive frames; test auth changes after upgrade; try JSON injection and path confusion.

49) File Uploads

Inspect multipart boundaries; try mismatched Content-Type vs content; check image metadata and SVG scripts.

50) CORS

Validate Access-Control-Allow-Origin/Credentials; look for * with credentials or reflection of arbitrary origins.

51) Caching Issues

Check Cache-Control and ETag; test cache poisoning via vary headers and ambiguous routes.

52) OpenAPI/Swagger

Import API specs into Target to seed endpoints and parameter shapes; prune out-of-scope operations before scanning.

53) BApp Store

Install vetted extensions (add-on scanners, content discovery, parameter miners). Review code and permissions before use.

54) Extender API

Write custom extensions in Java, Python (Jython), or Ruby (JRuby) to hook requests, add insertion points, or export findings.

55) Headless & CI (Enterprise/Pro)

Use Burp Enterprise for scheduled/CI scans; in Pro, leverage the CLI and project templates for repeatable audits (where licensed).

56) Save/Share

Use project files (.burp) for reproducible sessions; share with teammates along with scope notes and creds via a secure channel.

57) Pattern — Param Mining

Use content-discovery + proxy history to collect hidden parameters; fuzz with Intruder’s wordlists and grep for behavioral changes.

58) Pattern — Auth-Bypass Checks

Replay authorized endpoints without cookies/headers; try method flipping (POST→GET), and check for IDORs by changing IDs.

59) Reporting

For each issue: description, reproduction steps, evidence (request/response), affected scope, risk, and remediation. Include burp logs and screenshots.

60) Interview Q&A — Practical

Intruder attack types? Sniper, Battering ram, Pitchfork, Cluster bomb.

When passive scan only? Production systems or fragile targets; start passive then surgically test with Repeater.

What’s Collaborator? Out-of-band interaction server to detect SSRF/blind vulns via callbacks.

Keep scans authenticated? Macros + session handling rules + state machine to refresh tokens.