°• THE BURP SUITE. •°
# What is Burp Suite :-
Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
•workings(what is the the purpose)
1. Burp Bounty Pro is a Burpsuit Pro extension that enhances active and passive scanners with personalized rules through a highly intuitive graphical interface. By improving the payload for advanced detection and sending of patterns, we can create our own vulnerability profile in both active scanner and passive. On the one hand, it can simulate manual Pentest in search of maximum efficiency, without making unnecessary requests, it scans targets only for potentially unsafe parameters with the most effective payload.
2. On the other hand, it acts as a traditional web vulnerability scanner, capable of adding your vulnerability profile or adding your custom payload to existing vulnerability profiles and also This extension helps you gather valuable information while performing manual pentrast, such as potentially unsafe parameters, version detection, etc.
•The tools offered by BurpSuite are:
1. Spider:
It is a web spider/crawler that is used to map the target web application. The objective of the mapping is to get a list of endpoints so that their functionality can be observed and potential vulnerabilities can be found. Spidering is done for a simple reason that the more endpoints you gather during your recon process, the more attack surfaces you possess during your actual testing.
2. Proxy:
BurpSuite contains an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request/response under monitoring to another relevant tool in BurpSuite, removing the burden of copy-paste.
The proxy server can be adjusted to run on a specific loop-back ip and a port. The proxy can also be configured to filter out specific types of request-response pairs
3. Intruder:
It is a fuzzer. This is used to run a set of values through an input point. The values are run and the output is observed for success/failure and content length.
Usually, an anomaly results in a change in response code or content length of the response. BurpSuite allows brute-force, dictionary file and single values for its payload position.
The intruder is used for:
*Brute-force attacks on password forms, pin forms, and other such forms.
*The dictionary attack on password forms, fields that are suspected of being vulnerable to XSS or SQL injection.
4. Sequencer:
The sequencer is an entropy checker that checks for the randomness of tokens generated by the webserver.
These tokens are generally used for authentication in sensitive operations: cookies and anti-CSRF tokens are examples of such tokens. Ideally, these tokens must be generated in a fully random manner so that the probability of appearance of each possible character at a position is distributed uniformly.
This should be achieved both bit-wise and character-wise. An entropy analyzer tests this hypothesis for being true. It works like this: initially, it is assumed that the tokens are random.
Then the tokens are tested on certain parameters for certain characteristics.
5. Decoder:
Decoder lists the common encoding methods like URL, HTML, Base64, Hex, etc. This tool comes handy when looking for chunks of data in values of parameters or headers.
It is also used for payload construction for various vulnerability classes. It is used to uncover primary cases of IDOR and session hijacking.
6. Extender:
BurpSuite supports external components to be integrated into the tools suite to enhance its capabilities. These external components are called BApps. These work just like browser extensions.
7. Scanner:
The scanner is not available in the community edition. It scans the website automatically for many common vulnerability.
.jpg)
