Burp Suite
Burp Suite, created by PortSwigger Web Security, is a Java-based software platform of tools for performing security testing of web applications.[1][2] The suite can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, a scanner, an intruder, a repeater, a sequencer, a decoder, a collaborator and an extender.
Burp Proxy
The Burp Proxy tool lies at the heart of Burp's user-driven workflow, and gives a direct view into how the target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between the browser and destination web servers. This allows the interception, inspection and modification of the raw traffic passing in both directions.
Burp Scanner
Burp Scanner is a web application security scanner, used for performing automated vulnerability scans of web applications. Security testers can use Burp Scanner alongside a manual testing methodology to quickly identify many types of common vulnerabilities.
Burp Spider
Burp Spider is a tool for automatically crawling web applications. It can be used in conjunction with manual mapping techniques to speed up the process of mapping an application's content and functionality.
Burp Intruder
Burp Suite's Intruder tool can perform automated attacks on web applications. To use it effectively, the penetration tester must already have detailed knowledge of the application to be tested and of the HTTP protocol. The tool offers a configurable algorithm that can generate malicious HTTP requests. The Intruder tool can test for and detect SQL injection, cross-site scripting, parameter manipulation and susceptibility to brute-force attacks.
Burp Repeater
Burp Repeater is a simple tool that can be used to manually test an application. The penetration tester can use it to modify requests to the server, resend them, and observe the results.
Burp Sequencer
Burp Sequencer is a tool for analyzing the quality of randomness in a sample of data items. It can be used to test an application's session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
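As an added illustration of the kind of analysis Sequencer performs (this is example code written for this article, not Burp's own, and it is a far simpler check than Sequencer's statistical test battery): per-position Shannon entropy over a sample of tokens, flagging positions that carry almost no entropy. Both token samples are constructed inline; the weak one imitates a token built from a fixed prefix, a sequential counter and a fixed suffix.

```python
import math
import secrets
from collections import Counter

# Constructed sample, not real captured tokens: fixed prefix "sess", a
# zero-padded sequential counter and a fixed suffix. Only two of the twelve
# character positions ever vary, so an attacker could predict most of it.
WEAK_TOKENS = [f"sess{i:04d}ffff" for i in range(100)]
# Constructed control sample: CSPRNG-generated hex tokens of the same length.
GOOD_TOKENS = [secrets.token_hex(6) for _ in range(200)]

WEAK_BITS = 1.0  # positions carrying less than one bit of entropy are flagged


def shannon_entropy(symbols):
    """Shannon entropy, in bits, of a sequence of symbols."""
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in Counter(symbols).values())


def analyze_tokens(tokens):
    """Per-position entropy analysis of a token sample.

    Returns the entropy (bits) of each character position, the positions that
    fall below WEAK_BITS, and the naive total (sum over positions). The total is
    only an upper bound: it ignores correlations between positions, which is why
    tools like Sequencer run additional statistical tests on the sample.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    per_position = [shannon_entropy([t[i] for t in tokens]) for i in range(length)]
    weak = [i for i, bits in enumerate(per_position) if bits < WEAK_BITS]
    return {
        "per_position": per_position,
        "weak_positions": weak,
        "naive_bits": sum(per_position),
    }


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("good", GOOD_TOKENS)):
        result = analyze_tokens(sample)
        print(f"{name}: {result['naive_bits']:.1f} bits over {len(sample[0])} "
              f"positions, weak positions {result['weak_positions']}")
```

The sample size bounds what the check can see: with 100 tokens no position can score above log2(100) bits, so a real assessment needs a sample several times larger than the token's alphabet size.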
Burp Decoder
Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Burp Comparer
Burp Comparer is a simple tool for performing a comparison (a visual "diff") between any two items of data.
Burp Extender
Burp Extender allows the security tester to load Burp extensions, extending Burp's functionality with the security tester's own code or with third-party code from the BApp Store.
Burp Collaborator (introduced in 2015)
Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, including out-of-band vulnerabilities, blind SQL injection vulnerabilities and mail header injection vulnerabilities.
References
- ↑ "Burp Suite". PortSwigger Web Security. PortSwigger Ltd. 2014. Retrieved 2014-09-13.
- ↑ "10 outils de hacking pour les expert: burp suite".
Further reading
- Stuttard, Dafydd; Pinto, Marcus. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition. Wiley.
- Mahajan, Akash. Burp Suite Essentials. Packt.
External links
- Official website
- Burp Suite Support Center contains a large number of articles and community discussions for using Burp Suite.
- Burp Testing Methodologies explain methodologies for using Burp Suite to test for various kinds of web application vulnerabilities.
- Knowledge Base contains the definitions of all the issues that can be detected by Burp Scanner.
- Sec Tools