Burp Suite

Repeater

Allows us to 'repeat' requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned intruder.

Proxy Server

Allows us to relay our traffic through an alternative route to the internet.

Sequencer

Analyzes the 'randomness' present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies.

Target

How we set the scope of our project. We can use this to effectively create a site map of the application we are testing.

Intruder

Incredibly powerful tool for everything from field fuzzing to credential stuffing and more.

Battering Ram (intruder)

Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position. Think about how a battering ram makes contact across a large surface with a single surface, hence the name battering ram for this attack type.

Extender

Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!

Pitchfork (intruder)

The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through both payload sets simultaneously. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling the smallest payload set provided.

Sniper (intruder)

The most popular attack type, this cycles through our selected positions, putting the next available payload (item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).

Why would you want a proxy server?

Variety of reasons ranging from educational filtering to accessing content that may be otherwise unavailable due to region locking or a ban.

Proxy

What allows us to funnel traffic through Burp Suite for further analysis

Why use a proxy server for web application pen testing?

allows us to view and modify traffic inline at a granular level.

What are the common uses for intruder?

- Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing - Harvesting useful data from user profiles or other pages of interest via grepping our responses - Fuzzing for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal

What will you likely be provided with before starting a web application test?

- The application URL (hopefully for dev/test and not prod) - A list of the different user roles within the application - Various test accounts and associated credentials for those accounts - A list of pieces/forms in the application which are out-of-scope for testing and should be avoided

What does the target tab allow you to do?

- define our scope -view site map - specify our issue definitions

What are commonly analyzed items with Sequencer?

-Session tokens - Anti-CSRF (Cross-Site Request Forgery) tokens - Password reset tokens (sent with password resets that in theory uniquely tie users with their password reset requests)

What are the major components of the Burp proxy?

-interception -request history -configuration options we have access to

What are the four attack types for intruder?

-sniper -battering ram -pitchfork -cluster bomb

Decoder

As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.

Comparer

Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.

Cluster Bomb (intruder)

The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling usernames x passwords.

Scanner

utomated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.