Burp Suite

{{Short description|Web security software}}

{{Primary sources|date=August 2024}}

{{Infobox software

| title = Burp Suite

| logo = Logo of PortSwigger.svg

| logo caption = Logo of PortSwigger, the company that develops Burp Suite

| logo alt =

| logo size = 250px

| collapsible =

| screenshot = File:Thumbnail BurpSuite.png

| screenshot size =

| screenshot alt =

| caption =

| other_names =

| author =

| developer = PortSwigger

| released =

| ver layout =

| discontinued =

| latest release version = {{wikidata|property|reference|P348}}

| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}

| latest preview version =

| latest preview date =

| repo =

| qid =

| programming language = Java

| middleware =

| engine =

| operating system =

| platform =

| included with =

| replaces =

| replaced_by =

| service_name =

| size =

| standard =

| language =

| language count =

| language footnote =

| genre = Security testing

| license =

| website =

| AsOf =

}}

Burp Suite is a proprietary software tool for security assessment and penetration testing of web applications.{{cite book |last1=Rahalkar |first1=Sagar Ajay |title=A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities |year=2021 |publisher=Apress |isbn=978-1-4842-6401-0}}{{cite book |last1=Lozano |first1=Carlos A. |last2=Shah |first2=Dhruv |last3=Walikar |first3=Riyaz Ahemed |title=Hands-On Application Penetration Testing with Burp Suite |date=2019-02-28 |publisher=Packt Publishing |isbn=9781788995283}} It was initially developed between 2003 and 2006 by Dafydd Stuttard{{Cite web |author=PortSwigger |title=About |url=https://portswigger.net/about |access-date=2024-07-09 |website=PortSwigger}} to automate his own security testing work, after seeing what browser-automation tools such as Selenium made possible.{{Cite web |author=PortSwigger |title=Ask me anything, with Burp Suite creator Dafydd Stuttard |url=https://www.youtube.com/watch?v=vgYzICDaNhM |access-date=2020-07-09 |website=YouTube|date=9 July 2020 }} Stuttard founded the company PortSwigger to develop and sell Burp Suite. Community, Professional, and Enterprise editions of the product are available.

Notable capabilities include proxying browser traffic (Burp Proxy),{{Cite web |last=Rose |first=Adam |title=Proxy VM Traffic Through Burp Suite |url=https://fortynorthsecurity.com/blog/proxy-vm-traffic-through-burp-suite/ |access-date=2024-07-09 |website=FortyNorth Security|date=21 April 2023 }} logging HTTP requests and responses (Burp Logger and HTTP History), holding and editing in-flight HTTP requests before they reach the server (Burp Intercept),{{Cite web |last=Setter |first=Matthew |title=Introduction to Burp Suite |url=https://matthewsetter.com/introduction-to-burp-suite/ |access-date=2017-12-06 |website=Web Dev With Matt|date=6 December 2017 }} and producing reports of identified weaknesses (Burp Scanner).{{Cite web |last=Lavish |first=Zandt |title=Intro to Burp Suite Automatic Scanning |url=https://www.greatheart.io/post/intro-to-burp-suite-automatic-scanning |access-date=2022-07-12 |website=GreatHeart}} The scanner matches captured requests and responses against a built-in set of checks for known-unsafe patterns and keywords, and sends its own probe requests to confirm findings actively.{{Cite web |last=Shelton-Lefley |first=Tom |title=Web Application Cartography: Mapping Out Burp Suite's Crawler |url=https://portswigger.net/blog/web-application-cartography-mapping-out-burp-suites-crawler |access-date=2021-03-05 |website=PortSwigger}}

Burp Suite also ships with several exploitation and proof-of-concept aids. These include an HTTP/2 message editor that normalizes requests and can test HTTP/2-to-HTTP/1 downgrade behaviour,{{Cite web |author=PortSwigger |title=HTTP/2 Normalization in the Message Editor |url=https://portswigger.net/burp/documentation/desktop/http2/http2-normalization-in-the-message-editor |access-date=2024-07-09 |website=PortSwigger}} detection of out-of-band interactions with an external server operated by the vendor or self-hosted (Burp Collaborator),{{Cite web |last=Stuttard |first=Dafydd |title=Introducing Burp Collaborator |url=https://portswigger.net/blog/introducing-burp-collaborator |access-date=2015-04-16 |website=PortSwigger}} and statistical analysis of the randomness of application-generated tokens (Burp Sequencer).{{Cite web |last=Stuttard |first=Dafydd |title=Introducing Burp Sequencer |url=https://portswigger.net/blog/introducing-burp-sequencer |access-date=2007-10-21 |website=PortSwigger}} User-defined functionality can be added by installing open-source extensions such as Java Deserialization Scanner{{Cite web |title=Java Deserialization Scanner |url=https://github.com/federicodotta/Java-Deserialization-Scanner |access-date=2024-07-09 |website=GitHub}} and Autorize.{{Cite web |title=Autorize |url=https://github.com/Quitten/Autorize |access-date=2024-07-09 |website=GitHub}}

Features

As a web security analyzer, Burp Suite offers several built-in features designed to assist testers in auditing web applications.

= Community Edition =

File:BurpSuite_Comunity_Edition.svg

The Community Edition of Burp Suite includes the following features.{{cite web|access-date=2016-02-24|language=en|title=Burp Suite: Home page|url=https://portswigger.net/burp|website=portswigger.net }}

  • Burp Proxy and Interceptor: Like other web application security scanners, a primary function of Burp Suite is acting as an HTTP proxy between the tester's browser and the target.{{Cite web |author=PortSwigger |title=Proxy |url=https://portswigger.net/burp/documentation/desktop/tools/proxy |access-date=2024-07-09 |website=PortSwigger}} Penetration testers can intercept requests (and, optionally, responses) in real time and edit any part of them (URL, query and body parameters, cookies, headers) before they are forwarded.{{Cite web |last=Setter |first=Matthew |title=How to Intercept Requests and Modify Responses With Burp Suite |url=https://www.youtube.com/watch?v=5fnUt9fYQlI |access-date=2018-02-09 |website=YouTube|date=9 February 2018 }}
  • Burp Site Map: Similar to OWASP ZAP, Burp Suite builds a site map of the target{{Cite web |title=Burp Suite 101: Exploring Burp Proxy and Target Specification |url=https://hacklido.com/blog/625-burp-suite-101-exploring-burp-proxy-and-target-specification |access-date=2023-10-15 |website=Hacklido|date=15 October 2023 }} from URLs discovered either by automated crawling or by manual browsing through the proxy.{{Cite web |author=PortSwigger |title=Full Crawl and Audit |url=https://portswigger.net/burp/documentation/desktop/automated-scanning/webapp-scans/full-crawl-and-audit |access-date=2024-07-09 |website=PortSwigger}} As the user browses, each request passes through Burp's proxy and the observed endpoints are added to the map. Captured endpoints can then be investigated manually, or audited automatically with the Professional edition's scanner.
  • Burp Logger and HTTP History: Retain the list of HTTP requests and responses captured while browsing (and, in the Professional edition, during automated scanning).{{Cite web |last=Aggarwal |first=Sahil |title=BurpSuite Logger Secrets for Pentesters |url=https://blog.certcube.com/burpsuite-logger-secrets-for-pentesters/ |access-date=2023-01-11 |website=CertCube Blog|date=11 January 2023 }}{{Cite web |last=Pradeep |title=Filtering Burp Suite HTTP History |url=https://www.studytonight.com/post/filtering-burp-suite-http-history |access-date=2023-06-02 |website=Study Tonight}}
  • Burp Repeater: Re-sends captured HTTP requests, allowing manual changes to any part of the request between attempts.{{Cite web |author=TryHackMe |title=Burp Suite Repeater |url=https://tryhackme.com/r/room/burpsuiterepeater |access-date=2024-07-09 |website=TryHackMe}} A group of requests can also be sent in parallel, which is useful for exploiting race condition vulnerabilities.{{Cite web |title=Race Conditions |url=https://portswigger.net/web-security/race-conditions |website=PortSwigger}}
  • Burp Decoder: Encodes and decodes text in several formats.{{Cite web |last=Chandel |first=Raj |title=BurpSuite Encoder Decoder Tutorial |url=https://www.hackingarticles.in/burpsuite-encoder-decoder-tutorial/ |access-date=2018-01-24 |website=Hacking Articles|date=24 January 2018 }} Decoded text can be edited and re-encoded, for example to craft modified request values. Supported transformations are HTML, URL, Base64, ASCII hex, hex, octal, binary, and gzip. The "smart decode" function detects encoded data and recursively decodes it as far as it can.{{Cite web |date=December 19, 2024 |title=Burp Decoder |url=https://portswigger.net/burp/documentation/desktop/tools/decoder |website=PortSwigger}}
  • Burp Sequencer: Collects a large sample of an application-generated token (such as a session identifier) across repeated HTTP requests and runs statistical tests to estimate how predictable the token is.
  • Burp Comparer: Performs a word-level or byte-level comparison between two HTTP requests or two HTTP responses.{{Cite web |last=Salame |first=Walid |title=How to Use Burp Decoder |url=https://kalitut.com/how-to-use-burp-decoder/ |access-date=2024-04-09 |website=KaliTut|date=9 April 2024 }}
  • Burp Extender: See the Burp Extender section below; some extensions require the Professional edition.{{Cite web |author=PortSwigger |title=Installing Extensions |url=https://portswigger.net/burp/documentation/desktop/extensions/installing-extensions |access-date=2024-07-09 |website=PortSwigger}}

= Professional Edition =

Burp Suite's Professional edition includes all Community features plus those listed below.

  • Burp Scanner: Automates crawling of the target and auditing of captured requests and responses. It applies built-in checks to intercepted traffic to find vulnerable inputs and response patterns, and sends its own probe requests for active checks. Users can tune scan speed and the breadth of checks applied.
  • Burp Dashboard: Displays scan results and categorizes issues by severity.{{Cite web |author=PortSwigger |title=Dashboard |url=https://portswigger.net/burp/documentation/desktop/tools/dashboard |access-date=2024-07-09 |website=PortSwigger}} Detailed descriptions and remediation steps are provided depending on the type of finding.{{Cite web |author=PortSwigger |title=Vulnerabilities List |url=https://portswigger.net/burp/documentation/scanner/vulnerabilities-list |access-date=2024-07-09 |website=PortSwigger}}
  • Burp Intruder: Automates what Repeater does by hand, sending many HTTP requests with payloads substituted into user-defined positions; its attack modes control how multiple payload sets are combined.{{Cite web |author=FireCompass |title=Mastering Burp Intruder Attack Modes |url=https://www.firecompass.com/blog/mastering-burp-intruder-attack-modes/ |access-date=2023-10-31 |website=FireCompass Blog|date=31 October 2023 }} A rate-limited version of Intruder is also included in the Community Edition.
  • Burp Collaborator: Provides an external server, operated by PortSwigger or self-hosted, that records DNS, HTTP and SMTP interactions initiated by the target application, allowing blind vulnerabilities to be detected through out-of-band application security testing (OAST).{{Cite web |author=PortSwigger |title=OAST |url=https://portswigger.net/burp/application-security-testing/oast |access-date=2024-07-09 |website=PortSwigger}}
  • Burp Organizer: Allows users to curate selected HTTP requests/responses into a saved collection.{{Cite web |author=PortSwigger |title=Organizer |url=https://portswigger.net/burp/documentation/desktop/tools/organizer |access-date=2024-07-09 |website=PortSwigger}}
  • Burp Infiltrator: An IAST agent that instruments the target application's bytecode so that, when Scanner payloads reach potentially dangerous API calls at runtime, the application reports this back through Burp Collaborator.{{Cite web |last=Stuttard |first=Dafydd |title=Introducing Burp Infiltrator |url=https://portswigger.net/blog/introducing-burp-infiltrator |access-date=2016-07-26 |website=PortSwigger}}
  • Burp Clickbandit: A proof-of-concept generator for clickjacking attacks: it records the tester's clicks on the target page and produces an HTML and JavaScript page that frames the target to reproduce them.{{Cite web |last=Roof |first=Zach |title=Learn Clickjacking With Burp Suite |url=https://securing-the-stack.teachable.com/courses/362516/lectures/5553373 |access-date=2024-07-09 |website=Teachable}}
  • File saving: The Professional edition allows work to be saved to and restored from ".burp" project files.{{Cite web |author=PortSwigger |title=Manage Project Files |url=https://portswigger.net/burp/documentation/desktop/projects/manage-project-files |access-date=2024-07-09 |website=PortSwigger}}

= Burp Extender =

BApps

Burp Suite offers an extension store, the BApp Store,{{Cite web |author=PortSwigger |title=BApp Store |url=https://portswigger.net/bappstore |access-date=2024-07-09 |website=PortSwigger}} where users can download extensions, and submit their own for review, to add functionality not supported natively. Extensions range from user-interface adjustments to additional scanner checks and entirely new analysis features.

Burp Suite's extension API, the Montoya API, is open-source.{{Cite web |author=PortSwigger |title=Creating Extensions |url=https://portswigger.net/burp/documentation/desktop/extensions/creating |access-date=2024-07-09 |website=PortSwigger}}{{Cite web |title=Burp Extensions Montoya API |url=https://github.com/PortSwigger/burp-extensions-montoya-api |access-date=2024-07-09 |website=GitHub}} Java extensions are supported natively, while extensions written in Python or Ruby against the legacy Extender API require the user to download the Jython or JRuby JAR files respectively.{{Cite web |title=TryHackMe Burp Suite Extensions |url=https://medium.com/@shadowgirlincyberland/tryhackme-burp-suite-extensions-9bcb24c1e7fa |access-date=2024-03-21 |website=Medium}}
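The following Montoya API extension is an added example written for this article; it is not code from PortSwigger or from any BApp. It demonstrates the in-flight request editing described under Burp Proxy and Interceptor above, done programmatically: a handler registered with the Proxy lets out-of-scope traffic through without queueing it for interception, and tags every in-scope request with a custom header so the target's server logs can attribute the traffic to the assessment. The package name, class names, the header name `X-Pentest-Id` and its value are all assumptions chosen for the example.

```java
package com.example.burp; // hypothetical package name

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.proxy.http.InterceptedRequest;
import burp.api.montoya.proxy.http.ProxyRequestHandler;
import burp.api.montoya.proxy.http.ProxyRequestReceivedAction;
import burp.api.montoya.proxy.http.ProxyRequestToBeSentAction;

/**
 * Example extension: tags in-scope proxied requests with an identifying header.
 * Burp discovers the entry point through the BurpExtension interface.
 */
public class RequestTaggingExtension implements BurpExtension {

    // Assumed header name and value; pick something agreed with the target's owners.
    private static final String TAG_HEADER = "X-Pentest-Id";
    private static final String TAG_VALUE = "assessment-2024-07";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Request tagging example");
        api.proxy().registerRequestHandler(new TaggingHandler(api));
        api.logging().logToOutput("Request tagging example loaded");
    }

    private static final class TaggingHandler implements ProxyRequestHandler {
        private final MontoyaApi api;

        TaggingHandler(MontoyaApi api) {
            this.api = api;
        }

        // Called when the Proxy receives a request from the browser,
        // before the request is shown in the Intercept tab.
        @Override
        public ProxyRequestReceivedAction handleRequestReceived(InterceptedRequest request) {
            // Out-of-scope traffic passes through untouched and skips the Intercept queue.
            if (!request.isInScope()) {
                return ProxyRequestReceivedAction.doNotIntercept(request);
            }
            // Do not duplicate the header if the tester already added it by hand.
            HttpRequest tagged = request.hasHeader(TAG_HEADER)
                    ? request
                    : request.withAddedHeader(TAG_HEADER, TAG_VALUE);
            // continueWith() hands the modified request on to the normal
            // interception rules, so it can still be edited in Intercept.
            return ProxyRequestReceivedAction.continueWith(tagged);
        }

        // Called after any manual edits in Intercept, just before the request is forwarded.
        @Override
        public ProxyRequestToBeSentAction handleRequestToBeSent(InterceptedRequest request) {
            api.logging().logToOutput(request.method() + " " + request.url());
            return ProxyRequestToBeSentAction.continueWith(request);
        }
    }
}
```

The class compiles against the `net.portswigger.burp.extensions:montoya-api` artifact and is loaded from the resulting JAR through the Extensions tab. Because `handleRequestReceived` runs before the Intercept tab, header changes made here are visible to the tester and can still be overridden manually before the request leaves Burp.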

Many Burp extensions have also been created by PortSwigger employees as proof-of-concepts for research conducted by the company.{{Cite web |author=PortSwigger |title=Research |url=https://portswigger.net/research |access-date=2024-07-09 |website=PortSwigger}} Examples include extensions written by James Kettle, PortSwigger's Director of Research,{{Cite web |author=PortSwigger |title=Meet the Swiggers: James K |url=https://portswigger.net/about/team/james-k |access-date=2024-07-09 |website=PortSwigger}} such as Backslash Powered Scanner,{{Cite web |title=Backslash Powered Scanner |url=https://github.com/PortSwigger/backslash-powered-scanner |access-date=2024-07-09 |website=GitHub}}{{Cite web |last=Kettle |first=James |title=Backslash Powered Scanning: hunting unknown vulnerability classes |url=https://portswigger.net/research/backslash-powered-scanning-hunting-unknown-vulnerability-classes |access-date=2016-11-04 |website=PortSwigger Research}} Param Miner,{{Cite web |title=Param Miner |url=https://github.com/PortSwigger/param-miner |access-date=2024-07-09 |website=GitHub}}{{Cite web |last=Kettle |first=James |title=Practical Web Cache Poisoning |url=https://portswigger.net/research/practical-web-cache-poisoning |access-date=2018-09-09 |website=PortSwigger Research}} and HTTP Request Smuggler.{{Cite web |title=HTTP Request Smuggler |url=https://github.com/PortSwigger/http-request-smuggler |access-date=2024-07-09 |website=GitHub}}{{Cite web |last=Kettle |first=James |title=HTTP Desync Attacks: Request Smuggling Reborn |url=https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn |access-date=2019-09-07 |website=PortSwigger Research}}

== BChecks ==

BChecks were added to Burp Suite in June 2023{{Cite web |author=PortSwigger |title=Professional Community 2023.6 |url=https://portswigger.net/burp/releases/professional-community-2023-6 |access-date=2024-07-09 |website=PortSwigger}} to let users write their own scanner checks in a dedicated rule language, so that custom checks run alongside the built-in ones during a scan.{{Cite web |title=Use BCheck to Improve Vulnerability Scanning |url=https://www.yeswehack.com/learn-bug-bounty/pimpmyburp-9-use-bcheck-to-improve-vulnerability-scanning |access-date=2023-09-01 |website=YesWeHack}} A curated collection of BChecks is maintained by PortSwigger in an open-source GitHub repository.{{Cite web |title=BChecks |url=https://github.com/PortSwigger/BChecks |access-date=2024-07-09 |website=GitHub}}
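The following passive BCheck is an added example written for this article, not one of the checks in PortSwigger's repository. It inspects each response the scanner sees and reports an informational issue when the Server header carries a product/version string, which is a common low-severity finding. The check name, author field and issue text are assumptions chosen for the example.

```bcheck
metadata:
    language: v1-beta
    name: "Server header discloses product version (added example)"
    description: "Reports responses whose Server header includes a version string such as Apache/2.4.57"
    author: "example author"
    tags: "passive", "information-disclosure"

given response then
    # A passive check never sends requests of its own; it only inspects
    # responses that Burp has already captured. The regex matches a
    # header such as "Server: nginx/1.25" but not "Server: nginx".
    if {latest.response.headers} matches "(?i)^server:\s*[^\s/]+/\d" then
        report issue:
            severity: info
            confidence: firm
            detail: "The Server response header discloses the web server product and version."
            remediation: "Configure the server to omit the version from the Server header or remove the header entirely."
    end if
```

Saved as a `.bcheck` file and imported through the BChecks tab, the check runs as part of every audit and its findings appear in the Dashboard alongside the built-in scanner's issues. Because it is a `given response` check, it adds no traffic to the scan and cannot produce false positives by probing; the trade-off is that it only sees what other traffic happens to elicit.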

== Bambdas ==

Users can write short Java snippets, called Bambdas, to define custom filters over the entries in Burp Suite's Proxy HTTP history, WebSocket history, and Logger lists; each snippet receives the current entry and returns true to keep it in view.{{Cite web |last=Stocks |first=Emma |title=Introducing Bambdas |url=https://portswigger.net/blog/introducing-bambdas |access-date=2023-11-14 |website=PortSwigger}}{{Cite web |title=Bambdas |url=https://github.com/PortSwigger/bambdas |access-date=2024-07-09 |website=GitHub}}
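The following Bambda is an added example for this article and is not taken from PortSwigger's Bambdas repository. Pasted into the Proxy HTTP history filter, it narrows the list to in-scope responses that set a cookie without the `HttpOnly` attribute, which is the kind of triage question a tester asks of a large history. The Bambda editor supplies the `requestResponse` variable (a `ProxyHttpRequestResponse`) itself; everything else here is ordinary Java.

```java
// Bambda filter for Proxy > HTTP history (added example).
// Return true to keep the entry visible, false to hide it.

// Entries without a response (dropped, timed out, still pending) carry no cookies.
if (!requestResponse.hasResponse()) {
    return false;
}

// Restrict to the configured target scope so third-party traffic does not clutter the view.
if (!requestResponse.request().isInScope()) {
    return false;
}

// A response may set several cookies; flag the entry if any one of them lacks HttpOnly.
for (var header : requestResponse.response().headers()) {
    if (header.name().equalsIgnoreCase("Set-Cookie")
            && !header.value().toLowerCase().contains("httponly")) {
        return true;
    }
}
return false;
```

The same logic, with the attribute name changed, finds cookies missing `Secure` or `SameSite`. Because a Bambda runs against every row each time the view is refreshed, filters should avoid expensive work such as parsing full response bodies unless the cheaper header checks have already narrowed the set.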

References

{{Reflist}}