S.P.B. Patel Engineering College, Digital Forensics (3170725)

ABOUT BURPSUITE
BurpSuite is a comprehensive suite of tools designed to assist in
penetration testing and security auditing of web applications. Developed by the
company Portswigger, it stands out in the market as one of the most trusted and
widely used solutions for web application security testing.

Key Features

● One of the strengths of BurpSuite is its flexibility and the wide range of
tools it offers, which allow security professionals to carry out a variety of
tasks related to security testing. These tools enable both automated and
manual workflows, making it an ideal solution for testing, assessing, and
attacking web applications of all sizes and complexities.
● Being a Java executable, BurpSuite is cross-platform, meaning it can be
run on any operating system that supports Java. This feature significantly
enhances its accessibility and usability.
Versions of BurpSuite

BurpSuite comes in three different versions, each catering to the diverse needs of
users in the field of web application security.

1. Community: This is the free version of BurpSuite and is well-suited for students,
hobbyists, and beginners in the field of web application security. While
limited in features compared to the other versions, it still provides a
powerful set of tools for basic security testing.

2. Professional: This is a paid version that includes all the features of the
Community version along with additional advanced features. It is designed
for security professionals and penetration testers who require
comprehensive tools for in-depth security testing of web applications.

3. Enterprise: Tailored for large organizations and enterprises, this version
builds on the Professional version, adding features to support the
management and automation of large-scale web application security
testing.

200390107065 1

WHY BURP SUITE?


BurpSuite is considered one of the most effective and versatile tools in the field
of web application security testing. Here are some key reasons why BurpSuite is
a preferred choice for penetration testers and security professionals:

1. Comprehensive Toolset for Penetration Testing


One of the standout features of BurpSuite is its comprehensive toolset. The
various tools within BurpSuite are built to work together in a single
penetration testing environment, so security professionals have all the tools
they need in one place, which simplifies their workflow and increases
efficiency.

2. Combination of Manual and Automated Techniques


BurpSuite is not just an automated scanner; it also provides a robust platform for
manual testing. It allows you to combine both manual and automated techniques,
which is essential for in-depth penetration testing and analysis. While automated
tools can quickly find common vulnerabilities, manual testing is necessary to
identify complex, logic-based vulnerabilities that automated tools may miss.

3. Interconnected Scanners and Information Flow


The various scanners within BurpSuite are interconnected, allowing for a
seamless flow of information from one tool to another. This interconnection
ensures that the information gathered by one scanner can be used by another,
so the tools work together when investigating and remediating the
identified vulnerabilities.

4. Manipulation of Web Traffic


BurpSuite allows you to route the traffic between your browser and a web
application through its proxy, enabling you to inspect and manipulate each and
every request. This feature is particularly useful for testing the security of a
web application under various scenarios and for identifying vulnerabilities
that may only be exposed under specific conditions.


WHAT IS A WEB PROXY?
A web proxy is a system or application that serves as an intermediary between
clients and web servers, capturing all HTTP requests and responses. It plays a
crucial role in web application security testing and offers the following key
functions:

1. Intermediary: The web proxy acts as a go-between, forwarding client
requests to the web server and relaying server responses back to the
client. This ensures all data flows through the proxy.

2. Capture Requests & Responses: By capturing all HTTP traffic, the
proxy enables security professionals to analyze requests and responses,
identify vulnerabilities, and assess application behavior under various
conditions.

3. Manipulate Requests: The web proxy allows users to modify HTTP
requests before they reach the server. This capability is useful for testing
application responses to different inputs and detecting security issues like
input validation flaws.


INSTALLATION
1. Download Burp Suite: You can download Burp Suite Community Edition from the
official PortSwigger website. Visit the URL
https://portswigger.net/burp/communitydownload and click on the "Download"
button. You will need to provide your name and email address to get the download link.

2. Run the Installer: Once the download is complete, locate the installer file on your
computer. It should be a file with the extension ".exe" for Windows, ".dmg" for macOS,
or ".sh" for Linux. Double-click on the installer file to start the installation process.

3. Follow the Installation Wizard: The Burp Suite installer will open, and you'll see the
"Burp Suite Setup Wizard". Click "Next" to continue.
4. Choose Components: The next screen will ask you to choose which components to
install. For most users, the default settings will be sufficient. Click "Next" to continue.
5. Installation Confirmation: The next screen will provide a summary of your choices.
Click "Install" to start the installation process.
6. Installation Process: The installation process will now begin. It may take a few
minutes to complete. Once it's done, click "Finish" to close the installer.
7. Run Burp Suite: You should now see a shortcut to Burp Suite on your desktop or in
your start menu. Double-click the shortcut to launch Burp Suite.


Tools in Burpsuite
TARGET TAB

● Sitemap: This feature allows you to view a tree structure of the target application, making
it easier to navigate and understand the application's content.
● Scope: This helps define the extent of your testing. You can specify which parts of
the application are "in scope" and which are "out of scope," allowing you to focus your
testing efforts.

PROXY TAB:
● Interceptor: This tool allows you to intercept and inspect HTTP requests and responses
between the client and the server. It's particularly useful for modifying requests and
responses on-the-fly for testing purposes.
● HTTP History: This feature keeps track of all HTTP requests and responses that pass
through the Burp proxy. It provides a detailed log that you can review and analyze.
● Web Socket History: Similar to the HTTP History, this tool captures the history of
WebSocket messages. It allows you to view, search, and filter the WebSocket
communication.

Intruder:
● Intruder is a powerful tool in Burp Suite that automates the process of testing and
attacking web applications. Here are its main components:

Target: Define the part of the web application to attack.

Positions: Identify points in the request for manipulation. Attack types include:

● Sniper: Substitutes each payload sequentially.
● Pitchfork: Substitutes different payloads for different positions simultaneously.
● Cluster Bomb: Substitutes different payloads for the same positions simultaneously.

Payloads: Configure the data that is substituted into the marked positions. Multiple
payload sets and processing rules are configurable.

Other Tools
● Repeater: Manually modify, re-send HTTP requests, and analyze responses.
● Sequencer: Analyze randomness in session tokens and other data.
● Decoder: Decode data from various encoding schemes (e.g., URL, Base64).
● Comparer: Perform side-by-side comparisons of two data sets.


Practical
Step 1: Install and launch Burp Suite: Download and install Burp Suite Community
Edition or Burp Suite Professional from the official website. Launch the application once
installed.
Step 2: Set up DVWA: To use Burp Suite to test the DVWA (Damn Vulnerable Web
Application) website, first set up and configure DVWA on your local machine or server, if
you haven't already. Ensure that it's accessible via a web browser.

Step 3: Configure proxy settings: Open your web browser and configure it to use the Burp
Suite proxy. Typically, this involves setting the HTTP proxy to "127.0.0.1" and port "8080"
(or the port you specified during Burp Suite setup).


Navigate to DVWA: In your web browser, visit the DVWA website, ensuring that traffic is
routed through the Burp Suite proxy. For example, if DVWA is hosted locally, navigate to
"http://localhost/DVWA" or "http://127.0.0.1/DVWA".

Step 4: Intercept Traffic: Enable interception in Burp Suite's "Proxy" tab, then interact with the
DVWA website. Burp Suite will display HTTP requests and responses for analysis and
manipulation.
Step 5: Security Testing: Use Burp Suite features like "Scanner," "Repeater," "Intruder," and
"Decoder" to identify vulnerabilities in DVWA through automated scans, manual testing, and
parameter manipulation.
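To make concrete what the "What is a web proxy?" section describes (intermediary, capture of requests and responses, manipulation before forwarding) and what Steps 3 and 4 above set up (a client pointed at a local proxy port, with interception enabled), here is a minimal intercepting HTTP proxy written for this page in Python's standard library. It is added example code, not Burp Suite's own; the intercept hook, the X-Intercepted marker header and the local stand-in for the target site are constructed for the demo so that it runs offline.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

HISTORY = []  # captured (method, url, status) tuples: the proxy's own "HTTP history"

def intercept(method, url, headers, body):
    """Hook run on every request before it is forwarded (the "Interceptor" role).
    Constructed example: add a marker header so the server can show the change arrived."""
    headers["X-Intercepted"] = "yes"
    return method, url, headers, body

class ProxyHandler(BaseHTTPRequestHandler):  # intermediary: receive, forward, relay back
    def do_GET(self):
        # self.path is the absolute URL a browser sends when it is configured to use a proxy
        method, url, headers, body = intercept(
            self.command, self.path, dict(self.headers.items()), None)
        u = urlsplit(url)
        conn = HTTPConnection(u.hostname, u.port or 80, timeout=5)
        conn.request(method, u.path or "/", body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        HISTORY.append((method, url, resp.status))  # capture the exchange
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)  # relay the server's response back to the client

class TargetHandler(BaseHTTPRequestHandler):  # constructed stand-in for the site under test
    def do_GET(self):
        body = ("intercepted=" + self.headers.get("X-Intercepted", "no")).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Start target and proxy locally, send one request via the proxy, return the result."""
    target, proxy = serve(TargetHandler), serve(ProxyHandler)
    url = "http://127.0.0.1:%d/index.php" % target.server_port
    conn = HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)  # cf. 127.0.0.1:8080 in Step 3
    conn.request("GET", url)  # absolute URL, exactly as a proxied browser sends it
    body = conn.getresponse().read().decode()
    target.shutdown(); proxy.shutdown()
    return body, HISTORY[-1][0], HISTORY[-1][2]  # ("intercepted=yes", "GET", 200)
```

Calling demo() shows the server receiving the header the hook inserted, while HISTORY holds the captured exchange the way Burp's HTTP History would.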


CONCLUSION
Burpsuite is a powerful and versatile tool for web application security testing. It offers
a range of features that can help you perform various tasks, such as intercepting and
modifying requests, crawling and scanning web applications, exploiting
vulnerabilities, analyzing session tokens, decoding and encoding data, and comparing
responses. Burpsuite can be used for both manual and automated testing, and it allows
you to customize and extend its functionality with plugins and extensions. Burpsuite is
a must-have tool for any web application security tester or researcher.

Burpsuite is an integrated platform for web application security testing that
consists of several tools that work together.

Burpsuite can help you perform different types of testing, such as passive,
active, or user-directed scanning, fuzzing, brute forcing, etc.


Burpsuite can be configured to work with your browser and proxy settings, and
it can also be enhanced with plugins and extensions.
