|BurpSuite Compendium Preview.pdf|
We would like to present you our newest issue, which will mainly focus on Burp Suite. We gathered all the articles we had about this tool, added new ones and prepared this compendium. Tutorials, step by step guides, and more can be found in this edition. Hamed Farid will show you how to Extend Burp with Python. Junior Carreiro wrote an article to show you how you can use Burp to perform fuzzing web applications and discover SQL Injection flaws.
If you get tired of Burp, I recommend reading two amazing articles: “Demystifying the Dark Web” by Sayani Banerjee and “Browser Exploits: PasteJacking And XSSJacking” by Samrat Das. We hope that you will find many interesting articles inside the magazine and that you will have time to read them all.
Again special thanks to the Beta testers and Proofreaders who helped with this issue. Without your assistance there would not be a Hakin9 Magazine!
Enjoy your reading,
What is Burp Suite?
by Prasoon Nigam
The Burp Suite or a (Manual) Proxy tool is an intercepting proxy tool that intercepts all the traffic (Request and Response) which is sent from Client to Server and vice versa. The primary job of the Burp Suite Proxy tool is to intercept regular web traffic, which goes over Hypertext Transfer Protocol (HTTP), and with additional configuration, encrypted HTTP (HTTPS) traffic as well. Burp Suite can be used to intercept any client-server communication that goes over HTTP.
Brute forcing passwords
by Tomasz Krupa
In this article we will be testing web security of the popular WordPress engine by simulating a brute force attack using my two favourite Linux Kali tools: WPScan and Burp Suite.
Extending Burp Using Python
by Hamed Farid
You can write your own extensions in Burp using the Burp Extensibility API. The API consists of a number of Java interfaces that you will provide implementations of, depending upon what you are trying to accomplish. However, Burp is written in Java and the understeering of its APIs need some java knowledge but I think some understanding of any programming language will be enough beside searching the web for Java keywords you don’t understand. Burp extensions can be written in Java, Python, or Ruby. We’ll use Python here in this article, check the section Why Python for details.
Web Applications Pentesting Tools: Burp Suite Playbook
by Pranav Jagtap
Web Application pen testing can be done through various tools available. This article will mainly focus on ‘Burp Suite’ tool and its various interesting features. After reading this article, the reader will be able to configure burp suite with the browser, exploit XSS using burp plugins and will know how to use different tabs of burp suite.
Harnessing the lesser known “Burp macros” for Penetration Testing Web Apps
by Samrat Das
In my penetration testing career so far, while performing fuzzing of parameters and page field in web applications, I did encounter some challenges relating to session handling. In multiple cases, the application used to terminate the session being used for testing, this either happened due to some security countermeasures (for example: getting unsafe input, the session used to get logged out) or in other cases, say the Burp spider/ crawler used to fuzz the logout page parameters and terminate the session.
Automating Manual Security Testing Using Burp Macros to Accelerate Manual Security Testing
by Prashant Kumar Khare and Sarang Dabadghao
The purpose of this paper is to cite an implementation approach of using automation in security testing which enhances the efficiency of doing manual security testing of a tester in much less time than anticipated. In this paper, the tool that will be referenced is Burp Suite (free version) provided by Portswigger and a demo application. This paper will cover automation using Macros in Burp Suite and its integration with Intruder and Repeater.
Burp for fuzzing
by Junior Carreiro
The purpose of this article is to show how we can use the Burp to perform a fuzzing web applications and discovered SQL Injection flaws.
Web Applications Penetration Testing Tools – Overview
by Andrea Cavallini
Nowadays, the world of information technologies, in particular the applications development process, is strongly oriented to web implementations. Cybersecurity is important because web languages have more attack vectors than the other languages; its aim is to guarantee the CIA Triad, with confidentiality, integrity, and availability milestones. Vulnerability assessments are necessary to know the level of criticality of the entire platform or of its components; Burp Suite is one of the most important tools for Web Application Penetration Test activities (WAPT).
Demystifying the Dark Web
by Sayani Banerjee
The curiosity towards hidden and unknown is an eternal human trait. We usually navigate the World Wide Web via popular search engines like Google, Bing etc. But there is another world of secrets underneath these publicly accessible web services. It is only the surface that is indexed by the typical search engines.
Browser Exploits: PasteJacking And XSSJacking
by Samrat Das
In the field of penetration testing, we all know attacks such as Clickjacking, Cross Site Scripting. These are attacks from most commonly included OWASP Top 10 test cases. However, what about learning some client side exploits which can help us chain unexpected and not so commonly accepted attacks to perform account takeover, hijacking sessions, manipulating user clipboard remotely? Sounds exciting? Well, that’s what XSSJacking and Paste Jacking is all out, read on to know more: Today we will look into some advanced attack vectors which have been lately around sometime but not all are aware of the attack.