In Chapter 7, Working with Vulnerability Scanners, we outlined the benefits and functionality of using Burp Suite. In this section, we will further demonstrate how to perform automated vulnerability discovery using this tool.
We can use Burp Suite to perform automated scans on specific pages or websites. Before we start, ensure that you have configured the following settings:
- Configure the web browser on the attacker machine (Kali Linux) to work with Burp Suite Proxy. If you are having difficulty with this task, please revisit Chapter 7, Working with Vulnerability Scanners.
- Ensure that you turn on the OWASP BWA virtual machine and capture its IP address.
Once these configurations are in place, we can begin by taking the following steps:
- Use the web browser on your Kali Linux machine to navigate to the DVWA within the OWASP BWA virtual machine.
- Click on SQL Injection as shown here:
- Open Burp Suite and ensure that Intercept is on.
- On the DVWA web page, click the Submit button to send an HTTP request to the server:
- In Burp Suite, you should be able to see the HTTP request. Right-click anywhere in the context window and select Do an active scan:
This will allow Burp Suite to perform an automated scan on the target web page to discover any web vulnerabilities.
The following is an example of the results after completing a scan using Burp Suite:
Selecting each issue found will provide you with a breakdown of the specific vulnerability.
In the next section, we will learn how to use Acunetix to discover web vulnerabilities.