You are getting closer and closer to becoming a pro in application security testing. This chapter is dedicated to an amazing application called Burp Suite. It is a mandatory tool for testing web application security. I'm not trying to sell you the application; rather, I'm giving you an honest opinion, based on my own experience as a web application penetration tester. Burp was written by PortSwigger Ltd. I can't thank them enough for allowing us to test web applications, making sure that they are secure against threats.
You're probably wondering, why Burp? Why not one of the fancy, expensive, single-button tools out there on the market?
First of all, just because they are expensive doesn't mean that they are good; secondly, don't be a slave to the Gartner charts. Big companies increase their prices when they appear at the top of the Gartner chart; they are big businesses, and they want to make big bucks. On the other hand, Burp offers many options (from manual to automated tests) for only 350 USD per year, compared to other big name scanners, which cost thousands of dollars per year. When you work in the security field, you will be amazed by how expensive these tools are. Our job, as professionals, is to help our clients or companies choose the right tools for their budgets, while also providing a professional outcome.
False positives (fake vulnerabilities that are flagged by the scanner) will always be there, and it is your job to differentiate the real vulnerabilities from the false ones. Never copy and paste the contents of any report without understanding its contents. Try to test a vulnerability and make sure that it's real before putting it into a final report.
In this chapter, I will do my best to cover the ins and outs of Burp Suite, including the following:
- Introducing Burp Suite
- Practical examples of how to use Burp Suite
- How to use Burp Proxy
- How to install the Burp SSL certificate
- How to crawl a web application
- How to find hidden items using Burp
- Using the Burp vulnerabilities scanner
- How to use the Repeater tab
- Exploring the functionalities of the Intruder tab
- How to install additional applications in Burp