for web application penetration testing. As an IT Specialist, you can think of it as a specialized, high-powered proxy that sits between your browser and the web server, allowing you to intercept, inspect, and modify every HTTP request and response that passes through it.
Core Components (The “Tabs”)
Burp is organized into modules (tabs) that you’ll use throughout the enumeration and attack phases:
- Proxy: The heart of Burp. It intercepts HTTP/S traffic. You can “drop” a request or “forward” it after you’ve changed the data (e.g., changing a price from $100.00 to $0.01).
- Repeater: Used for manual testing. You send a specific request to Repeater, change a parameter (like testing for #SSRF), and resend it over and over to see how the server reacts.
- Intruder: The automation engine. Use this for “Fuzzing” or brute-forcing. You can feed it a list of usernames and have it test them all automatically.
- Decoder: A quick utility to transform data (Base64, URL encoding, Hex, hash) into a readable format.
- Comparer: Visually highlights the differences between two server responses—perfect for spotting Blind SSRF or SQL Injection indicators.
💻 Using Burp in the CLI
While Burp is a GUI-heavy tool, it is often paired with Linux command-line tools (#CLItool) such as curl to verify findings.
| Task | Burp Tool | Manual Equivalent (#CLItool) |
|---|---|---|
| Intercept/Modify | Proxy | mitmproxy |
| Repeat Request | Repeater | curl -X POST [URL] -d "[data]" |
| Brute Force | Intruder | ffuf or gobuster |
| Find Vulns | Scanner (Pro) | nikto |
Burp Suite
📝 Overview
What it is: An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping to finding and exploiting security vulnerabilities.
Target Phase: Enumeration / attack / post-exploitation
Operating System: Linux / Windows / macOS (Java-based)
⚙️ Core Capabilities
- Interception Proxy: Man-in-the-middle for HTTP/S traffic.
- Web Fuzzing: Testing input fields for vulnerabilities like XSS, SQLi, and SSRF.
- Automated Scanning: (Pro version) Automatically identifies common web vulnerabilities.
⚠️ Notes for the Vault
- CA Certificate: To intercept HTTPS, you must install the Burp CA certificate in your browser.
- Scope: Always define your “Target Scope” so you don’t accidentally intercept traffic from other sites (like your email) while testing.
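The two notes above (trust the Burp CA for HTTPS, and keep only in-scope traffic going through the proxy) applied to a CLI verification script. This is an added example, not code from the page or from PortSwigger; it assumes Burp’s listener is on 127.0.0.1:8080 (the usual default) and that the CA has been exported to a PEM file you point to.

```python
"""Send verification requests through Burp only for in-scope hosts.
Assumptions (not on the page): Burp listens on 127.0.0.1:8080 and its CA
certificate has been exported to a PEM file passed as ca_file."""
import ssl
import urllib.request
from urllib.parse import urlsplit

BURP_PROXY = "http://127.0.0.1:8080"  # assumed default Burp listener


def in_scope(url, include, exclude=()):
    """Burp-style scope check on the hostname.
    An entry like 'example.com' covers the host itself and any subdomain;
    a host matching any exclude entry is out of scope even if included."""
    host = (urlsplit(url).hostname or "").lower()

    def matches(entry):
        entry = entry.lower().lstrip(".")
        return host == entry or host.endswith("." + entry)

    return any(map(matches, include)) and not any(map(matches, exclude))


def build_opener(url, include, exclude=(), ca_file=None):
    """Opener routed through Burp for in-scope URLs, sent direct otherwise.
    ca_file is the exported Burp CA (PEM) so HTTPS via the proxy validates."""
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else ssl.create_default_context()
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if in_scope(url, include, exclude):
        handlers.append(urllib.request.ProxyHandler({"http": BURP_PROXY, "https": BURP_PROXY}))
    else:
        handlers.append(urllib.request.ProxyHandler({}))  # also ignores env proxy settings
    return urllib.request.build_opener(*handlers)


def uses_burp(opener):
    """True if the opener will tunnel traffic to the Burp listener."""
    return any(isinstance(h, urllib.request.ProxyHandler) and h.proxies.get("https") == BURP_PROXY
               for h in opener.handlers)


def verify(url, include, exclude=(), ca_file=None, data=None):
    """Repeater-style single request; shows up in Proxy history when in scope."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    with build_opener(url, include, exclude, ca_file).open(req, timeout=15) as resp:
        return resp.status, resp.read()
```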
🏷️ Tags
BurpSuite WebSecurity Proxy Fuzzing attack Enumeration PenTestPlus tools