Burp Suite: Security Tool Cheatsheet for Penetration Testing

🛠 Security Tool Cheatsheet

Alex Morgan — Senior Penetration Tester

What is Burp Suite?

Burp Suite is a popular integrated platform for performing security testing of web applications. It provides tools for mapping and analyzing an application’s attack surface, identifying vulnerabilities, and exploiting them effectively.

Installation

Burp Suite can be installed on various operating systems, including Windows, macOS, and Linux. You can download it directly from the PortSwigger website. Ensure you have a Java Runtime Environment (JRE) installed, as it is required to run Burp Suite.

Basic Syntax

To start Burp Suite, simply use the command:

java -jar burpsuite.jar

Discovery

Using the Target Tab

To map the application:

  • Open Burp Suite and navigate to the Target tab.
  • Use the Site map to see the structure of the application.

Spidering

To crawl the application:

Right-click on a URL in the Site map > Crawl

This will enumerate parameters and endpoints. You can further configure the spider settings in the Options tab.
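The crawl populates the Site map, and the same endpoint and parameter inventory can be pulled out of a saved export for scripting or for building a scope list. The script below is an added example, not code from Burp Suite or PortSwigger: it assumes the layout of a Site map "Save items" export (an items root holding item elements with url, method and a base64-encoded request), and the sample export, hostnames and requests embedded in it are constructed.

```python
"""Enumerate endpoints and parameters from a Burp site-map XML export.

Added example for this cheatsheet, not code from Burp Suite or PortSwigger.
Assumes the layout of a Site map "Save items" export (an <items> root with
<item> children carrying <url>, <method> and a base64 <request>); the
sample export below is constructed, not captured from a real target.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed raw HTTP requests, the kind Burp stores base64-encoded per item.
REQ_LOGIN = (
    b"POST /login?next=%2Fhome HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"username=alice&password=x"
)
REQ_ITEMS = b"GET /api/items?id=7&sort=asc HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

# Constructed export in the assumed "Save items" shape (two site-map entries).
SAMPLE_EXPORT = """<?xml version="1.0"?>
<items burpVersion="example" exportTime="example">
  <item>
    <url><![CDATA[https://app.example.test/login?next=%2Fhome]]></url>
    <host ip="203.0.113.10">app.example.test</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[POST]]></method>
    <path><![CDATA[/login?next=%2Fhome]]></path>
    <request base64="true"><![CDATA[{login}]]></request>
    <status><![CDATA[302]]></status>
  </item>
  <item>
    <url><![CDATA[https://app.example.test/api/items?id=7&sort=asc]]></url>
    <host ip="203.0.113.10">app.example.test</host>
    <port>443</port>
    <protocol>https</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/api/items?id=7&sort=asc]]></path>
    <request base64="true"><![CDATA[{items}]]></request>
    <status><![CDATA[200]]></status>
  </item>
</items>
""".format(
    login=base64.b64encode(REQ_LOGIN).decode("ascii"),
    items=base64.b64encode(REQ_ITEMS).decode("ascii"),
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.decode("latin-1").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_parameters(target: str, headers: dict, body: bytes) -> dict:
    """Map each parameter name to where it travels: query string or form body."""
    params = {}
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params[name] = "query"
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            params[name] = "body"
    return params


def enumerate_sitemap(xml_text: str) -> dict:
    """Return {(method, path): {param: location}} for every item in the export."""
    endpoints = {}
    for item in ET.fromstring(xml_text).iter("item"):
        req_el = item.find("request")
        if req_el is None or not req_el.text:
            continue  # entry without a stored request: nothing to enumerate
        raw = base64.b64decode(req_el.text) if req_el.get("base64") == "true" \
            else req_el.text.encode("latin-1")
        method, target, headers, body = parse_request(raw)
        key = (method, urlsplit(item.findtext("url", "")).path)
        endpoints.setdefault(key, {}).update(extract_parameters(target, headers, body))
    return endpoints


def main():
    for (method, path), params in sorted(enumerate_sitemap(SAMPLE_EXPORT).items()):
        where = ", ".join(f"{name} ({loc})" for name, loc in sorted(params.items()))
        print(f"{method:6} {path:20} {where}")


if __name__ == "__main__":
    main()
```

Run it against a real export by reading the file into `enumerate_sitemap`; the keyed result makes it easy to diff two crawls or to check that every endpoint you plan to scan sits inside the defined Target Scope.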

Scanning

Active Scanning

To run an active scan:

Right-click on the URL > Active Scan

This scans for vulnerabilities and provides detailed reports. Ensure your Target Scope is properly defined to avoid scanning unintended targets.

Exploitation

Intruder Tool

For automated attacks, use the Intruder:

Navigate to the Target tab > Intruder > Positions

Set payload position markers on the injection points. You can customize payloads based on the context, such as brute-forcing or injection attacks.

Analysis

Repeater Tool

For manual testing, use Repeater:

Right-click on a request > Send to Repeater

This allows you to manipulate and resend requests to observe the server’s response.

Evasion

Using Proxy

To intercept requests:

Set your browser to use the Burp proxy on 127.0.0.1:8080

Ensure you install the Burp CA certificate in your browser for HTTPS traffic.

Reporting

To generate reports:

Dashboard > Report > Generate Report

You can customize the report format and content based on the findings from your testing.

Quick Reference Table

Flag   Description
-c     Enable crawler
-a     Activate the scanner
-i     Perform Intruder tasks

Pro Tips

  • Use the Scanner in passive mode during active engagements to avoid detection.
  • Customize payloads in the Intruder for more targeted attacks (e.g., SQLi, XSS).
  • Leverage the Extensions feature in Burp to add new capabilities (e.g., for specific vulnerabilities).

Real-World Examples

Example of command injection using Intruder:

1. Send a POST request to the target with a parameter.
2. Use Intruder to modify the parameter value with common payloads.
3. Analyze the responses to determine if a command injection is possible.
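Step 3 is where most of the judgement sits: an Intruder run produces one row per payload, and the rows worth a closer look are the ones whose status, response length or timing deviates from the unmodified baseline request. The script below is an added example, not code from Burp Suite or PortSwigger; it assumes the results table has been exported as rows with status, length and response time, uses constructed rows with opaque payload labels, and the tolerance thresholds are assumed values to tune per application.

```python
"""Triage Intruder-style results against the baseline request.

Added example for this cheatsheet, not code from Burp Suite or PortSwigger.
Assumes the results table was exported as one row per payload carrying the
status code, response length and response time; all rows below are
constructed, and the thresholds are assumed starting values.
"""

# Constructed rows: the first row is the unmodified (baseline) request.
SAMPLE_RESULTS = [
    {"payload": "<baseline>", "status": 200, "length": 5120, "time_ms": 110},
    {"payload": "payload-01", "status": 200, "length": 5122, "time_ms": 104},
    {"payload": "payload-02", "status": 200, "length": 5118, "time_ms": 121},
    {"payload": "payload-03", "status": 500, "length": 1480, "time_ms": 98},
    {"payload": "payload-04", "status": 200, "length": 5119, "time_ms": 5210},
    {"payload": "payload-05", "status": 200, "length": 7210, "time_ms": 115},
]


def triage(results, length_tolerance=0.02, time_factor=10.0):
    """Return [(payload, [reasons])] for rows that differ from the baseline.

    length_tolerance: fraction of the baseline length treated as noise
                      (reflected payloads shift the length by a few bytes).
    time_factor:      a response slower than baseline by this factor is
                      flagged, the signal a time-based check relies on.
    """
    baseline = results[0]
    flagged = []
    for row in results[1:]:
        reasons = []
        if row["status"] != baseline["status"]:
            reasons.append(f"status {baseline['status']} -> {row['status']}")
        if abs(row["length"] - baseline["length"]) > length_tolerance * baseline["length"]:
            reasons.append(f"length {baseline['length']} -> {row['length']}")
        if row["time_ms"] > time_factor * baseline["time_ms"]:
            reasons.append(f"time {baseline['time_ms']}ms -> {row['time_ms']}ms")
        if reasons:
            flagged.append((row["payload"], reasons))
    return flagged


def main():
    # A flagged row is a lead to confirm by hand in Repeater, not a finding.
    for payload, reasons in triage(SAMPLE_RESULTS):
        print(f"{payload}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Each flagged row is a lead to reproduce manually in Repeater before it goes into the report; a single slow response, for instance, is as likely to be server load as anything else, so repeat it and compare against a fresh baseline before drawing a conclusion.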