search
githubEdit

Burpsuite

hashtag
BURPSUITE WEB PROXY TOOL (USE IT WITH FOXYPROXY BROWSER EXTENSION)

hashtag
Burpsuite generates its own TLS certificate for each host, signed by its own Certificate Authority (CA)

hashtag
Ensure you install Burp's CA Certificate for HTTPS sites

hashtag
Can be found at http://burpsuite

hashtag
Import certificate into browser

hashtag
TIP: Burpsuite has an embedded browser to use (Chromium)

hashtag
PROXY

hashtag
Intercet is on by default

hashtag
Can modify packet before it is sent to the web server

hashtag
Can send requests to other Burpsuite tools under "actions"

hashtag
REPEATER

hashtag
Can try different requests without having to use a browser

hashtag
Great for analyzing things like Time-based SQL injections (example)

hashtag
Can easily analyze different behavior by web server from requests

hashtag
INTRUDER

hashtag
Intruder is a tool to brute-force logins or fuzz web applications

hashtag
Can grep for specific strings

hashtag
You need to specify the position for the attack

hashtag
INTRUDER ATTACK TYPES

hashtag
Sniper = Attacks only one position at a time

hashtag
Battering Ram = Places the same payload value in all positions

hashtag
Pitchfork = Uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on and so forth.

hashtag
Cluster Bomb = The cluster bomb attack tries all different combinatipons of payloads. It still puts the first payload in the first position and the second payuload in the second position. But when it loops through the payload sets, it tries all the combinations.

hashtag
DECODER

hashtag
Can both encode/decode

1) Base64

2) URL

3) HTML

4) ASCII Hex

5) Hex

6) Octal

7) Binary

8) Gzip

PreviousWeb ApplicationsNextGIT TOOLS

Last updated