Penetration testing and vulnerability assessment are core parts of security work. Put simply, the only reliable way to learn how you can be hacked is to hack yourself first. Companies hire security consultants to legally take their websites apart piece by piece and put them back together stronger and more secure than before. Security consultants (and malicious hackers) rely on a number of tools to do this, and one of the most widely used is Burp Suite.
Burp Suite is an interception proxy. A proxy is a program, computer or server that sits between your browser and the internet and relays your traffic on your behalf. Proxies are often used to anonymise the user by hiding his or her IP address behind the proxy's own address, but that is only one of their uses. Burp works on the same principle: you point your browser at Burp, your HTTP and HTTPS traffic passes through it, and (here's the fun part) Burp lets you pause, inspect and modify that traffic before it reaches the server, and again before the response reaches the browser. That's where the "interception" part of "interception proxy" comes in. For HTTPS this only works once Burp's own CA certificate is installed in the browser, so that Burp can decrypt and re-encrypt the traffic; I'll make a separate post on setting up the program and configuring it with your machine because there are quite a few steps to it. This post is just to help you understand what you can do with Burp.
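To make the "modify the traffic in flight" idea concrete, here is a small added example of what happens when you edit an intercepted request before forwarding it. This is illustrative code written for this post, not Burp's own code: it parses a raw HTTP/1.1 request (a constructed sample, with a made-up host and parameter names), rewrites one form parameter the way you would by hand in Burp's Proxy tab, and re-serialises the request with a corrected Content-Length so the server still accepts it. Changing a value like `role` or `user_id` on a request you are authorised to test is exactly the kind of privilege and access-control probe the rest of this post is about.

```python
"""Added example (not Burp's code): edit an intercepted request in flight.

Parses a raw HTTP/1.1 request, rewrites a form parameter and re-serialises
it with a recomputed Content-Length. The request, host and parameter
names below are constructed for the example.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample request, as a browser would send it through the proxy.
RAW_REQUEST = (
    b"POST /account/update HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"user_id=1042&role=member"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, ordered header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def build_request(request_line: str, headers, body: bytes) -> bytes:
    """Serialise a request, recomputing Content-Length for the new body.

    A stale Content-Length is the classic mistake when hand-editing a
    request; the server would truncate or reject the body."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body:
        kept.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def intercept(raw: bytes, param: str, new_value: str) -> bytes:
    """Rewrite one form parameter in an intercepted request, as a tester
    would do in Burp's Proxy > Intercept tab before pressing Forward."""
    request_line, headers, body = parse_request(raw)
    fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    fields = [(k, new_value if k == param else v) for k, v in fields]
    return build_request(request_line, headers, urlencode(fields).encode())


if __name__ == "__main__":
    # Turn a "member" into an "admin" on the way to the server and see
    # whether the application actually checks the role server-side.
    print(intercept(RAW_REQUEST, "role", "admin").decode())
```

The same parse/edit/rebuild cycle is what Burp does for you on every intercepted request; the tool's value is that you get to do it interactively, with the browser waiting, rather than scripting it up front.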
Burp has a number of tools that you can use to perform a wide variety of tasks, ranging from simple to incredibly advanced. These tools appear as tabs in the program, alongside the Proxy tab where the intercepted traffic itself shows up.
- The first is Spider, which crawls a site or web application. "Crawling" means following every link and form the site has to offer so that you know the full scope of what you're testing; without it you might miss pages, and with them vulnerabilities, that you could have caught. Don't rely solely on Spider, though: it can't reach pages behind a login unless it's given credentials, it misses content that only appears through JavaScript, and it will blindly follow links and submit forms, including ones that log you out or change data, so set your target scope before you start it. If you have the time, browse the application manually as well. (In newer versions of Burp the Spider has been replaced by the crawler built into the Scanner, but the idea is the same.)
- Next is Scanner, which is only available in Burp Suite Professional (the paid edition) and makes your job easier by scanning the site for vulnerabilities automatically. It's important enough to be worth the price of Professional on its own, with two caveats. Active scanning sends real attack payloads to the target, so only run it against something you are authorised to test. And a scanner finds the well-known classes of bug (injection, cross-site scripting, misconfigurations) but not business-logic flaws, so verify every finding by hand and never treat a clean scan as a clean application.
- The Intruder tool comes next, and it's a powerful one. It's your main automated attacking tool: you take a request, mark one or more positions in it (a parameter, a header, a cookie value), give it lists of payloads, and it sends a variant of the request for every payload and lets you compare the responses. Four attack types decide how payloads map onto positions: Sniper (one position at a time), Battering ram (the same payload in every position), Pitchfork (the lists walked in parallel) and Cluster bomb (every combination). For example, if the site lets users sign up or log in, you can try lists of usernames and passwords, see which characters are accepted and which are rejected, and look for responses that differ in status code or length, which is often how a crash, a username-enumeration leak or an accidental grant of administrator access shows up. Note that the free Community edition rate-limits Intruder heavily.
- Repeater is the manual counterpart to Intruder. It lets you take a single request, edit any part of it by hand and send it again (thus the name) as many times as you like, watching how the response changes each time. It's where you confirm and refine whatever Intruder or Scanner turned up.
- Sequencer looks at the site's supposedly random values, the important stuff such as session cookies, anti-CSRF tokens and password-reset links, collects a large sample of them and runs statistical tests to estimate just how random they really are. Two caveats: you need a sample in the thousands for the results to mean much, and a token that passes the tests isn't necessarily unpredictable (a hash of an incrementing counter looks perfectly random and is trivially guessable), so Sequencer is for finding weak tokens, not for certifying strong ones.
- Decoder, a relatively simple tool, encodes and decodes (translates) data between formats: plain text, URL encoding, HTML encoding, Base64, ASCII hex, hexadecimal, octal, binary and GZIP. It can also compute common hashes of the input. Its "smart decode" option guesses which encoding it's looking at and peels the layers off in turn, which is handy for unpacking a cookie or a token; since it's guessing, check each step.
- Finally, the Comparer tool compares two pieces of data, at either the word or the byte level. If two responses are far too long to eyeball, drop them both into Comparer and it highlights exactly where they differ. A typical use is comparing the response for a valid username against the one for an invalid username to see whether the application leaks which accounts exist.
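As an added example of what Intruder and Comparer do together (written for this post, not Burp's own code), here is an Intruder-style attack run entirely offline. The request template carries payload positions marked with section signs (§...§) the way Intruder marks them, the four attack types generate the same request sets Intruder would, and a constructed stand-in for the server answers each request. The stand-in's credentials and error messages are made up; its one assumed weakness is that it answers differently for unknown users than for wrong passwords, which is the kind of difference you would otherwise spot by dropping two responses into Comparer.

```python
"""Added example (not Burp's code): an Intruder-style attack, offline.

The target is a constructed stand-in; credentials and messages are made up.
Payload values are assumed not to contain '&' or '=' for simplicity.
"""
import itertools
import re
from collections import Counter

POSITION = re.compile("§(.*?)§")

# Constructed template with two payload positions and their default values.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"
            "username=§alice§&password=§secret§")


def simulated_login(request: str) -> str:
    """Stand-in for the target. Assumption: it leaks whether a username
    exists by returning a different message for unknown users."""
    body = request.split("\r\n\r\n", 1)[1]
    params = dict(pair.split("=", 1) for pair in body.split("&"))
    if params["username"] != "bob":
        return "HTTP/1.1 200 OK\r\n\r\nUnknown user"
    if params["password"] != "hunter2":
        return "HTTP/1.1 200 OK\r\n\r\nIncorrect password for this account"
    return "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"


def fill(template: str, values) -> str:
    """Substitute payload values into the marked positions, left to right."""
    it = iter(values)
    return POSITION.sub(lambda _: next(it), template)


def generate(template: str, attack: str, *payload_sets):
    """Yield (payloads, request) pairs for one of Intruder's attack types."""
    defaults = POSITION.findall(template)
    n = len(defaults)
    if attack == "sniper":            # one position at a time, rest default
        for i in range(n):
            for p in payload_sets[0]:
                vals = list(defaults)
                vals[i] = p
                yield tuple(vals), fill(template, vals)
    elif attack == "battering_ram":   # same payload in every position
        for p in payload_sets[0]:
            yield (p,) * n, fill(template, [p] * n)
    elif attack == "pitchfork":       # walk the payload lists in parallel
        for vals in zip(*payload_sets):
            yield vals, fill(template, vals)
    elif attack == "cluster_bomb":    # every combination of the lists
        for vals in itertools.product(*payload_sets):
            yield vals, fill(template, vals)
    else:
        raise ValueError(f"unknown attack type: {attack}")


def run(template, attack, *payload_sets, send=simulated_login):
    """Send every request and keep the columns Intruder's results table
    shows: payloads used, status code and response length."""
    rows = []
    for vals, req in generate(template, attack, *payload_sets):
        resp = send(req)
        status = int(resp.split(" ", 2)[1])
        rows.append((vals, status, len(resp)))
    return rows


def anomalies(rows):
    """Comparer-style triage: treat the most common (status, length) pair
    as the baseline and return every row that deviates from it."""
    signatures = Counter((status, length) for _, status, length in rows)
    baseline = signatures.most_common(1)[0][0]
    return [row for row in rows if (row[1], row[2]) != baseline]


if __name__ == "__main__":
    rows = run(TEMPLATE, "cluster_bomb",
               ["alice", "bob", "carol"], ["password", "hunter2"])
    for vals, status, length in anomalies(rows):
        print(vals, status, length)
```

Running the cluster bomb above surfaces two odd rows out of six: the existing user `bob` with the wrong password (a different-length 200) and with the right one (a 302 redirect). Sorting Intruder's results by status and length is the same triage as `anomalies`; the leak is that `bob` stands out even before the password is right.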
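To show what Sequencer is measuring, and why passing its tests is not the same as being unpredictable, here is an added example written for this post (it is not Burp's Sequencer, which runs a much larger battery of statistical tests). Two constructed token generators are analysed: a padded counter, and SHA-256 over a counter. Both are made up for the example; the second is there precisely because it looks random to any statistical check while being trivially predictable to anyone who knows the scheme.

```python
"""Added example (not Burp's Sequencer): a quick randomness check on a
sample of tokens. Both generators below are constructed for the example.
"""
import hashlib
import math
from collections import Counter


def counter_tokens(n: int):
    """Weak: a fixed prefix plus an incrementing counter in hex."""
    return [f"sess{i + 1000:012x}" for i in range(n)]


def hashed_counter_tokens(n: int):
    """Passes statistical tests yet is fully predictable: the next token is
    just the hash of the next counter value."""
    return [hashlib.sha256(f"user-{i}".encode()).hexdigest()[:32]
            for i in range(n)]


def position_entropy(tokens):
    """Shannon entropy, in bits, of the character seen at each position."""
    bits = []
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total = sum(counts.values())
        bits.append(-sum(c / total * math.log2(c / total)
                         for c in counts.values()))
    return bits


def estimated_bits(tokens) -> float:
    """Sum of per-position entropies. This is an upper bound on the real
    entropy (positions may be correlated) and is biased low for small
    samples, which is why Sequencer wants thousands of tokens."""
    return sum(position_entropy(tokens))


def common_prefix(tokens) -> str:
    prefix = tokens[0]
    for t in tokens[1:]:
        while not t.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def looks_sequential(tokens) -> bool:
    """Read the part after the shared prefix as a hex integer and check
    whether consecutive tokens differ by a constant step."""
    prefix = common_prefix(tokens)
    try:
        values = [int(t[len(prefix):], 16) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and deltas != {0}


def assess(tokens) -> str:
    """One-line verdict in the spirit of Sequencer's summary."""
    if looks_sequential(tokens):
        return "sequential: predictable"
    bits = estimated_bits(tokens)
    verdict = "weak" if bits < 64 else "no obvious weakness"
    return f"{bits:.1f} estimated bits: {verdict}"


if __name__ == "__main__":
    print("counter      ->", assess(counter_tokens(200)))
    print("sha256(ctr)  ->", assess(hashed_counter_tokens(200)))
```

The counter scheme is caught immediately, with only a few bits of estimated entropy and a constant step between tokens. The hashed counter gets "no obvious weakness" at well over a hundred estimated bits, and that is the caveat: Sequencer can tell you a token is bad, but only understanding how the token is generated can tell you it is good.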
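As an added example of what Decoder's "smart decode" does (written for this post, not Burp's own implementation), the script below peels recognisable encodings off a value one layer at a time and records the chain it took. The sample value is constructed in the script by wrapping a plain string in URL encoding, Base64, GZIP and hex, in that order, so it runs offline. The ordering of the checks and the `deadbeef` case at the end illustrate why each guessed step deserves a look.

```python
"""Added example (not Burp's Decoder): layered 'smart decode'.

The sample value is constructed below; no real cookie or token is used.
"""
import base64
import binascii
import gzip
import html
import re
from urllib.parse import quote, unquote_to_bytes

HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")
URL_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")
HTML_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")
BASE64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_once(data: bytes):
    """Return (encoding name, decoded bytes) for the outermost layer we can
    recognise, or None. Order matters: hex is checked before Base64 because
    every hex string is also valid Base64, and a guess can still be wrong
    (a word like "deadbeef" is both text and hex), so check each step."""
    if data[:2] == b"\x1f\x8b":
        try:
            return "gzip", gzip.decompress(data)
        except (OSError, EOFError):
            return None
    text = data.decode("latin-1")
    if len(text) >= 4 and HEX.fullmatch(text):
        return "hex", bytes.fromhex(text)
    if URL_ESCAPE.search(text):
        return "url", unquote_to_bytes(data)
    if HTML_ENTITY.search(text):
        return "html", html.unescape(text).encode("utf-8")
    if len(text) >= 8 and len(text) % 4 == 0 and BASE64.fullmatch(text):
        try:
            return "base64", base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
    return None


def smart_decode(data: bytes, max_layers: int = 8):
    """Peel layers until nothing is recognised; returns (chain, payload)."""
    chain = []
    for _ in range(max_layers):
        step = decode_once(data)
        if step is None:
            break
        name, data = step
        chain.append(name)
    return chain, data


# Constructed sample: a plain value wrapped in several encodings, the way
# an over-engineered cookie or tracking parameter sometimes arrives.
ORIGINAL = b"id=42&redirect=<b>hi</b>"


def layer(plain: bytes) -> bytes:
    """Wrap plain bytes in url -> base64 -> gzip -> hex (outermost last)."""
    step = quote(plain).encode("ascii")
    step = base64.b64encode(step)
    step = gzip.compress(step)
    return binascii.hexlify(step)


SAMPLE = layer(ORIGINAL)

if __name__ == "__main__":
    chain, payload = smart_decode(SAMPLE)
    print(" -> ".join(chain), ":", payload)
```

Burp's Decoder lets you apply exactly these transforms one at a time, or have smart decode guess the chain for you; the value of doing it by hand is that you see the intermediate layers, which is where a hidden parameter or an unsigned structure usually lives.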
This is a very, very, very basic look at what Burp Suite is and what it can do for you. I’ll be rolling out blog posts with specific instructions and examples for each tool in the coming weeks. Keep these in mind until then and remember to always stay on your toes. See you next week.