Web Application Penetration Testing with BurpSuite – Part 1
A tutorial on how to get started and/or pace up web application penetration testing with BurpSuite
Since you are looking for serious stuff, I won’t beat around the bush. Let’s get into the content.
Information to Retain:
BurpSuite is an all in one tool for web application penetration testers created by Dafydd Stuttard under the alias Portswigger. Dafydd is also the co-author of the famous book The Web Application Hacker’s Handbook. BurpSuite contains following tools.
1. Proxy Server for request/response analysis
2. Password cracker and username enumerator
3. Input Field Brute Forcer
4. Web Spider
5. Decoder for common encodings(URL, BASE64 etc)
and much more.
How to get started:
The simple steps are:
1. Choose a Browser ( I prefer Mozilla Firefox)
2. Choose localhost(127.0.0.1) at 8080 as a proxy in your chosen browser.
3. Fire Up Burpsuite and configure the proxy in the Options window of a proxy main window.
4. you are all set!
Stuff to know about HTTP:
HTTP is an application layer protocol that runs over TCP. It works on request-response architecture i.e. the client sends a request and the server responds with a response.
A typical request/ response has two parts
1. Header Part
2. Content Part
Header part contains various name-value pairs and some headers that determine many parameters of communication.
The working of HTTP and types of headers in a request/response is a vast topic which I’ll cover in another article before getting into advanced stages of Web app pentest. For now, this information is enough.
First Thing to do:
Spidering is the first to be done as recommended by many pentesters. The reason being you will need to enumerate web services before you can come out with a proper plan to attack their components. A spider maps out the web application to give you a clear picture of the structure of the web app. It is a skill to be learned with practice.
I’ll cover more sophisticated stuff in the upcoming articles.