Web Application Penetration Testing with BurpSuite – Part 1


A tutorial on how to get started with, and speed up, web application penetration testing with BurpSuite

Since you are looking for serious stuff, I won’t beat around the bush. Let’s get into the content.

Information to Retain:

BurpSuite is an all-in-one tool for web application penetration testers, created by Dafydd Stuttard under the alias PortSwigger. Dafydd is also the co-author of the well-known book The Web Application Hacker’s Handbook. BurpSuite contains the following tools:

1. Proxy Server for request/response analysis
2. Password cracker and username enumerator
3. Input Field Brute Forcer
4. Web Spider
5. Decoder for common encodings (URL, Base64, etc.)
and much more.

How to get started:

The simple steps are:

1. Choose a browser (I prefer Mozilla Firefox).
2. Set localhost ( on port 8080 as the proxy in your chosen browser.
3. Fire up BurpSuite and configure the proxy listener in the Options tab of the main Proxy window.
4. You are all set!

Stuff to know about HTTP:

HTTP is an application-layer protocol that runs over TCP. It works on a request-response model, i.e. the client sends a request and the server replies with a response.

A typical request/response has two parts:
1. Header part
2. Content part

The header part consists of name-value pairs (the headers) that determine many parameters of the communication.
How HTTP works and the types of headers in a request/response is a vast topic that I’ll cover in another article before getting into the advanced stages of web app pentesting. For now, this information is enough.
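To make the two-part structure concrete, here is an added example (my own code, not part of BurpSuite or this article's original) that splits a raw HTTP/1.1 message at the first blank line into its header part and content part, lower-cases header names for lookup, checks that Content-Length agrees with the actual body size, and decodes a form-encoded body. The request and response are constructed samples; the host app.example.test and the cookie values are invented.

```python
"""Split a raw HTTP/1.1 message into its header part and content part.

Added example for this article (not BurpSuite code). The request and response
below are constructed samples of the kind you would see in Burp's Proxy history.
"""
from typing import Dict, Tuple
from urllib.parse import parse_qs

CRLF = "\r\n"

# Constructed sample request: a login form POST as a browser would send it.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1" + CRLF
    + "Host: app.example.test" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF
    + "Content-Length: 27" + CRLF
    + "Cookie: session=abc123" + CRLF
    + CRLF
    + "username=alice&password=pw1"
)

# Constructed sample response: a redirect that sets a fresh session cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found" + CRLF
    + "Location: /home" + CRLF
    + "Set-Cookie: session=def456; HttpOnly; Secure" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
)


def parse_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Return (start_line, headers, body) for a raw HTTP/1.1 message.

    The header part ends at the first blank line (CRLF CRLF); everything after
    it is the content part. Header names are case-insensitive, so they are
    lower-cased before being stored.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line between header part and content part")
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_length_consistent(headers: Dict[str, str], body: str) -> bool:
    """True when Content-Length equals the real body size.

    With no Content-Length there is nothing to compare, so the check passes.
    A mismatch means sender and receiver may disagree about where the content
    part ends, which is worth flagging rather than silently ignoring.
    """
    if "content-length" not in headers:
        return True
    return int(headers["content-length"]) == len(body.encode("utf-8"))


def parse_form_body(body: str) -> Dict[str, str]:
    """Decode a form-encoded content part into the name-value pairs it carries."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        start, hdrs, body = parse_message(raw)
        print(start, hdrs, repr(body), content_length_consistent(hdrs, body))
```

Paste any request from Burp's Proxy history into SAMPLE_REQUEST (keeping the CRLF line endings) and the same split applies: everything above the blank line is what the headers tell you about the exchange, everything below is the payload the application actually processes.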

First Thing to do:
Spidering is the first thing to do, as recommended by many pentesters. The reason is that you need to enumerate the web application’s services before you can come up with a proper plan to attack their components. A spider maps out the web application to give you a clear picture of its structure. It is a skill to be learned with practice.
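To show what "mapping out the web application" amounts to, here is an added example (my own code, not Burp's spider and not from the original article) of a minimal scoped spider: it pulls href, src and action values out of each page, resolves them against the page URL, drops fragments so /login and /login#top count as one node, and follows only links on the in-scope host. Instead of live HTTP requests it walks a constructed in-memory site through a fetch callback, so it runs offline; the host app.example.test and the pages in SITE are invented.

```python
"""Minimal scoped spider: build a map of an application's URLs from its links.

Added example for this article (not BurpSuite code). The site below is
constructed in memory; `fetch` stands in for an HTTP GET so the walk runs offline.
"""
from collections import deque
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

HOST = "app.example.test"  # assumed in-scope host

# Constructed pages: URL -> HTML body served for it. /api/auth is linked from a
# form but deliberately absent, standing in for an endpoint that is not served to GET.
SITE: Dict[str, str] = {
    "http://app.example.test/":
        '<a href="/login">Login</a><a href="about.html">About</a>'
        '<script src="https://cdn.other.test/lib.js"></script>',
    "http://app.example.test/login":
        '<form action="/api/auth" method="post"></form><a href="/">home</a>',
    "http://app.example.test/about.html":
        '<a href="/login#top">login</a><a href="mailto:x@y">mail</a>',
}


class LinkExtractor(HTMLParser):
    """Collect the attribute values where links and form targets live."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def normalize(url: str) -> str:
    """Drop the fragment (never sent to the server) and default an empty path to /."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path or "/", s.query, ""))


def in_scope(url: str, host: str = HOST) -> bool:
    """Only http(s) URLs on the agreed host are followed; everything else is recorded, not fetched."""
    s = urlsplit(url)
    return s.scheme in ("http", "https") and s.netloc == host


def fetch_from_site(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET: None means the URL was not served."""
    return SITE.get(url)


def spider(start: str,
           fetch: Callable[[str], Optional[str]] = fetch_from_site,
           host: str = HOST) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Breadth-first walk from `start`.

    Returns (site_map, skipped): site_map maps every discovered in-scope URL to
    the in-scope links found on it; skipped holds the out-of-scope links seen.
    """
    start = normalize(start)
    queue = deque([start])
    seen: Set[str] = {start}
    site_map: Dict[str, List[str]] = {}
    skipped: Set[str] = set()
    while queue:
        url = queue.popleft()
        html = fetch(url)
        if html is None:
            site_map[url] = []  # linked but not served: still part of the map
            continue
        extractor = LinkExtractor()
        extractor.feed(html)
        outgoing: List[str] = []
        for raw in extractor.links:
            link = normalize(urljoin(url, raw))
            if not in_scope(link, host):
                skipped.add(link)
                continue
            outgoing.append(link)
            if link not in seen:
                seen.add(link)
                queue.append(link)
        site_map[url] = outgoing
    return site_map, skipped


if __name__ == "__main__":
    site_map, skipped = spider("http://app.example.test/")
    for url, links in site_map.items():
        print(url, "->", links)
    print("out of scope, not fetched:", sorted(skipped))
```

The `in_scope` check is the part to get right before pointing any spider at a real target: Burp's own spider has a target scope setting for the same reason, and links to third-party hosts (the CDN above) belong in the report as dependencies, not in the crawl.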

I’ll cover more sophisticated stuff in the upcoming articles.


