Web Application Penetration Testing with BurpSuite – Part 1

A tutorial on how to get started with and/or speed up web application penetration testing with BurpSuite

Since you are looking for serious stuff, I won’t beat around the bush. Let’s get into the content.

Information to Retain:

BurpSuite is an all-in-one tool for web application penetration testers, created by Dafydd Stuttard under the alias Portswigger. Dafydd is also the co-author of the famous book The Web Application Hacker’s Handbook. BurpSuite contains the following tools:

1. Proxy Server for request/response analysis
2. Password cracker and username enumerator
3. Input Field Brute Forcer
4. Web Spider
5. Decoder for common encodings (URL, Base64, etc.)
and much more.

How to get started:

The simple steps are:

1. Choose a browser (I prefer Mozilla Firefox).
2. Set localhost at port 8080 as the proxy in your chosen browser.
3. Fire up BurpSuite and configure the proxy in the Options window of the main Proxy window.
4. You are all set!

Stuff to know about HTTP:

HTTP is an application layer protocol that runs over TCP. It works on a request-response architecture, i.e. the client sends a request and the server responds with a response.

A typical request/response has two parts:
1. Header Part
2. Content Part

The header part contains various name-value pairs, including headers that determine many parameters of the communication.
The working of HTTP and types of headers in a request/response is a vast topic which I’ll cover in another article before getting into advanced stages of Web app pentest. For now, this information is enough.

First Thing to do:
Spidering is the first thing to be done, as recommended by many pentesters. The reason is that you will need to enumerate web services before you can come up with a proper plan to attack their components. A spider maps out the web application to give you a clear picture of the structure of the web app. It is a skill to be learned with practice.

I’ll cover more sophisticated stuff in the upcoming articles.