[go: up one dir, main page]
Scribd
Upload
772 views8 pages

Burp Suite:: Name:B Mahith Kumar Reddy Reg no:18BIT0076

Burp Suite is a tool that allows users to intercept and modify HTTP requests and responses. It includes several tabs that allow users to: 1. Use a proxy to view requests and responses and modify them before they are sent to the server. 2. Use an intruder tool to inject values into inputs to test for vulnerabilities like XSS or SQL injection. 3. Repeatedly send modified requests using a repeater tool to test input validation and sanitization. 4. Analyze tokens for randomness using a sequencer to check for session fixation or CSRF vulnerabilities. 5. Decode encoded data using common encoding formats to identify encoded values that could be vulnerable.

Uploaded by

Youngling Hunter
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
772 views8 pages

Burp Suite:: Name:B Mahith Kumar Reddy Reg no:18BIT0076

Burp Suite is a tool that allows users to intercept and modify HTTP requests and responses. It includes several tabs that allow users to: 1. Use a proxy to view requests and responses and modify them before they are sent to the server. 2. Use an intruder tool to inject values into inputs to test for vulnerabilities like XSS or SQL injection. 3. Repeatedly send modified requests using a repeater tool to test input validation and sanitization. 4. Analyze tokens for randomness using a sequencer to check for session fixation or CSRF vulnerabilities. 5. Decode encoded data using common encoding formats to identify encoded values that could be vulnerable.

Uploaded by

Youngling Hunter
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Name:B Mahith kumar reddy

Reg no:18BIT0076

Burp suite:

Screenshot of burp suite tool location in my system


Burp suite window just after opening browser.
Here we need to turn on intercept and manually forward every request. In proxy tab
we can see what requests we are sending to the server and the data received also.

Screen shot of Proxy tab after searching “burpsuite” in google

Here we can see all get and post requests during our google search in http history
tab under proxy tab.
1.proxy

BurpSuite provides an intercepting proxy that allows the user to access


and change the contents of requests and answers when in transit. It also
lets the user submit the request / response to another appropriate
BurpSuite tool under supervision, eliminating the copy-paste burden.
You may change the proxy server to run on a particular ip-back loop and
a port.
2.intruder

This is used to execute a set of values over an input. The values are run
and the output is observed for success / failure and content length.
Usually an anomaly results in the response code or length of the
response content being changed. For its payload position, BurpSuite
allows brute-force, dictionary file and one value. The intruder is used for:

Brute-force attacks on password forms, pin forms, and other such


forms.

The dictionary attack on password forms, fields that are suspected of


being vulnerable to XSS or SQL injection.

Testing and attacking rate limiting on the web-app.


3.repeater

Repeater lets a user send requests repeatedly with manual


modifications. It is used for:

 Verifying whether the user-supplied values are being verified.

 If user-supplied values are being verified, how well is it being


done?

 What values is the server expecting in an input parameter/request


header?

 How does the server handle unexpected values?

 Is input sanitation being applied by the server?

 How well the server sanitizes the user-supplied inputs?

 What is the sanitation style being used by the server?


4.sequencer

The sequencer is an entropy checker that checks for the randomness of


tokens generated by the webserver. These tokens are generally used for
authentication in sensitive operations: cookies and anti-CSRF tokens are
examples of such tokens. Ideally, these tokens must be generated in a
fully random manner so that the probability of appearance of each
possible character at a position is distributed uniformly. This should be
achieved both bit-wise and character-wise. An entropy analyzer tests
this hypothesis for being true. It works like this: initially, it is assumed
that the tokens are random. Then the tokens are tested on certain
parameters for certain characteristics. A term significance level is
defined as a minimum value of probability that the token will exhibit for a
characteristic, such that if the token has a characteristics probability
below significance level, the hypothesis that the token is random will be
rejected. This tool can be used to find out the weak tokens and
enumerate their construction.
5.decoder

Decoder lists the common encoding methods like URL, HTML, Base64, Hex, etc.
This tool comes handy when looking for chunks of data in values of parameters or
headers. It is also used for payload construction for various vulnerability classes. It is
used to uncover primary cases of IDOR and session hijacking.

You might also like