Table of Contents
Burp Suite Essentials
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Getting Started with Burp
Starting Burp from the command line
Specifying memory size for Burp
Specifying the maximum memory Burp is allowed to use
Ensuring that IPv4 is allowed
Working with other JVMs
Summary
2. Configuring Browsers to Proxy through Burp
Configuring widely used browsers to proxy through Burp Suite
Microsoft Internet Explorer
Google Chrome
Mozilla Firefox
Fine-grained proxy configuration
Setting up FoxyProxy
Mozilla Plug-n-Hack extension
Exclusive Firefox profile
Summary
3. Setting the Scope and Dealing with Upstream Proxies
Multiple ways to add targets to the scope
Loading a list of targets from a file
Scope and Burp Suite tools
Scope inclusion versus exclusion
Dropping out-of-scope requests
Dealing with upstream proxies and SOCKS proxies
Types of proxies supported by Burp
Working with SOCKS proxies
Using SSH tunneling as a SOCKS proxy
Setting up Burp to be a proxy server for other devices
Summary
4. SSL and Other Advanced Settings
Importing the Burp certificate in Mozilla Firefox
Importing the Burp certificate in Microsoft IE and Google Chrome
Installing the Burp certificate in iOS or Android
SSL pass-through
Invisible Proxy
Summary
5. Using Burp Tools As a Power User – Part 1
Target
Site map compare
Proxy
The Message Analysis tab
Actions on the intercepted requests
Response interception and modification
Using the Proxy history tab
Intruder
Scanner
Scanning optimization and requests
When to scan
Repeater
Summary
6. Using Burp Tools As a Power User – Part 2
Spidering
Sequencer
Analysis of the tokens
Sample analysis
Decoder
Comparer
Alerts
Summary
7. Searching, Extracting, Pattern Matching, and More
Filtering
Illustration
Matching
Grep - Match and Grep - Extract
Summary
8. Using Engagement Tools and Other Utilities
Search
Target Analyzer
Content Discovery
Task Scheduler
CSRF proof of concept Generator
Summary
9. Using Burp Extensions and Writing Your Own
Setting up the Python runtime for Burp Extensions
Setting up the Ruby environment for Burp Extensions
Loading and installing a Burp Extension from the Burp App Store
Using BApp files
Loading and installing a Burp Extension manually
Managing Burp Extensions
Memory issues with Burp Extensions
Writing our own Burp Extensions
A simple Burp Extension in Python
Noteworthy Burp Extensions
Summary
10. Saving Securely, Backing Up, and Other Maintenance Activities
Saving and restoring a state
Automatic backups
Scheduled tasks
Logging all activities
Summary
11. Resources, References, and Links
Primary references
Learning about Burp
Web application security testing with Burp
Miscellaneous security testing tutorials with Burp Suite
Pentesting thick clients
Testing mobile applications for web security using Burp Suite
Extensions references
Books
Summary
Index
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: November 2014
Production reference: 2111214
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78355-011-1
www.packtpub.com
Author
Akash Mahajan
Reviewers
Luca De Fulgentis
Rejah Rehim
David Shaw
Commissioning Editor
Anthony Albuquerque
Acquisition Editor
Harsha Bharwani
Content Development Editor
Neeshma Ramakrishnan
Technical Editor
Mrunal M. Chavan
Copy Editor
Sarang Chari
Project Coordinator
Rashi Khivansara
Proofreaders
Simran Bhogal
Ameesha Green
Lucy Rowland
Indexers
Monica Ajmera Mehta
Tejal Soni
Graphics
Abhinash Sahu
Production Coordinator
Manu Joseph
Cover Work
Manu Joseph
Akash Mahajan is "That Web Application Security Guy." He has more than 10 years of experience in application and network security. Before starting his own company, he was a technical lead for one of the leading American commercial security software companies specializing in endpoint security. He then started working on the security of the web infrastructure for the Government of India.
He is the founder and community manager at null - The Open Security Community, where he has made major contributions in making null a national-level group and null Bangalore the biggest and most vibrant chapter.
He is currently a ch...