Questions tagged [burp-suite]

Burp Suite is a popular platform for performing security testing of web applications. It can also be used by a malicious party to analyze and attack web applications. Implemented in Java.

Burp Suite is a platform for performing security testing of websites, including (list taken from the Burp website):

  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens. It can be used to test an application's session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

More information - Burp Suite on Wikipedia

254 questions
27 votes · 3 answers

Passwords in plaintext?

I'm doing some research on the App of my telephone operator. I started Burp Suite on my Mac in proxy mode, then I opened up the App on my iPhone and started to sniff some traffic. I pressed the "login" button and this happened: My username and my…
marcomanzoni
20 votes · 5 answers

Where can I find a solid BURP tutorial?

I'm looking for a good resource for learning/configuring BURP. I understand the concepts behind using the framework, and have read the docs on the site, but if anyone has a solid tutorial link I would love to see it. I would've made this a wiki…
mrnap
18 votes · 7 answers

How to configure Burp Suite for a localhost application

I am trying to analyze the HTTP traffic of our application. The application uses port 8080. So I had configured the Burp proxy for 6666 and the upstream proxy to our organisation's proxy. Made changes to the browser's proxy for 127.0.0.1:6666. The application URL can be…
Dheeraj Joshi
17 votes · 7 answers

Affordable web application attack tools

I've been using Burp Intruder (part of Burp Suite), but in the free edition of Burp Suite the Intruder functionality is time-throttled. As a student pen tester however, I can't justify the cost of $300 a year for the Burp Suite Professional Edition.…
Peleus
14 votes · 2 answers

What are the differences between Burp and OWASP ZAP?

I am new to security testing and I'm confused about two web proxy tools, namely Burp and OWASP ZAP. Both seem to fulfill the same task, so what exactly are the differences between them?
Nitin Rastogi
11 votes · 1 answer

In what situations can element.setAttribute allow XSS?

Burp has identified a potential DOM XSS vulnerability: The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.href and passed to the 'setAttribute()' function of a DOM element. In this example, the…
paj28
11 votes · 1 answer

Burp Suite accidental defacement, should I be concerned?

I was spidering a website with Burp Suite and the automated Form Submission caused me to unknowingly deface the main page with "555-555-0199@example.com". It took me a decent amount of time to notice but when I did I immediately worked to resolve the…
QUEX0R
9 votes · 3 answers

How could the string \";alert('XSS');// be used for XSS?

I was using Burp Suite for some testing and I noticed that they included the following string: \";alert('XSS');// as an attack string for an XSS payload. How could this string be used to execute an XSS attack?
Abe Miessler
8 votes · 2 answers

Intercepting Android app traffic with Burp

I am trying to understand what Burp and Android apps do when the traffic is HTTPS. I did not install the Burp CA on the phone. Some apps completely refuse to work. They display an error message or think the phone is not online. Is this because…
b4da
6 votes · 1 answer

How exactly does Burp Sequencer calculate the values it derives?

I'm testing a Web application based on SAP for a customer. One of the checks we normally do is to analyse the cookie holding the session token to make sure that it is sufficiently random and you can't predict the next valid token. We do this using…
Marion McCune
6 votes · 4 answers

Burp Suite: just pass through Firefox's detect portal

When I enable Burp Suite's Proxy I continuously get HTTP GET requests for Firefox's detectportal as seen in the following image: How can I configure it to somehow just pass through these requests silently and just load the target URL? I tried these…
Dimitrios Desyllas
6 votes · 1 answer

Can a .DER be converted to a .PFX / .P12?

Burp-Suite's http://burp/cert:8080 web-interface for downloading the CA Certificate only provides a .der encoded certificate, but for a particular use-case scenario I require a PKCS#12 .pfx/.p12. I can find a lot of information regarding the…
voices
5 votes · 1 answer

Burp Suite Active Scanning Wizard options

I have been making use of Burp Suite's active scanning functionality for some of my recent web application assessments and I had some questions about the active scanner's ability to remove URLs from the scan queue that have particular characteristics…
5 votes · 2 answers

How to configure Burp Suite in browsers while my internet connection works behind a proxy?

I was not able to configure Burp Suite with browsers. If I use manual connection settings in browsers, I could not load any site, because my company uses a proxy. The following methods I have tried, but they fail: I have set the manual proxy as "127.0.0.1:8080"…
Arun
5 votes · 1 answer

Disable or bypass SSL Pinning/Certificate Pinning on Android 6.0.1

Previously I have been able to bypass SSL Pinning by using the program JustTrustMe with the Xposed framework for nearly every app. https://github.com/Fuzion24/JustTrustMe However it has started to fail on more and more apps recently. The more I…
Ogglas