Questions tagged [burp-suite]

Burp Suite is a popular platform for performing security testing of web applications. It can also be used by a malicious party to analyze and attack web applications. It is implemented in Java.

Burp Suite is a platform for performing security testing of websites, including (list taken from the Burp website):

  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens. It can be used to test an application's session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

More information: Burp Suite on Wikipedia

254 questions
0 votes, 2 answers

Defending from POST requests from BURP?

On my site, I restrict access to forms by assigning a $_SESSION['id'] if they are logged in. If there is no $_SESSION['id'], the form page will redirect to a login page. But I ran Burp Suite on my site, and it had access to these forms when I…
TACO
0 votes, 1 answer

Setting payload for email using Burp Intruder

I am setting up the Burp Intruder attack for email. For example, youremail@gmail.com. Now when I added $ it takes youremail@gmail%2ecom, so I am getting the result that the email is an invalid type. My aim is to achieve youremail@gmail.com but it takes %2e.
0 votes, 2 answers

If I install the Burp certificate on my system and try to access an HSTS-certified site, will the site work, and is it safe?

Can I intercept requests via the Burp Suite CA certificate for HSTS sites, and is it safe or not?
0 votes, 1 answer

Burpsuite - finding XSS vulnerabilities in the Vaadin framework

I made a little website using the Vaadin framework. It contains one TextField component for user input and one Label component which is placed in another view and which displays exactly the value entered in the view before. The Label component…
0 votes, 1 answer

How to configure proxy settings of cellular internet for Burp

I am pen testing an Android app and using tethering to connect my phone to my laptop. I configured the access point settings as proxy = IPv4 address of my laptop and port = the port on which Burp is listening on all interfaces. Burp was intercepting the…
t6chgeek
-1 votes, 1 answer

Credentials in a POST body over HTTPS are visible

Hey, so I am new to pentesting and I learnt that using HTTPS makes the traffic encrypted, so hackers cannot decipher credentials passed in a body, for example in a login page, or read the traffic properly. So I was practicing with both GET and POST…
-1 votes, 1 answer

CAPTCHA with Burpsuite or AppScan

I have a web application which uses a login username, password and CAPTCHA for login. Is there a way to perform a vulnerability assessment using AppScan or Burp Suite to capture the CAPTCHA automatically and crawl and audit the application?
AppSecGuy
-1 votes, 2 answers

Trying to extract SSL client certificate from Android app

I'm trying to find out a specific request from an Android application to its API server. Using Burp Suite, I get a handshake failure alert. Using Fiddler, it asks me to provide a custom certificate. Now I have used apktool to decompile the…
-1 votes, 1 answer

Find Confirmation Code (FindBug.io)

I have solved half of the problem by decoding a base64 code that reveals the next URL (https://app.findbug.io/app/task/FinDBuG-CTF2019), but now I don't know what to find or where; I tried it with Burp Suite. Here is the link for confirmation…
snowr
-2 votes, 0 answers

Intercept Host Traffic via Burp Suite (running in a Guest VMware VM)

Scenario: I have a Windows host machine in which I am running a VMware VM with a Linux distro (guest machine). In this Linux distro I am running Burp Suite. I would like to know how I could intercept the HTTP and HTTPS requests that happen…
-2 votes, 1 answer

Monitor data traffic in chrome:// protocols

With Burp Suite we can capture the traffic of protocols like HTTP and HTTPS. But I now want to monitor the data traffic in URLs like chrome://settings.
Cenk Ten
-2 votes, 2 answers

Does Burp Suite keep my IP safe?

I am starting to learn how to use Burp Suite, but since it is kind of (though I know it does more) an automatic way of plugging information into a website/form, should I still use proxychains/a VPN to keep my IP safe? It seems my IP address would be easy to…
Terry
-4 votes, 1 answer

How to configure proxy CA certificate in browser?

I was trying to download Burp's CA certificate for Firefox on Kali from http://burp as specified in its documentation, but the site is not available. It redirects me to http://www.inert.com/. So is there any alternative way to download the certificate?
-6 votes, 1 answer

How can I successfully pentest a site with two-factor authentication?

I want to use a commercial, automated tool, but it cannot log in successfully because the website requires a two-factor authentication process using SMS. For testing, the SMS message is sent to another website, though in normal situations the SMS is…
dgn