Step-by-step guide: rapidly mastering Burp to test your app #
Installation and first steps #
For the first steps, refer to the official documentation on installing and licensing Burp Suite Professional on your system.
Preparing the proxy #
To launch Burp’s embedded browser based on Chromium, select the Proxy > Intercept tab and click the Open browser button. Before proceeding, get familiar with Proxy intercept.
If you want to configure an external browser other than Chromium (e.g., Firefox or Safari), refer to the official documentation.
First run of your target web application in Burp #
Open your web application using the embedded Burp browser. Exercise as many of the functionalities you want to cover as possible, such as logging in, signing up, and visiting the available features and panels.
Add your targets to your scope. Narrowing down specific domains in the Target tab allows you to control what’s tested.
a. Consider stopping Burp from sending out-of-scope items to the history. A pop-up appears with the text “Do you want Burp Proxy to stop sending out-of-scope items to the history or other Burp tools?” Choose one of the following options:
- Click Yes if you are sure you have chosen all possible domains. This will help you avoid sending potentially malicious requests to unforeseen hosts. This way, you can configure Burp Scanner to actively attack targets only from the configured scope.
- Click No if it’s your first run and you are unsure about potential underlying requests to the specific domains. This will help you gain a more thorough overview of what’s going on in your application.
b. For more information on configuring the scope, see Scope.
Once you configure the scope, briefly look at Burp Proxy and what’s happening in the intercepted traffic.
a. When you go through the application with Burp attached, many unwanted requests (e.g., to fonts.googleapis.com) can crop up in the Intercept tab.
b. To stop intercepting an uninteresting host, click the intercepted request in the Intercept tab, right-click, and choose Don’t intercept requests > To this host. Burp will then automatically forward requests to the marked host.
c. Keep in mind that if you selected No when asked in the previous step (“Do you want Burp Proxy to stop sending out-of-scope items to the history or other Burp tools?”), you could see a lot of out-of-scope (“unwanted”) items.
Important hotkey: By default, Ctrl+F forwards the current HTTP request in the Burp Intercept feature.
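When you answered No to the out-of-scope prompt, the proxy history quickly fills with third-party hosts like the fonts.googleapis.com example above. The following script, an added example that is not part of the original guide or of Burp itself, summarizes a saved history export by host and splits it into in-scope and out-of-scope hosts so you can decide what to add to the scope and what to mark as Don’t intercept. It assumes the XML layout of Burp’s “Save items” export (one item element with a host child per request); the sample history and the example.com scope are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Iterable

# Constructed sample in the layout of a Burp "Save items" XML export (assumption:
# one <item> per request with a <host> child); not a real capture.
SAMPLE_HISTORY = """<?xml version="1.0"?>
<items>
  <item><host ip="203.0.113.10">app.example.com</host><method>GET</method><path>/login</path></item>
  <item><host ip="203.0.113.10">app.example.com</host><method>POST</method><path>/login</path></item>
  <item><host ip="203.0.113.11">api.example.com</host><method>GET</method><path>/v1/me</path></item>
  <item><host ip="198.51.100.5">fonts.googleapis.com</host><method>GET</method><path>/css</path></item>
  <item><host ip="198.51.100.6">cdn.analytics-vendor.example</host><method>GET</method><path>/t.js</path></item>
</items>
"""

def host_in_scope(host: str, scope: Iterable[str]) -> bool:
    """A host is in scope if it equals a scope entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for entry in scope:
        entry = entry.lower().lstrip("*.")  # accept "*.example.com" as well as "example.com"
        if host == entry or host.endswith("." + entry):
            return True
    return False

def summarize_hosts(xml_text: str, scope: Iterable[str]) -> dict:
    """Count requests per host in a history export and split them by scope."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for item in root.iter("item"):
        host_el = item.find("host")
        if host_el is None or not host_el.text:
            continue  # skip a malformed item instead of failing the whole report
        counts[host_el.text.strip().lower()] += 1
    in_scope = {h: n for h, n in counts.items() if host_in_scope(h, scope)}
    out_of_scope = {h: n for h, n in counts.items() if h not in in_scope}
    return {"in_scope": in_scope, "out_of_scope": out_of_scope}

if __name__ == "__main__":
    report = summarize_hosts(SAMPLE_HISTORY, ["example.com"])
    for label in ("in_scope", "out_of_scope"):
        print(label)
        for host, n in sorted(report[label].items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {host}")
```

Hosts that show up under out_of_scope with many requests are candidates for either adding to the scope (if the application really depends on them) or for the Don’t intercept rule.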
Enabling extensions #
Extensions can be added to Burp to enhance its capabilities in finding bugs and automating various tasks. For in-depth information on installing the Burp extensions that we will cover in this section, refer to Installing extensions.
Some extensions fall under the category of “turn on and forget.” They are mostly designed to automatically run on each Burp Scanner task without user interaction, with results appearing in the Issue activity pane of the Dashboard tab. We generally recommend the following extensions, which should apply to most web applications:
- Active Scan++ enhances the default active and passive scanning capabilities of Burp Suite. It adds checks for vulnerabilities that the default Burp Scanner might miss.
- Backslash Powered Scanner extends the active scanning capability by trying to identify known and unknown classes of server-side injection vulnerabilities.
- Software Vulnerability Scanner integrates with Burp Suite to automatically identify known software vulnerabilities in web applications.
- Freddy, Deserialization Bug Finder helps detect and exploit serialization issues in libraries and APIs (e.g., .NET and Java).
- J2EEScan improves the test coverage during web application penetration tests on J2EE applications.
- 403 Bypasser attempts to bypass HTTP 403 Forbidden responses by changing request methods and altering headers.
Some of the above extensions need Jython or JRuby configured in Burp.
Because of the performance impact of enabling too many extensions, you should enable only extensions that you are actively using. We encourage you to periodically review your enabled extensions and unload any that you don’t currently use.