Working manually on specific HTTP requests
When you understand how your target application works—for instance, when you can identify crucial requests from a security standpoint—you can choose appropriate requests from the Proxy tab and try to exploit them manually.
For example, requests that reflect user-provided values in the response and API calls that handle authentication are worth investigating in this way. The following Burp tools support that manual work with semi-automated methods.
- Burp Repeater: allows you to manually manipulate and modify HTTP requests and analyze their responses.
- Burp Intruder: a tool for automating customized attacks against web applications; it serves as an HTTP request fuzzer.
- Burp Collaborator: a Burp Suite Professional ecosystem tool that helps uncover hidden security vulnerabilities in your web applications. By allowing your testing to span more than just the immediate interaction with a target, Burp Collaborator opens the door to identifying out-of-band (OOB) vulnerabilities.
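The first kind of request the text singles out, one that reflects user-provided values in its response, is easy to miss when scanning proxy history by eye. The following script is an added example, not code from the original page or from Burp Suite: it parses a raw request and its raw response as a proxy would store them, and reports which parameter values reappear in the response body and whether they came back HTML-escaped, so that the request can be prioritised for manual work in Repeater. The request and response shown are constructed sample data, and the host name `shop.example` is a placeholder.

```python
"""Reflection triage for proxy-history entries (added example, not from the page).

Given a raw HTTP request and the raw response captured for it, list the
request parameters whose values are reflected in the response body and
whether the reflection is verbatim ("raw") or HTML-escaped.
"""
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: a search request whose "q" value comes back
# HTML-escaped and whose "sort" value comes back verbatim in a link.
SAMPLE_REQUEST = (
    "GET /search?q=%3Cprobe%3E&sort=newest&page=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Results for &lt;probe&gt;</h1>"
    '<a href="/search?sort=newest">newest</a></body></html>'
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and parameters.

    Query-string parameters are always collected; form-encoded body
    parameters are added when the Content-Type says the body is a form.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if body and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        params.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": parts.path, "headers": headers, "params": params}


def response_body(raw: str) -> str:
    """Return the body of a raw HTTP response (everything after the headers)."""
    _head, _, body = raw.partition("\r\n\r\n")
    return body


def find_reflections(raw_request: str, raw_response: str, min_len: int = 4) -> list:
    """Return (parameter, value, context) for every reflected parameter value.

    Very short values are skipped because they match by coincidence
    (a "page=1" value will appear in almost any HTML page).
    """
    req = parse_request(raw_request)
    body = response_body(raw_response)
    found = []
    for name, value in req["params"].items():
        if len(value) < min_len:
            continue
        escaped = html.escape(value, quote=True)
        if value in body:
            found.append((name, value, "raw"))
        elif escaped != value and escaped in body:
            found.append((name, value, "html-escaped"))
    return found


if __name__ == "__main__":
    for name, value, context in find_reflections(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(f"parameter {name!r} reflected {context}: {value!r}")
```

A "raw" hit means the value landed in the response unchanged, which is the case worth opening in Repeater first; an "html-escaped" hit tells you the application encoded the value for an HTML context, so any further manual testing should concentrate on other output contexts rather than the HTML body.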