# Dev Training

### Burp Suite

## What is it?

### Burp

* HTTP proxy to inspect traffic
* Vulnerability scanner
* Helpful tools for security assessments
* Plugin system with many available plugins for specific tasks
* Much much more

Notes: Put simply, an extensible HTTP proxy with some fancy features. Swiss army knife for web app assessments. The paid version has some automated vulnerability scanning tools. Comes with a large selection of plugins extending basic functionality; you can even develop your own! (If you don't mind Java too much.) Primarily used to record, inspect and modify HTTP traffic when interacting with a web app.

### Why?

* Important for developers to know what goes over the wire
* Use the same tools as security auditors
* Scan for vulnerabilities

Notes: Also a great tool for developers! Helps us understand what our application is actually doing behind layers of abstraction. Allows interactions that are impossible via a regular browser. Identifies risks, bad practices and vulnerabilities as you explore.

### Installation

* Download from [PortSwigger](https://portswigger.net/burp/communitydownload) and install
* You can also request a free [Pro trial](https://portswigger.net/burp/pro/trial) to enable more features
* Run the Burp browser

Notes: Simply follow the instructions relevant to your operating system at portswigger.net/burp/communitydownload for the free version. Feel free to request a pro trial for more cool features. I recommend first becoming familiar with the community version. Burp Suite comes packaged with a Chromium browser preconfigured to proxy through Burp Suite and preloaded with the Burp extension, which helps identify some niche DOM-based vulnerabilities.
### Use Burp with another browser

* Set up the browser to use a proxy
  * You can use [FoxyProxy](https://getfoxyproxy.org/) to easily turn proxies on and off
* Configure the browser to proxy through Burp (default `localhost:8080`)
* Install Burp's certificate using these [instructions](https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate)

Notes: If you don't like Chromium, you can configure any modern browser to proxy its traffic through Burp Suite. Some browsers have extensions available which help you manage proxy settings on the fly. By default, the proxy address is localhost, port 8080. You can find instructions for installing the Burp root certificate on portswigger.net.

### Alternative

* [ZAP](https://www.zaproxy.org/)
* Free and open source

Notes: A free and open-source alternative to Burp Suite is ZAP. We will base examples and instructions on Burp in these sessions, since that is the tool we are familiar with.

## HTTP

### Request overview

```text
[VERB] [URL] [PROTOCOL]
[HEADER_1_NAME]: [HEADER_1_VALUE]
...
[HEADER_N_NAME]: [HEADER_N_VALUE]

[BODY]
```

Notes: Let's take a look at HTTP, which is usually what we are ultimately working with. HTTP is a simple request-response protocol. There are complications to this, but they are out of scope for now. This is the anatomy of an HTTP request. It consists of a VERB, denoting the HTTP method, followed by the URL of the target endpoint and the HTTP protocol version. This is followed by a list of headers, including the target host, cookies, user agent etc. Finally, we have the body, containing the request data, if any. This will be a quick overview, assuming that you are somewhat familiar with these concepts, but do not be shy to ask if you have questions. We are not expecting everyone to know everything about this. If you have questions, someone else is probably wondering the same thing.
### GET request

```http
GET /index.html HTTP/1.1
Host: www.example.com
```

Notes: Here is a simple GET request for the index page of the website example.com. Not much to see here.

### POST request

```http
POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=admin&password=hunter2
```

Notes: Here we have a POST request to the login page of example.com. POST is the default method for sending new data to a web application. In this case, we include a username and a password in the format denoted by the Content-Type header.

### PUT request

```http
PUT /user HTTP/1.1
Host: www.example.com
Content-Type: application/json
Content-Length: 60

{"email": "me@example.com", "phone": "01189998819991197253"}
```

Notes: PUT requests are pretty much identical to POST requests, but are primarily used to send updates for existing data entities in the application. This example shows an update to contact information in JSON format.

### Other HTTP verbs

* Common
  * `HEAD`
  * `DELETE`
  * `OPTIONS`
* Less common
  * `CONNECT`
  * `TRACE`
  * `PATCH`

Notes: Other methods include HEAD, DELETE, OPTIONS, CONNECT, TRACE and PATCH.

### HTTP response

```text
[PROTOCOL] [STATUS CODE] [STATUS]
[HEADER_1_NAME]: [HEADER_1_VALUE]
...
[HEADER_N_NAME]: [HEADER_N_VALUE]

[BODY]
```

Notes: The server will respond to all of the above in this format. It will specify the protocol version, followed by a well-documented status code and status description. This is followed by response headers, including content metadata and connection instructions for the client browser.

### Response

```http
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 999
Connection: close

...
```

Notes: Here is an example of a successful response, containing an HTML webpage to be rendered by the browser.
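The request anatomy above is exactly what Burp shows you in the Proxy and Repeater views. As an added example (not part of the slides), here is a small Python parser for that shape, plus the check Burp performs for you when you edit a body in Repeater: does the declared Content-Length still match the body? The sample request is the slides' POST /login request, re-typed as a constructed byte string.

```python
"""Parse a raw HTTP/1.1 request ([VERB] [URL] [PROTOCOL], headers, blank line,
body) and verify or repair its Content-Length. Added example, not slide code.
Assumes CRLF line endings, as Burp displays them."""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    verb: str
    url: str
    protocol: str
    headers: dict = field(default_factory=dict)  # names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # no blank line at all: headers only, no body
        head, body = raw, b""
    lines = head.split(b"\r\n")
    verb, url, protocol = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:  # header names are case-insensitive, so normalise them
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(verb, url, protocol, headers, body)


def content_length_matches(req: HttpRequest) -> bool:
    """True when the declared Content-Length equals the real body size.
    Servers treat the header as authoritative, so a stale value after a
    manual edit means the request is truncated or hangs waiting for bytes."""
    declared = req.headers.get("content-length")
    if declared is None:
        return len(req.body) == 0
    return int(declared) == len(req.body)


def serialize(req: HttpRequest) -> bytes:
    """Rebuild the raw request, recomputing Content-Length from the body."""
    headers = dict(req.headers)
    if req.body or "content-length" in headers:
        headers["content-length"] = str(len(req.body))
    head = f"{req.verb} {req.url} {req.protocol}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + req.body


# Constructed sample: the slides' POST /login request.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 31\r\n\r\nusername=admin&password=hunter2")
```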
### Response

```http
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Content-Length: 58
Connection: close

{"success": true, "message": "Thing successfully created"}
```

Notes: This response indicates that an entity has been successfully created and contains a message to be displayed to the user.

## Demo

### The proxy

* Logs all requests and responses that go through
* Allows for searching and filtering [pro]
* Can be exposed externally
  * Can be useful for testing mobile apps
* Can also proxy your own code, such as Python scripts
  * Very useful for debugging

Notes: Let's have a look at Burp Suite's main tools. The proxy is our main view for inspecting traffic, or modifying it in real-time. It logs all requests and responses as you browse, allowing you to peek behind the scenes and view the inner workings of the application. It also allows you to intercept and modify outgoing requests in order to do things your browser will not do. The proxy endpoint can be exposed externally, as with most proxy servers, which can be useful when testing mobile apps for example. You can also connect to the proxy programmatically in order to log and inspect the traffic generated by your scripts, for example.

### Repeater

* Modify request parameters and resend it
* Useful for testing parameter manipulation
* Useful for interacting with APIs

Notes: The repeater is the scratchpad of Burp, allowing you to customize HTTP requests, send them and examine the responses at will. This is great for manual testing and interacting with APIs, for example.

### Scanner [Pro]

* Passive scanner
  * Traffic inspected while browsing
  * Issues identified and reported
* Active scanner
  * Scans for multiple known issues
  * Rather aggressive, only use with consent!

Notes: The scanner is a pro feature which inspects application behavior passively as you browse and also allows you to perform active scans for multiple known issues.
The active scanner is very noisy and intrusive, so make sure never to use it without explicit consent from the website owner.

### Target

* Limit scope to specific domains
* Overview of found paths
* Overview of discovered issues

Notes: The target tab allows you to limit the scope to a specific list of domains. It also builds a sitemap as you browse and allows you to map scanner findings onto different parts of the target application.

### Burp collaborator [Pro]

* General purpose HTTP/SMTP/DNS server
* Very useful for testing various things
  * Test SSRF
  * Test email sending

Notes: Collaborator is a pro feature which provides you with a unique address you can use to test for issues that require the application to 'phone home'. This includes anything from email delivery to payload delivery or Server-Side Request Forgery.

### Collaborator alternatives

* DNS and HTTP
  * [requestbin.net](https://requestbin.net/)
  * [app.interactsh.com](https://app.interactsh.com/)
* HTTP
  * [beeceptor.com](https://beeceptor.com)
  * [webhook.site](https://webhook.site)
* Email
  * [maildrop.cc](https://maildrop.cc/)
  * [mailinator.com](https://www.mailinator.com/)

Notes: There are multiple free alternatives to the Collaborator. Here are just a few examples.

### Other

* Decoder
* Extender
* Intruder

Notes: Other Burp tools include the Decoder, Extender and Intruder. We will not cover them in this course.

## FYI
You do **not** need to use Burp for solving all the problems, but for many problems it can be very helpful.

Notes: Burp Suite is not strictly necessary for the problems we will be solving here, but like I said before, it is the tool we are most familiar with and will therefore be used for demonstration purposes.

### Learning resources

* [PortSwigger documentation](https://portswigger.net/burp/documentation/desktop/getting-started)
* [PortSwigger self-study resources](https://portswigger.net/training#self-study)
* [Free course from Æther](https://hackademy.aetherlab.net/p/burp-suite)

Notes: I strongly recommend you get somewhat familiar with Burp Suite or a similar toolkit of your choice. Here we have provided some resources for you to learn more.
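The Demo section mentions that you can proxy your own Python scripts through Burp so their traffic appears in the Proxy history. As an added example (not part of the slides or of Burp), here is a standard-library way to do that: route both schemes to Burp's default `localhost:8080` listener and trust Burp's exported CA certificate instead of disabling TLS verification. The CA path is a placeholder you replace with your own export.

```python
"""Send a Python script's HTTP(S) traffic via Burp's proxy. Added example, not
slide code. Assumes Burp listens on localhost:8080 (its default) and that the
Burp CA certificate has been exported to a PEM file (path is a placeholder)."""
import ssl
import urllib.request

BURP_PROXY = "http://127.0.0.1:8080"    # Burp's default proxy listener
BURP_CA_PEM = "/path/to/burp-ca.pem"    # placeholder: your exported Burp CA


def burp_proxies(proxy: str = BURP_PROXY) -> dict:
    """Proxy map for urllib: both plain and TLS traffic go to Burp,
    which terminates TLS with its own CA and re-encrypts upstream."""
    return {"http": proxy, "https": proxy}


def build_opener(proxy: str = BURP_PROXY, ca_pem: str = ""):
    """Opener whose requests all pass through Burp.
    Trusting the Burp CA in addition to the system roots keeps certificate
    verification on, so anything other than Burp's interception still fails."""
    ctx = ssl.create_default_context()
    if ca_pem:
        ctx.load_verify_locations(cafile=ca_pem)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(proxy)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def configured_proxies(opener) -> dict:
    """Return the proxy map an opener will actually use (for sanity checks)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


if __name__ == "__main__":
    # Fetch one page; the request and response show up in Burp's Proxy history.
    opener = build_opener(ca_pem=BURP_CA_PEM)
    with opener.open("https://www.example.com/", timeout=10) as resp:
        print(resp.status, resp.headers.get("Content-Type"))
```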