DEV Community

ryo ariyama


Introduction to Burp Suite: Basic Usage of Web Application Vulnerability Assessment Tool

Introduction

[Reading time: approximately 10 minutes]
This article explains the basic usage of "Burp Suite," a web application vulnerability assessment tool. It covers everything from installation to basic operations, simple attack methods, and the use of extensions, explained step by step with actual screenshots. It is recommended reading for anyone interested in web security, especially beginners.

What is Burp Suite?

Burp Suite is a tool for security testing of web applications.
It works by modifying request parameters to input values that might exploit application vulnerabilities, and then checking the responses to determine if vulnerabilities exist.
In this article, I'll be using the free version, Community Edition, Version 2024.9.5.

Basic Operations

  1. First, download the Community Edition from the link below.
    https://portswigger.net/burp/communitydownload

  2. When launched, the following screen appears. There's nothing in particular to set up, so press Next -> Start Burp to proceed.
    [Screenshots: first and second setup screens]

  3. Open the Proxy tab and click the Intercept button to turn it on. This lets you intercept requests, in other words hold each request before it is sent so you can modify its parameters.
    [Screenshot: main page]

  4. Click Open browser to launch a web browser. Let's try searching on Google.
    [Screenshot: Google search]

  5. The request is intercepted, but you can proceed by pressing Forward.
    [Screenshot: Forward]

  6. Another request is intercepted; if you want to send custom input values, edit the request in the Pretty view before forwarding it.
    [Screenshot: Response body]

Simple attack

Now, let's try changing parameter values to perform an attack. Please note that you should never attack real web applications! Always use your own development environment or test pages where no one will be affected.
Burp Suite provides the following test page for practice, so I'll demonstrate using this page.
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

  1. Press the LOGIN button in the top right to go to the login page. Enter some arbitrary values and press Login.
    [Screenshots: top page and login page]

  2. Click on the POST request to see its body; there you can enter arbitrary values for EmailAddress and Password and send the request.
    [Screenshot: Email]

  3. While this method works, you can also modify requests with the Intruder feature. Right-click on the POST request and select Send to Intruder.

  4. The request body is shown. Surround the parts you want to vary with § markers (these are the payload positions) and enter the values to try under Payload configuration. Then press Start attack, and a request is sent for each entered value.

  5. Once the attack is performed, the payloads used and the responses are displayed.

So far, I've introduced the basic usage of Burp Suite. Next, I'll introduce attack methods that combine other tools.

Import attack parameter values

Even if you understand how to attack, it might be hard to imagine what parameters to use. Additionally, preparing parameters one by one is frankly time-consuming. If you search on GitHub, you'll find several repositories that compile typical input patterns for each vulnerability, which might be helpful to reference.
You can import these files to perform attacks, and I'll explain how below.
I used the following repository as an example:
https://github.com/fuzzdb-project/fuzzdb/tree/master

  1. First, clone the repository to your local environment.
  2. Go to the Intruder tab and select Runtime file as the Payload type. Then, under Select file, choose a file from the ./attack directory of the cloned fuzzdb repository and click Start attack.
  3. This lets you attack using the input values in the file, one payload per line.
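
As an added example (not code from this post or from Burp Suite), the Python below shows what Intruder does with the § payload positions from step 4 of the simple attack in Sniper mode, and how a Runtime file wordlist such as the fuzzdb lists is read one payload per line. The request template, host and field names are constructed placeholders, and nothing is sent anywhere.

```python
# Added example, not code from the original post or from Burp Suite. It shows what
# Intruder does with § payload positions in Sniper mode and how a Runtime file
# wordlist is read, one payload per line. Nothing is sent anywhere.
from pathlib import Path

MARKER = "\u00a7"  # the § character that delimits a payload position

# Constructed request modelled on the lab's login POST; host and field names
# are placeholders, not the lab's real values.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"email={MARKER}user@example.com{MARKER}&password={MARKER}secret{MARKER}"
)

def parse_runtime_list(text):
    """One payload per line; blank lines skipped, line endings stripped."""
    return [line.rstrip("\r\n") for line in text.splitlines() if line.strip()]

def load_runtime_file(path):
    """Read a wordlist file the way the Runtime file payload type does."""
    return parse_runtime_list(Path(path).read_text(encoding="utf-8", errors="replace"))

def positions(template):
    """Original values of the marked positions, left to right."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts[1::2]

def with_content_length(raw):
    """Set Content-Length to the body size, as Intruder's update-Content-Length setting does."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = [h for h in head.split("\r\n") if not h.lower().startswith("content-length:")]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + sep + body

def sniper(template, payloads):
    """Sniper mode: each position in turn receives every payload while the other
    positions keep their original value. Returns (position index, payload,
    concrete request) tuples in the order Intruder sends them."""
    parts = template.split(MARKER)
    results = []
    for pos in range(len(positions(template))):
        for payload in payloads:
            built = list(parts)
            built[2 * pos + 1] = payload
            results.append((pos, payload, with_content_length("".join(built))))
    return results
```

With two positions and a wordlist of N lines, `sniper` produces 2N requests, which is the request count Intruder shows before an attack starts.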

OpenAPI extension

Next, I'll introduce a method to create parameters based on OpenAPI specifications. Burp Suite has various extensions, and this time we'll use one called OpenAPI Parser.

  1. First, install OpenAPI Parser from the BApp Store.

  2. Select the OpenAPI specification from the Browser button in the top right and click Load. This will display requests for each API path. You can select a path to transition to the Intruder screen and launch attacks.
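
Added example, not the OpenAPI Parser extension's own code: a Python script that does the core of what the extension does, turning each path and method in an OpenAPI 3 document into a raw request with § markers around every parameter value, ready to paste into Intruder. The specification is constructed for illustration, and the script assumes only path/query parameters and flat JSON object bodies.

```python
# Added example, not the OpenAPI Parser extension's code: turns an OpenAPI 3
# document into one raw request per path and method, each parameter value wrapped
# in § so it can be used as an Intruder template. The spec below is constructed.
import json
from urllib.parse import urlsplit

MARKER = "\u00a7"  # Intruder's payload position delimiter

SPEC = {"openapi": "3.0.0", "servers": [{"url": "https://api.example/v1"}], "paths": {
    "/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer", "example": 7}},
        {"name": "fields", "in": "query", "schema": {"type": "string"}}]}},
    "/login": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {
            "email": {"type": "string", "example": "u@example.com"},
            "password": {"type": "string"}}}}}}}}}}

def sample_value(schema):
    """The schema's example if it has one, otherwise a placeholder by type."""
    if "example" in schema:
        return schema["example"]
    return {"integer": 0, "number": 0.0, "boolean": True}.get(schema.get("type"), "string")

def marked_json_body(schema):
    # Flat JSON object whose every value is a payload position.
    items = [f'"{k}": {MARKER}{json.dumps(sample_value(s))}{MARKER}'
             for k, s in schema.get("properties", {}).items()]
    return "{" + ", ".join(items) + "}"

def build_requests(spec):
    base = urlsplit(spec["servers"][0]["url"])
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            target, query = base.path + path, []
            for p in op.get("parameters", []):
                value = MARKER + str(sample_value(p.get("schema", {}))) + MARKER
                if p["in"] == "path":
                    target = target.replace("{" + p["name"] + "}", value)
                elif p["in"] == "query":
                    query.append(f"{p['name']}={value}")
            target += "?" + "&".join(query) if query else ""
            lines = [f"{method.upper()} {target} HTTP/1.1", f"Host: {base.netloc}"]
            body = ""
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body = marked_json_body(content["application/json"].get("schema", {}))
                lines += ["Content-Type: application/json",  # length of the body as sent, markers removed
                          f"Content-Length: {len(body.replace(MARKER, '').encode())}"]
            out.append("\r\n".join(lines) + "\r\n\r\n" + body)
    return out
```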

Impressions after use

That's how to use Burp Suite. I think the free version of the tool should be sufficient for simple diagnostics. However, one issue I felt while using it is that it would be nice to have a feature that automatically determines whether an API is vulnerable for each attack. Especially when preparing a large number of attack patterns, it's challenging to go through all the responses, so an automatic detection feature would be very helpful.
It seems possible with Pro version extensions, but apparently not with the free version. Similar tools to Burp Suite include OWASP ZAP, but I haven't tried it, so if anyone knows if this is possible with other tools, I'd appreciate your input.
