View profile

What's happening in the Burp-verse - Issue #2 📰

What's happening in the Burp-verse - Issue #2 📰
By Burp Suite Guide • Issue #2 • View online
“Do you recommend any book to get started with Burp Suite?” is a question I hear from time to time.
After reading a few books on Burp Suite, I have settled on one book to recommend.
Hands-On Application Penetration Testing with Burp Suite is the book I recommend to anyone who likes to get started with Burp Suite. It’s a beginner-friendly book that teaches you web app pentesting mindset with the help of Burp Suite. Even if you have been using Burp Suite for some time now, you will find something new with the book.
To read my complete review of the book, check out my blog.

Updates in Burp Suite
Burp Suite Professional / Community 2021.3 was released on 8th March. This is an early adopter release. It contains some bug fixes and no new features.
Professional / Community 2021.3 | Releases
Professional / Community 2021.3 | Releases
This release provides several bug fixes. Most notably: Copy and cut hotkeys now work in inspector tables, and the copied data is formatted appropriately for the types of items in the table. Burp Suite
portswigger.net  •  Share
Blog Posts
PortSwigger has released two blog posts covering Burp crawler - while one covers the crawling process in general, the other covers how crawler works on APIs.
The first blog post describes how Burp’s crawler is better than Burp Spider (in older versions). The blog uses the metaphor of a person searching the maze to describe the Burp crawler’s functionality, discusses how volatile content and reusable templates are dealt with while crawling, and much more.
Web application cartography: mapping out Burp Suite’s crawler | Blog - PortSwigger
Web application cartography: mapping out Burp Suite’s crawler | Blog - PortSwigger
At the core of Burp Suite is Burp Scanner - a powerful tool designed to reduce the number of manual steps users have to take to discover vulnerabilities in their targets. Burp Scanner was first release
portswigger.net  •  Share
Burp Suite’s crawler now parses OpenAPI documents when found. It then scans the APIs mentioned in the OpenAPI document to find vulnerabilities.
The blog post discusses how testing APIs are different from testing HTML forms (from Burp Scanner’s point of view) and ends with a few examples of how Burp Scanner will work for sample APIs from the OpenAPI document.
API Scanning with Burp Suite | Blog - PortSwigger
API Scanning with Burp Suite | Blog - PortSwigger
How Burp Suite’s Scanner overcomes the problems of crawling APIs
portswigger.net  •  Share
New Extensions to Burp
Customizer by Corey Arthur
Finally, Customizer is on the BApp store. Customizer is an extension that helps change themes of Burp Suite. This extension was developed “because just a dark theme wasn’t enough!”.
The extension works quite well with the Sharpener extension. Please note that there’s a bug with the Apply button.
Customizer's "Arc Dark Contrast (Material)" theme with Sharpener
Customizer's "Arc Dark Contrast (Material)" theme with Sharpener
ViewState Editor by Mike Smith (PortSwigger Web Security)
ViewState tab was useful while testing ASP.NET web apps but was removed from Burp.
This was because (quoting PortSwigger Agent),
the tab has been removed as it’s not used as much as our other views [like Params and Headers].
After a lot of feedback from the community, the functionality is now available as an extension. Using this extension allows seeing the decoded ViewState for requests in Proxy History / intercepted Proxy requests.
Don’t forget to use this extension while testing ASP.NET web apps 😉
ViewState Editor for requests in Proxy history
ViewState Editor for requests in Proxy history
ViewState Editor when Proxy interception turned on
ViewState Editor when Proxy interception turned on
Autowasp by Thomas Lim (GovTech)
This extension guides new penetration testers to understand the best practices of web application security and automate OWASP WSTG checks. This feature is similar to Bugcrowd’s HUNT extension but for OWASP WSTG.
Autowasp extension also has a logger tab (works only in Burp Pro) that allows pentesters to extract and consolidate Burp Scanner issues. Check out the author’s blog post on the extension and how to use it.
Testing Checklist - https://github.com/GovTech-CSG/Autowasp
Testing Checklist - https://github.com/GovTech-CSG/Autowasp
Tips & Tricks
How to “active scan” all requests passing through Burp?
Nicolas GrĂ©goire on Twitter: "Yes, that’s doable from the dashboard with a live task of type « Live audit » and scope « Proxy »  "
Nicolas GrĂ©goire on Twitter: "Yes, that’s doable from the dashboard with a live task of type « Live audit » and scope « Proxy »  "
“@pry0cc Yes, that’s doable from the dashboard with a live task of type « Live audit » and scope « Proxy »”
twitter.com  •  Share
If you want to actively scan all requests originating from your browser / automated tools, then Burp has got your back. Scanning all requests is easier than you think with the help of Burp’s Live task.
In Burp Suite Professional, click on the “New live task” button in Dashboard.
New live task
New live task
Then select task type as “Live audit” and the tools scope as “Proxy”. When it comes to URL scope, select “Suite scope” if you already have configured scope for target domains. If you haven’t, then click “Custom scope” to configure.
Don’t click on “Everything” unless you know what you are doing. 😜
Configuring live task
Configuring live task
Once the live task starts, Burp scans all the requests passing through its proxy as per the URL scope defined.
Live tasks
Live tasks
Logger++ view of all requests initiated from Burp Scanner
Logger++ view of all requests initiated from Burp Scanner
Did you enjoy this issue?
Burp Suite Guide

Your guide to all things Burp Suite !

Tweet     Share
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue