Web Application Penetration Testing tutorial for Burpsuite by Partho Mandal.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

The Burp tools you will use for particular tasks are as follows:

  • Scanner – This is used to automatically scan websites for content and security vulnerabilities.
  • Intruder – This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
  • Repeater – This is used to manually modify and reissue individual HTTP requests over and over.
  • Collaborator client – This is used to generate Burp Collaborator payloads and monitor for resulting out-of-band interactions.
  • Clickbandit – This is used to generate clickjacking exploits against vulnerable applications.
  • Sequencer – This is used to analyze the quality of randomness in an application’s session tokens.
  • Decoder – This lets you transform bits of application data using common encoding and decoding schemes.
  • Comparer – This is used to perform a visual comparison of bits of application data to find interesting differences.

Burp Suite steps to use:

  1. Go to Proxy → Options and note down the listener IP and port. In the browser (on the genuine page), open Settings → Advanced → Network → Settings → Manual proxy configuration, set HTTP Proxy to that IP and Port to 8080, tick “Use this proxy for all protocols”, clear everything in the “No Proxy for” field, click OK and return to Burp Suite.
  2. Go to Proxy → Intercept and click “Intercept is off” to turn it on (the button should now read “Intercept is on”).
  3. In the browser, enter a username and password and click Login. Burp Suite comes to the foreground showing the captured request; select that request, right-click → Send to Intruder, then switch Intercept off.
  4. Go to Intruder → Positions → Clear, select the username value and click Add, then select the password value and click Add. To test several inputs at once, choose the Cluster bomb attack type.
  5. Go to Payloads → payload set 1 and add the username inputs, then payload set 2 and add the password inputs. Go to Options → Grep – Match, add the error text “Username and/or password incorrect”, then click Start attack.
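
The Intruder run described in steps 3 to 5 leaves a recognisable trace on the server side: a burst of POST requests to the login endpoint from one client, each answered with the same error page. As an added defender's example (not part of this tutorial), the script below parses constructed Common Log Format lines and flags any client that exceeds a threshold of login POSTs inside a sliding time window; the /login path, client addresses, timestamps and response sizes are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log lines (Common Log Format); the /login path, client
# addresses, timestamps and sizes are assumptions for this example. Several 200
# responses of identical size followed by a 302 is the shape a cluster bomb run
# leaves when one username/password pair finally succeeds. Lines are assumed to be
# in chronological order, as a web server writes them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 2104
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 1543
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 1543
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 200 1543
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 200 1543
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 200 1543
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}

def detect_login_bursts(log_text, login_path="/login", threshold=5, window_seconds=60):
    """Return {client_ip: peak_count} for clients that sent at least `threshold`
    POSTs to `login_path` inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # evict attempts older than the window
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts
```

`detect_login_bursts(SAMPLE_LOG)` reports the single client that sent five login POSTs in two seconds; in production the threshold should be tuned to the application's normal login rate and the same signal can drive rate limiting or account lockout.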
