Burp Suite Setup Guide (For Web & Mobile Testing)
Burp Suite is a powerful tool used by security professionals to test web applications for vulnerabilities. Here are the general steps to conduct a security audit using Burp Suite:
- Set up the target: Configure Burp Suite as the proxy between your browser and the target application so that Burp can capture and analyze every request and response exchanged between client and server. Add the target's hosts to Target → Scope so that out-of-scope traffic is not scanned or attacked by mistake.
- Explore the target application: Navigate through the application as a normal user would and note the areas that may be exposed to attack. Record the parameters passed in the requests, such as cookies, headers, URL parameters, and form fields; Target → Site map builds this inventory as you browse.
- Configure the scanner: Burp Scanner (Professional edition only; the Community edition has no automated scanner) can identify common vulnerabilities such as SQL injection and cross-site scripting. Point it at the in-scope hosts and parameters, and configure session handling or a recorded login where the application requires authentication.
- Analyze the results: When the scan completes, review the findings and prioritize them by severity and by how reachable they are for an attacker. Burp reports each issue together with the request and response that triggered it, a description, and suggested remediation; treat scanner output as candidates to confirm, not as proven findings.
- Manual testing: Verify the scanner's findings by hand and look for issues automated tools miss, such as authorization flaws and business-logic bugs. This usually means crafting custom requests in Repeater or running payload lists in Intruder.
- Exploit and remediate: Demonstrate the impact of confirmed vulnerabilities only within the agreed scope and rules of engagement. Then work with the development team to fix the issues and retest the application to verify the fixes.
Burp Suite is a popular tool used by QA engineers, security testers, and penetration testers to intercept, inspect, and modify HTTP/HTTPS traffic between a client (browser, mobile app, or API client) and a server.
You can download it from the Burp Suite official website:
https://portswigger.net/burp
1. Install Burp Suite
Windows
- Download Burp Suite Community Edition (the free edition; Professional adds the scanner, saved project files, and an unthrottled Intruder).
- Run the installer.
- Launch Burp Suite.
- In the startup wizard select Temporary project (the only project type in the Community edition; everything is kept in memory and lost when Burp closes) → Next → Use Burp defaults → Start Burp.
2. Configure Browser with Burp
Method 1: Use Burp's Browser (Recommended)
- Open Burp Suite.
- Go to Proxy → Intercept.
- Click Open browser.
- Browse websites normally.
- Requests appear in Proxy → HTTP history (and pause in Intercept while interception is on).
No proxy configuration is required: Burp's embedded Chromium browser is preconfigured to use the proxy listener and already trusts Burp's CA certificate, so HTTPS sites load without the certificate steps in section 3.
Method 2: Configure Chrome/Firefox Manually
Burp Proxy Default Settings (check them under Proxy → Proxy settings, called Proxy → Options in older versions; the listener should show 127.0.0.1:8080 with Running ticked, and you can change the port if 8080 is already taken on your machine):
IP: 127.0.0.1
Port: 8080
Chrome
Chrome uses the operating system's proxy settings, so configure the proxy there (Windows: Settings → Network & Internet → Proxy → Manual proxy setup, where one Address/Port entry covers both HTTP and HTTPS; macOS has separate Web Proxy (HTTP) and Secure Web Proxy (HTTPS) entries):
HTTP Proxy: 127.0.0.1
Port: 8080
HTTPS Proxy: 127.0.0.1
Port: 8080
Firefox
Firefox has its own proxy settings, independent of the operating system: Settings → General → Network Settings → Settings… → Manual proxy configuration, HTTP Proxy 127.0.0.1, Port 8080, and tick "Also use this proxy for HTTPS".
3. Install Burp Certificate (HTTPS Interception)
Burp terminates TLS and presents the browser with a per-host certificate signed by its own CA. Until the browser trusts that CA, every HTTPS site shows a certificate error (for example NET::ERR_CERT_AUTHORITY_INVALID in Chrome).
Steps
- Start Burp Suite.
- Open a browser configured to use the Burp proxy (the page below is served by Burp itself, so it only loads through the proxy).
- Visit:
http://burpsuite
or
http://burp
- Click CA Certificate to download cacert.der.
- Import the certificate as a trusted root CA. Chrome and Edge use the operating system store (Windows: double-click cacert.der → Install Certificate → place it in "Trusted Root Certification Authorities"). Firefox keeps its own store: Settings → Privacy & Security → Certificates → View Certificates… → Authorities → Import…, and tick "Trust this CA to identify websites".
- Restart the browser and reload an HTTPS site; the padlock should now show a certificate issued by PortSwigger CA.
Do this only in a browser profile or machine used for testing: whoever holds the private key of a CA your browser trusts can intercept all of your HTTPS traffic. Burp's CA is unique to your installation and its private key lives on your machine, so do not share it.
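The same certificate step, scripted, as an added example for this guide (it is not Burp Suite's own code): the script downloads Burp's CA through the proxy, converts it from DER to PEM, prints the SHA-256 fingerprint so you can compare it with the PortSwigger CA fingerprint shown in Burp's own browser before trusting the file, and then makes an HTTPS request through Burp trusting only that CA. It assumes the default listener at 127.0.0.1:8080 and Burp's http://burp/cert download URL (the link behind the CA Certificate button on http://burpsuite); the output filename burp-ca.pem is an assumption.

```python
"""Fetch Burp's CA over the proxy, convert DER to PEM, show its fingerprint, and
test an HTTPS request through Burp. Added example for this guide, not Burp Suite's
own code. Assumptions: the default listener at 127.0.0.1:8080 and Burp's
http://burp/cert download URL; burp-ca.pem is an assumed output filename."""
import hashlib
import ssl
import sys
import urllib.request
from typing import Optional

BURP_PROXY = "http://127.0.0.1:8080"   # default Burp listener
BURP_CERT_URL = "http://burp/cert"     # answered by Burp itself, so only reachable via the proxy
PEM_PATH = "burp-ca.pem"               # assumed output filename


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block, the form Firefox, curl and Python accept."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as shown in browser certificate viewers.
    A mismatch with the fingerprint Burp's own browser shows for PortSwigger CA means
    something other than your Burp answered the download."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def proxied_opener(proxy: str, cafile: Optional[str] = None) -> urllib.request.OpenerDirector:
    """urllib opener that sends HTTP and HTTPS (via CONNECT) through Burp.

    With cafile=None the default trust store is used, so an HTTPS request fails with
    CERTIFICATE_VERIFY_FAILED, the same error an unconfigured browser shows.
    """
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})]
    if cafile is not None:
        ctx = ssl.create_default_context(cafile=cafile)   # trust Burp's CA, and only it
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def fetch_burp_ca(proxy: str = BURP_PROXY, pem_path: str = PEM_PATH) -> bytes:
    """Download Burp's CA (DER) through the proxy and save it as PEM; returns the DER bytes."""
    with proxied_opener(proxy).open(BURP_CERT_URL, timeout=10) as resp:
        der = resp.read()
    with open(pem_path, "w", encoding="ascii") as fh:
        fh.write(der_to_pem(der))
    return der


def https_status_via_burp(url: str, proxy: str = BURP_PROXY, cafile: str = PEM_PATH) -> int:
    """HTTP status of an HTTPS request sent through Burp while trusting only Burp's CA.
    The request shows up in Proxy → HTTP history like any browser request."""
    with proxied_opener(proxy, cafile).open(url, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    ca_der = fetch_burp_ca()
    print("saved", PEM_PATH, "SHA-256:", sha256_fingerprint(ca_der))
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    print(target, "->", https_status_via_burp(target))
```

The resulting burp-ca.pem is also what you pass to curl (--proxy 127.0.0.1:8080 --cacert burp-ca.pem) or to any other scripted client that should go through Burp without disabling certificate verification.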
4. Enable Intercept
Navigate:
Proxy → Intercept
Click:
Intercept is off, so that it reads Intercept is on
Now every request from the proxied browser pauses in Burp before it reaches the server, and the browser waits until you act on it.
Example:
GET /login HTTP/1.1
Host: example.com
You can:
- Forward (send it on, unchanged or edited)
- Drop (never send it; the browser sees a connection error)
- Modify the request in the editor, then Forward
Turn interception off again when you only want to watch traffic; everything still appears in Proxy → HTTP history. Use the request interception rules in Proxy settings (or the Target scope) to stop static assets and out-of-scope hosts from pausing as well.
5. Send Requests to Repeater
Useful for API testing: you can resend one request many times with small changes and compare the responses.
- Intercept the request (or pick it from Proxy → HTTP history).
- Right-click it.
- Select:
Send to Repeater
- Open the Repeater tab.
- Modify the request (parameters, headers, cookies, body).
- Click Send and read the response in the right-hand pane.
Example (a complete request: the JSON body needs a Content-Type header and a blank line between headers and body; Repeater updates Content-Length for you when you edit the body):
POST /login HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 38

{"username":"admin","password":"test"}
6. Use Intruder
Used for:
- Brute force testing (for example, a password list against one username)
- Parameter fuzzing (SQL/JSON metacharacters, oversized values, unexpected types)
- Input validation testing
Steps:
- Right-click the request (in Proxy history or Repeater).
- Send to Intruder.
- Select payload positions: highlight the value to replace and click Add § (attack type Sniper for one position; Cluster bomb tries every combination across several positions).
- Add payloads: a simple list, a number range, or a wordlist file.
- Start attack, then sort the results table by status code, response length, or response time to find the responses that differ from the rest.
Note: Intruder attacks are rate-limited in the Community edition, so keep payload lists short or script the run outside Burp.
7. API Testing with Burp
Capture API calls from:
- Web applications (the browser from section 2)
- Mobile apps (section 8)
- Postman (Settings → Proxy → add a custom proxy 127.0.0.1:8080, and either add Burp's CA under Settings → Certificates or turn off SSL certificate verification in Settings → General for the test session)
Example Request:
POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 45

{"email":"test@test.com","password":"123456"}
Check:
- Status code (200 on success, 401 for a bad login; an unexpected 500 usually means unhandled input)
- Response time (a slow response to an oversized or malformed payload hints at resource exhaustion)
- Authentication (is a token or session actually required on later calls, and is a bad or expired token rejected?)
- Error handling (do error bodies leak stack traces, database errors, or internal hostnames?)
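What Repeater and Intruder do by hand, scripted: the login request from the examples above is resent once per payload (Intruder's Sniper attack with the password as the single position) and the checklist above is applied to the results table. This is an added example for this guide, not Burp's own code. It embeds a constructed toy /api/login endpoint so it runs offline; the endpoint, the payload list and the credentials test@test.com/123456 are all made up for the example. Point run_payloads() at a real in-scope target and pass proxy="http://127.0.0.1:8080" to send the same requests through Burp, where they appear in Proxy → HTTP history and Logger.

```python
"""Scripted equivalent of an Intruder payload run against a login API, with the
checklist (status, time, authentication, error handling) applied to the results.
Added example for this guide, not Burp's own code; the endpoint below is a
constructed toy so the script runs offline."""
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed payload list of the kind loaded into Intruder: a baseline value,
# SQL/JSON metacharacters, an oversized value, and candidate passwords.
PAYLOADS = ["test", "' OR '1'='1", "\" OR 1=1--", "A" * 5000, "admin", "123456"]


class ToyLoginHandler(BaseHTTPRequestHandler):
    """Constructed, deliberately sloppy target: a quote in the password leaks a
    database error, an oversized password takes a slow path, test@test.com/123456
    logs in. Never copy it into a real service."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        user, pw = body.get("email", ""), body.get("password", "")
        if len(pw) > 1000:
            time.sleep(1.5)  # slow path: a resource-exhaustion hint
            self._send(413, {"error": "payload too large"})
        elif "'" in pw or '"' in pw:
            self._send(500, {"error": "SQLSyntaxError near ' OR ' in SELECT"})  # leaks internals
        elif user == "test@test.com" and pw == "123456":
            self._send(200, {"token": "constructed.session.token"})
        else:
            self._send(401, {"error": "invalid credentials"})

    def _send(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_toy_server():
    """Start the constructed endpoint on a free localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ToyLoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def send_login(base_url, email, password, proxy=None, timeout=5):
    """One request; returns (status, body_length, seconds). proxy=None also ignores
    environment proxies; proxy=<Burp listener URL> routes the request through Burp."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(base_url + "/api/login", method="POST",
                                 data=json.dumps({"email": email, "password": password}).encode(),
                                 headers={"Content-Type": "application/json"})
    t0 = time.monotonic()
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read()), time.monotonic() - t0
    except urllib.error.HTTPError as err:  # 4xx/5xx are results, not failures
        return err.code, len(err.read()), time.monotonic() - t0
    except OSError:  # timeout or connection refused
        return 0, 0, time.monotonic() - t0


def run_payloads(base_url, payloads, email="test@test.com", proxy=None):
    """Intruder 'Sniper' equivalent: one position (password), one request per payload."""
    return {p: send_login(base_url, email, p, proxy) for p in payloads}


def flag_anomalies(results, baseline_payload="test", slow_after=1.0):
    """The checklist as code, like sorting Intruder's results by status, length and
    time. Returns {payload: [reasons]} for every response that differs from baseline."""
    base_status, base_len, _ = results[baseline_payload]
    flags = {}
    for payload, (status, length, secs) in results.items():
        reasons = []
        if status == 200:
            reasons.append("authentication succeeded")
        elif status != base_status:
            reasons.append(f"status {status} differs from baseline {base_status}")
        elif length != base_len:
            reasons.append(f"same status but body length {length} != {base_len}")
        if status >= 500 or status == 0:
            reasons.append("server error or no response: read the body for stack traces / SQL errors")
        if secs > slow_after:
            reasons.append(f"slow response ({secs:.1f}s)")
        if reasons:
            flags[payload] = reasons
    return flags


if __name__ == "__main__":
    server, base = start_toy_server()
    for payload, reasons in flag_anomalies(run_payloads(base, PAYLOADS)).items():
        print(repr(payload[:20]), "->", "; ".join(reasons))
    server.shutdown()
```

Against the toy endpoint the baseline and the wrong password are unflagged, 123456 is flagged as a successful login, the two quoted payloads are flagged as 500s whose body should be read for leaked internals, and the 5000-character password is flagged for both its different status and its slow response; the same three columns (status, length, time) are the ones to sort by in Intruder's results table.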
8. Mobile App Setup (Android)
Same Wi-Fi Network
PC:
192.168.1.100 (your PC's LAN address; find it with ipconfig)
Burp:
Proxy → Proxy settings → select the listener → Edit → Binding → Bind to address: All interfaces (or the PC's LAN address). The default listener binds only to 127.0.0.1 and will not accept connections from the phone; also allow TCP port 8080 through the PC's firewall.
Proxy Listener: 8080
Android
Wi-Fi → long-press the network → Modify network → Advanced options → Proxy: Manual
Proxy Hostname: 192.168.1.100
Proxy Port: 8080
Open in the phone's browser:
http://burp
Download the CA certificate and install it as a CA certificate (Settings → Security → Encryption & credentials → Install a certificate → CA certificate on Android 11 and later; the exact path varies by vendor and version). Some versions only accept the file after it is renamed from cacert.der to cacert.cer.
Now Burp captures the phone's browser traffic. For apps there are two caveats:
- Since Android 7.0 (API level 24), apps trust only the system CA store by default and ignore user-installed CAs. A debuggable build of your own app can opt in through its network security config (a trust-anchors entry with certificates src="user" under debug-overrides in res/xml/network_security_config.xml); production apps from other vendors need a rooted device or emulator where the CA can be placed in the system store.
- Apps that pin their server certificate refuse the connection even when the CA is trusted; these show up as TLS handshake failures in Burp's Event log on the Dashboard.
9. Common Tabs for QA Engineers
| Tab | Purpose |
|---|---|
| Proxy | Capture Traffic |
| Repeater | Modify Requests |
| Intruder | Fuzz Testing |
| Decoder | Encode/Decode |
| Comparer | Compare Responses |
| Logger | View All Requests |
Burp Suite Interview Questions
Q1. What is Burp Suite?
A web security and API testing tool used to intercept and analyze HTTP/HTTPS traffic.
Q2. What is a Proxy Listener?
The local address and port (127.0.0.1:8080 by default) on which Burp accepts connections from the browser or app. Traffic sent there is recorded in the proxy history and can be intercepted and modified before Burp forwards it to the server.
Q3. What is Repeater?
Used to resend modified requests multiple times.
Q4. What is Intruder?
Used for payload-based testing and automation attacks.
Q5. Why install the Burp CA Certificate?
Burp terminates TLS and re-signs each site's certificate with its own CA. Unless the browser or app trusts that CA, HTTPS connections fail with certificate errors and the traffic cannot be inspected or modified.