Tools I use – Burp

Jan 4th, 2010

Comments: 0
Category: Penetration Testing

Tools I use – Burp

I’ve been meaning to do a post on burp for a while, and courtesy of my new years resolution to stop procrastinating, here it is 🙂
I was thinking of a way to sum up burp, so far the best I’ve got is “If you’re doing web application testing and not using Burp, you’re missing out !”, it is that useful…
Burp has been around for a while now as one of a group of handy web application proxy tools along with the likes of Web Scarab and Paros. Over time it’s developed a huge range of handy features, which make web app. testing a lot more productive.
There’s the basics, in terms of intercepting and modifying requests, which all the tools in this category tend to do quite well, but on top of that there’s just loads of other things that Burp does.
The Web app scanner is a good targetable way to test for several types of common web app vulnerabilities. As an add-on in the latest beta, there’s a wizard which lets you reduce the number of requests that Burps going to make, by removing duplicates and similar requests. If you’ve used many commercial web app. scanners you’ll know that volume of requests generated can be a real problem, so anything that can help bring down the load is useful.
Another stand-out feature of Burp for me, is intruder which lets you pick a specific parameter or set of parameters from a request and easily modify them. As an example pretty much every time I see a URL that looks like request.asp?id=123 , it’s going to be worth running burp Intruder over that parameter to see what pops up when you change that value.
One of the things I have found about burp is that it’s easy to miss functions that are available and not get the best out of it. Luckily there’s a blog which covers a lot of the new features as they come out. Also I need to mention the Burp Tip of the Day series of posts on Cktricky’s blog which has loads of good tips on getting more out of Burp.

Add a comment

Your email address will not be shared or published. Required fields are marked *