BurpSuite Proxy

•

1 like•1,633 views

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Technology

BURP SUITE PROXY
Nishanth Kumar
n|u Bangalore Chapter Lead
n|u / OWASP / g4h Monthly Meet
17th Oct 2015

Who am I ?
• Info Security enthusiast
• Consulting service for enterprises to implement security
• Null moderator
• OWASP Contributor
• @nishanthkumarp

Wannaa tweet ?
• @null0x0
• @nullblr
• @OWASPBangalore
• @garage4hackers
• #BurpSuite
• @nishanthkumarp

Disclosure
• The view expressed are my personal.
• Non of my employers are responsible for my talk.
• No offense to any one

Contents
• BurpSuite Proxy
• BurpSuite Features
• Demo

BurpSuite Proxy
• Used in any client-server model application testing.
• Commonly used to Intercept http/https request between
client and Server.
• Webapplication , moblie application testing.
• exploiting vulnerabilities, fuzzing web applications,
carrying out brute force attacks

BurpSuite Features - 1
• Interception Proxy: Designed to give the user control
over requests sent to the server.
• Repeater: The ability to rapidly repeat/modify specific
requests.
• Intruder: Feature that allows automation of custom
attacks/payloads
• Decoder: Decode and encode strings to various formats
(URL, Base64, HTML, etc.)

BurpSuite Features - 2
• Comparer: Can highlight differences between
requests/responses
• Extender: API to extend Burps functionality, with many
free extensions available via the BApp store.

BurpSuite Features - 3
• Spider and Discover Content feature: Crawls links on a
web application, and the discover content can be used to
dynamically enumerate unlinked content.
• Scanner (Pro Only): Automated scanner that checks for
web application vulnerabilities (XSS, SQLi, Command
Injection, File Inclusion, etc.)

Demo
• Manual Application Walkthrough
• Intercept & Scope Configuration
• Outbound SOCKS Proxy Configuration
• Using The Spider & Discover
• Using The Repeater Tab
• Using The Intruder Tab
• Text Specific Searching
• Using The Automated Scanner

References
• https://www.pentestgeek.com/web-applications/burp-
suite-tutorial-1/
• https://www.pentestgeek.com/web-applications/burp-
suite-tutorial-web-application-penetration-testing-part-2/
• http://www.hackingloops.com/burpsuite-web-application-
penetration-testing.html

Viewers also liked

IOS Security Basics - NULL/ OWASP/G4H Meet

Anthony Jose

Netcat - A Swiss Army Tool

Chandrapal Badshah

The Evil Tester's Guide to HTTP proxies Tutorial

Alan Richardson

ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge

ITCamp

Paypal-IPN

Mindfire Solutions

How to Launch a Web Security Service in an Hour

Cyren, Inc

We have various resources for learning social engineering like social-engineer.org, the art of deception by kevin mitnick, the art of social engineering by Christopher Hadgney etc. but then why this same old TALK? The purpose of this talk is to take you one step forward, by teaching you how exactly it could be done. I mean, how can you possibly hack computers without having the basic understanding of how operating system works, how computer protocols works? You need to know what you’re dealing with and then you go ahead and look for the security issues and vulnerabilities in them. Similar scenario is with social engineering, You need to know what you are dealing with. HUMANS. Right!. what do you know about humans other than but being one. How do they operate, how do they make decision, what all factors affects their response etc. Without understanding how humans work? Your knowledge of social engineering and toolkits will not suffice. This talk will unleash the psychological strategies to execute the structure of social engineering.

Pyscho-Strategies for Social Engineering

Ishan Girdhar

Burp suite

Ammar WK

This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite: - Passive scanning - Active scanning - Identifying insertion points - Request modification The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.

Cusomizing Burp Suite - Getting the Most out of Burp Extensions

August Detlefsen

Windows Azure Versioning Strategies

Pavel Revenkov

Owasp m7-m8-shivang nullmeetblr 21june2015

n|u - The Open Security Community

Wcf security session 1

Anil Kumar M

Dark Arts Of Social Engineering

Nutan Kumar Panda

Venom vulnerability Overview and a basic demo

Akash Mahajan

Null bufferoverflow

Abhinav Chourasia, GMOB

Burp plugin development for java n00bs (44 con)

Marc Wickenden

Web Service Security

n|u - The Open Security Community

Basics of WCF and its Security

Mindfire Solutions

Owasp top 10

veerababu penugonda(Mr-IoT)

Pentesting With Web Services in 2012

Ishan Girdhar

Viewers also liked (20)

IOS Security Basics - NULL/ OWASP/G4H Meet

Netcat - A Swiss Army Tool

The Evil Tester's Guide to HTTP proxies Tutorial

ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge

Paypal-IPN

How to Launch a Web Security Service in an Hour

Pyscho-Strategies for Social Engineering

Burp suite

Cusomizing Burp Suite - Getting the Most out of Burp Extensions

Windows Azure Versioning Strategies

Owasp m7-m8-shivang nullmeetblr 21june2015

Wcf security session 1

Dark Arts Of Social Engineering

Venom vulnerability Overview and a basic demo

Null bufferoverflow

Burp plugin development for java n00bs (44 con)

Web Service Security

Basics of WCF and its Security

Owasp top 10

Pentesting With Web Services in 2012

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Manulife - Insurer Innovation Award 2024

The Digital Insurer

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Top 10 Most Downloaded Games on Play Store in 2024

Automating Google Workspace (GWS) & more with Apps Script

MINDCTI Revenue Release Quarter One 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

2024: Domino Containers - The Next Step. News from the Domino Container commu...

GenAI Risks & Security Meetup 01052024.pdf

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Powerful Google developer tools for immediate impact! (2023-24 C)

Exploring the Future Potential of AI-Enabled Smartphone Processors

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Boost PC performance: How more available memory can improve productivity

Axa Assurance Maroc - Insurer Innovation Award 2024

HTML Injection Attacks: Impact and Mitigation Strategies

Manulife - Insurer Innovation Award 2024

BurpSuite Proxy

1. BURP SUITE PROXY Nishanth Kumar n|u Bangalore Chapter Lead n|u / OWASP / g4h Monthly Meet 17th Oct 2015

2. Who am I ? • Info Security enthusiast • Consulting service for enterprises to implement security • Null moderator • OWASP Contributor • @nishanthkumarp

3. Wannaa tweet ? • @null0x0 • @nullblr • @OWASPBangalore • @garage4hackers • #BurpSuite • @nishanthkumarp

4. Disclosure • The view expressed are my personal. • Non of my employers are responsible for my talk. • No offense to any one

5. Contents • BurpSuite Proxy • BurpSuite Features • Demo

6. BurpSuite Proxy • Used in any client-server model application testing. • Commonly used to Intercept http/https request between client and Server. • Webapplication , moblie application testing. • exploiting vulnerabilities, fuzzing web applications, carrying out brute force attacks

7. BurpSuite Features - 1 • Interception Proxy: Designed to give the user control over requests sent to the server. • Repeater: The ability to rapidly repeat/modify specific requests. • Intruder: Feature that allows automation of custom attacks/payloads • Decoder: Decode and encode strings to various formats (URL, Base64, HTML, etc.)

8. BurpSuite Features - 2 • Comparer: Can highlight differences between requests/responses • Extender: API to extend Burps functionality, with many free extensions available via the BApp store.

9. BurpSuite Features - 3 • Spider and Discover Content feature: Crawls links on a web application, and the discover content can be used to dynamically enumerate unlinked content. • Scanner (Pro Only): Automated scanner that checks for web application vulnerabilities (XSS, SQLi, Command Injection, File Inclusion, etc.)

10. Demo • Manual Application Walkthrough • Intercept & Scope Configuration • Outbound SOCKS Proxy Configuration • Using The Spider & Discover • Using The Repeater Tab • Using The Intruder Tab • Text Specific Searching • Using The Automated Scanner

11. References • https://www.pentestgeek.com/web-applications/burpsuite-tutorial-1/ • https://www.pentestgeek.com/web-applications/burpsuite-tutorial-web-application-penetration-testing-part-2/ • http://www.hackingloops.com/burpsuite-web-application- penetration-testing.html

12. THANK YOU

BurpSuite Proxy

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

More from Nishanth Kumar Pathi

More from Nishanth Kumar Pathi (6)

Recently uploaded

Recently uploaded (20)

BurpSuite Proxy