Book Image

Burp Suite Cookbook

By : Sunny Wear
Book Image

Burp Suite Cookbook

By: Sunny Wear

Overview of this book

Burp Suite is a Java-based platform for testing the security of your web applications, and has been adopted widely by professional enterprise testers. The Burp Suite Cookbook contains recipes to tackle challenges in determining and exploring vulnerabilities in web applications. You will learn how to uncover security flaws with various test cases for complex environments. After you have configured Burp for your environment, you will use Burp tools such as Spider, Scanner, Intruder, Repeater, and Decoder, among others, to resolve specific problems faced by pentesters. You will also explore working with various modes of Burp and then perform operations on the web. Toward the end, you will cover recipes that target specific test scenarios and resolve them using best practices. By the end of the book, you will be up and running with deploying Burp for securing web applications.

Related Content you might be interested in

Current Title:

Small book image
Burp Suite Cookbook
Sunny Wear
Sep, 2018 | 358 pages
Small book image
Hands-On Application Penetration Testing with Burp Suite
Carlos A Lozano | Riyaz Ahemed Walikar | Dhruv Shah
Feb, 2019 | 366 pages
Small book image
Kali Linux Web Penetration Testing Cookbook
Gilberto NajeraGutierrez
Aug, 2018 | 404 pages
Small book image
Practical Web Penetration Testing
Gus Khawaja
Jun, 2018 | 294 pages
Table of Contents (13 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
Disclaimer
Targeting legal vulnerable web applications
Free Chapter
1
Getting Started with Burp Suite
Getting Started with Burp Suite
Introduction
Downloading Burp (Community, Professional)
Setting up a web app pentesting lab
Starting Burp at a command line or as an executable
Listening for HTTP traffic, using Burp
2
Getting to Know the Burp Suite of Tools
Getting to Know the Burp Suite of Tools
Introduction
Software tool requirements
Setting the Target Site Map
Understanding the Message Editor
Repeating with Repeater
Decoding with Decoder
Intruding with Intruder
3
Configuring, Spidering, Scanning, and Reporting with Burp
Configuring, Spidering, Scanning, and Reporting with Burp
Introduction
Software tool requirements
Establishing trust over HTTPS
Setting Project options
Setting user options
Spidering with Spider
Scanning with Scanner
Reporting issues
4
Assessing Authentication Schemes
Assessing Authentication Schemes
Introduction
Software tool requirements
Testing for account enumeration and guessable accounts
Testing for weak lock-out mechanisms
Testing for bypassing authentication schemes
Testing for browser cache weaknesses
Testing the account provisioning process via the REST API
5
Assessing Authorization Checks
Assessing Authorization Checks
Introduction
Software requirements
Testing for directory traversal
Testing for Local File Include (LFI)
Testing for Remote File Inclusion (RFI)
Testing for privilege escalation
Testing for Insecure Direct Object Reference (IDOR)
6
Assessing Session Management Mechanisms
Assessing Session Management Mechanisms
Introduction
Software tool requirements
Testing session token strength using Sequencer
Testing for cookie attributes
Testing for session fixation
Testing for exposed session variables
Testing for Cross-Site Request Forgery
7
Assessing Business Logic
Assessing Business Logic
Introduction
Software tool requirements
Testing business logic data validation
Unrestricted file upload – bypassing weak validation
Performing process-timing attacks
Testing for the circumvention of work flows
Uploading malicious files – polyglots
8
Evaluating Input Validation Checks
Evaluating Input Validation Checks
Introduction
Software tool requirements
Testing for reflected cross-site scripting
Testing for stored cross-site scripting
Testing for HTTP verb tampering
Testing for HTTP Parameter Pollution
Testing for SQL injection
Testing for command injection
9
Attacking the Client
Attacking the Client
Introduction
Software tool requirements
Testing for Clickjacking
Testing for DOM-based cross-site scripting
Testing for JavaScript execution
Testing for HTML injection
Testing for client-side resource manipulation
10
Working with Burp Macros and Extensions
Working with Burp Macros and Extensions
Introduction
Software tool requirements
Creating session-handling macros
Getting caught in the cookie jar
Adding great pentester plugins
Creating new issues via the Manual-Scan Issues Extension
Working with the Active Scan++ Extension
11
Implementing Advanced Topic Attacks
Implementing Advanced Topic Attacks
Introduction
Software tool requirements
Performing XXE attacks
Working with JWT
Using Burp Collaborator to determine SSRF
Testing CORS
Performing Java deserialization attacks
12
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

What this book covers

Chapter 1, Getting Started with Burp Suite, provides setup instructions necessary to proceed through the material of the book.

Chapter 2, Getting to Know the Burp Suite of Tools, begins with establishing the Target scope and provides overviews to the most commonly used tools within Burp Suite.

Chapter 3, Configuring, Spidering, Scanning, and Reporting with Burp, helps testers to calibrate Burp settings to be less abusive towards the target application.

Chapter 4, Assessing Authentication Schemes, covers the basics of Authentication, including an explanation that this is the act of verifying a person or object claim is true.

Chapter 5, Assessing Authorization Checks, helps you understand the basics of Authorization, including an explanation that this how an application uses roles to determine user functions.

Chapter 6, Assessing Session Management Mechanisms, dives into the basics of Session Management, including an explanation that this how an application keeps track of user activity on a website.

Chapter 7, Assessing Business Logic, covers the basics of Business Logic Testing, including an explanation of some of the more common tests performed in this area.

Chapter 8, Evaluating Input Validation Checks, delves into the basics of Data Validation Testing, including an explanation of some of the more common tests performed in this area.

Chapter 9, Attacking the Client, helps you understand how Client-Side testing is concerned with the execution of code on the client, typically natively within a web browser or browser plugin. Learn how to use Burp to test the execution of code on the client-side to determine the presence of Cross-site Scripting (XSS).

Chapter 10, Working with Burp Macros and Extensions, teaches you how Burp macros enable penetration testers to automate events such as logins or response parameter reads to overcome potential error situations. We will also learn about Extensions as an additional functionality to Burp.

Chapter 11, Implementing Advanced Topic Attacks, provides a brief explanation of XXE as a vulnerability class targeting applications which parse XML and SSRF as a vulnerability class allowing an attacker to force applications to make unauthorized requests on the attacker’s behalf.

Previous Section
Next Section