What is Burp Suite?
Burp Suite is the industry-leading web application security testing (as discussed in OWASP ZAP Automation: Security Scanning in CI/CD) platform. For QA engineers, Burp provides a comprehensive toolkit for manual and automated security testing (as discussed in Penetration Testing Basics for QA Testers), including intercepting proxies, scanners, and specialized tools for vulnerability discovery.
Burp Suite Editions
- Community Edition - Free, limited automated scanning
- Professional - Full scanner, advanced tools ($449/year)
- Enterprise - CI/CD integration, team collaboration ($3,999/year)
Core Components
1. Proxy - Intercept and Modify Traffic
# Configure browser to use Burp proxy
# Proxy settings: localhost:8080
# Install Burp CA certificate
# Navigate to: http://burp
# Download cacert.der and install in browser
Intercepting Requests:
1. Turn on "Intercept is on" in Proxy tab
2. Navigate to target in browser
3. View/modify request in Burp
4. Click "Forward" to send or "Drop" to block
Useful Proxy Features:
- Match and Replace - Auto-modify requests/responses
- HTTP History - Review all traffic
- WebSocket History - Monitor WebSocket communications
2. Scanner - Automated Vulnerability Detection
// Burp Suite Professional API
import burp.*;
public class CustomScanner implements IScannerCheck {
@Override
public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
List<IScanIssue> issues = new ArrayList<>();
// Check for sensitive data in responses
String response = helpers.bytesToString(baseRequestResponse.getResponse());
if (response.contains("password") || response.contains("api_key")) {
issues.add(new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
"Sensitive data in response",
"High",
"Certain"
));
}
return issues;
}
@Override
public List<IScanIssue> doActiveScan(
IHttpRequestResponse baseRequestResponse,
IScannerInsertionPoint insertionPoint
) {
// Custom active scanning logic
return Collections.emptyList();
}
}
Scanner Configuration:
1. Right-click target in Proxy/Target
2. Select "Scan" or "Actively scan this host"
3. Configure scan settings:
- Crawl limits
- Scan speed
- Issue types to detect
3. Intruder - Automated Attacks
Fuzzing Example:
1. Send request to Intruder (Right-click → "Send to Intruder")
2. Set payload positions:
POST /api/users HTTP/1.1
{"user_id": §1§, "role": "§admin§"}
3. Configure payload types:
- Position 1: Numbers (1-1000)
- Position 2: Simple list (admin, user, guest)
4. Start attack and analyze responses
Attack Types:
- Sniper - Single payload position
- Battering Ram - Same payload in all positions
- Pitchfork - Iterate multiple payload sets in parallel
- Cluster Bomb - All permutations of payload sets
Detecting Vulnerabilities:
# Extract results programmatically
import json
def analyze_intruder_results(results_file):
"""Analyze Intruder attack results"""
with open(results_file) as f:
results = json.load(f)
vulnerabilities = []
for item in results:
# Check for SQL injection indicators
if 'syntax error' in item['response'].lower():
vulnerabilities.append({
'type': 'SQL Injection',
'payload': item['payload'],
'evidence': 'SQL syntax error in response'
})
# Check for IDOR
if item['status_code'] == 200 and item['payload'] != item['expected_id']:
vulnerabilities.append({
'type': 'IDOR',
'payload': item['payload'],
'evidence': 'Accessed resource with different user ID'
})
return vulnerabilities
4. Repeater - Manual Request Testing
1. Send interesting request to Repeater
2. Modify request parameters
3. Click "Send" to see response
4. Compare multiple responses side-by-side
Common Test Cases:
- Authentication Bypass: Remove tokens, modify user IDs
- Authorization Testing: Access resources with different user roles
- Input Validation: Test boundaries, special characters, encoding
5. Decoder - Encode/Decode Data
Supported encodings:
- URL encoding
- HTML encoding
- Base64
- Hex
- ASCII hex
- Gzip
6. Comparer - Visual Diff Tool
1. Send two responses to Comparer
2. Select "Words" or "Bytes" comparison
3. Review highlighted differences
Use Cases:
- Compare responses from different user roles
- Identify timing differences (timing attacks)
- Detect subtle changes in encrypted responses
Advanced Techniques
Session Handling
1. Project Options → Sessions
2. Add "Cookie jar"
3. Configure session handling rules:
- Extract cookies from responses
- Add cookies to requests
- Handle CSRF tokens
CSRF Token Handling:
# Burp extension for CSRF token extraction
from burp import IBurpExtender, ISessionHandlingAction
class CsrfTokenHandler(IBurpExtender, ISessionHandlingAction):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.registerSessionHandlingAction(self)
def getActionName(self):
return "Extract CSRF Token"
def performAction(self, currentRequest, macroItems):
# Extract CSRF token from macro response
if len(macroItems) > 0:
response = macroItems[0].getResponse()
token = self.extract_csrf_token(response)
# Update request with new token
updated_request = self.update_csrf_token(currentRequest.getRequest(), token)
currentRequest.setRequest(updated_request)
Testing APIs
GraphQL Testing:
# Introspection query
{
__schema {
types {
name
fields {
name
type {
name
}
}
}
}
}
# Test for authorization issues
query {
users {
id
email
password_hash # Should not be exposed
}
}
JWT Testing:
// Burp extension to decode/modify JWTs
function decodeJWT(token) {
const parts = token.split('.');
const header = JSON.parse(atob(parts[0]));
const payload = JSON.parse(atob(parts[1]));
return { header, payload, signature: parts[2] };
}
// Test for algorithm confusion
header = { "alg": "none" } // Remove signature requirement
header = { "alg": "HS256" } // Change from RS256 to HS256
// Test for weak secrets
// Use Intruder with common secret wordlist
Burp Extensions
Must-Have Extensions
1. Autorize - Authorization testing
1. Install from BApp Store
2. Configure authorized and unauthorized sessions
3. Autorize automatically tests each request with both sessions
4. Identifies authorization bypasses
2. Logger++ - Advanced logging
Features:
- Custom filters
- Grep extraction
- Export to CSV/JSON
- Scripting support
3. Turbo Intruder - High-speed attacks
# turbo_intruder.py
def queueRequests(target, wordlists):
engine = RequestEngine(
endpoint=target.endpoint,
concurrentConnections=50,
requestsPerConnection=100
)
for word in open('/path/to/wordlist.txt'):
engine.queue(target.req, word.rstrip())
def handleResponse(req, interesting):
if '200 OK' in req.response:
table.add(req)
4. JWT Editor - JWT manipulation 5. Retire.js - Detect vulnerable JavaScript libraries
Custom Extension Development
// Simple Burp extension
package burp;
import java.io.PrintWriter;
public class BurpExtender implements IBurpExtender, IHttpListener {
private IBurpExtenderCallbacks callbacks;
private PrintWriter stdout;
@Override
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
this.callbacks = callbacks;
this.stdout = new PrintWriter(callbacks.getStdout(), true);
callbacks.setExtensionName("Custom Security (as discussed in [Security Testing for QA: A Practical Guide](/blog/security-testing-for-qa)) Checks");
callbacks.registerHttpListener(this);
stdout.println("Extension loaded successfully");
}
@Override
public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
if (!messageIsRequest) {
// Analyze response
byte[] response = messageInfo.getResponse();
String responseStr = new String(response);
// Check for sensitive data
if (responseStr.contains("ssn") || responseStr.contains("credit_card")) {
stdout.println("WARNING: Sensitive data detected in response!");
// Add issue to scanner
callbacks.addScanIssue(new CustomScanIssue(
messageInfo.getHttpService(),
callbacks.getHelpers().analyzeRequest(messageInfo).getUrl(),
new IHttpRequestResponse[] { messageInfo },
"Sensitive Data Exposure",
"Response contains sensitive information",
"High"
));
}
}
}
}
Collaboration Features (Enterprise)
Team Sharing
# Export site map
1. Right-click target → "Save selected items"
2. Choose "Burp state file" format
3. Share .burp file with team
# Import into another Burp instance
1. File → "Restore state"
2. Select .burp file
CI/CD Integration (Enterprise)
# Jenkins pipeline
pipeline {
stages {
stage('Security Scan') {
steps {
script {
// Start Burp Enterprise scan
sh '''
curl -X POST https://burp-enterprise.example.com/api/v1/scan \
-H "Authorization: Bearer ${BURP_API_KEY}" \
-d '{
"scope": {
"included": [{"rule": "https://app.example.com"}]
},
"scan_configurations": [{"type": "audit"}]
}'
'''
}
}
}
stage('Check Results') {
steps {
script {
def issues = sh(
script: 'curl https://burp-enterprise.example.com/api/v1/scan/${SCAN_ID}/issues',
returnStdout: true
)
def highSeverity = sh(
script: 'echo ${issues} | jq "[.issues[] | select(.severity == \\"high\\")] | length"',
returnStdout: true
).toInteger()
if (highSeverity > 0) {
error("Found ${highSeverity} high-severity vulnerabilities")
}
}
}
}
}
}
Best Practices
Efficient Workflow
Reconnaissance Phase:
- Map application with Spider
- Review Proxy history for interesting endpoints
- Identify authentication/authorization mechanisms
Manual Testing:
- Use Repeater for targeted testing
- Test authentication/authorization with different roles
- Verify input validation on all parameters
Automated Scanning:
- Run passive scans continuously
- Active scan specific areas of interest
- Use Intruder for fuzzing and brute forcing
Documentation:
- Tag interesting requests
- Add comments to explain findings
- Export results for reporting
Security Testing Checklist
## Authentication & Session Management
- [ ] Test for SQL injection in login form
- [ ] Check password policy enforcement
- [ ] Verify session timeout
- [ ] Test for session fixation
- [ ] Check for concurrent session handling
## Authorization
- [ ] Test IDOR vulnerabilities
- [ ] Verify role-based access control
- [ ] Check for privilege escalation
- [ ] Test API endpoint authorization
## Input Validation
- [ ] XSS in all input fields
- [ ] SQL injection in parameters
- [ ] Command injection testing
- [ ] File upload validation
- [ ] XXE in XML parsers
## Configuration
- [ ] Check security headers
- [ ] Verify HTTPS enforcement
- [ ] Test CORS configuration
- [ ] Review error messages
- [ ] Check for sensitive data in responses
Conclusion
Burp Suite is the Swiss Army knife of web security testing. From intercepting traffic to automated scanning and advanced exploitation, Burp empowers QA engineers to identify and validate security vulnerabilities comprehensively.
Key Takeaways:
- Master the Proxy for traffic analysis
- Use Scanner for automated vulnerability detection
- Leverage Intruder for fuzzing and brute forcing
- Employ Repeater for manual exploitation
- Extend functionality with custom extensions
- Integrate into CI/CD for continuous security testing
Security testing is a skill — practice regularly with Burp to build expertise.