How to start using Burp Suite

2019.03.09

Hello world! I’m back!

Anyways, this week I want to go over setting up Burp Suite, really quick! Burp Suite is a tool I deeply appreciate and want everyone to know how to get started using it. In case you don’t know, Burp Suite is a tool used for finding vulnerabilities in web applications, ranging from detecting unencrypted communications, to passwords sent in plain text, to altering variables sent from the client to the server. It’s a really handy tool, and I highly recommend anyone who does not know what this is become familiar with it ASAP. It will help you on your bug bounty path, or just with making sure your web application is less terrible. So let’s just jump into it!

Step 1: Download Burp Suite
You can download Burp Suite via their site at https://portswigger.net/burp/communitydownload.

Step 2: Tweak your Browser
Why do you need to do this, you may ask? This is so that your browser sends its traffic through a proxy, and Burp can listen in on a specific IP and port. My preferred browser is Firefox, so I’ll go over that browser, as it’s also similar to Iceweasel, which is the standard browser on a Kali box. Your browser settings should be set as the picture below shows.

To do so, just type about:preferences in the address bar > Network Settings. If you’re using a different browser, then figure it out for yourself. You ain’t dumb!

[add archived image here]

Now Burp Suite needs to know which IP and port it should be listening on, and these must match what you entered in the browser. Below is what the Burp Suite proxy listener settings should look like.

Step 3: Add the CA Cert to your browser
Start Burp Suite, then go to http://burp in your browser.
Click CA Certificate, download the cacert.der file, and remember where it’s saved.
The image below is all that should be happening.

[add archived image here]

Then in the address bar go to
about:preferences#privacy > Certificates > View Certificates > Authorities > Import > find where you saved your cacert.der file > check “Trust this CA to identify websites”.
Boom! Browser is set!

[add archived image here]
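A quick way to confirm from a terminal that Steps 2 and 3 actually worked, as an added example that is not part of the original post: it assumes Burp’s default listener on 127.0.0.1:8080, the cacert.der you just downloaded, and that curl and openssl are installed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Burp proxy setup.
# Assumes Burp's default listener 127.0.0.1:8080 (override with BURP_HOST/BURP_PORT),
# the cacert.der downloaded from http://burp, and that curl and openssl exist.

BURP_HOST="${BURP_HOST:-127.0.0.1}"
BURP_PORT="${BURP_PORT:-8080}"

# Convert Burp's DER-encoded CA certificate to PEM, which is what curl expects.
# Returns 2 if the DER file is missing, otherwise openssl's exit status.
der_to_pem() {
  der="$1"; pem="$2"
  [ -f "$der" ] || { echo "missing $der" >&2; return 2; }
  openssl x509 -inform der -in "$der" -out "$pem"
}

# Send one HTTPS request through Burp, trusting only Burp's CA.
# The exit code is curl's, and tells you which step went wrong:
#   0  = request was proxied and TLS verified, so the CA import worked
#   7  = could not reach the listener, so recheck the IP/port from Step 2
#   60 = certificate not trusted, so the imported CA is not the one Burp uses
via_burp() {
  url="$1"; pem="$2"
  curl -sS -o /dev/null -w 'HTTP %{http_code}\n' \
       --proxy "http://${BURP_HOST}:${BURP_PORT}" \
       --cacert "$pem" "$url"
}

# Usage (with Burp running and intercept off):
#   der_to_pem cacert.der burp-ca.pem && via_burp https://example.com burp-ca.pem
```

The request will show up in Burp’s Proxy history if everything is wired up correctly.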

Step 5: Explore a site MANUALLY
With Burp Suite open, go to a site. In my example I just went to http://hackthissite.org/, which is a site you are allowed to play with for the benefit of practicing your skills.


And that should get you started in using Burp Suite in no time. Now notice I said to explore the site manually. This is because while automation is very useful, your curiosity is your friend. “Oh, what’s that, and if I change this, what happens?” Have more of those moments, and you’re golden.

There are several other features to this amazing tool, but I figured I would do that in a later post exploring all the tabs. Didn’t want this post to get long. Long posts aren’t my style.

Bonus Step!
If you’re really intrigued by the possibilities of what BurpSuite is capable of, I highly recommend you get your copy of Web Hacking 101 by Peter Yaworski.
https://www.hackerone.com/blog/Hack-Learn-Earn-with-a-Free-E-Book
You won’t regret it. 🙂
Happy hacking!

Note:
Now this is just a quick rundown of what a newcomer to infosec will see, and is not meant to be an all-inclusive post. I’m writing this in hopes that it gives others a quick snapshot of what to expect, as well as helps them become familiar with a topic which may otherwise be new to them.

For more info, check out Burp Suite’s documentation at: https://portswigger.net/burp/documentation.
#techtools