Burp - Advanced

Given that you already know the basics of Burp (Proxy, Repeater and Intruder), this article covers advanced features that make testing more efficient.

Hot Keys

Shortcuts are extremely useful and can be configured from the User settings. These are the ones I use the most.

| Action | Hotkey |
| --- | --- |
| Send request from Proxy history to Repeater | CTRL R |
| Send request from Proxy history to Intruder | CTRL I |
| Add Intruder payload position marker | CTRL Shift M |
| Clear Intruder payload position markers | CTRL L |
| Insert Collaborator URL | CTRL O |
| Issue Repeater request | CTRL Space |
| Issue Intruder attack | CTRL Enter |
| Go back in Repeater history | CTRL < |
| Go forward in Repeater history | CTRL > |
| Go to previous tab | CTRL Shift - |
| Go to next tab | CTRL Shift + |
| Switch to Target | CTRL Shift T |
| Switch to Dashboard | CTRL Shift D |
| Switch to Proxy | CTRL Shift P |
| Forward intercepted Proxy message | CTRL F |
| Forward intercepted Proxy request and intercept the response | CTRL Shift F |

Clean Project - Dashboard and Target

When creating a project, two tasks are active by default: live passive crawl from Proxy and live audit from Proxy.

Live audit performs passive checks on the proxy traffic and populates the issue activity. Personally I consider these findings to pollute the list of issues rather than provide real value, so I prefer to disable this task. In this manner only findings from active scans are displayed.

Similar reasoning applies to live passive crawl, which populates the Target tree. Say you open google.com in the Burp browser by mistake: the Target gets polluted with multiple domains which are completely out of scope.

Instead I recommend keeping the passive crawl task but setting it to Scope traffic only.

Now the Target contains only in-scope domains.

Proxy

Requests in Proxy history can be highlighted or annotated with a comment.

One use case is to mark something as interesting in order to come back to it later.

Another use case is using colors to explain topics, e.g. when explaining SAML, where three parties are involved (client, service provider and identity provider), you can assign one color to each party.

Match And Replace

Match and Replace is extremely useful. Here are some use cases.

Replace the username or email with something easy to type. This is especially useful if you have distinct roles: you can just type something like myclient, mypartner or myadmin instead of looking up and copy-pasting each email address.

Note that I use the prefix "my", as in "mypartner", instead of the plain "partner" to avoid unrelated parameters (for example a parameter name that happens to contain "partner") being unintentionally replaced.

The same reasoning applies to passwords: why copy-paste them from a document or password manager when you can quickly type something easy to remember?

It is also possible to use Match and Replace for a custom payload, e.g.

However I have not yet found a satisfying solution to this approach, as the same web application might send user input URL-encoded in some requests and not URL-encoded in JSON requests, so I do not see a way to have a single mnemonic keyword that injects a correctly encoded payload for both.

It is also possible to replace headers. I personally like to remove unneeded client headers to get a cleaner request, which also takes less space in reports. In the example below I use two Match and Replace rules of type request header with the regexes ^Sec-Ch-Ua.*$ and ^Sec-Fetch.*$ and an empty replacement, which removes every matching header.
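To make the two points above concrete, here is an added example (not from the original page, and not Burp's own code) that emulates Match and Replace rules on a raw request: header rules with an empty replacement delete the matching header, body rules rewrite the mnemonic credentials, and a count of plain "partner" versus "mypartner" hits shows why the "my" prefix matters. The request, host, account and password values are constructed for the example.

```python
import re

# Constructed sample request; host, paths and values are made up for this example.
RAW_REQUEST = """POST /api/partner/login HTTP/1.1
Host: app.example.test
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua: "Chromium";v="120", "Not_A Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty

username=mypartner&password=mypass&partnerId=42"""

# (rule type, match regex, replacement). An empty replacement on a header rule
# deletes the matching header, which is how Burp treats such a rule as well.
RULES = [
    ("request_header", r"^Sec-Ch-Ua.*$", ""),
    ("request_header", r"^Sec-Fetch.*$", ""),
    ("request_body", r"mypartner", "partner.user@example.test"),  # assumed real account
    ("request_body", r"mypass", "S3cr3t-P4ss!"),                   # assumed real password
]


def apply_rules(raw: str, rules) -> str:
    """Apply Burp-style rules: header rules per header line, body rules to the body."""
    head, _, body = raw.partition("\n\n")
    request_line, *headers = head.split("\n")
    for kind, pattern, repl in rules:
        rx = re.compile(pattern)
        if kind == "request_header":
            if repl == "":
                headers = [h for h in headers if not rx.search(h)]
            else:
                headers = [rx.sub(repl, h) for h in headers]
        elif kind == "request_body":
            body = rx.sub(repl, body)
        else:
            raise ValueError(f"unsupported rule type {kind!r}")
    return "\n".join([request_line, *headers]) + "\n\n" + body


def count_hits(raw: str, pattern: str) -> int:
    """How many places a keyword would touch across the whole request."""
    return len(re.findall(pattern, raw))


if __name__ == "__main__":
    print(apply_rules(RAW_REQUEST, RULES))
    # plain "partner" hits the path, the username and partnerId; "mypartner" only the username
    print("plain 'partner' hits:", count_hits(RAW_REQUEST, r"partner"))
    print("'mypartner' hits:", count_hits(RAW_REQUEST, r"mypartner"))
```

Rule order matters in the emulation just as it does in Burp: the mypartner rule runs before the mypass rule, and neither regex is a substring of the other's output, so no rule rewrites what an earlier rule produced.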

Repeater

Repeater tabs can be renamed and grouped into named and colored groups.

Moreover when a request is sent to Repeater it is possible to choose a default Tab group to keep Repeater even tidier.

Scanner

The Scanner is your friend. I believe that intelligent scanning, coupling your intuition with the scanner, is a valuable use of testing time.

How to scan effectively?

I used to send a request to Intruder, manually set some insertion points on the parameters I found interesting, then right-click and choose "Scan defined insertion points".

Now I recommend the Pentagrid Scan Controller extension. See how it works in the presentation at Area41.

Enhance the scanner with Backslash Powered Scanner. See how it works in the PortSwigger blog post.

Extensions

Hackvertor

Hackvertor is a tag-based converter.

Example.

GET /infosec/conferences/<@urlencode>insomnihack?q=' or '1'='1<@/urlencode> HTTP/2
Host: darkvolumes.nz

Everything inside the tags is converted (in the example to URL encoding). This is very convenient because it is easier to work with a plaintext payload which is converted automatically when the request is sent.

Hackvertor supports nesting of tags, e.g.

GET /infosec/conferences/<@urlencode><@base64>insomnihack<@/base64>/<@/urlencode>/ HTTP/2
Host: darkvolumes.nz

which then results in

GET /infosec/conferences/aW5zb21uaWhhY2s%3D%2F/ HTTP/2
Host: darkvolumes.nz

The example does not make too much sense but you get the idea.
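To show how the nesting resolves, here is an added example (mine, not Hackvertor's code) of a tiny evaluator for paired tags that, like Hackvertor, always converts the innermost pair first. Only base64, urlencode and hex are implemented, and the urlencode stand-in assumes every character outside the unreserved set is percent-encoded, which is consistent with the '=' and '/' in the article's output; self-closing tags such as <@get_path/> are not handled.

```python
import base64
import re
from urllib.parse import quote

# Stand-ins for three Hackvertor tags (assumption: urlencode encodes everything
# outside the unreserved set, matching the %3D and %2F seen in the article).
TAGS = {
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "urlencode": lambda s: quote(s, safe=""),
    "hex": lambda s: s.encode().hex(),
}

# A <@tag>...<@/tag> pair whose body contains no other tag, i.e. an innermost pair.
INNERMOST = re.compile(r"<@(\w+)>((?:(?!<@).)*)<@/\1>", re.S)


def evaluate(text: str) -> str:
    """Resolve nested tag pairs innermost-first until no pair is left.

    Unknown tag names raise; mismatched or unpaired tags are left untouched.
    """
    def run(match):
        name, body = match.group(1), match.group(2)
        if name not in TAGS:
            raise ValueError(f"unknown tag {name!r}")
        return TAGS[name](body)

    while True:
        text, replaced = INNERMOST.subn(run, text)
        if replaced == 0:
            return text


if __name__ == "__main__":
    # The article's nested example, resolved step by step:
    # base64 first -> aW5zb21uaWhhY2s=/ , then urlencode -> aW5zb21uaWhhY2s%3D%2F
    print(evaluate("GET /infosec/conferences/<@urlencode><@base64>insomnihack<@/base64>/<@/urlencode>/ HTTP/2"))
```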

Hackvertor can also run Python.

Remark: code execution tags are disabled by default and must be enabled in Hackvertor's settings before the python tag does anything.

An example where it was useful was a web application where JavaScript computed an HMAC for each URL, which was then validated server-side. This would have made testing very annoying, since for each URL I would have had to compute the HMAC manually (the secret key is known client-side).

However, I could automate it with Hackvertor with the following, where "secret-key" stands for the hex-encoded key taken from the client-side code:

GET <@set_path>/rest/endpoint?param=foo<@/set_path>&mac=<@base64url><@hex2ascii><@python('
import binascii
import hashlib
import hmac
output = hmac.new(binascii.unhexlify("secret-key"), input, hashlib.sha256).hexdigest().upper()','58fa64a1fc80dcaa4730289edde792c9')><@get_path/><@/python><@/hex2ascii><@/base64url> HTTP/1.1

The set_path tag stores the path in a variable so that it is both sent as the URL and, via get_path, fed to the python tag as its input. The python tag returns the hex digest, hex2ascii turns it back into raw bytes, and base64url encodes those bytes into the mac parameter.
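To check what the tag chain above actually produces, here is an added example (mine, not the article's or Hackvertor's code) that computes the same URL MAC in plain Python, both by mimicking the chain step by step (hex digest, hex2ascii, base64url) and directly from the raw digest, and then verifies a signed URL the way the server side would. The key is a constructed placeholder (the RFC 4231 test key "Jefe", hex 4a656665); it assumes base64url keeps its "=" padding, and the path is the article's /rest/endpoint?param=foo.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed placeholder for the hex-encoded client-side key ("Jefe", RFC 4231 test case 2).
DEMO_KEY_HEX = "4a656665"


def mac_hex(key_hex: str, data: str) -> str:
    """What the python tag computes: HMAC-SHA256 with a hex-decoded key, uppercase hex digest."""
    key = binascii.unhexlify(key_hex)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest().upper()


def mac_via_tag_chain(key_hex: str, data: str) -> str:
    """Mimic base64url(hex2ascii(python(...))): decode the hex back to bytes, then base64url."""
    raw = bytes.fromhex(mac_hex(key_hex, data))          # hex2ascii
    return base64.urlsafe_b64encode(raw).decode()         # base64url (assumes padding is kept)


def mac_b64url(key_hex: str, data: str) -> str:
    """Same value straight from the raw digest; the upper() and hex round-trip change nothing."""
    digest = hmac.new(binascii.unhexlify(key_hex), data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def sign_url(key_hex: str, path: str) -> str:
    """Append the mac parameter to a path, as the article's request does."""
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}mac={mac_b64url(key_hex, path)}"


def verify_url(key_hex: str, signed: str) -> bool:
    """Server-side check: strip the trailing mac parameter, recompute, compare in constant time."""
    for sep in ("&mac=", "?mac="):
        if sep in signed:
            path, mac = signed.rsplit(sep, 1)
            return hmac.compare_digest(mac, mac_b64url(key_hex, path))
    return False


if __name__ == "__main__":
    signed = sign_url(DEMO_KEY_HEX, "/rest/endpoint?param=foo")
    print("GET", signed, "HTTP/1.1")
    print("valid:", verify_url(DEMO_KEY_HEX, signed))
    print("tampered valid:", verify_url(DEMO_KEY_HEX, signed.replace("param=foo", "param=bar")))
```

Because the server only binds the MAC to the path, changing any byte of the path (a tampered parameter value, an added parameter) invalidates it, which is exactly why every manually edited request needs a freshly computed mac and why the Hackvertor tags pay off.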

Some extensions which I find useful.

| Extension | Purpose |
| --- | --- |
| Auth Analyzer | Test access control by replaying requests with the cookie of another user and comparing the responses |
| Stepper | See the official Stepper documentation |
| CORS* | Test CORS |
| Piper | Diff requests/responses and view PDFs |
| Upload Scanner | See the documentation at https://github.com/PortSwigger/upload-scanner |
| Pentagrid Scan Controller | See how it works in the presentation at Area41 |
| HTTP Mock | Replace NSFW content or get rid of AI help chats |
| Param Miner | Find hidden parameters |
| JSON Web Tokens | Decode and manipulate JWTs on the fly |
| InQL | Parse GraphQL schemas |
| Wsdler | Parse WSDL schemas |
| SAML Raider | Inspect SAML messages and perform multiple attacks |
| Turbo Intruder | See the PortSwigger blog post. Example of usage: race conditions on file upload |

Up-to-date Bapp Extensions

When testing on a laptop behind a corporate proxy it is convenient to have an up-to-date archive of the needed extensions.

The following script fetches Burp extensions from a list and zips them into an archive ready to be copied over.

BApp Downloader

Misc

SOCKS proxy

Burp can send its traffic through an upstream SOCKS proxy (Settings > Network > Connections).

A use case example is testing a web application that is only available via Citrix. A SOCKS proxy can be established to the Citrix session with SocksOverRDP, and the application can then be tested with Burp locally via the proxy.

NTLM Authentication

Burp supports NTLM authentication via platform authentication (Settings > Network > Connections).