Burp - Advanced
Given you alredy know the basics of Burp (proxy, repeater and intruder) this article covers advanced features to be more efficient in testing.
Hot Keys
Shortcuts are extremely useful and can be configured from the User settings. These are the ones I use the most.
| Action | Hotkey |
|---|---|
| From proxy history send request to repeater | CTRL R |
| From proxy history send request to intruder | CTRL I |
| Add Intruder payload position marker | CTRL Shift M |
| Clear Intruder payload position markers | CTRL L |
| Insert Collaborator URL | CTRL O |
| Issue Repeater Request | CTRL space |
| Issue Intruder Attack | CTRL Enter |
| Go back in repeater history | CTRL < |
| Go forward in repeater history | CTRL > |
| Go to previous tab | CTRL Shift - |
| Go to next tab | CTRL Shift + |
| Switch to target | CTRL Shift T |
| Switch to dashboard | CTRL Shift D |
| Switch to proxy | CTRL Shift P |
| Forward Intercepted Proxy Message | CTRL F |
| Forward Intercepted Proxy Request and Intercept the Response | CTRL Shift F |
Clean Project - Dashboard and Target
When creating a project two tasks are active by default: live passive crawl from proxy and live audit from proxy.
Live audit will perform passive checks on the proxy traffic and populate the issue activity. Personally I consider these findings to pollute the list of issues rather than providing real value. I prefer to disable this task. In this manner only findings from active scans will be displayed.
Similar reasoning goes for live passive crawl which populates the Target tree. Let’s say that you open google.com in the Burp browser by mistake, the Target will be polluted by multiple domains which are completely out of scope.
Instead I recommend to keep the Passive Crawl task but to set it to Scope traffic only.
Now the Target contains only in-scope domains.
Proxy
Requests in proxy history can be highlighted or annotated with a comment.
A use case is to mark something as interesting to go back to it later.
Another use case is leveraging colors to explains topics, e.g. if you are explaining SAML where three parties are involved (client, service provider and identity provider) you can match colors to each party.
Match And Replace
Match and Replace is extremly useful. Here are some usecases.
Replace the username or email with something easy to type. This is especially useful if you have distinct roles and you can just type something like myclient, mypartner, myadmin instead of looking up and copy pasting each email address.
Note that I use the prefix “my” as in “mypartner” instead of the plain “partner” to avoid having unrelated parameters being unintentionally replaced.
The same reasoning applies to passwords, why copy pasting them from a document or password manager when it is possible to quickly type something easy to remember?
It is also possible to use Match and Replace for a custom payload, e.g.
However I have not yet found a satisfying solution to this approach as the same Web Application might send user input URL encoded for some requests and not URL encoded in JSON requests, thus I do not see a way to have a single mnemonic keyword to inject payloads for both URL encoded and JSON requests.
It is also possible to replace headers, I personally like to remove unneeded client headers to have a cleaner request which also takes less space in reports.
In the example below I use two match and replace rules with regexes ^Sec-Ch-Ua.*$ and ^Sec-Fetch.*$.
Repeater
Repeater tabs can be renamed and grouped into named and colored grups.
Moreover when a request is sent to Repeater it is possible to choose a default Tab group to keep Repeater even tidier.
Scanner
The Scanner is your friend. I believe that doing intelligent scanning by coupling your intutition with the scanner is valuable use of testing time.
How to scan effectively?
I used to send a request to Intruder, manually set some insertion points on the parameters I found interesting, then right click and “Scan defined insertion points.”.
Now I recommend Pentagrid Scan Controller. See how it works in the Presentation at Area41
Enhance the scanner with Backslash Powered Scanner. See how it works in the Portswigger blogpost.
Extensions
Hackvertor
Hackvertor is a tag based convertor.
Example.
GET /infosec/conferences/<@urlencode>insomnihack?q=' or '1'='1<@/urlencode> HTTP/2
Host: darkvolumes.nz
Everything inside the tags will be converted (in the example to url encoding). This is very convenient because it is easier to work with plaintext payload which is converted automatically when the request is sent.
Hackvertor supports nesting of tags, e.g.
GET /infosec/conferences/<@urlencode><@base64>insomnihack<@/base64>/<@/urlencode>/ HTTP/2
Host: darkvolumes.nz
which then results in
GET /infosec/conferences/aW5zb21uaWhhY2s%3D%2F/ HTTP/2
Host: darkvolumes.nz
The example does not make too much sense but you get the idea.
Hackvertor can also run python.
Remark. You need to enable code execution.
An example where it was useful was a web application where javascript computed an hmac for each URL which was then validated server-side. This would have made testing very annoying since for each URL I would have had to manually compute the HMAC (the secret key is known client side).
However I could automate it with hackvertor with the following:
GET <@set_path>/rest/endpoint?param=foo<@/set_path>&mac=<@base64url><@hex2ascii><@python('
import binascii
import hashlib
import hmac
output = hmac.new(binascii.unhexlify("secret-key"), input, hashlib.sha256).hexdigest().upper()','58fa64a1fc80dcaa4730289edde792c9')><@get_path/><@/python><@/hex2ascii><@/base64url> HTTP/1.1
Recommended Extensions
Some extensions which I find usueful.
| Extension | Purpose |
|---|---|
| Auth Analyzer | Test access control, replaying requests with the cookie of another user and comparing the response |
| Stepper | Check the official stepper doc |
| CORS* | Test CORS |
| Piper | Diff requests/responses and View PDFs |
| Upload Scanner | Check the documentation at https://github.com/PortSwigger/upload-scanner |
| Pentagrid Scan Controller | Check how it works in the Presentation at Area41 |
| HTTP Mock | Replace NSFW content or get rid of AI help chats |
| Param Miner | Find hidden parameters |
| JSON Web Tokens | Decode and manipulate JWT on the fly |
| InQL | Parse GraphQL schema |
| Wsdler | Parse WSDL schema |
| SAML Raider | Inspect SAML messages and perform multiple attacks |
| Turbo Intruder | See Portswigger blog post. Example of usage: race conditions for file upload |
Up-to-date Bapp Extensions
When testing on a laptop behind a corporate proxy it is convenient to have an updated archive with the needed extensions.
The following script fetches Burp extensions from a list and zips them into an archive ready to copy paste.
Misc
SOCKS proxy
Burp supports a SOCKS proxy.
A use case example could be testing a web application available via Citrix. A socks proxy can be established to Citrix with SocksOverRDP and then the application can be tested using Burp locally via the proxy.
NTLM Authentication
Burp supports NTLM authentication.