Introduction
There are 7 functions discussed in this Burp Suite room:
1) Proxy
2) Repeater
3) Intruder
4) Decoder
5) Comparer
6) Sequencer
7) Extender
Proxy, Repeater and Intruder were summarized in Part 1.
The remaining 4 functions will be summarized here in Part 2.
Burp Suite: Decoder
Decoder allows us to:
- Decode information that we captured during an attack.
- Encode our payload to send to our target.
- Create hash values (MD5, SHA1, SHA256, etc.)
- Use ‘Smart Decode’, which attempts to recognise and decode encoded text automatically.
- Edit the input byte-by-byte via ‘Hex’ View
Different types of decoding/encoding methods
- Plain: Plaintext is what we have before performing any transformations.
- URL encoding: To make data safe to transfer in the URL of a web request. It is a useful method for any kind of application testing.
- HTML: Encodes characters that have special meaning in HTML so they render safely in a page; it can be used to prevent attacks such as XSS.
- Base64: To encode data in an ASCII-compatible format.
- ASCII Hex: Each character of the original data is taken individually and its numeric ASCII value is converted to hexadecimal.
- Hex, Octal, and Binary: Only apply to numeric inputs; they convert between decimal, hexadecimal, octal (base eight) and binary.
- Gzip: To compress data, commonly used to reduce file sizes.
Useful tools:
GZip (https://codebeautify.org/gzip-decompress-online)
Cyberchef (https://gchq.github.io/CyberChef/)
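To make the Decoder operations concrete, here is an added Python example (not from the TryHackMe room and not Burp Suite's own code) that reproduces each transformation with the standard library, plus a simplified Smart Decode that peels off layers until no decoder produces printable text. The sample value and the function names are mine, and the layer detection is a deliberately simple stand-in for what Burp does.

```python
import base64
import binascii
import gzip
import hashlib
import html
import urllib.parse

# Constructed sample value, the kind of thing pulled out of a captured request.
SAMPLE = "user=alice&role=<admin>"


def url_encode(s: str) -> str:
    # safe="" so that '=', '&', '<' and '>' are all percent-encoded
    return urllib.parse.quote(s, safe="")


def url_decode(s: str) -> str:
    return urllib.parse.unquote(s)


def html_encode(s: str) -> str:
    # Escapes & < > " ' so the value is rendered as text, not as markup
    return html.escape(s)


def html_decode(s: str) -> str:
    return html.unescape(s)


def base64_encode(s: str) -> str:
    return base64.b64encode(s.encode()).decode("ascii")


def base64_decode(s: str) -> str:
    # validate=True rejects input containing characters outside the Base64 alphabet
    return base64.b64decode(s, validate=True).decode()


def ascii_hex_encode(s: str) -> str:
    # Each byte becomes two hex digits: "u" (0x75) -> "75"
    return s.encode().hex()


def ascii_hex_decode(s: str) -> str:
    return bytes.fromhex(s).decode()


def number_bases(text: str, base: int) -> dict:
    # Hex/Octal/Binary only make sense for numeric input; parse it in the given base
    n = int(text, base)
    return {"dec": str(n), "hex": format(n, "x"), "oct": format(n, "o"), "bin": format(n, "b")}


def gzip_compress(s: str) -> bytes:
    return gzip.compress(s.encode())


def gzip_decompress(data: bytes) -> str:
    return gzip.decompress(data).decode()


def hashes(s: str) -> dict:
    data = s.encode()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Decoders tried, in this order, by the simplified Smart Decode below.
DECODERS = [
    ("url", url_decode),
    ("html", html_decode),
    ("base64", base64_decode),
    ("ascii-hex", ascii_hex_decode),
]


def smart_decode(s: str, max_layers: int = 5) -> list:
    """Simplified Smart Decode: repeatedly apply the first decoder that changes the
    input and still yields printable text, recording each layer as (method, result).
    Stops when no decoder makes progress or max_layers is reached."""
    layers = []
    current = s
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                candidate = decode(current)
            except (ValueError, binascii.Error, UnicodeDecodeError):
                continue  # not valid input for this decoder; try the next one
            if candidate != current and candidate.isprintable():
                layers.append((name, candidate))
                current = candidate
                break
        else:
            break  # no decoder produced anything new: we have reached plaintext
    return layers


if __name__ == "__main__":
    print(url_encode(SAMPLE))
    print(html_encode(SAMPLE))
    wrapped = url_encode(base64_encode("user=alice"))  # Base64 inside URL encoding
    for method, value in smart_decode(wrapped):
        print(f"{method:>9}: {value}")
    print(hashes(SAMPLE)["sha256"])
```

Running the script shows a two-layer value being unwrapped (URL encoding first, then Base64). The decoder order matters: a string made only of hex digits with a length divisible by four is valid Base64 as well as valid ASCII hex, so any automatic decoder, Burp's included, can pick the wrong interpretation and the result should be sanity-checked by eye.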
Burp Suite: Comparer
Comparer allows us to:
- Select two datasets for comparison.
- Load data from a file for comparison.
- Make a comparison with either words or bytes.
Comparer is useful for:
- Comparing large data sets, as the differences can be easily identified.
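The word-versus-byte distinction is easier to see on real data. The following is an added Python example (not from the room or from Burp) that compares two constructed HTTP responses to the same login form the way Comparer does: once split into words, once byte by byte. The responses, the helper names and the use of difflib are my choices.

```python
from difflib import SequenceMatcher

# Two constructed responses to the same login request: one for an unknown
# username, one for a known username with the wrong password.
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "Invalid username or password"
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 16\r\n"
    "\r\n"
    "Invalid password"
)


def _diff(a, b) -> list:
    """Return only the regions where the two sequences differ, as
    (tag, slice_of_a, slice_of_b) tuples; 'equal' regions are dropped.
    autojunk=False so long inputs are not heuristically pruned."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return [
        (tag, a[i1:i2], b[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def compare_words(a: str, b: str) -> list:
    # Word-level comparison: each whitespace-separated token is one unit
    return _diff(a.split(), b.split())


def compare_bytes(a: bytes, b: bytes) -> list:
    # Byte-level comparison: every differing byte run is reported individually
    return _diff(a, b)


if __name__ == "__main__":
    for tag, left, right in compare_words(RESPONSE_A, RESPONSE_B):
        print(f"words  {tag:8} {left!r} -> {right!r}")
    for tag, left, right in compare_bytes(RESPONSE_A.encode(), RESPONSE_B.encode()):
        print(f"bytes  {tag:8} {left!r} -> {right!r}")
```

The word comparison surfaces two differences (the Content-Length value and the missing words "username or"), which is the readable view for large bodies; the byte comparison reports exact offsets, which matters when the difference is in whitespace or binary content. From the defender's side, the fact that the two responses differ at all is the finding: returning the same message and length for both cases removes the signal.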
Burp Suite: Sequencer
Sequencer allows us to:
- Measure the entropy (randomness) of “tokens”.
- Analyze the randomness of a session cookie or Cross-Site Request Forgery (CSRF) token.
Main methods to perform token analysis:
- Live Capture: Making the same request (captured live in Proxy > sent to Sequencer) thousands of times automatically and storing the generated token samples for analysis.
- Manual Load: Loading a list of pre-generated token samples, avoiding thousands of requests to our target.
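To show what "measuring the entropy of tokens" means in practice, here is an added Python example (not from the room or from Burp Suite) in the spirit of Manual Load: it takes a list of already-collected tokens and reports how unpredictable each character position is. Burp runs a larger battery of character-level and bit-level statistical tests; this per-position Shannon entropy is a simplified stand-in, and the two token schemes and all function names are constructed by me.

```python
import math
import secrets
from collections import Counter


def position_entropy(tokens: list) -> list:
    """Shannon entropy (bits) of the character seen at each position across
    all tokens. A position that never changes scores 0; one that is uniformly
    random over the 16 hex digits scores 4."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    total = len(tokens)
    result = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        h = sum(-(c / total) * math.log2(c / total) for c in counts.values())
        result.append(h)
    return result


def mean_entropy(tokens: list) -> float:
    # Average bits of unpredictability per character position
    return sum(position_entropy(tokens)) / len(tokens[0])


def weak_positions(tokens: list, threshold_bits: float = 3.0) -> list:
    """Indices of positions carrying less than threshold_bits of entropy,
    i.e. the parts of the token that contribute little unpredictability."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold_bits]


def sequential_tokens(n: int) -> list:
    # Constructed weak scheme: a counter zero-padded to 16 hex digits
    return [format(i, "016x") for i in range(n)]


def random_tokens(n: int) -> list:
    # Constructed strong scheme: 16 hex digits from the OS CSPRNG
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("sequential", sequential_tokens(512)), ("random", random_tokens(512))):
        print(f"{label:>10}: mean {mean_entropy(sample):.2f} bits/char, "
              f"weak positions {weak_positions(sample)}")
```

With 512 samples, the counter scheme averages about 0.56 bits per character and flags positions 0 to 13 as weak (they barely change across the sample), while the CSPRNG tokens sit close to the 4-bit maximum at every position. Sample size matters for this kind of analysis: with very few tokens even a good generator looks low-entropy, which is why Burp's Live Capture collects thousands.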
Burp Suite: Extender
Four Extender functions were discussed in this room:
- Extensions: Provides a list of extensions that were installed and allows us to activate/deactivate them.
- BApp Store: Allows us to easily list official extensions and integrate them seamlessly with Burp Suite.
- Jython: To use Python modules in Burp Suite.
- APIs: Existing modules that can be integrated with Burp Suite.
More information on Burp Suite extensions:
https://portswigger.net/burp/documentation/desktop/extensions/installing-extensions
Conclusion
In my own opinion, if you are planning to become a Penetration Tester, you must learn how to use Burp Suite and be familiar with it, especially the three functions that were mentioned above. Spend some time exploring Burp Suite in your own lab environment. Trust me, it will be worth it.
If you have any questions, feedback or tips, let me know in the comment section!