BurpSuite usage guide (detailed explanation)

Copyright statement: This article is an original article by the blogger and follows the CC 4.0 BY-SA copyright agreement. Please attach the original source link and this statement when reprinting. Original link: BurpSuite usage guide (detailed explanation)_Alphabets26's blog-CSDN blog_burpsuite


# BurpSuite usage guide (detailed explanation) 18-chapter series

Table of Contents

Chapter 1 Burp Suite installation and environment configuration

Chapter 2 Burp Suite proxy and browser settings
  IE settings
  FireFox settings
  Google Chrome settings

Chapter 3 How to use Burp Suite proxy
  Basic use of Burp Proxy
  Data interception and control
  Options configuration
  Regular expression configuration
  Other configuration items
  History

Chapter 1 Burp Suite installation and environment configuration


Burp Suite is an integrated penetration testing tool that brings together a variety of testing components, letting us carry out penetration testing of web applications, automatically or manually, more effectively. Using Burp Suite makes the testing work easier and more convenient: even without advanced skills, as long as we are familiar with Burp Suite, penetration testing becomes easier and more efficient.

Burp Suite is written in Java, and Java's cross-platform nature makes the software convenient to learn and use. Unlike other automated testing tools, Burp Suite requires you to configure some parameters manually and trigger the automated processes yourself before it starts working.

The Burp Suite executable is a Java jar file. The free version can be downloaded from the free version download address. The free version of Burp Suite has many limitations, and many advanced tools cannot be used; if you want more advanced features, you need to pay for the professional version. The main differences between the professional version and the free version are:

  1. Burp Scanner
  2. Saving and restoring workspaces
  3. Extension tools, such as Target Analyzer, Content Discovery and Task Scheduler.

This chapter mainly describes the basic configuration of Burp Suite, including the following content:

How to start Burp Suite from the command line
How to set the JVM memory size
IPv6 problem debugging

How to start Burp Suite from the command line

Burp Suite does not need to be installed. After downloading, you can launch it directly from the command line. However, Burp Suite is developed in Java and depends on the JRE at run time, so a Java runtime environment must be set up in advance. If you have not configured the Java environment, or do not know how to configure it, please refer to the Java environment configuration on a Windows 7 computer. After configuring the Java environment, first verify that the Java configuration is correct: if you enter java -version and the result shown in the figure below appears, the configuration is correct and complete.

At this point you only need to execute java -jar /your_burpsuite_path/burpSuite.jar in cmd to start Burp Suite. Alternatively, put the Burp Suite jar in the class_path directory and execute java -jar burpSuite.jar directly to start it. Note: your_burpsuite_path is the path where your Burp Suite is located, and the burpSuite.jar file name must match the name of the jar file you downloaded.

How to set the JVM memory size


If the Java runtime environment is configured correctly, you can start the software by double-clicking burpSuite.jar. In that case Burp Suite allocates its maximum available memory automatically; the default is generally 64M. During penetration testing, if thousands of requests pass through Burp Suite, insufficient memory may cause Burp Suite to crash, losing the data collected during the test, which is something we do not want to see. Therefore, when we start Burp Suite, we usually specify the amount of memory it may use. Generally we allocate 2G of memory to Burp Suite; if your computer has enough memory you can allocate 4G, and if your computer has very little memory you can also allocate 128M. The more memory you give Burp Suite, the more work it can do. To specify the memory occupied by Burp Suite, add the following command line parameters to the startup script. Assume the startup script is named burp_suite_start.bat; its content is:

java -jar -Xmx2048M /your_burpsuite_path/burpsuite.jar

The parameter -Xmx specifies the maximum memory available to the JVM. The unit can be M or G. If the unit is G, the script content is:

java -jar -Xmx2G /your_burpsuite_path/burpsuite.jar

For more on JVM performance tuning, please read Oracle JVM Tuning.

IPv6 problem debugging

Burp Suite does not support IPv6 addresses for data communication. In that case, the following exception is thrown in the cmd console:

java.net.SocketException: Permission denied

At the same time, the browser also reports an error when it accesses the proxy:

Burp proxy error: Permission denied: connect

When this problem occurs, we need to modify the startup script to specify IPv4, and then restart Burp Suite:

java -jar -Xmx2048M -Djava.net.preferIPv4Stack=true /your_burpsuite_path/burpsuite.jar

Setting the -Djava.net.preferIPv4Stack=true parameter tells the Java runtime to use the IPv4 protocol stack for data communication and disables the IPv6 stack. This error is most common on 64-bit Windows operating systems running a 32-bit JDK.

Chapter 2 Burp Suite proxy and browser settings

The Burp Suite proxy tool intercepts all network traffic passing through the proxy, such as client request data and server responses. Burp Suite mainly intercepts HTTP and HTTPS traffic. Through interception, Burp Suite can, as a man in the middle, process client requests and server responses in various ways to achieve the purpose of security assessment and testing.
In our daily work, the web client we use most is the web browser. We can route the browser's traffic through the proxy and process the data that passes through the Burp Suite proxy.
Let's look at how to configure the Burp Suite proxy in IE, Firefox and Google Chrome respectively.

IE settings

When Burp Suite is started, the default proxy address and port are 127.0.0.1:8080, which we can view under Options on the Proxy tab of Burp Suite, as shown in the figure. Now we can configure IE to use the Burp Suite proxy with the following steps.

  1. Start Internet Explorer.
  2. Click the [Tools] menu and select [Internet Options].
  3. Open the [Connections] tab and click [LAN Settings] to configure the proxy.
  4. Fill in 127.0.0.1 in the address box of the proxy server settings and 8080 for the port. Click [OK] to complete the proxy server settings.
  5. The IE settings are now complete. You can visit http://burp and you will see the Burp Suite welcome page.

FireFox settings

Similar to the IE settings, in Firefox we also need to set some parameters so that the browser's traffic is sent through the Burp Suite proxy. The detailed steps are as follows:

  1. Start the Firefox browser, click the [Tools] menu, and click [Options].
  2. In the newly opened about:preferences#advanced window, click [Advanced] - [Network], and we will see the settings for how Firefox connects to the network.
  3. Click [Settings]; in the [Connection Settings] dialog that pops up, find "HTTP proxy", fill in 127.0.0.1 and port 8080, and finally click [OK] to save the settings and complete the Firefox proxy configuration.

Of course, in Firefox you can also add extensions to manage proxy servers. For example, FireX Proxy and Proxy Switcher are very useful; interested readers can download and try them.

Google Chrome settings

The steps to configure Google Chrome to use Burp Suite as its proxy server are as follows:

  1. Start Google Chrome, enter chrome://settings/ in the address bar, and press Enter to display the Chrome configuration page.
  2. Click [Show advanced settings] at the bottom to display Chrome's advanced settings.
  3. Alternatively, enter "proxy" in the search box and press Enter to jump straight to the proxy server settings.
  4. Click [Change proxy server settings]; on Windows this opens the IE proxy settings dialog. Follow the IE steps above to complete the proxy server configuration.

In addition to the three commonly used browsers above, there is also the Safari browser, which many users also use; please see the linked article for its proxy configuration.

Chapter 3 How to use Burp Suite proxy

Burp Proxy is the core of Burp Suite's user-driven testing workflow. Through the proxy, we can intercept, view and modify all data transmitted between the client and the server.
This chapter mainly covers the following contents:
Basic use of Burp Proxy
Data interception and control
Options configuration
History

Basic use of Burp Proxy

Through studying the previous chapter, we have a basic understanding of Burp Suite's proxy mode and of browser proxy settings. Using Burp Proxy is a step-by-step process. When you first start using it, you may not get the results you expect, but once you are familiar with its functions and usage you will be able to use it well to conduct a security assessment of a product system. Generally, the steps involved in using Burp Proxy are as follows:

  1. First, confirm that the JRE is installed, that Burp Suite starts and runs normally, and that the browser's proxy server configuration is complete.
  2. Open the Intercept tab in the Proxy function and confirm that interception is in the "Intercept is on" state. If it shows "Intercept is off", click it to turn interception on.
  3. Open the browser, enter the URL you need to access (take http://baike.baidu.com/ as an example) and press Enter. You will see the data traffic pass through Burp Proxy and pause there until you click [Forward], after which transmission continues. If you click [Drop], the data of this request is discarded and no longer processed.
  4. When we click [Forward], we will see all the data returned for this request.
  5. After the client-server interaction intercepted by Burp Suite completes, we can view the entity content, message headers, request parameters and other information of the request in Burp Suite's message analysis tab. The message analysis view mainly includes the following four items:
  6. Raw: this view displays the raw format of the web request, including the request address, HTTP protocol version, Host header, browser information, acceptable content types (Accept), character set, encoding, cookies, etc. You can manually modify this information to perform penetration testing on the server side.
  7. Params: this view displays the request parameters sent by the client, including GET or POST request parameters and cookie parameters. Penetration testers can carry out server-side testing by modifying these request parameters.
  8. Headers: the information displayed in this view is similar to that in Raw, but the display is more intuitive and friendly.
  9. Hex: this view displays the binary content of Raw; you can modify the request content through the hex editor.

By default, Burp Proxy only intercepts request messages; ordinary file requests such as CSS, JS and images are not intercepted. You can modify the default interception options to intercept these static files. You can also use the interception options, such as Scope, parameters or keywords in the server's response, to control which messages Burp Proxy intercepts; we will learn more about these in later chapters. All messages flowing through Burp Proxy are recorded in the HTTP history. We can view the transmitted data through the history tab and test and verify the exchanged data. At the same time, intercepted messages and history messages can be sent, via the right-click pop-up menu, to other Burp components such as Spider, Scanner, Repeater, Intruder, Sequencer, Decoder, Comparer and Extender for further testing, as shown below:

Data interception and control

The interception function of Burp Proxy consists mainly of Forward, Drop, Intercept is on/off, Action, Comment and Highlight in the Intercept tab. Their functions are as follows.

Forward: after you have viewed or re-edited the message, click this button to send the message on to the server.

Drop: discards the currently intercepted message and does not forward it to the server.

Intercept is on: interception is enabled, and all request data passing through Burp Proxy is intercepted. Intercept is off: interception is disabled, and request data passing through Burp Proxy is no longer intercepted.

Action: in addition to passing the current request message to the Spider, Scanner, Repeater, Intruder, Sequencer, Decoder and Comparer components, it can make some modifications, such as changing the request method between GET and POST and changing the request body encoding. You can also change the interception settings for request messages, such as no longer intercepting messages from this host, from this IP address or in this directory, and you can also ask for the server's response to this message to be intercepted.

Comment: adds a comment to the intercepted message. During a penetration test you usually encounter a series of request messages; to tell them apart, you can add a comment to a key request message.

Highlight: somewhat similar to Comment; it highlights the currently intercepted message so that it can be distinguished from other request messages.

In addition to the control over messages passing through the Proxy in Intercept, there are also many settings in the Options tab that control and process the messages flowing through.

Options configurationOptions

When we open the Options settings tab, judging from the interface, it mainly includes the following major sections (functions involving HTTPS are not covered in this chapter and will be described in a later chapter):

Client request message interception
Server response message interception
Server response message modification
Regular expression configuration
Other configuration items

Client request message interception

Client request message interception refers to the configuration options for intercepting messages sent from the client to the server. The interface is as follows. It mainly includes three parts: interception rule configuration, automatic repair of missing newlines, and automatic updating of the Content-Length header.

  1. If the "Intercept requests based on the following rules" checkbox is selected, all messages matching the rules listed below the checkbox are intercepted. When intercepting, the rules are evaluated from top to bottom. We can adjust the position and order of the rules with the [Up] and [Down] buttons as needed. We can also click [Add] to add a rule, select a rule and click [Edit] to edit it, or click [Remove] to delete it. When we click [Add], the dialog for adding a rule pops up, as shown below. An interception rule has four input items. Boolean operator indicates whether the current rule is combined with the other rules with AND or OR; Match type indicates the matching type, which can be based on domain name, IP address, protocol, request method, URL, file type, parameters, cookies, header or content, status code, MIME type, title of the HTML page, etc.; Match relationship indicates whether the rule matches or does not match the keyword entered in Match condition. When we have entered this information and clicked [OK], the rule is saved.
  2. If the "Automatically fix missing newlines" checkbox is selected, Burp Suite automatically fixes missing or redundant newlines when a message is transmitted. For example, if a modified request message has lost the blank line at the end of the headers, Burp Suite adds it back; if the body of a request contains redundant trailing newlines, they are removed. This function guards against errors when manually modifying request messages.
  3. If the "Automatically update Content-Length" checkbox is selected, then when a request message is modified, the Content-Length header is automatically updated to the corresponding value.

Server response message interception

Server response message interception, as the name suggests, refers to the configuration items for intercepting messages returned by the server. Its interface is as follows. Its functions mainly include "Intercept responses based on the following rules" and "Automatically update Content-Length header when the response is edited". These two options correspond to "Intercept requests based on the following rules" and "Automatically update Content-Length header when the request is edited" in client request message interception and are not described again; please refer to the previous section.

Server response message modification

Server response message modification refers to the settings for automatically modifying the server's response messages. The interface is as follows. From top to bottom, the functions of the options are:

Unhide hidden fields in forms
Highlight the unhidden fields in forms
Enable disabled fields in forms so that they become input fields
Remove input field length limits
Remove JavaScript form validation
Remove all JavaScript
Remove <object> tags
Convert HTTPS hyperlinks to HTTP links
Remove the secure flag from all cookies

Modifying these response settings helps penetration testers break through the original client-side data limitations during a security assessment and detect server-side security problems better and faster.

Regular expression configuration

This configuration is mainly used to automatically replace certain values and text in request messages and server response messages. It differs from the previous rules in that it supports regular expressions. When the [Add] button is clicked, the match/replace rule dialog pops up; in it we can see that matching and replacement can be applied to the message headers, the message body, request parameter names, request parameter values, and the first line of requests and responses.
For example, when we want to replace the email address in all response messages with [email protected], we can fill in the input items as in the figure below and save the rule.
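Added example, not code from the blog or from Burp Suite itself: a small Python model of what the "Automatically fix missing newlines", "Automatically update Content-Length" and match/replace options above do to a raw message, so the effect of each option can be seen on a concrete response. The rule scopes, the sample response and the masking rule are constructed for this illustration.

```python
import re
from typing import List, Tuple

# A header line is "Name: value"; Name is an HTTP token (RFC 7230 tchar set).
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")

# One match/replace rule: scope ("first_line", "header" or "body"), regex, replacement.
Rule = Tuple[str, str, str]


def split_message(raw: str) -> Tuple[str, List[str], str]:
    """Split a raw HTTP message into (first line, header lines, body).

    Tolerates a message whose blank line after the headers was lost while
    editing by hand: the body starts at the first line that does not look
    like a "Name: value" header (a heuristic, as any such repair must be).
    """
    lines = raw.split("\r\n")
    first, rest = lines[0], lines[1:]
    headers: List[str] = []
    i = 0
    while i < len(rest) and rest[i] and HEADER_NAME.match(rest[i]):
        headers.append(rest[i])
        i += 1
    if i < len(rest) and rest[i] == "":
        i += 1  # skip the blank separator when it is present
    return first, headers, "\r\n".join(rest[i:])


def apply_rules(first: str, headers: List[str], body: str,
                rules: List[Rule]) -> Tuple[str, List[str], str]:
    """Apply each regex rule only to the part of the message it is scoped to."""
    for scope, pattern, repl in rules:
        rx = re.compile(pattern)
        if scope == "first_line":
            first = rx.sub(repl, first)
        elif scope == "header":
            headers = [rx.sub(repl, h) for h in headers]
        elif scope == "body":
            body = rx.sub(repl, body)
        else:
            raise ValueError(f"unknown rule scope {scope!r}")
    return first, headers, body


def rebuild(first: str, headers: List[str], body: str,
            fix_newlines: bool = True, update_length: bool = True) -> str:
    """Reassemble the message, mirroring the two checkbox options."""
    if fix_newlines:
        body = body.rstrip("\r\n")  # drop redundant trailing newlines
    if update_length:
        def is_len(h: str) -> bool:
            return h.lower().startswith("content-length:")
        had_length = any(is_len(h) for h in headers)
        headers = [h for h in headers if not is_len(h)]
        if body or had_length:
            headers.append(f"Content-Length: {len(body.encode('utf-8'))}")
    # The blank line that ends the header block is always written back.
    return "\r\n".join([first, *headers]) + "\r\n\r\n" + body


def rewrite(raw: str, rules: List[Rule]) -> str:
    return rebuild(*apply_rules(*split_message(raw), rules))


# Constructed sample: a response edited by hand, so the blank line after the
# headers is gone, the body has stray trailing newlines and Content-Length is stale.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.1\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 10\r\n"
    "<p>Contact: alice@example.org</p>\r\n\r\n"
)

# Constructed rules: mask e-mail addresses in the body (the page's example) and
# blank the Server banner in the headers.
RULES: List[Rule] = [
    ("body", r"[\w.+-]+@[\w-]+\.[\w.-]+", "redacted@example.com"),
    ("header", r"^Server:.*$", "Server: hidden"),
]
```

Running rewrite(SAMPLE_RESPONSE, RULES) yields a message with the separator restored, the e-mail and banner replaced, and Content-Length recomputed to the new body size.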

Other configuration items

Other configuration items are mainly miscellaneous settings. The interface is as follows; the functions from top to bottom are:

Use HTTP/1.0 in requests to the server. This setting forces the client to use HTTP/1.0 when communicating with the server. Generally the HTTP version used depends on the client browser, but some servers or applications require HTTP/1.0; in that case you can check this option.
Use HTTP/1.0 in responses to the client. Currently all browsers support both HTTP/1.0 and HTTP/1.1. Forcing HTTP/1.0 in responses is mainly used to constrain certain browser behaviours, such as preventing HTTP pipelining attacks.
Set "Connection: close" in response headers. This can also be used to prevent HTTP pipelining attacks in some cases.
Remove Proxy-* headers from requests. Browser requests usually carry proxy-related headers; this option clears the proxy server information from the message headers.
Decompress compressed bodies in requests. Some applications compress the message body when talking to the server; if you check this option, Burp Suite automatically decompresses the request body.
Decompress compressed bodies in responses. Most browsers support compressed message bodies; check this option and Burp Suite automatically decompresses bodies compressed by the server.
Disable the web interface at http://burp.
Allow access to the web interface through DNS and host name, that is, by domain name or host name.
Do not show Burp Suite errors in the browser. When an error occurs in Burp Suite itself, it is normally displayed in the browser; if this option is checked, such errors are not shown there.
Disable logging to history and site map. This prevents logging to the history and site map. It can be useful in some cases, for example when authenticating through an upstream server or doing regular expression replacement, to reduce memory consumption and log storage.
Intercept mode on startup. This option configures how the intercept function behaves at startup, with three choices: always enabled, always disabled, and restore the settings from the last Burp Suite session.

HistoryHistory

The history of Burp Proxy consists of two parts: HTTP history and WebSockets history.

The HTTP history interface consists of three parts: the filter, the history list, and the message details.

When we click on a history record, the details of this message are displayed in the message details block below. When we double-click a message, a dialog with the message details pops up. We can click the [Previous] and [Next] buttons at the upper right of the dialog to browse the previous or next message, or modify the Raw request parameters and then perform the various [Action] operations.

The history message list mainly includes the request sequence number, protocol and host name, request method, URL path, request parameters, cookies, whether the user has edited the message, and the HTTP status code returned by the server. Through this information we can accurately analyse the HTTP messages of one interaction between client and server. At the same time, the details view below provides a regular-expression search function so that penetration testers can find relevant information in the message body more easily.

When we are doing the security assessment of a product system, a large number of records accumulate in the HTTP history. For more convenient message management, Burp provides a filter function. When we click the Filter bar at the top of the HTTP history tab, the filter interface pops up. According to the filtering conditions, the filter is divided into 7 sub-sections:

Filter by request type. You can choose to show only items in the current scope, only items that have a server response, and only items with request parameters. When you check "Show only in-scope items", the scope must be configured in the Scope option of Burp Target; please read the relevant chapter on Burp Target for details.
Filter by MIME type. You can control whether messages of different file types returned by the server are displayed, for example only HTML, CSS or images. This filter currently supports 8 types: HTML, Script, XML, CSS, other text, images, Flash, and binary files.
Filter by HTTP status code returned by the server. Burp filters by status code class: 2XX, 3XX, 4XX and 5XX. For example, if you only want to display successful requests with a return status code of 200, check 2XX.
Filter by search term. This filter matches against the message content returned by the server. For the matching method you can choose any combination of three options: 1. Regular expression, 2. Case sensitive, 3. Negative search. The first two are easy to understand; the third means that messages matching the keyword are no longer displayed.
Filter by file type. There are two options: show only certain types, or hide certain types. To display only certain file types, fill in the file types to display in the "show only" input box; similarly, to hide certain file types, fill in the file types that should not be displayed in the "hide" input box.
Filter by annotation. This filter controls which messages are displayed in the history list based on the comment or highlight that was added to each message when it was intercepted.
Filter by listener port. This filter is usually used when we have multiple listening ports in Proxy Listeners, to display only messages that went through a certain listening port. Under normal circumstances we rarely use it.

Now let's take a look at the WebSockets history option. From the interface we can see that the functions and options provided by the WebSockets history are a subset of the HTTP history, but are separated into a specialized view because of the different communication method. Its use is the same as for the HTTP history, so I won't go into details here.
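Added example (not the blog's or Burp Suite's code): a Python model of the seven HTTP history filter sections described above, run over a constructed history, to make the combination semantics concrete: every enabled section must accept an entry for it to be listed, and "negative search" hides rather than shows the matching messages. The HistoryEntry and HistoryFilter classes and the sample rows are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HistoryEntry:
    """One row of the HTTP history (constructed, simplified)."""
    url: str
    status: Optional[int]      # None until the server has responded
    mime: str                  # coarse class: HTML, Script, XML, CSS, Text, Image, Flash, Binary
    has_params: bool
    response_body: str
    in_scope: bool = True
    comment: str = ""
    highlighted: bool = False
    listener_port: int = 8080


@dataclass
class HistoryFilter:
    """The seven filter sections; every enabled section must accept an entry."""
    only_in_scope: bool = False                 # 1. request type
    only_with_response: bool = False
    only_with_params: bool = False
    mime_types: Optional[Set[str]] = None       # 2. MIME type (None = show all)
    status_classes: Optional[Set[str]] = None   # 3. e.g. {"2XX", "4XX"} (None = show all)
    search: str = ""                            # 4. search term over the response
    regex: bool = False
    case_sensitive: bool = False
    negative: bool = False                      #    hide, rather than show, matches
    show_only_ext: Optional[Set[str]] = None    # 5. file type
    hide_ext: Set[str] = field(default_factory=set)
    only_annotated: bool = False                # 6. comment or highlight present
    listener_port: Optional[int] = None         # 7. listener port


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL's last path segment, '' when absent."""
    last = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def search_matches(f: HistoryFilter, body: str) -> bool:
    if not f.search:
        return True
    pattern = f.search if f.regex else re.escape(f.search)
    flags = 0 if f.case_sensitive else re.IGNORECASE
    found = re.search(pattern, body, flags) is not None
    return not found if f.negative else found


def is_visible(e: HistoryEntry, f: HistoryFilter) -> bool:
    if f.only_in_scope and not e.in_scope:
        return False
    if f.only_with_response and e.status is None:
        return False
    if f.only_with_params and not e.has_params:
        return False
    if f.mime_types is not None and e.mime not in f.mime_types:
        return False
    if f.status_classes is not None and (
            e.status is None or f"{e.status // 100}XX" not in f.status_classes):
        return False
    ext = extension_of(e.url)
    if f.show_only_ext is not None and ext not in f.show_only_ext:
        return False
    if ext in f.hide_ext:
        return False
    if f.only_annotated and not (e.comment or e.highlighted):
        return False
    if f.listener_port is not None and e.listener_port != f.listener_port:
        return False
    return search_matches(f, e.response_body)


def apply_filter(entries: List[HistoryEntry], f: HistoryFilter) -> List[HistoryEntry]:
    return [e for e in entries if is_visible(e, f)]


# Constructed sample history (five rows).
HISTORY = [
    HistoryEntry("http://app.example/login.php", 200, "HTML", False, "<form>"),
    HistoryEntry("http://app.example/login.php", 302, "HTML", True, ""),
    HistoryEntry("http://app.example/static/app.js", 200, "Script", False, "var x;"),
    HistoryEntry("http://app.example/admin", 403, "HTML", False, "Access denied", comment="check"),
    HistoryEntry("http://app.example/api/users?id=1", None, "HTML", True, ""),
]
```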
Through the study of this chapter, you have a deeper understanding of Burp Suite's proxy mode. You know that Burp Proxy, as the man in the middle, can make various modifications to request and response messages during interception, and can pass messages to other Burp components for further testing. At the same time, Burp Proxy's history log and its various filters let us quickly find the required data and key information during use. These greatly improve your work efficiency.
Your likes are my motivation to update!


Origin blog.csdn.net/weixin_44657888/article/details/124673968#comments_28132899