- web
- proxy
Burp Suite
Overview
Burp Suite sits between browser and application as an intercepting HTTP/S proxy. Every request and response passes through Burp's pipeline where you can modify, replay, fuzz, or automate analysis before forwarding to the destination.
The core workflow: configure browser proxy → intercept on → browse target → send interesting requests to Repeater for manual tampering → scale with Intruder (position markers + payload sets) → Scanner (Pro) for active vuln checks. Extensions via the Extender API add custom checks in Java or Python (Jython).
Burp holds session state through cookies, CSRF tokens, and recorded macro sequences. Macros and session handling rules re-run the login flow before Intruder or Scanner requests are sent, so authenticated endpoints stay in scope instead of failing on an expired session.
Collaborator (Pro) provides out-of-band interaction detection for blind SSRF, XXE, and deserialization bugs via DNS/HTTP callbacks to burpcollaborator.net or a private collaborator server.
Primary use cases
- Manual testing of auth, access control, and business logic flaws
- Parameter fuzzing for SQLi, XSS, and IDOR via Intruder sniper/battering ram modes
- Mapping attack surface with Site map and content discovery
- Active scanning (Pro) for reflected/stored XSS, SSRF, and injection classes
- Extension development for bespoke API formats (gRPC, GraphQL, custom JSON)
Key commands
Launch Burp (Kali)
burpsuite &
Headless project load (Pro automation)
java -jar burpsuite_pro.jar --project-file=project.burp --unpause-spider-and-scanner
Notable modules / features
- Proxy: intercept, match/replace rules, HTTP history, WebSockets
- Repeater: single-request editor with render/raw/hex views
- Intruder: sniper, battering ram, pitchfork, cluster bomb attack types
- Decoder, Comparer, Sequencer (token entropy), Logger++, DOM Invader
- BApp Store extensions: Autorize, Turbo Intruder, JWT Editor, Logger++
Detection / defense notes
- WAF/IPS may fingerprint Burp default User-Agent and TLS JA3; rotate profiles
- Rate-based blocking on Intruder; monitor 429/503 spikes from single client IP
- Log X-Forwarded-For at app layer when proxy chains obscure origin
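The rate-based and X-Forwarded-For notes above, as an added example that is not part of this page or of Burp Suite: a small Python detector that parses constructed access-log lines (assumed format: combined log plus a trailing quoted X-Forwarded-For field), honours X-Forwarded-For only when the direct peer is an assumed trusted proxy, and flags any client whose 429/503 responses cluster inside a ten-second window.

```python
# Added example (not from the page or PortSwigger): flag clients whose 429/503 responses
# cluster in a short window, resolving the real client via X-Forwarded-For only behind a trusted proxy.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: combined log format plus a trailing quoted X-Forwarded-For field.
# 10.0.0.5 is the assumed reverse proxy; 203.0.113.9 is the client behind it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "POST /login HTTP/1.1" 429 0 "203.0.113.9"
10.0.0.5 - - [12/May/2024:10:00:02 +0000] "POST /login HTTP/1.1" 429 0 "203.0.113.9"
10.0.0.5 - - [12/May/2024:10:00:03 +0000] "POST /login HTTP/1.1" 503 0 "203.0.113.9"
10.0.0.5 - - [12/May/2024:10:00:04 +0000] "POST /login HTTP/1.1" 429 0 "203.0.113.9"
198.51.100.7 - - [12/May/2024:10:00:03 +0000] "GET /api/items HTTP/1.1" 503 0 "-"
198.51.100.7 - - [12/May/2024:10:00:30 +0000] "GET /api/items HTTP/1.1" 503 0 "-"
not a log line
"""
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: only these peers may set X-Forwarded-For
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$')

def parse_line(line):
    """Return {client, status, ts}, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer, xff, client = m.group("ip"), m.group("xff"), m.group("ip")
    if peer in TRUSTED_PROXIES and xff not in ("", "-"):
        client = xff.split(",")[0].strip()  # first hop is the original client
    return {"client": client, "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_bursts(lines, window=timedelta(seconds=10), threshold=4):
    """Client -> peak 429/503 count inside any `window`; keep clients at/above `threshold`."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (429, 503):
            stamps[rec["client"]].append(rec["ts"])
    flagged = {}
    for client, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged
```

Rate-based blocking keyed on the resolved client, not on the proxy's own address, avoids blocking every user behind the same reverse proxy.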
Related tools
- SQLMap — SQL injection automation. DB fingerprinting, data dump, file read, and OS command execution via SQLi.
- nikto — Web server scanner. Tests for outdated software, dangerous files, and misconfigs.
- Nuclei — Template scanner. YAML checks for CVEs, misconfigs, and exposed services at scale.
- Shannon — White-box web pentester from Keygraph. Reads source repos, maps attack surfaces, runs browser and CLI exploits in Docker workers. Reports only validated PoCs. AGPL CLI; targets Injection, XSS, SSRF, auth, and authorization flaws.