An introduction to Burp Suite
Burp Suite is an integrated platform for web application security testing. It bundles many tools that share one workflow and one set of captured data, so you can test every component of a web application from a single interface.
Burp is the key tool when you need to check how robust a website's security controls are, how predictable its session tokens are, or how well the application validates the data it receives at each step of a workflow. It supports both detailed manual testing and automated techniques, and lets you combine the two to enumerate and analyze a web application's attack surface.
Burp has two editions that are available for download:
- Burp Suite Community Edition (pre-installed on Kali)
- Burp Suite Professional Edition (requires a yearly license, around 350 USD per year)
In summary, Burp is a local web proxy that lets you intercept, inspect, and manually modify HTTP and HTTPS requests and responses between your browser and the target website you are testing. (To see inside HTTPS traffic, the browser must trust Burp's CA certificate, which Burp generates and lets you export; otherwise the browser will refuse the connection or show certificate warnings.) While you navigate the application in the browser, the proxy records every request and response for every visited page. That traffic can then be analyzed, modified, visualized and, eventually, replayed as many times as needed. The Professional edition additionally scans for web application vulnerabilities.
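To make the "intercept, modify, replay" workflow concrete, here is an added example (not Burp code, and not from the original text) that does by hand what an operator does in the Proxy intercept window: parse a raw HTTP/1.1 request, change a body parameter or a header, and re-serialize it. The sample request, the host name `target.example`, and the function names are constructed for illustration. The one detail worth noticing is the Content-Length recomputation: when you edit a body in Burp the proxy updates the length for you, and a script that forgets to do so produces requests the server truncates or rejects.

```python
"""Parse, edit and re-serialize a raw HTTP/1.1 request, mirroring a manual
edit in Burp's Proxy intercept or Repeater.  Added example, not Burp's
own code; the request below is constructed."""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a login POST exactly as a browser would send it.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=pw1"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, ordered header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def serialize_request(request_line: str, headers, body: bytes) -> bytes:
    """Rebuild the raw request.  Content-Length is always recomputed so the
    server reads exactly the edited body; a stale length is the classic
    hand-editing mistake."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body:
        kept.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def set_form_param(raw: bytes, name: str, value: str) -> bytes:
    """Set one URL-encoded body parameter and return the new raw request."""
    request_line, headers, body = parse_request(raw)
    params = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    params[name] = value
    new_body = urlencode(params).encode("latin-1")
    return serialize_request(request_line, headers, new_body)


def set_header(raw: bytes, name: str, value: str) -> bytes:
    """Replace (or add) a header, for example to swap the session cookie."""
    request_line, headers, body = parse_request(raw)
    headers = [(n, v) for n, v in headers if n.lower() != name.lower()]
    headers.append((name, value))
    return serialize_request(request_line, headers, body)


if __name__ == "__main__":
    # Change the submitted username; note the updated Content-Length.
    print(set_form_param(SAMPLE_REQUEST, "username", "bob").decode("latin-1"))
    # Replay the same request with a different session cookie.
    print(set_header(SAMPLE_REQUEST, "Cookie", "session=zzz").decode("latin-1"))
```

The same two operations are the bulk of what Repeater is used for in practice: vary one parameter or one header, resend, and diff the responses.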
The different tools included in Burp Suite can be seen in the tabs area (see the following screenshot):
- Target: This tool shows your target application's contents in a folder hierarchy that mirrors the site's URL structure. It contains everything that has been discovered so far, whether by manually browsing the site or by crawling it.
- Proxy: This is the core of Burp. It sits between your browser and the target and lets you intercept, inspect, and modify all web traffic passing through it.
- Spider: This is a web crawler that walks the application to discover content and functionality.
- Scanner: This is a web vulnerability scanner that automatically detects many classes of vulnerability, such as SQL injection (SQLi), cross-site scripting (XSS), and cross-site request forgery (CSRF). It is available in the Professional edition only.
- Intruder: This is a powerful tool for carrying out automated, customized attacks against web applications. It is effectively a web fuzzer: it sends large numbers of unexpected or systematically varied inputs to chosen positions in a request, which helps identify security flaws such as injection points, weak credentials, and enumerable identifiers.
- Repeater: As the name suggests, it is used to manually modify and reissue web requests.
- Sequencer: This analyzes the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable.
- Decoder: This encodes and decodes data in common transformations (URL, HTML, Base64, ASCII hex, and others) and can compute hashes, which is useful for reading obfuscated parameters and crafting encoded payloads.
- Comparer: The Burp Comparer is a handy utility for performing a visual diff between any two items of data, such as pairs of similar web responses.
- Extender: Burp Extender lets you load extensions that add functionality to Burp, either from the BApp Store (PortSwigger's catalog of community-contributed extensions) or from your own files. Extensions are written in Java, Python (via Jython), or Ruby (via JRuby).
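The question raised at the top of this section, how predictable a session token is, is what Sequencer answers by collecting a large sample of tokens and running statistical tests on them. The following added example (not Burp's code; Sequencer runs a larger battery of FIPS-style tests than this) shows the simplest per-position analysis on two constructed token sets: a counter-based token and a token built from 128 random bits. The token sets, thresholds, and function names are assumptions for illustration; the "strong" generator is seeded only so that the example is reproducible, and real tokens must come from a cryptographic source such as `secrets`.

```python
"""Estimate how predictable a set of session tokens is, in the spirit of
Burp Sequencer's per-position analysis.  Added example, not Burp's own
algorithm; the token sets below are constructed."""
import math
import random
from collections import Counter


def positional_entropy(tokens):
    """Shannon entropy (bits) of the character observed at each position.
    A position that never varies contributes 0 bits; a uniformly random
    hex digit contributes close to 4 bits once the sample is large."""
    width = len(tokens[0])
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        h = -sum(c / n * math.log2(c / n) for c in counts.values())
        result.append(h)
    return result


def total_entropy_bits(tokens):
    """Upper bound on effective entropy assuming positions are independent
    (they often are not, so treat this as optimistic)."""
    return sum(positional_entropy(tokens))


def fraction_fixed_positions(tokens):
    """Share of positions whose character is constant across the sample."""
    ent = positional_entropy(tokens)
    return sum(1 for h in ent if h == 0) / len(ent)


def sequential_gap_ratio(tokens, base=16):
    """If tokens parse as integers, the share of consecutive pairs that
    differ by a small positive constant: the signature of a counter."""
    try:
        vals = [int(t, base) for t in tokens]
    except ValueError:
        return 0.0
    gaps = [b - a for a, b in zip(vals, vals[1:])]
    small = sum(1 for g in gaps if 0 < g <= 16)
    return small / len(gaps)


def assess(tokens, min_bits=64):
    """Summarize the sample; min_bits is an assumed acceptance threshold."""
    bits = total_entropy_bits(tokens)
    return {
        "entropy_bits": round(bits, 1),
        "fixed_fraction": fraction_fixed_positions(tokens),
        "sequential_ratio": sequential_gap_ratio(tokens),
        "verdict": "predictable" if bits < min_bits else "looks random",
    }


# Constructed sample sets.
def weak_tokens(n=200):
    """32-bit counter rendered as hex: the classic predictable token."""
    return [f"{0x5A000000 + 1 + i:08x}" for i in range(n)]


def strong_tokens(n=200, seed=7):
    """128 random bits per token.  Seeded PRNG for reproducibility only;
    a real token generator must use secrets.token_hex() or equivalent."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(128):032x}" for _ in range(n)]


if __name__ == "__main__":
    print("counter token :", assess(weak_tokens()))
    print("random token  :", assess(strong_tokens()))
```

With 200 samples the counter token shows six of eight positions fixed and every consecutive pair differing by one, while the random token shows no fixed positions and well over 100 bits of per-position entropy. Sequencer's sample size matters for the same reason: with too few tokens, even a good generator looks non-uniform at each position.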