This will be the start of a collection of Burp tips and tricks aimed primarily at beginners, but you may find a feature you didn’t know about even as a veteran user. If you have suggestions drop them in the comments below and we will check it out and add them as well! We hope to update this document as we find new features and ways to use them over the years to come.
Edited 7/7/2024 – Additions from Favorite BurpSuite Tips/Tricks? : r/AskNetsec (reddit.com):
Timing attacks are always a fun little logical case to look to abuse. One common area they crop up in, as cyberbl333p noted, is login functions or username lookups of some sort. This happens quite simply because when a username (or some other object you wish to enumerate) exists, the application processes additional logic before returning a response. Bear in mind that in some scenarios this can be reversed, so use your judgement as you assess a given piece of logic.
Conversely, a negative response is typically very fast, to the point where you may see a noticeable difference. To showcase this, we loaded the Request Timer extension while working on an older application and found an endpoint for looking up available usernames. Yes, this specific instance is kind of cheating, but it is what was available at the time of writing.
After installing the extension, we captured a request to the availability lookup and sent it to Intruder with lists of usernames to guess. Then we navigated to the Request Timer tab to configure it for this review, selecting Intruder as the tool for the extension to monitor and starting it. After that we simply ran Intruder as normal and came back when it was done to see the response times:
In this case a valid username was guessed, and it took longer to return a response as a result.
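To make the login pattern behind that timing difference concrete, here is an added example (not code from the post or from Request Timer): a constructed login routine that only runs the expensive password hash when the username exists, beside a hardened version that always does the same work. Hash calls are counted instead of wall-clock time so the comparison is deterministic; the user table, salt and iteration count are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo of the login-timing pattern described above: the leaky
# version only does the expensive password hash when the username exists,
# so "unknown user" responses come back measurably faster. Hash calls are
# counted instead of wall-clock time so the comparison is deterministic.
ITERATIONS = 20_000
SALT = b"constructed-demo-salt"

def derive(password: str, salt: bytes) -> bytes:
    """The slow step: PBKDF2 stands in for whatever the real app uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user table: username -> (salt, stored hash).
USERS = {"alice": (SALT, derive("correct horse", SALT))}
# A real-looking hash for unknown users so both code paths do equal work.
DUMMY_HASH = derive(secrets.token_hex(16), SALT)

hash_calls = 0

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time compare of the derived hash; counts each expensive call."""
    global hash_calls
    hash_calls += 1
    return hmac.compare_digest(derive(password, salt), expected)

def login_leaky(username: str, password: str) -> bool:
    """Timing side channel: returns before any hashing for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False
    return verify(password, *record)

def login_constant_work(username: str, password: str) -> bool:
    """Hardened: always hash (against a dummy if needed), then fold in the lookup."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (SALT, DUMMY_HASH)
    password_ok = verify(password, salt, expected)
    return password_ok and record is not None

def count_hash_calls(login, username: str, password: str) -> int:
    """Return how many expensive hash calls one login attempt triggered."""
    global hash_calls
    hash_calls = 0
    login(username, password)
    return hash_calls
```

The leaky version does zero hash calls for an unknown user and one for a known user, which is exactly the gap Request Timer surfaces; the hardened version does one either way.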
/u/ablativeyoyo suggests using a handy feature to auto-scroll your view to a text search match. For example, if you are scrolling through requests in HTTP history, or trying payloads in Repeater, you can set a search string in the response tab and enable “Auto-scroll to match when text changes”. This makes the view jump to the first match in the response text each time the text changes.
In this example we had submitted a bunch of XSS payloads to an application and wanted to double check which responses they were embedded in, so we searched for “alert” and scrolled through our HTTP history with the view helpfully jumping to the first instance of the word “alert”. This made it very obvious, while moving through quickly, which responses to look at further, since it also showed that the match was in the body of the message rather than a header.
/u/ablativeyoyo also suggests using the Hackvertor extension to make working with encoded data easier: Hackvertor – PortSwigger
We mentioned that encoding can be handled a little more easily by default in the Inspector, but Hackvertor offers the ability to automatically convert strings back to their encoded formats without having to set anything else up. Simply wrap the string in the appropriate tag for your encoding needs and, as the request is sent, the Hackvertor extension will re-encode it for you.
As shown here, we can place our string between base64 tags to cause the extension to encode it as base64 when submitted:
Then, checking the log to see what was actually submitted, we see that the extension correctly encoded it as base64:
Please note that Hackvertor can do much more than this; it is a great tool overall and worth everyone learning to use at least a little!
/u/ablativeyoyo further advises how to use Burp’s active scan for limited issue types. For example, maybe you only want to run the SQLi checks with active scan. You can easily create a new scan profile for this (and even save it to the library to use in another project without having to re-create it).
When creating a new scan task, go to the scan configuration, select “use custom configuration”, and create a new profile:
From here navigate to the Issues Reported section, deselect everything, then simply pick which issues you want to check for. The fastest way to deselect is to press ctrl+a in the box, right click, and select “enabled”, which toggles them all to disabled:
The scope settings have not changed much over the years. There is a newer-ish “include subdomains” option for simple scope settings, but we have found that the apps we work on typically share a common theme, such as part of the company name, across multiple supporting domains rather than just using subdomains.
An ecommerce store on store.example.com might have an api.example.com for handling users, plus store.exampleproducts.com and api.exampleproducts.com for managing the cart/checkout flow.
In this scenario, just looking for subdomains won’t cut it. We recommend using basic regular expressions in your scope control to capture these supporting domains as “in scope” for your engagement.
If you aren’t comfortable writing regex, we suggest a simple .*, which means (.) any character followed by (*) any number of occurrences, including none. So, in the simple regex below, if “example” appears anywhere in the URL, with any characters before and after it, it will be in scope:
Conveniently, when working on your engagements in this manner, we recommend NOT limiting history logging for out-of-scope content and instead simply setting “show only in-scope items” in both the HTTP history and site map filters:
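Because everything matched by a scope rule becomes fair game for the scanner and Intruder, it is worth checking what a loose rule actually pulls in. The following is an added example, not the post’s own or Burp’s scope code: it approximates Burp’s include rules with an unanchored regex search over the hostname and compares the post’s .*example.* rule against a tightened one. The hosts are constructed for the demo.

```python
import re

# Constructed hosts standing in for the scenario above: two product sites
# sharing the "example" theme, plus third-party hosts that merely contain it.
HOSTS = [
    "store.example.com",
    "api.example.com",
    "store.exampleproducts.com",
    "api.exampleproducts.com",
    "example.com.cdn-partner.net",   # a CDN that is not the client's
    "counterexamples.org",           # unrelated site with "example" inside
]

# The post's quick-and-dirty rule. Fine for a first pass, but it is anchored
# nowhere, so it matches any host with "example" anywhere in it.
LOOSE_SCOPE = [r".*example.*"]

# Tightened rule: anchored with ^ and $, dots escaped, hosts spelled out.
TIGHT_SCOPE = [
    r"^(store|api)\.example\.com$",
    r"^(store|api)\.exampleproducts\.com$",
]

def in_scope(host: str, include_patterns) -> bool:
    """True if any include regex matches the host (assumed Burp-style include rule)."""
    host = host.lower()
    return any(re.search(p, host) for p in include_patterns)

def scope_report(hosts, include_patterns) -> dict:
    """Map each host to its in-scope verdict for a given rule set."""
    return {h: in_scope(h, include_patterns) for h in hosts}

def overreach(hosts, loose, tight) -> list:
    """Hosts the loose rule pulls in that the tight rule does not."""
    return [h for h in hosts if in_scope(h, loose) and not in_scope(h, tight)]
```

Running overreach over the constructed hosts lists the two third-party domains the loose rule would have let automated tooling touch.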
Is your Repeater looking horribly cluttered halfway through an engagement? Do you have to click through each tab trying to figure out which one you needed to come back to? Sure, you can double click a tab to name it (and we strongly recommend you do), but let us step that organization up even more with tab groups.
Simply right click the tab you want, navigate to “add tab to group”, and create a new group or add it to an existing group:
Here are some organizational ideas for your tab groups:
TODO – This one needs no explanation, but just stick the tabs you want to come back to in here.
XSS – We picked on XSS here, but grouping by finding type on confirmed findings is great when you have to come back and retest later!
REF – Have you found areas of the application with complex requests, or a workflow that generates an auth token, or anything useful you want to be able to repeat later at will? Stick it here!
??? – Pick your favorite phrase or word of frustration and place those annoyingly suspicious, yet thus far non-exploited, requests here. Time management is important and if you have time later you can try again with these. Don’t get stuck in the rabbit hole and miss out on other issues for your client though!
How many times have you accidentally closed a Burp Repeater tab? Go on, admit it; we know we have, and became super frustrated having to, excuse the pun, repeat all the effort of crafting the payloads used in that Repeater history.
Redoing work is a waste of time, and just annoying. While on a rant recently about the tabs not asking if you are sure you want to close them, we were informed of a great feature to re-open a closed tab:
So next time you accidentally close a tab, stop immediately (in our testing this feature only stores the single most recently closed tab), go to the top right, press the triple dots, and select “reopen closed tab”.
You may pay us back with a time machine so we can go back and tell past us about this feature and save countless amounts of time over the years.
This next one you have almost certainly seen before, as it always seems to open by default and clog up the request/response views: the Inspector! Now, before you close it to read the response more easily, take a look at what it offers. The Inspector gives a nice readable (and, in Repeater, editable) overview of all URL and body parameters, allowing you to easily find and review them:
While this is obviously useful if you don’t want to dig through particularly large requests or responses to find data, we consider the second part of the Inspector even better.
Inspector is available while working in repeater!
If you are working on a request in Repeater and need to decode something to edit it, don’t send it to Decoder and manually copy/paste it back. Just look at it in the Inspector, select the encoding you need to remove, edit it in the plaintext box, and hit apply. This even works when you just select text in the Repeater tab to specify what needs decoding/editing. Burp will then automagically change the request for you:
Ah, the good ole Intruder. One of the other most useful features of Burp is being able to plug in lists of passwords, or iterate over identifiers such as numbers when searching for IDORs. This is most commonly done in Intruder, as it is a lightning fast automated Repeater that handles the iterations for you.
While the default “sniper” attack mode is pretty simple, the others are super useful once you understand how to use them:
We will quickly touch on how each of these attack types functions.
Sniper – This type lets you add a single set of payloads on the payload tab. When running the attack it goes through your list, placing each payload into one insertion point at a time. This is great if, say, you want to check a bunch of parameters at once for a simple XSS or SQLi.
Battering Ram – Another single payload set like Sniper, but instead of one insertion point at a time this one shoves the same payload into all insertion points at once and goes through the list doing this. We don’t find this one as useful, but it has its moments, especially if, for example, an application takes an identifier as both a header and a URL value (or something similarly odd) and you want to check for IDOR, so the two must match.
Pitchfork – Pitchfork is the first type to offer multiple payload sets. It is more complicated, as you may define up to 20 payload sets in the payload tab, but they need to be the same length for all iterations to be used (the attack stops when the shortest set runs out).
An example scenario: you have a request with 3 defined insertion points and the following 3 payload sets:
Payload Set 1: a, b, c, d
Payload Set 2: 1, 2, 3, 4
Payload Set 3: z, x, c, v
Keep in mind that insertion points are paired with payload sets based on the order they occur in the request, not the order you set them in.
The behavior can be seen in this simplified example:
Cluster Bomb – The last, and most chaotic, attack type. Honestly, we don’t use this one nearly as often, but it has its uses. Cluster Bomb, as the name implies, allows for multiple payload sets (up to 20, like Pitchfork).
The difference is that the Cluster Bomb attack iterates through every combination of the lists across the insertion points. This is fairly self-explanatory, so we just want to point out something to keep an eye on.
Burp is nice enough to give a payload count and request count in the payloads tab:
Keep this increase in mind before accidentally sending hundreds or thousands of requests at your target. As a quick example, our 4 requests under Pitchfork become 64 requests under Cluster Bomb.
Intruder has a very powerful payload processing feature which would require a post of its own to cover. We recommend checking out PortSwigger’s documentation on this feature before using it: Burp Intruder payload processing – PortSwigger
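To see where the 4 versus 64 comes from, here is an added model of the four attack types over the post’s three payload sets. It is constructed for this write-up and is not Burp’s implementation; the baseline values for the three insertion points are assumed, and the request count helper uses the first set for the single-set attack types.

```python
from itertools import product

# Payload sets from the post; list order must follow the order the insertion
# points appear in the request, not the order the sets were typed in.
PAYLOAD_SETS = [
    ["a", "b", "c", "d"],
    ["1", "2", "3", "4"],
    ["z", "x", "c", "v"],
]
# Constructed baseline values for the three insertion points (Sniper leaves
# every position it is not currently targeting at its baseline value).
BASELINE = ["p1", "p2", "p3"]

def sniper(baseline, payloads):
    """One payload into one insertion point at a time; the rest stay untouched."""
    for i in range(len(baseline)):
        for p in payloads:
            req = list(baseline)
            req[i] = p
            yield tuple(req)

def battering_ram(points, payloads):
    """The same payload into every insertion point simultaneously."""
    for p in payloads:
        yield tuple([p] * points)

def pitchfork(sets):
    """Sets advance in lockstep; stops when the shortest set runs out."""
    yield from zip(*sets)

def cluster_bomb(sets):
    """Every combination across sets (Cartesian product); last set varies fastest."""
    yield from product(*sets)

def request_counts(baseline, sets):
    """Total requests per attack type; single-set types use the first set."""
    return {
        "sniper": sum(1 for _ in sniper(baseline, sets[0])),
        "battering_ram": sum(1 for _ in battering_ram(len(baseline), sets[0])),
        "pitchfork": sum(1 for _ in pitchfork(sets)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(sets)),
    }
```

Passing a shorter third set to pitchfork shows the length rule from the Pitchfork description: the attack ends as soon as that set is exhausted.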
If you scroll all the way to the bottom of the payloads tab you can turn this default behavior off, or modify it:
A feature that gets neither enough use nor enough love is the pair of Grep – Match and Grep – Extract features. Put briefly, these let you define a regex to key off certain strings and either extract the matching text into the results table for easy exporting, or label the entry.
This is great when iterating through large numbers of requests, such as when password spraying or testing for IDOR.
Sure, you could do it the simple way and look at the response length, but where is the fun in that? Also, the lengths may not differ enough, or may vary with the error, which makes that method less reliable.
Instead try out some of Portswigger’s suggested matches, or define your own:
That’s all for now. Let us know if these were helpful, and leave a comment with suggestions of others to add so we can make this list more complete. Thank you and have a great day!
Interested in a demo of the portal and our service offerings? Please contact us at info@mccormackcyber.com. We appreciate your trust and partnership with McCormack Cyber Solutions.