Burp Suite Owasp



The following is a list of recommended books, articles, and other Burp Suite resources. Each resource is thoroughly analyzed before being added to the list.

Books


Hands-On Application Penetration Testing with Burp Suite - Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar (2019)

A beginner-friendly book that teaches you the web app pentesting mindset with Burp Suite's help. This book is my recommendation for anyone who wants to learn Burp Suite.

In a nutshell, what makes this book stand out from other books on Burp Suite is:

  • It uses examples and features from Burp Suite v1.7.30, a comparatively recent version. Most, if not all, samples in the book work on current versions of Burp Suite (2020.x and 2021.x).
  • The author(s) haven't complicated the book by giving workarounds for features not present in the Community edition. The book focuses on Burp Suite Pro and tells you when a feature is not available in the Community edition.
  • It has many examples that use Burp extensions (like CSRF Scanner, EsPReSSO, etc.) to exploit specific vulnerabilities.
  • It has a chapter on extending Burp's functionality and setting up an environment to develop Java extensions. Such extensive information is something I haven't found in other books so far.

Now let me describe the book in detail. It's divided into 12 chapters. The first few chapters cover the basics of Burp Suite and how to configure it with browsers, mobile devices, etc. The next few chapters cover the stages of a web app pentest, Burp's suite of tools, and which tool is handy when checking for each vulnerability type.

The chapters on detecting and exploiting vulnerabilities are the fascinating part of the book. These chapters describe each vulnerability and tell you whether Burp Scanner detects it; if not, they show how you can do so manually, semi-automatically (using Intruder), or automatically (using extensions).

Also, there is a complete chapter on setting up an environment to develop Burp extensions in Java. Finally, the last few chapters summarise the pentest methodology with real-life targets.


(Note: Requests and responses in examples might not render well on Kindle.)

Even though the book explains the vulnerabilities, it still uses some jargon. If you are a complete beginner, you might end up looking up a few terms/techniques on the internet before finishing the book.

Burp Suite Essentials - Akash Mahajan (2014)

A fantastic book for beginners. The book has well-structured chapters, uses simple language, and has many images. It covers features from both the Community and Professional versions. It would be a disservice to describe the book without mentioning the hacks packed into it (like JVM tweaks to give Burp more memory, using FoxyProxy, and more). Even though the book was published in 2014 and Burp Suite has introduced many new features since then, the core Burp Suite features described in the book haven't changed much.

Even if you are already familiar with Burp Suite, you'll find something new. The chapters Using Burp Tools as a Power User (both parts 1 and 2) describe all the commonly used Burp tools. Chapters like Setting scope and dealing with upstream proxies and Searching, Extracting, Pattern Matching and More are the icing on the cake. If you haven't read the book, give it a try; I'm pretty sure you will learn something new.

Burp Suite Cookbook - Sunny Wear (2018)

An interesting cookbook with 'recipes' on manually using Burp Suite to test common web app vulnerabilities. The book starts with the expected introduction to Burp Suite and its tools (Message editor, Repeater, etc.). The following chapters are collections of recipes grouped under common vulnerability types (Authentication, Authorization, Input Validation, etc.). The book uses vulnerable web apps from the OWASP Broken Web Applications VM to demonstrate each vulnerability and how to test/exploit it using Burp Suite.


The initial few chapters look great for beginners; however, the book's charm fades after a few chapters, due to a lack of information in the intermediate chapters. These are collections of recipes, and each recipe follows a pattern: an introduction to the vulnerability, how to set up the vulnerable web app (if required), and finally the manual steps to exploit the vulnerability.

The book doesn't cover the vulnerabilities in detail, just a paragraph or two. Additional effort is required to understand the specific terms and advanced concepts mentioned in the book. Many of the vulnerabilities it covers are explained in depth in PortSwigger's free Web Security Academy. Finally, the last few chapters bring back the charm by covering a few Burp extensions and the use of macros.

A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities - Sagar Rahalkar (2020)

An interesting short book with the author's opinion on most of the features in Burp Suite Professional. If the author asked me for my opinion on the book, I would give him two suggestions: either add more content to the book or change its name (to anything without the word Complete in it).


Don't get me wrong, a few sections of the book (like browser plugins to enable the Burp proxy when required, Burp Infiltrator, etc.) are pretty interesting. The only drawback is the amount of content.

The book neither gives in-depth knowledge of each feature nor ample examples. It doesn't cover the technical details of vulnerabilities (even though it has a theoretical section on the OWASP Top 10). That means you need to read this book and then work out for yourself how to use Burp's suite of tools to detect those vulnerabilities. The book has links to many OWASP projects, some details on Burp's suite of tools, and a final chapter that concludes with a (3-step) mindset on how to approach pentests in general.

The final chapter, which I expected to be the better part, doesn't do it right. For example, in the section on setting up the Burp proxy on a mobile device, there are no steps for adding Burp's CA certificate to the device or for the rooting/jailbreaking process. A reader who follows the steps won't successfully set up the Burp proxy to intercept the mobile device's requests.

(I value my readers' time and money as I value mine. Looking at this book's knowledge-per-cost factor, it's not worth buying. So I have intentionally not added links to buy it. I would suggest purchasing the above books or learning from the free resources mentioned below.)
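Since the missing steps are exactly the ones a reader trips over, here is the procedure for getting Burp's CA trusted by a rooted Android device, as an added example that is not from the reviewed book or from PortSwigger. It assumes Burp's proxy listener is on 127.0.0.1:8080, that adb is on PATH, and that the device allows `adb root` and `adb remount` (an emulator without Google Play, or a rooted test phone; a production handset will refuse both). The environment variable names and the `--install` flag are this script's own.

```shell
#!/bin/sh
# Added example (not from the reviewed book or from PortSwigger): install
# Burp's CA certificate into the Android *system* trust store on a rooted
# device, so apps that ignore user-added CAs still trust the proxy.
# Assumptions: Burp listening on 127.0.0.1:8080, adb on PATH, device is
# rootable (adb root / adb remount succeed). BURP_PROXY/WORKDIR are ours.
set -eu

BURP_PROXY="${BURP_PROXY:-http://127.0.0.1:8080}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Fetch the CA (DER form) from Burp's built-in http://burp/cert endpoint.
#    That hostname only resolves when the request goes through the listener,
#    hence -x.
fetch_burp_ca() {
    curl -sS -x "$BURP_PROXY" -o "$WORKDIR/burp.der" http://burp/cert
}

# 2. Android's system store wants a PEM file named <subject_hash_old>.0,
#    where the hash is OpenSSL's legacy (MD5-based) subject name hash.
#    Prints the path of the renamed PEM file.
convert_for_android() {
    der="$1"
    openssl x509 -inform DER -in "$der" -out "$WORKDIR/burp.pem"
    hash=$(openssl x509 -inform PEM -subject_hash_old -noout -in "$WORKDIR/burp.pem")
    cp "$WORKDIR/burp.pem" "$WORKDIR/$hash.0"
    echo "$WORKDIR/$hash.0"
}

# 3. Push it into the system store. This is the step that needs root:
#    /system is read-only on a stock device, so remount first.
install_on_device() {
    cert="$1"
    adb root
    adb remount
    adb push "$cert" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$(basename "$cert")"
    adb reboot
}

# Only touch the device when explicitly asked; sourcing the file is harmless.
if [ "${1:-}" = "--install" ]; then
    fetch_burp_ca
    install_on_device "$(convert_for_android "$WORKDIR/burp.der")"
fi
```

Run it as `sh burp-ca-android.sh --install` with Burp running. After the reboot, point the device's Wi-Fi proxy at the Burp listener (the listener must be bound to an address the device can reach, not only loopback). Two caveats: user-installed CAs alone are not enough, because since Android 7 an app's default network security config trusts only the system store; and on Android 14 and later the system store lives inside the Conscrypt APEX module rather than /system/etc/security/cacerts, so step 3 no longer works as written there. Certificate pinning in the target app is a separate problem that this does not solve.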

YouTube videos

  • Burp Training by Secure Ideas - https://www.youtube.com/playlist?list=PLqG-wtrX3aA_wYTrnDHoCBkKBoI4z9oLd

Blogs & Articles

  • Quality of Life Tips and Tricks - Burp Suite by Parsia


Others


  • Awesome Burp Extensions - https://github.com/snoopysecurity/awesome-burp-extensions
