CLICK ON EVERYTHING (in Burp)
By Red Siege | October 5, 2023
In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past.
There is so much functionality (for better or worse) that’s hidden in the Burp GUI. One of the first and best examples of this is newcomers finding the filtering options for the site map. I’ve met multiple people who were unaware of this, and that’s a really rough way to live.
Simply right-clicking or double-clicking on the box that states “Filter: Hiding out of scope and not found items…” will bring up an additional filter menu.
There are ZERO indicators that this is the way you are supposed to interact with the filter, or even that that portion of the GUI has that functionality.
For example, I sometimes need to do really granular scans instead of the traditional “let it rip” scan. This usually results in a bunch of smaller scans, and I have no clue what each one was targeting unless I click the pop-out button in the top right and review what it was specifically.
Once again the power of double clicking saves the day. Double clicking the title box of the scan allows editing.
At this point you can rename the scan to something useful to help you remember which scan did what.
Some markdown fonts will work in this title field. Is this useful? Probably not. But is it a neat little feature? Absolutely.
Double-clicking a tab will allow you to edit that tab name.
But right clicking that same tab opens up useful functionality such as grouping, naming the groups, and color-coding tabs. I love to use this feature to group functionality and/or ideas I have while working on web application pentests.
Go to Proxy -> Settings Cog -> Tools -> Proxy -> Response Interception Rules
Do yourself a huge favor: make your settings look like my settings so that you only see responses you care about, instead of everything.
Now that we have the proxy set up to be actually really useful, there’s one additional feature we can really make use of. This little off-to-the-side functionality, if used correctly, is a game changer. Welcome to the first day of the rest of your life: the proxy intercept Comment and Color tool!
This tool allows you to enter comments and select colors from the Burp Intercept tool, and it stores them directly in your Burp Proxy History.
For example, when I review login functionality I’ll start with a known “bad” state, such as a fake username and a fake password. In the intercept I can edit the data, add “Fake User Fail” in the comments, and mark it red. Then I compare it with a real user, bad password combination, add the comment “Real User Fail”, and mark it yellow. When we pop back over to Burp we can easily and visually spot the requests we marked in the proxy to review later.
For example, by the power of clicking on unsuspecting boxes, double-clicking the “Filter: Hiding out of scope items;” area will bring up a proxy history filter. If you check both of the check boxes below, it’ll only show you things you either highlighted or added comments to.