Click on Everything (in Burp)

By Red Siege | October 5, 2023

In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past.

Double Click and Right Click Everything! (Literally Everything)

There is so much functionality (for better or worse) hidden in the Burp GUI. One of the first and best examples of this is newcomers discovering the filtering options for the site map. I’ve met multiple people who were unaware of them, and that’s a really rough way to live.

Simply right-clicking or double-clicking the box that states “Filter: Hiding out of scope and not found items…” brings up this additional filter menu.

There are ZERO indicators that this is how you are supposed to interact with the filter, or even that that portion of the GUI has any functionality at all.

For example, I sometimes need to run really granular scans instead of the traditional “let it rip” scan. This usually leaves me with a bunch of smaller scans, and I have no clue what each one was targeting unless I click the pop-out button in the top right and review its specific configuration.

Once again, the power of double-clicking saves the day. Double-clicking the title box of a scan allows you to edit it.

At this point you can rename the scan to something useful to help you remember which scan did what.

Bonus Tip:
Some markdown formatting will work in this title field. Is this useful? Probably not. Is it a neat little feature? Absolutely.

Double-clicking a tab allows you to edit the tab name, as shown below.

But right-clicking that same tab opens up useful functionality such as grouping tabs, naming the groups, and color-coding tabs. I love to use this feature to group functionality and/or ideas I have while working on web application pentests.

Go to Proxy -> Settings Cog -> Tools -> Proxy -> Response Interception Rules.
Do yourself a huge favor and make your settings look like mine, so that you only see the responses you care about instead of every single one.

The Request Being Intercepted:

The Response Being Intercepted:

Now that we have the proxy set up to be actually useful, there’s one additional feature we can really make use of. This little off-to-the-side feature, if used correctly, is a game changer. Welcome to the first day of the rest of your life: the proxy intercept Comment and Color tool!

This tool allows you to enter comments and select highlight colors from within the Burp Intercept tool, and it stores them directly in your Burp Proxy history.

Why does it matter?

For example, when I review login functionality I’ll start with a known “bad” state, such as a fake username and a fake password. In the intercept I can edit the data, add the comment “Fake User Fail”, and mark it red. Then I compare it with a real username and bad password combination, add the comment “Real User Fail”, and mark it yellow. When we pop back over to the Proxy history we can easily and visually spot the requests we marked for later review.

And again, by the power of clicking on unsuspecting boxes, double-clicking the “Filter: Hiding out of scope items;” area brings up a proxy history filter. If you check both of the check boxes shown below, it will only show you items you either highlighted or added comments to.

If you are crafty, you can even add tags or search terms to your comments to make filtering a breeze. Below, for example, I entered the string “Real User” to filter for anything that contained that string, including comments. I could easily find and review how the application handled real user logins without slogging through the rest of the proxy history.

In future blog posts I’ll go over in detail how I use the color and commenting systems in Burp for better filtering results, and generally how to stay organized during a web application penetration test. I hope you found some, if not all, of these tips useful; there is probably more hidden Burp functionality that I’m not aware of. I’d love to read about any Burp hacks you have found in our Discord!
