CLICK ON EVERYTHING (in Burp)

By Red Siege | October 5, 2023

In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past.

Double Click and Right Click Everything! (Literally Everything)

There is so much functionality (for better or worse) hidden in the Burp GUI. One of the first and best examples of this is newcomers discovering the filtering options for the site map. I’ve met multiple people who were unaware of this, and that’s a really rough way to live.

Simply right-clicking or double-clicking the box that states “Filter: Hiding out of scope and not found items…” will bring up this additional filter menu.

There are ZERO indicators that this is the way you are supposed to interact with the filter, or even that that portion of the GUI has this functionality.

For example, I sometimes need to do really granular scans instead of the traditional “let it rip” scan. This usually results in a bunch of smaller scans, and I have no clue what each one was targeting unless I click the pop-out button in the top right and review its configuration.

Once again, the power of double-clicking saves the day. Double-clicking the title box of the scan allows editing.

At this point you can rename the scan to something useful to help you remember which scan did what.

Bonus Tip:
Some markdown formatting will work in this title field. Is this useful? Probably not. But is it a neat little feature? Absolutely.

Double-clicking will allow you to edit that tab name, as shown below.

But right-clicking that same tab opens up useful functionality such as grouping, naming the groups, and color-coding tabs. I love to use this feature to group functionality and/or ideas I have while working on web application pentests.

Go to Proxy -> Settings Cog -> Tools -> Proxy -> Response Interception Rules.
Do yourself a huge favor and make your settings look like my settings, so that you only see the responses you care about instead of everything.

The Request Being Intercepted:

The Response Being Intercepted:

Now that we have the proxy set up to be actually useful, there’s one additional feature we can really make use of. This little off-to-the-side functionality, if used correctly, is a game changer. Welcome to the first day of the rest of your life: the proxy intercept Comment and Color tool!

This tool allows you to enter comments and select colors from within the Burp Intercept tool, and it stores them directly in your Burp Proxy History.

Why does it matter?

For example, when I review login functionality I’ll start with a known “bad” state, such as a fake username and a fake password. In the intercept I can edit the data, add the comment “Fake User Fail”, and mark it red. Then I compare it with a real user / bad password combination, add the comment “Real User Fail”, and mark it yellow. When we pop back over to the proxy history, we can easily and visually spot the requests we marked for later review.

For example, by the power of clicking on unsuspecting boxes, double-clicking the “Filter: Hiding out of scope items;” area will bring up a proxy history filter. If you check both of the check boxes below, it’ll only show you items you either highlighted or added comments to.

If you are crafty, you can even add tags or search terms to your comments to make filtering a breeze. In the example below, I entered the string “Real User” to filter for anything containing that string, comments included. I could easily find and review how the application handled real user logins, without slogging through the rest of the proxy history.
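The same tag-in-the-comment trick works outside the GUI when you want a written record of a login review. The script below is an added example, not from the original post or from PortSwigger: it builds a small, constructed export in the shape of Burp’s “Save items” XML (the element names `item`, `url`, `method`, `status`, `comment`, and base64-encoded `request`/`response` are an assumption about that format, and the traffic is made up), then filters items by a comment tag the way the proxy history filter does and summarizes status code and body length per tag so “Fake User Fail” and “Real User Fail” can be compared side by side.

```python
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample traffic (not real captures): three login attempts annotated the
# way the post suggests, plus one uncommented static-file request as noise.
_SAMPLE_ROWS = [
    ("POST", "https://app.example.test/login", "401", "Fake User Fail",
     "POST /login HTTP/1.1\r\nHost: app.example.test\r\n\r\nuser=nouser&pass=wrong",
     "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\nLogin failed."),
    ("POST", "https://app.example.test/login", "401", "Real User Fail",
     "POST /login HTTP/1.1\r\nHost: app.example.test\r\n\r\nuser=alice&pass=wrong",
     "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\nLogin failed."),
    ("POST", "https://app.example.test/login", "302", "Real User Success",
     "POST /login HTTP/1.1\r\nHost: app.example.test\r\n\r\nuser=alice&pass=correct",
     "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
    ("GET", "https://app.example.test/static/app.js", "200", "",
     "GET /static/app.js HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\nconsole.log(1);"),
]

def build_export(rows):
    """Serialize rows into the assumed Burp 'Save items' XML layout."""
    root = ET.Element("items")
    for method, url, status, comment, req, resp in rows:
        item = ET.SubElement(root, "item")
        ET.SubElement(item, "url").text = url
        ET.SubElement(item, "method").text = method
        ET.SubElement(item, "status").text = status
        ET.SubElement(item, "comment").text = comment
        ET.SubElement(item, "request", base64="true").text = _b64(req)
        ET.SubElement(item, "response", base64="true").text = _b64(resp)
    return ET.tostring(root, encoding="unicode")

def parse_items(xml_text):
    """Return one dict per <item>, decoding base64 request/response bodies."""
    items = []
    for el in ET.fromstring(xml_text).iter("item"):
        def text(tag):
            node = el.find(tag)
            return (node.text or "") if node is not None else ""
        def payload(tag):
            node = el.find(tag)
            if node is None or not node.text:
                return ""
            if node.get("base64") == "true":
                return base64.b64decode(node.text).decode("utf-8", "replace")
            return node.text
        items.append({
            "url": text("url"),
            "method": text("method"),
            "status": int(text("status") or 0),
            "comment": text("comment"),
            "request": payload("request"),
            "response": payload("response"),
        })
    return items

def commented_only(items):
    """Mirror the 'show only commented items' checkbox."""
    return [i for i in items if i["comment"].strip()]

def filter_by_tag(items, tag):
    """Case-insensitive substring match on the comment, like typing a term into the filter."""
    needle = tag.lower()
    return [i for i in items if needle in i["comment"].lower()]

def body_length(raw_response):
    """Length of the HTTP body after the blank line that ends the headers."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    return len(body) if sep else 0

def summarize_by_tag(items, tags):
    """Map each tag to a list of (status, body length) for the items carrying it."""
    summary = defaultdict(list)
    for tag in tags:
        for item in filter_by_tag(items, tag):
            summary[tag].append((item["status"], body_length(item["response"])))
    return dict(summary)

def load_sample():
    return parse_items(build_export(_SAMPLE_ROWS))

if __name__ == "__main__":
    items = load_sample()
    for tag, results in summarize_by_tag(items, ["Fake User", "Real User"]).items():
        print(tag, results)
```

Identical status and body length across the “Fake User Fail” and “Real User Fail” rows is the outcome you want to see when reviewing a login form; a difference between the two groups is exactly the kind of thing the colored, tagged entries make easy to spot and write up.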

In future blog posts I’ll go over in detail how I use the color and commenting systems in Burp for better filtering results, and generally how to stay organized during a web application penetration test. I hope you found some, if not all, of these tips useful; there is probably more hidden Burp functionality that I’m not aware of. We would love to read about any Burp hacks you have found in our Discord!
