An introduction to Burp Suite for web developers

Security testing tools are tools that help us detect and verify whether the information contained in a system or an application is protected and if it has the expected behavior. Even though they are typically used by security researchers, security testers and bug bounty hunters, they are also excellent tools for developers.

As we all know, security should be a focus in every step of the development process and using a security testing tool makes it easy to verify that the produced code is secure before it is deployed to production.

There are many available tools out there, but in this article I will focus on Burp Suite.

Burp Suite comes in both a community edition (free) and a paid version called Burp Suite Professional. In both cases, it is a web application testing tool that acts as a proxy for intercepting and manipulating network traffic, which makes it easy to verify the intended behavior of an application and discover bugs. The community edition provides the necessary tools to carry out manual testing of web applications, while the pro version contains powerful automatic and customizable tools that make your testing more effective.

For basic testing, the community edition is sufficient. Therefore, I will focus on presenting some of the available tools that can help you to debug your APIs, verify your authentication/authorization mechanisms, and ensure correct handling of cookies and security headers.

Burp Suite has several built-in tools and features that makes it easy to learn about the security state of your application. Here, I will provide you with a quick introduction of the basic functionality that you can use to ensure security as you code.

Burp has some useful features to make it easier for you to map out your application. When you manually click through your application or use an automated scan, Burp populates the Proxy history or a Target site-map which gives you an overview of the content of the application. This can then be used to identify functionality that should be investigated further and can also reveal possible information leakage issues.

The repeater can be used to replay modified requests. You can select any previously intercepted request and send it to the repeater tool, where you can modify the raw request as you wish and replay it. This feature is especially useful for API and web debugging. By making small modifications to a request and re-issuing it over and over, you are able to verify the behavior in different cases by analyzing the application's responses.

The intruder tool comes in handy when you want to test for input-based bugs, as for example enumeration bugs or injection vulnerabilities. You can use this tool to perform fuzzing of input fields, i.e. submitting different variations of test strings and analyzing the response. If you have already identified a type of bug, the intruder also offers possibilities to exploit the bug.

Burp also includes some smaller tools that are useful in application testing.

• The integrated decoder lets you transform application data using common encoding and decoding schemes.
• The sequencer lets you analyze session tokens to see if the quality of randomness is sufficient.
• The comparer lets you compare data, and provides you with a visual "diff". This can be useful to see if there are any differences in the responses for login requests with valid and invalid usernames to reveal possible username enumeration.

Lastly, another great feature of Burp is all the available third-party extensions located in the Extender tab. There you can find several plugins that can assist you in your testing based on your needs. Some that are worth to mention are: Logger++, JSON Decoder, Turbo Intruder and Authorize.

In this article we have gained a brief overview over the basic tools available in Burp, and why they are useful for web developers. Want to get started using Burp?

• Here is a guide that explains the first steps of getting started.
• Here is a guide on how to use Burp Suite for penetration testing.