Penetration testing workflow

You can use Burp's automated and manual tools to obtain detailed information about your target applications. The diagram below is an overview of the key stages of Burp's penetration testing workflow:

Stage 1: Map the target application

You can use a combination of manual and automated tools to map the application.

Manually browse the application in Burp's browser. Your traffic is proxied through Burp automatically. As you browse, the Proxy history and Target site map are populated. By default, a live task also discovers content that can be deduced from responses, for example from links and forms.

To manually discover additional content, you can identify any unrequested items on the site map, then review these in Burp's browser.

You can also automate the mapping process and discover additional content:

• Configure a scan to crawl the application's content. Burp Scanner uses Burp's browser to navigate the application, which dramatically increases coverage.
• When using Burp Scanner, configure login credentials for a site to discover content that is only accessible to authenticated users.
• Use the content discovery tool to find content that is not linked from visible content.
• Use Burp Intruder to enumerate additional subdomains or paths.

Stage 2: Analyze the attack surface

Use the Proxy history and Target site map to analyze the information that Burp captures about the application. While you use these tools you can quickly view and edit interesting message features in the Inspector.

You can send HTTP messages that you want to investigate further to Burp Organizer. This tool enables you to store and annotate HTTP messages to organize your workflow. For more information, see the Burp Organizer documentation.

You can also use other Burp tools to help you analyze the attack surface and decide where to focus your attention:

• Use the Target analyzer to analyze how many static and dynamic URLs the target application contains, and how many parameters each URL takes. This can help you to understand the extent of the attack surface.
• Use Burp Scanner to scan a specific interesting request. Burp Scanner audits only this request. This can flag issues quickly.

Stage 3: Test for vulnerabilities

You can use a combination of Burp tools to detect and exploit vulnerabilities.

You may already have identified a range of issues through the mapping process. By default, Burp Scanner scans all requests and responses that pass through the proxy. Burp lists any issues that it identifies under Issue activity on the Dashboard.

You can also use Burp Scanner to actively audit for vulnerabilities. Scanner sends additional requests and analyzes the application's traffic and behavior to identify issues.

To investigate the identified issues, you can use multiple Burp tools at once. To send a request between tools, right-click the request and select the tool from the context menu. Some example strategies are outlined below for different types of vulnerabilities:

Input-based vulnerabilities

The following are examples of input-based vulnerabilities:

• SQL injection.
• Cross-site scripting.
• File path traversal.

You can use Burp in various ways to exploit these vulnerabilities:

• Scan the interesting request.
• Use Burp Intruder to fuzz for error messages or other exceptions.
• Use Burp Repeater to manually modify and reissue the request repeatedly.
• Actively exploit any vulnerabilities with Burp Intruder. For example, use the recursive grep payload type to exploit SQL injection vulnerabilities.

Logic and design flaws

The following are examples of logic and design flaws:

• Unsafe use of client-side controls.
• Failure to enforce account lockout.
• Ability to skip steps in a multi-stage process.

You generally need to work manually to exploit these types of flaws:

• Use Burp Repeater to issue the requests individually. You could also turn on Proxy interception and manually change requests in the browser.

• Use Burp Intruder to exploit the logic or design flaw, for example to:

  • Enumerate valid usernames or passwords. To learn more about how to test authentication mechanisms, see Testing authentication mechanisms.
  • Cycle through predictable session tokens or password recovery tokens.
  • Reissue the same request a large number of times.
• Use match and replace rules or session handling rules to change the request in systematic ways and exploit the flaw.

Access control vulnerabilities

To test for access control and privilege escalation vulnerabilities, you can:

• Compare site maps to:

  • Identify functionality that is visible to one user and not another.
  • Test whether a low privileged user can access restricted functions.
  • Discover where user-specific identifiers are used to segregate access to data by two users of the same type.

• Access the request in different Burp browsers to determine how requests are handled in different user contexts:

  • Use a different user context and a separate proxy listener with a different port for each browser.
  • Open additional Proxy history windows for each browser.
  • Filter each window to show items received on a specific listener port. Each history window shows only the items for the associated user context.
  • Switch requests between browsers, to determine how they are handled in the other user context. To do this, right-click the request in the Proxy history, select Request in browser, then Current session.
• Some privilege escalation vulnerabilities arise when the application passes a user identifier in a request, then uses that to identify the current user context. To test for this, use Burp Intruder to cycle through identifiers and retrieve interesting user-specific data from the application's response.

Other vulnerabilities

Burp contains tools that can be used to perform virtually any task when probing for other types of vulnerabilities, for example:

• Review the contents of the Target site map to identify information leakage issues.
• Use the CSRF generator to create a proof-of-concept attack for a CSRF vulnerability. Review the browser results and Proxy history to verify whether the attack is successful.
• Use Burp Sequencer to analyze the quality of randomness in a sample of session tokens. To learn more about how to test session management mechanisms, see Testing session management mechanisms.
• Use Burp Intruder with the bit flipper and ECB block shuffler payload types to blindly modify the encrypted data of session tokens, to meaningfully change the application's decrypted data.
• To carry out specialized or customized tasks - write your own custom Burp extensions.