Home » Cybersecurity » Application Security » Quick and Dirty BurpSuite Tutorial (2019 Update)

Quick and Dirty BurpSuite Tutorial (2019 Update)

Introduction

In this article we look at BurpSuite, a framework of tools that can be used during penetration testing. We’ll cover the latest release of BurpSuite, version 2.0, getting our hands dirty with the OWASP Juice Shop vulnerable Web application.

Overview

This article is intended for penetration testers and bug bounty hunters as well as software developers who find it important to have security as a component of their development.

BurpSuite has three editions that you can select from:

1. BurpSuite Enterprise
2. BurpSuite Professional
3. BurpSuite Community

We’ll be making use of the BurpSuite Professional Edition v2.0 Beta for the course of this article.

It’s worth noting also is that BurpSuite Community (free) Edition comes bundled with Kali Linux. You will have to pay for the Pro Edition if you need extended functionality. With the Pro Edition, the intruder function will not be throttled, functionality of Extenders, Discover Content, CSRF PoC and Project File saving will all be supported, and your payloads and plugins will be available.

OWASP Juice Shop Initial Setup

Installing the OWASP Juice Shop can either be done from sources using node.js, on a Docker container, Vagrant, on an Amazon EC2 instance or on an Azure Container instance. The detailed steps to achieve this can be found here.

Our preferred method will be using node.js. Our setup is running on Ubuntu 18.04 LTS with node.js installed.

For our setup, the very first step is to run npm start within the juice-shop directory. The server will begin listening on port 3000. It is important to ensure that no server is already listening there before you begin. See below:

When you load http://localhost:3000 on your browser, you will see the default juice-shop page. The idea is basically to have an “online” shop where shoppers (Read more...)