Burp Suite is a suite of tools from PortSwigger designed to aid in the penetration testing of web applications over both HTTP and HTTPS. The primary tool is a proxy designed to allow the analysis and editing of web traffic. The proxy can intercept web requests and responses so they can be read and edited in real time before they reach their respective destinations. Versions are available for Windows, macOS and Linux, along with a JAR file.
The proxy itself allows you to configure which domains have their web traffic intercepted and what sort of traffic is shown. For example, intercepting web requests is helpful because you can edit them to test how the website reacts to unusual input, whereas intercepting responses is less useful, as there is no real point in editing them.
Many of the tools included in Burp Suite are designed to integrate with the main proxy and can have requests imported into them. Intruder allows you to import a request, configure a range of payloads to attempt, and then run through them automatically. Repeater allows you to import a web request, make manual modifications to it, and see the response side by side, so you can make minor adjustments to an attempted exploit and easily see whether it is working. A dashboard feature shows a list of identified issues, although these need to be checked manually for false positives.
Tip: The issue tracker is a premium feature, while the automated attacks are rate-limited in the free version.
Sequencer is designed to analyse the randomness of data such as session IDs, CSRF tokens, and password reset tokens. The analysis requires more than 100 samples, but it can identify weaknesses in how supposedly random values are being generated. Decoder allows you to decode strings from a range of encoding schemes and to encode data again. Comparer allows you to compare two strings to check for minor differences.
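The following is an added example, not PortSwigger's code or anything shipped with Burp Suite: a much simplified, Sequencer-style screening of token randomness using only the Python standard library. It measures the Shannon entropy of each character position across a sample of equal-length tokens, flags positions that barely vary, and counts duplicates. The two token sets are constructed inline (one from a seeded PRNG standing in for a good generator, one with a fixed prefix and a counter); the 100-sample minimum mirrors the requirement mentioned above, and the 50% threshold for a "weak" position is an assumption chosen for illustration.

```python
"""Simplified, Sequencer-style screening of token randomness.
Added example: not Burp Suite's own analysis, and far less thorough than it."""
import math
import random
from collections import Counter

HEX_DIGITS = "0123456789abcdef"


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits per symbol, of an iterable of symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def analyse_tokens(tokens, min_samples=100, weak_fraction=0.5):
    """Screen a list of equal-length tokens for obvious weaknesses.

    Per-position entropy is estimated from the sample, so it is capped by
    log2(number of samples); this is a screening measure, not a proof of
    randomness, and it ignores correlations between positions.
    """
    if len(tokens) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(tokens)}")
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError("tokens must all have the same length")
    length = lengths.pop()

    alphabet = set("".join(tokens))
    max_bits_per_char = math.log2(len(alphabet))  # best case for this alphabet

    per_position = [shannon_entropy_bits(t[i] for t in tokens) for i in range(length)]
    # A position is "weak" (assumed threshold) if it carries less than
    # weak_fraction of the entropy the alphabet could provide.
    weak_positions = [i for i, h in enumerate(per_position)
                      if h < weak_fraction * max_bits_per_char]

    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "max_bits_per_char": max_bits_per_char,
        "estimated_bits": sum(per_position),  # upper-bound style estimate
        "weak_positions": weak_positions,
        "duplicates": len(tokens) - len(set(tokens)),
    }


def constructed_samples(count=200, seed=7):
    """Constructed sample data for the demo (not captured from any site).

    Returns (good, weak): 'good' tokens come from a seeded PRNG purely so the
    demo is reproducible (a real generator should use the secrets module);
    'weak' tokens are a fixed 24-character prefix followed by a counter.
    """
    rng = random.Random(seed)
    good = ["".join(rng.choice(HEX_DIGITS) for _ in range(32)) for _ in range(count)]
    prefix = "a3f9c2e1b7d4a3f9c2e1b7d4"
    weak = [prefix + f"{i:08x}" for i in range(count)]
    return good, weak


if __name__ == "__main__":
    for name, sample in zip(("good", "weak"), constructed_samples()):
        report = analyse_tokens(sample)
        print(f"{name}: ~{report['estimated_bits']:.1f} bits, "
              f"weak positions {report['weak_positions']}, "
              f"duplicates {report['duplicates']}")
```

With the constructed data, the counter-based tokens show thirty near-constant positions and only a handful of bits of estimated entropy, while the PRNG-generated set shows none; as with Sequencer, the result is only as good as the size and representativeness of the sample.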
A broad range of community-written extensions is available for free from within the app, although some require features limited to the paid version of Burp Suite. The free version of Burp Suite supports most features; a professional licence that unlocks all of them costs $399 a year, while an “enterprise edition” costs $3999 a year plus $399 per scanning agent, and agents can only be added in batches of 10.