This repository has been archived by the owner on Dec 9, 2024. It is now read-only.
Vamsi Krishna Bandaru edited this page Dec 1, 2024 · 82 revisions

Burp Suite Community Edition

This guide provides detailed instructions on installing, setting up, configuring, using, and troubleshooting Burp Suite Community Edition for web application security testing of this project. It covers all necessary steps, including how to intercept the project's HTTP traffic with Burp's Proxy and how to test WebSocket handshakes with Repeater, with relevant screenshots and examples.

Contents

  1. Installation
  2. Configuration
  3. Implementation
  4. Usage
  5. Troubleshooting

Installation

Further installation instructions can be found on the PortSwigger website.

Installing Burp Suite on Mac

  • Step 1: Download Burp Suite

Download the Burp Suite Community Edition from the PortSwigger website:

https://portswigger.net/burp/communitydownload

  • Step 2: Run the installer

Run the installer script to set up Burp Suite:

burpsuite_community_installer.sh

Configuration

Launch Burp Suite

  • Step 1: Launch Burp Suite from the Applications folder and choose "Temporary Project" to create a new project session.

[Screenshot]

  • Step 2: Select "Use Burp Defaults" and click "Start Burp." This will open the main dashboard, where tabs like Proxy, Target, and Repeater are accessible.

[Screenshot]

  • Step 3: Go to the Proxy tab and turn on "Intercept" mode to capture and view HTTP requests as you load pages.

[Screenshot]


Implementation

Capturing HTTP Requests

  • Step 1: Set Up the Intercept

In the Proxy tab, click "Open Browser" to launch Burp's browser and begin intercepting requests.

[Screenshot]

  • Step 2: Capture Team Project URL Requests

Enter the team project URL in Burp's browser to see the intercepted HTTP requests.

[Screenshot]

  • Step 3: Forward and Monitor Requests

In the Proxy tab, click "Forward" to pass through requests, and use "HTTP history" to monitor all HTTP traffic.

[Screenshot]

  • Step 4: Continue clicking "Forward" to allow subsequent requests to pass through while monitoring the traffic, and select the "HTTP history" option to review them.

[Screenshot]


Usage

Using Repeater for Testing WebSocket Vulnerabilities

  • Step 1: Select a WebSocket request to test for vulnerabilities by sending it to the Repeater tab.

[Screenshot]

  • The request is attempting to upgrade the connection to a WebSocket.

  • We focus on testing how the server responds to unexpected modifications of the Host, Connection, Sec-WebSocket-Key, Sec-WebSocket-Version and Origin headers.

  • Step 2: In Repeater, modify the headers:

  • Origin header: changing this header tests whether the server restricts connections based on the origin, which is the defence against Cross-Site WebSocket Hijacking (CSWSH).

  • Sec-WebSocket-Key: altering this key tests whether the server validates the handshake before accepting the connection.

  • Sec-WebSocket-Protocol: removing this header tests the server's response to a missing subprotocol, showing whether protocol validation is enforced.

[Screenshot]

  • Step 3: Click "Send" to observe the server's response and verify that connections from unauthorized origins are blocked.

[Screenshot]

  • Step 4: The server's response is displayed on the right side.

[Screenshot]

  • The response we received is "Cross origin websockets not allowed", which shows that the server prevents WebSocket connections from unauthorized origins.

  • The server is blocking WebSocket requests from any origin that isn't the anticipated one.

  • This is a form of protection against Cross-Site WebSocket Hijacking (CSWSH), ensuring that only WebSocket requests from allowed origins can establish a connection.

  • Step 5: Compare with the original request's response.

[Screenshot]


Troubleshooting

  1. Unable to Launch Burp Suite

    • Verify Java is installed:

    java -version

  2. SSL/TLS Certificate Error

    • If you encounter SSL/TLS certificate errors, ensure Burp Suite's CA certificate is installed in your browser.
    • Go to Proxy > Options > Import / export CA Certificate, and follow the instructions.

  3. High CPU Usage

    • Reduce threads in Burp Suite settings:
      • Go to Settings > Project Options > Connections > Reduce threads.
