Burp Suite is an easy-to-use integrated platform for web application security. Burp includes multiple tools that are seamlessly integrated and allow you to test every component and aspect of modern web applications. Whether you need to verify the robustness of your authentication mechanism, the predictability of your session tokens, or the input validation checkpoints present in your application, Burp is the Swiss-army knife for security practitioners. Not only does it allow in-depth manual assessments, but it also combines automated techniques to enumerate and analyze web application resources.
Burp is developed by PortSwigger Ltd. and is distributed in two editions:
- Burp Free
- Burp Professional
In essence, Burp is a local web proxy that lets you intercept, inspect, and modify HTTP/S requests and responses between the user's browser and the target website. While the user navigates through the web application, the tool records details of all visited pages, scripts, parameters, and other components. The traffic between the browser and the server can then be viewed, analyzed, modified, and repeated multiple times. The different tools included in Burp Suite are reached through the upper tabs:
- Target: This tool aggregates all web application resources, guiding the user through the security test.
- Proxy: The core component of the tool, which lets you intercept and modify all web traffic.
- Spider: An automatic crawler that can be used to discover new pages and parameters.
- Scanner: A complete web application security scanner, available in the Professional version only.
- Intruder: Burp Intruder lets you customize and automate web requests. Repeating the same request multiple times with different content makes it possible to perform fuzzing. Web fuzzing typically consists of sending unexpected inputs to the target application, a process that may help to identify security flaws.
- Repeater: A simple yet powerful tool that can be used to manually modify and re-issue web requests.
- Sequencer: Burp Sequencer is the perfect tool for verifying the randomness and predictability of security tokens, cookies, and more.
- Decoder: Encodes and decodes data using multiple encoding schemes (for example, URL encoding) or common hash functions (for example, MD5).
- Comparer: A visual diff tool that can be used to detect changes between web pages.
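To make the Sequencer entry concrete, the following added example (not taken from the original text and not Burp's own implementation) shows a simplified version of the kind of check such a tool performs: it measures the Shannon entropy of the character at each position across a sample of tokens and flags positions that barely vary. The token generators, sample sizes and the 3.5-bit threshold are assumptions chosen for illustration, and per-position entropy is only an upper bound because it ignores correlations between positions.

```python
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy (bits) of the character observed at each token position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    total = len(tokens)
    entropies = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        # H = sum p * log2(1/p); a constant position yields exactly 0.0
        entropies.append(sum((c / total) * math.log2(total / c)
                             for c in counts.values()))
    return entropies


def low_entropy_positions(tokens, threshold=3.5):
    """Positions whose entropy is below threshold (a hex character carries at most 4 bits)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold]


def make_weak_tokens(n=2000, base=0x65000000):
    # Constructed sample: a counter added to a fixed base, printed as 16 hex chars.
    return [f"{base + i:016x}" for i in range(n)]


def make_strong_tokens(n=2000, seed=1234):
    # Constructed sample: 64 random bits per token. The seeded PRNG is used only
    # to keep the demo reproducible; real tokens must come from a CSPRNG
    # such as the secrets module.
    rng = random.Random(seed)
    return [f"{rng.getrandbits(64):016x}" for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("weak", make_weak_tokens()),
                         ("strong", make_strong_tokens())):
        ent = position_entropy(sample)
        print(f"{name}: example={sample[0]} "
              f"upper bound={sum(ent):.1f} bits, "
              f"low-entropy positions={low_entropy_positions(sample)}")
```

For the counter-based sample, 14 of the 16 positions are flagged and the upper bound is about 11 bits, while the random sample shows no flagged positions and close to 64 bits.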