Categories

Archives

Website Hacking

Burp Suite for Pentester: Burp’s Project Management

A Burp project is basically a file over where we store and organize our work for a specific test. But what if you’re working on a particular application and you might take days to test that?

Today, in this article, we’ll focus on the project types and the options featured by the burp suite professional version, that will help the pentester to save an incomplete test or resume it by loading the project file either with the default burp project options or by importing the customized ones.

Table of Content

  • Initiating with the Project Files
    • Temporary Project
    • Project on Disk
    • Open Existing Project
  • Manipulating Project Files
  • Playing with Project Options
    • Exporting the customized options
    • Importing options into new projects

Initiating with the Project Files

Let’s initiate things up by turning ON our burp suite application. But wait, with the turn ON, we didn’t mean to reach the dashboard. We’ll simply stop when we would have the burp’s first look, and it is the project widget on startup.

Over at the startup panel, there are several sections within the radio buttons, let’s explore them in detail.

Temporary project

You might have used the temporary project over the majority of the time when you launch the burp application as it is idle for quick tasks and helps you to set things faster.  So, let’s reach the dashboard panel once again with the Temporary project aligned.

The Next button would lead us to the Project options window where we’ll opt for the “Use Burp defaults” and initiate with the Start Burp button.

Once the key got fired up, we’ll be redirected to the dashboard screen with a Temporary project listed at the top.

In order to enhance the working speed, burp temporary project stores all its generated data into the system’s memory, and nothing is saved by default. Thereby whenever the burp exits, everything will be lost and we need to configure the burp again for the other projects.

Project on Disk

That was the major problem that the burp users faced about their system memory usage and saving the project parts.

Thereby in order to sort things out, PortSwigger offers a great feature for its professional edition users, that they could create project files on their disks. That means the data will be shared with a project file and the contents within it will be saved incrementally on a real-time basis as we work.

However, the memory usage will be a bit lower because a lot of data has been pushed onto the disk.

So, let’s create a project file and will see how things work on. Back onto the Select Project widget, opt “New project on disk” and name it as Demo_Project.

Once we hit the “Choose file…” button, a new window popped up asking us to add the location where the project will be saved.

So, let’s make it to the Desktop and we’ll thus hit the Save button.

Within an eye blink, we’ll be on the Select project screen. Hit “Next”, and follow up to the next window.

Again, we’re back on the project options window, let’s keep the default one. And the rest of the options we’ll discuss later in this article.

Hit Start Burp and let the dice rollover. Within a few seconds, the burp opens with the project name reflected at the top.

Time to generate some data, let’s capture something. Turn ON your browser’s proxy and surf the OWASP Juice Shop there.

With the Intercept option turned OFF on our burp suite’s proxy tab, let’s switch to the Target tab, and there we can see the Site map is full of shared Requests and Responses.

However, in HTTP History, a number of requests are aligned up there too.

With all this, let’s create a scan task too with a basic crawl and audit at testphp.vulnweb vulnerable web-application. If you want to learn how to set up a New scan, check out our previous article.

And as we hit the OK button, the task got lined up at our dashboard window. Within a few minutes, it crawled about 32 locations by sharing about 150+ requests.

About 45 seconds left for the crawler to end its work, let’s close the burp application with the scan running on the dashboard and we’ll restart it again.

Open Existing Project

As the burp launches again, this time we’ll select the “Open existing project” at the Project section window and will further hit the Choose file button in order to select our project file.

The “Pause Automated Tasks” was checked by default, this will pause all the automated scans there were running over in our file.

So, let’s select the Demo_Project.burp in the Open project file option and then hit the “Open” button in order to load the same.

Time to load the configuration, as we’ve opened our existing project thereby the default would be “Use options saved with the project” as whatsoever changes or configuration we made during the project, everything got saved automatically with the project file.

Hitting the Start Burp button will open our project. Let’s check that out what it carries.

From the below image, we can see that we got a pop-up as “Task execution is paused”, we got this due to its default behaviour that had the check box enabled for Pause Automated Tasks. And along with this, we can see that our task is there where we’ve left off, however, some requests and some locations have been crawled while we were exiting the burp application.

Let’s check the Site map, is it carrying the same things or not. And there it is, the crawled web-applications are there.

If these things are the same, then the HTTP History might be the same too, let’s switch to the panel there. And there the things are.

Note :

While working with these project options, a point made me scratch my head that what about the burp collaborator’s polling, like what if we exit the application with the collaborator client ON, how we’ll get to know that the vulnerability got triggered or not?

However, nothing to be worried about that, the project file saves this thing too i.e., the burp will resume the collaborator polling and will identify the vulnerabilities that were triggered at the end of the previous scanning.

Manipulating Project Files

With all these great options, the burp suite even gives us the opportunity to Save a copy of our running project or merge the work from other projects by importing them from the disk.

The Save copy option is for both the project types – Project on disks and temporary projects. But the Import project file feature is only for Project on disk scenarios. So, let’s check where we can find them all.

At the top of the Burp Suite’s panel, when we hover the Project option there, we got a dropdown where a number of options aligned, let’s hit the Save Copy one.

As soon as we do so, a new window will pop-up asking to check the tools from where the data needs to be saved. Let’ check them all and will name the new project file as Demo_Project_Copy.

Hitting the Next button will redirect us to one of the most important pages i.e., include the burp collaborator identifier or not.  Let’s make it to default because we want the collaborator identifier to be saved with the project data and as soon as we hit the Next button the copy of our project will be saved.

However, in a similar way, we can do it for temporary projects too.

There are times when we want to merge some other project contents into our current working project, thereby we can do this by simply selecting the “Import project” open directly from the dropdown list.

The best part of this thing is that the importing will not affect our work and we can continue to do that.

Playing with Project Options

Burp Suite offers a wide range of options that determines the behaviour and the working of all built-in tools. However, we can customize these options, load them, or save them at the global level with the Project tab or the options tab within the individual tool.

Note

If we’re working on an on-disk project, all the options that we change or customize got automatically saved within the project data, thereby we don’t need to save the options separately. But if we’re working with the temporary project, we need to save them in order to make the changes available whenever we reload the file with some other project.

Let’s initiate and explore where the options are and how we can export them to the drive and load them within a new project.

Exporting the customized options

Over with a temporary project, let’s manipulate the proxy listener in the Options section of the Proxy tab by adding a one there with all interfaces bound to port “8081”

Now, further heading to the top panel, opt “Project” and over from the dropdown list “Select Project options” there, hit the “Save project options” in order to save all the customizations made within any of the tools.

The Save project option will redirect to a pop-up window and there we’ll enter the configuration file name as Interface_Options, and will then hit the Save button.

Let’s restart the burp application and this time we’ll open our Demo_Project again.

Over at the Project Options window, we’ll select the “Load from configuration file” option and will hit the Choose file button and select Interface_Options.json file from there.

As soon as we hit the Start Burp button, we‘re back on the dashboard panel, let’s switch to the Proxy tab then.

Over on the Options section at the Proxy tab, we can see that the Interface had been configured with the configuration file and we’re having the port 8081 bounded.

But what if we want to save or load the options of a single tool only like we did in the above scenario?

To do so, simply switch to the tools option tab and hit the gear icon, so for the time being let’s remove the 8081 bounded services, and then we’ll load the file again but this time we’ll do it from the Proxy tab.

As soon as we hit the load button, we got the window to select the file, simply choose the respective one and hit the Open button there.

Once loaded, we’ll get all of our configurations back into the tool.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here