Proceedings of the National Conference on Emerging Computer Applications (NCECA)-2021 271

Vol.3, Issue.1

Penetration Testing and Vulnerability Scanning of Web Application Using Burp Suite

Dona Rose Mathew, Department of Computer Application, Amal Jyothi College Of Engineering, Kanjirapally, Kottayam, [email protected]
Jetty Benjamin, Department of Computer Application, Amal Jyothi College Of Engineering, Kanjirapally, Kottayam, [email protected]

Abstract—The aim of this paper is to identify a web application that can be used to test the effectiveness of the Burp Suite web application vulnerability scanner. Burp Suite is a prominent penetration testing and vulnerability detection tool created by the PortSwigger firm. Burp Suite is designed to be an all-in-one toolkit, and its capabilities can be expanded by installing add-ons called BApps. Its simplicity makes it a better choice than free options like OWASP ZAP.

Keywords—Vulnerability, Burp Suite, Vulnerability Scanner

I. INTRODUCTION

Burp Suite was founded in 2004 by Dafydd Stuttard, who saw a need for a reliable web application security testing tool. The tool has advanced by leaps and bounds over the last 16 years, adding a slew of new features and capabilities that support the community of security testers, and Burp Suite has undeniably become the method of choice for web application protection testing. It has also progressed to the point that it can now detect bugs in APIs and mobile apps. In Sagar Rahalkar's opinion, to test the security of web applications effectively one must first understand the numerous web application vulnerabilities, as well as have a thorough understanding of the testing methods [1].

Editions

Burp Suite, like most other software, comes in a variety of formats. Different users have different requirements, and one size does not necessarily suit everyone. Burp Suite is available in three different editions to meet the needs of different users.

A. Community Edition
The Burp Suite Community Edition is the most basic version of the software, and it is available for free download and use. To get started with web application security testing, it comes with a limited collection of tools and features. If you're new to application security and want to learn the basics, the Burp Suite Community Edition is an excellent place to start [1][2].

B. Professional Edition
If you have a strong understanding of web application security and are regularly expected to test applications as part of your employment, the Burp Suite Professional Edition is strongly recommended. Individual practitioners who want to undertake both manual and automated security testing should use this version [1][2].

C. Enterprise Edition
While both other editions are targeted at individual practitioners, the Burp Suite Enterprise Edition is useful for organisations looking to integrate security scanning into software pipelines [1][2].

Tools in Burp Suite

Burp Suite includes a number of tools for performing various research activities. The tools work well together, and you can transfer interesting requests between them while you work to complete various tasks [3].

A. Target: This tool provides detailed information about your target applications and allows you to control the vulnerability testing process [3].
B. Proxy: This is a man-in-the-middle web proxy that intercepts traffic between the end browser and the target web application [3].
C. Scanner: This is a sophisticated web vulnerability scanner that can crawl content and audit it for a variety of vulnerabilities. It is available only in the Professional edition [3].
D. Intruder: It is a versatile tool for automating and customising web application attacks. It can be used to automate a variety of tasks that occur during the testing of software [3].
E. Repeater: A simple yet powerful tool for manually modifying and re-issuing web requests [3].
F. Sequencer: It is the tool for testing the quality of session tokens such as cookies and more [3].
G. Decoder: This is a useful tool for decoding and encoding application data manually or intelligently [3].
H. Comparer: This is a useful tool for visually comparing any two pieces of data, such as pairs of similar HTTP messages [3].
I. Extender: This enables you to load Burp plugins, which you can use to expand Burp's features with your own or third-party code [3].

DOI: 10.5281/zenodo.5094090
ISBN:978-93-5426-386-6@2021 MCA, Amal Jyothi College of Engineering Kanjirappally, Kottayam

Burp Suite alternatives

Vulnerability scanner software is not limited to Burp Suite. Look at other solutions and competing choices. Features and functionality are important to remember when evaluating Burp Suite alternatives. The following are some of the Burp Suite alternatives [4]:

A. Nessus: It is a vulnerability management software [4].
B. Acunetix: A technology for scanning and auditing all web applications, including HTML5, JS, and single-page applications [4].
C. Netsparker: Netsparker is a web application security scanner that detects security vulnerabilities in websites, web apps, and web services in an automated and user-friendly manner [4].
D. OpenVAS: OpenVAS is a collection of resources and software that together provide a comprehensive and efficient vulnerability scanning and management solution [4].
E. Zenmap: Zenmap is the official Nmap Security Scanner GUI. It is free, open source and multi-platform. It aims to make Nmap simple to use for beginners while still offering advanced features for seasoned Nmap users [4].

II. LITERATURE SURVEY

Prajakta Subhash Jagtap's "Vulnerability Scanning" examines the current state of open source vulnerability scanning software. A review of the literature on vulnerability, vulnerability scanning, vulnerability scanning software, security vulnerabilities, device security, and application security is carried out. This article examines vulnerability scanning techniques in depth. The author of this paper compared the efficiency of two widely used vulnerability scanning tools, Nessus and Burp Suite [5].

Chanchala Joshi and Umesh Kumar Singh analyse the efficiency of Burp Suite and other web application vulnerability scanners in "Security testing and assessment of vulnerability scanners in quest of current information security landscape". The defence measures to protect the application are also explained in this document. We may infer from this paper that both the Acunetix and Netsparker scanners are capable of detecting cross-site scripting, but the Burp Suite result is very weak. However, Acunetix does not properly detect security misconfiguration vulnerabilities; in this case, the results of the Netsparker and Burp Suite scanners are superior [6].

We saw how we could use Burp Suite's capabilities for performing security testing on APIs and mobile apps in Sagar Rahalkar's "A Complete Guide to Burp Suite". We also outlined the steps to take in order to get the most out of Burp Suite for web application security testing [1].

All the above authors speak about Burp Suite. The first author [5] speaks about vulnerability scanning tools and also compares Burp Suite with Nessus, while the second author [6] compares three tools and analyses their advantages and disadvantages. From that paper [6] we can conclude that even though Burp Suite's capability of detecting cross-site scripting is low, its security misconfiguration vulnerability detection is high. The third author [1] provides a thorough explanation of Burp Suite.

III. METHODOLOGY

a. Burp Suite installation

We must first ensure that Java is installed on the device before installing or running Burp Suite. It is a must-have for Burp Suite to work. To check whether Java is installed on a Windows machine, simply open a command prompt and type "java -version", as shown below in Fig: 3.1.1:

Fig: 3.1.1. Java Install

Once Java is installed, the next step is to install Burp Suite. We can download the edition from https://portswigger.net/burp/releases/professional-community-2021-5-1?requestededition=community, as shown below in fig:3.1.2:

Fig:3.1.2. Burp suite installation

After downloading, just open the downloaded file and the pop-up window will be as shown in fig:3.1.3 [7].

Fig:3.1.3. pop up window


Choose where you want Burp Suite to be installed on your computer, as shown in fig:3.1.4.

Fig: 3.1.4. Select Destination

Select the start menu option for Burp Suite as in fig.3.1.5.

Fig:3.1.5. Burp suite

Now the installation will begin as in fig:3.1.6.

Fig:3.1.6. Installation

You can start Burp Suite after it has been successfully installed, and you will see the following screen as in fig:3.1.7:

Fig 3.1.7. Burp Suite start Screen

Accept the terms and conditions (fig:3.1.8) in order to continue with the start-up.

Fig:3.1.8. Terms & Conditions

If you're using the Community edition of Burp Suite, you'll need to create a temporary project.

Fig:3.1.9. create temporary project

To start Burp Suite, click the Start Burp button in the bottom-right corner.


Fig:3.1.10. Burp Suite start

With that, Burp Suite has been successfully installed and started. You can use the Chromium browser that comes pre-configured with the new version of Burp Suite.

If it is the Professional edition, you need to activate your licence key. When launching Burp Suite for the first time, you need to provide your Burp Suite licence key. Your licence key can be downloaded from your account page. The standard activation process is as follows [8]:

• When prompted to enter your licence key, either paste it or choose it from a file using the "select licence key file" button. After that, press the Next button.
• Enter your proxy details in the corresponding field if you are only able to access the internet using a web proxy server.
• To activate your licence, click the Next button. The getting-started wizard will appear.

In some cases you need to activate your licence manually (for example, on a computer with no internet connection) [8]:

• In such circumstances, rather than clicking Next, select manual activation.
• Click on "copy URL".

Fig:3.1.11. Manual Activation

• Paste the URL into your browser to access the manual licence activation page, as in fig:3.1.12.

Fig:3.1.12. Browser

• Go back to the activation wizard and click on the "copy request" button.

Fig:3.1.13. Activation Wizard

• Return to the licence activation page in your browser, paste the request into the activation request field and click on Send. Select and copy the text that appears in the activation response field.

Fig:3.1.14. Manual License Activation

• Go back to the licence activation wizard. Click on the "paste response" button to paste the response.


• Click on Next. If the activation was successful, the next screen will appear, prompting you to click Finish to complete the process and load the Burp start-up wizard.

Fig:3.1.15. success Window

If you don't want to use Burp's built-in browser, you can use any other browser. However, in this situation you'll need to take some extra measures to configure your browser (you need to change your proxy setting), as well as install Burp's CA certificate.

b. Burp Suite tabs and uses

i. Proxy
It acts as a web proxy server between your browser and the applications you want to test [9].

1. Intercept
This is where your browser's HTTP requests are shown. Each message can be viewed and edited from this page. After you've made your changes, simply press the Forward button. If any intercepted messages are pending, the page will not finish loading until you press Forward. We can toggle intercept on/off to browse normally without requests being held.

Fig:3.2.1.1.1. Intercept tab

2. HTTP history
All requests and responses are saved in this tab. You can view the requests you've made in this tab even if intercept is turned off.

Fig:3.2.1.2.1. HTTP history tab

ii. Target
It contains detailed information about your targeted application [9].

1. Site Map
The site map of the target application generated by Burp Suite can be viewed here. All of the URLs you've visited in your browser are shown in the site map. Requested items are shown in black, while others are shown in grey.

Fig:3.2.2.1.1. site map tab

In order to add your URL to the scope, just right click on the URL in the site map and select "add to scope".

iii. Scanner
Detects content and security flaws on websites automatically. The scanner can crawl the application depending on its configuration [9].
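Pointing a non-browser client at Burp involves the same two changes the Proxy section above lists for a browser: send traffic to the proxy listener and trust Burp's CA certificate. The following Python script is an added example, not code from the paper or from PortSwigger: it applies both changes to Python's standard-library HTTP client and adds a simplified version of Burp's target scope ("add to scope") so that only in-scope URLs are sent through the proxy. The listener address 127.0.0.1:8080, the certificate path burp-ca.pem and the example.com URLs are assumptions.

```python
"""Send a Python HTTP client through Burp Proxy and keep it inside the target scope."""
import ssl
import urllib.request
from urllib.parse import urlsplit

BURP_LISTENER = "127.0.0.1:8080"  # Burp's default proxy listener (assumed)
BURP_CA_PEM = "burp-ca.pem"       # Burp's CA certificate exported in PEM form (assumed path)


def proxy_map(listener=BURP_LISTENER):
    """The proxy setting the paper has you change in the browser, for urllib. HTTPS is
    tunnelled through the same HTTP listener, which is why Burp's CA must be trusted."""
    return {"http": "http://" + listener, "https": "http://" + listener}


def _parts(url):
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.scheme, (p.hostname or "").lower(), port, p.path or "/"


def in_scope(url, includes, excludes=()):
    """Simplified Burp target scope: each rule is a URL prefix. Scheme, host and port
    must match exactly and the path must start with the rule's path; an exclude rule
    overrides an include rule, as it does in Burp's scope settings."""
    scheme, host, port, path = _parts(url)

    def matches(rule):
        rs, rh, rp, rpath = _parts(rule)
        return (rs, rh, rp) == (scheme, host, port) and path.startswith(rpath)

    return any(matches(r) for r in includes) and not any(matches(r) for r in excludes)


def burp_opener(ca_pem=BURP_CA_PEM, listener=BURP_LISTENER):
    """urllib opener that routes through Burp and validates TLS against Burp's CA,
    instead of switching certificate checks off."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy_map(listener)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch_in_scope(url, includes, excludes=(), opener=None):
    """Fetch url through Burp only if it is in scope; returns the HTTP status or None."""
    if not in_scope(url, includes, excludes):
        return None
    opener = opener or burp_opener()
    with opener.open(url, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed scope: the /app/ tree of example.com is in scope, logout is excluded.
    include, exclude = ["https://example.com/app/"], ["https://example.com/app/logout"]
    for u in ("https://example.com/app/login", "https://example.com/app/logout"):
        print(u, "in scope" if in_scope(u, include, exclude) else "out of scope")
```

Requests that pass the scope check show up in Burp's HTTP history and site map exactly as browser traffic does.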



Fig:3.2.3. Scanner

iv. Intruder
It is a platform for automating custom web application attacks. It is flexible and powerful, and it can be used for a wide variety of tasks.

Fig:3.2.4.1. Payloads tab

v. Repeater
Burp Repeater is a method for manually altering HTTP requests and checking the page's responses. Right click on a request and select "send to repeater" (fig:3.2.5.1).

Fig:3.2.5.1. Repeater tab

vi. Decoder
It is a straightforward method for converting encoded data into its canonical form, as well as raw data into different encoded and hashed formats (fig 3.2.6.1).

Fig:3.2.6.1. Decoder tab

vii. Comparer
This is used to perform a visual comparison of two pieces of application data to find interesting differences.

Fig:3.2.7.1. Comparer

viii. Extender
Burp Extender allows you to expand Burp's features with your own or third-party code by using Burp extensions.

Fig:3.2.8.1. Extender

IV. RESULT

Burp Suite aspires to be an all-in-one toolkit, and its features can be expanded by adding BApps, or add-ons. Burp Suite is available as a Community edition which is free, a Professional edition that costs $399/year and an Enterprise edition that costs $3999/year [10].

To use Burp Suite for research, simply go to the Proxy tab and turn intercept on or off. After that, Burp Suite can behave as a man-in-the-middle. All requests will be routed via Burp Suite, and the resulting page will only be loaded if you click Forward. While intercept is enabled, you can see all of your browsing history in HTTP history. By just right clicking on each link you can send it to the Repeater tab, Intruder tab, Comparer tab, etc.

V. CONCLUSION

From this paper we can conclude that Burp Suite is one of the most popular penetration testing and vulnerability detection tools used to assess the security of web applications. Compared with some alternative tools, Burp Suite has both advantages and disadvantages. In terms of discovered bugs, ease of use, licensing versatility, and breadth of features, Burp Suite provides the most value to independent security consultants.

VI. FUTURE WORKS

This paper is about Burp Suite. There could be some changes that can be made to make it more user-friendly. The following ideas could be some of them:

• The capability of detecting cross-site scripting would need to be improved in the future.
• Providing an extension to anyone who wishes to use the prototype in a scanner is almost impossible [11]. It will be better if this problem is solved.

VII. REFERENCES

[1] Sagar Rahalkar, "A Complete Guide to Burp Suite", Pune, Maharashtra, India, 2021.
[2] https://portswigger.net/burp#:~:text=Burp%20Suite%20Enterprise%20Edition%3A%20automated,scanning%20across%20their%20entire%20portfolios
[3] https://portswigger.net/burp/documentation/desktop/tools
[4] https://www.g2.com/products/burpsuite/competitors/alternatives
[5] Prajakta Subhash Jagtap, "Vulnerability Scanning", M.Tech Student, K J Somaiya College of Engineering, 2012.
[6] Chanchala Joshi, Umesh Kumar Singh, "Security testing and assessment of vulnerability scanners in quest of current information security landscape", Institute of Computer Science, Vikram University, Ujjain, M.P., India, 2016.
[7] https://www.studytonight.com/post/how-to-install-burp-suite-on-windows-10
[8] https://portswigger.net/burp/documentation/desktop/getting-started
[9] portswigger.net
[10] https://www.geeksforgeeks.org/what-is-burp-suite/
[11] https://raw.finnwea.com/similar-request-excluder/TijmeGommers-GraphWave-Thesis-Public-Digital-1.103.6-bd716cc3.pdf
