
Pentest Your Web Apps with Burp Suite on Kali Linux

Burp Suite can be used to test how your servers stand up to brute-force attacks, dictionary attacks, and rate-limit attacks.
Nov 25th, 2023 6:00am by

Kali Linux is one of the most popular Linux distributions for penetration testing (pentesting). If you need to test your websites, networks, systems, or web applications for vulnerabilities, Kali Linux is not just a great place to start; it’s also a great place to finish. Why? Because Kali Linux has all the tools you need for pentesting, forensics, and much more.


There are so many pentesting tools in Kali Linux that you will likely never go through them all. Even better, some of the apps have multiple tools. One such app is Burp Suite.

Burp Suite is a set of pentesting tools geared specifically for web applications. Burp Suite has a number of included tools and can be extended with add-ons, called BApps.

The version of Burp Suite included with Kali Linux is the Community Edition, which means not every tool and feature is available for free. If you want to migrate to the Pro edition of Burp Suite, the cost is US$449/year. The Enterprise edition has a few different pricing plans you can choose from. You can learn about the differences from the Pro Edition page and the Enterprise Edition page.

Before you dive in and purchase a license, I would recommend kicking the tires of the Community Edition first, which is what ships with Kali Linux. The free version will give you a good idea of just how powerful Burp Suite is and can even serve you well enough until you find it necessary to pay for either a Pro or Enterprise license.

Let’s walk through the process of using Burp Suite’s Sniper attack. The Sniper attack is part of the Intruder tool, a fuzzer that runs a set of values through an input position and records the successes, failures, and responses. Intruder is used for brute-force attacks, dictionary attacks, and rate-limit attacks.

We’re going to use a payload of usernames to test against localhost:80 (which is the Kali Linux host itself; you can change the target to whatever web app you want to test).

Ready for the testing?

Let’s go.

What You’ll Need

The only things you’ll need for this are a running instance of Kali Linux and a web app to test. That’s it.

Open Burp Suite

The first thing you must do is log into Kali Linux. Remember, if you’re using the VirtualBox or VMware appliance, the login credentials are kali/kali. Once logged in, click the Kali desktop menu and then Web Application Analysis > Burp Suite.

Figure 1: The Kali Linux desktop menu is filled with pentesting tools.

In the first interactive window (Figure 2), keep the defaults and click Next.

Figure 2: Because we’re using the Community Edition, Temporary projects are the only type we can work with.

In the next window (Figure 3), keep the defaults, and click Start Burp.

Figure 3: You can also configure Burp to always default to this selection.

Select and Configure the Test to Run

Now that Burp Suite is up and running, click the Intruder tab and select Sniper from the Attack type (Figure 4).

Figure 4: You can select from Sniper, Battering Ram, Pitchfork, or Cluster Bomb attacks.

Although I’m going to demonstrate with http://localhost:80 as my target, you can change the Target string to whatever address you need.

Before you run the test, you must first add a payload. We’re going to use a sample list of usernames, which can be copied from the PortSwigger site (PortSwigger is the company that develops and maintains Burp Suite). Of course, you can always create your own list of usernames.

Click the Payloads tab. Copy the list of names to your clipboard, and click Paste (Figure 5).

Figure 5: The Payload section allows you to add whatever list of strings you want to use in the attack.

After pasting your payload, click Start Attack.

When the attack starts, click on the Dashboard (Figure 6), sit back, and either watch or start doing other work. As the attack runs, you’ll see the results appear in real time (most likely in the form of errors or timeouts). In the above case, you’ll find 505 Intruder requests are to be run. Wait until the test is completed, which can take some time.

Figure 6: Watching the action happen in real time.
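To make the four attack types offered in Figure 4 concrete, here is an added Python example (not Burp Suite code, and not from the article) that builds the request set each mode produces from a request template with Burp-style § payload markers, following PortSwigger’s documented behaviour of Sniper, Battering Ram, Pitchfork and Cluster Bomb. The template and the username and password lists are constructed for the example; with one marked position and a 505-name list, Sniper yields exactly the 505 requests seen above.

```python
from itertools import product
# Burp Intruder marks each payload position with a pair of section signs (§);
# the text between a pair is the base value kept when that position is not fuzzed.
MARK = "\u00a7"
# Constructed sample template and payload lists (not taken from the article).
TEMPLATE = f"POST /login HTTP/1.1\r\nHost: localhost\r\n\r\nusername={MARK}admin{MARK}&password={MARK}Password1{MARK}"
USERNAMES = ["admin", "alice", "bob", "carol", "root", "test"]
PASSWORDS = ["Password1", "letmein", "Summer2023"]

def parse_template(template):
    """Split a template into its literal chunks and the base value of each position."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers in template")
    return parts[0::2], parts[1::2]

def render(literals, values):
    """Interleave the literal chunks with one value per payload position."""
    pieces = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        pieces += [value, literal]
    return "".join(pieces)

def sniper(template, payloads):
    """One payload set, one position fuzzed at a time: positions x payloads requests."""
    literals, base = parse_template(template)
    for i in range(len(base)):
        for p in payloads:
            yield render(literals, base[:i] + [p] + base[i + 1:])

def battering_ram(template, payloads):
    """One payload set placed in every position at once: len(payloads) requests."""
    literals, base = parse_template(template)
    for p in payloads:
        yield render(literals, [p] * len(base))

def pitchfork(template, *payload_sets):
    """One set per position, walked in lockstep: as many requests as the shortest set."""
    return _per_position(template, payload_sets, zip)

def cluster_bomb(template, *payload_sets):
    """One set per position, every combination: product of the set sizes."""
    return _per_position(template, payload_sets, product)

def _per_position(template, payload_sets, combiner):
    literals, base = parse_template(template)
    if len(payload_sets) != len(base):
        raise ValueError("need exactly one payload set per position")
    return (render(literals, combo) for combo in combiner(*payload_sets))
```

Counting the generated requests before starting an attack is a quick way to see whether a Cluster Bomb run against a rate-limited login will take minutes or days.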

When the test finishes, you can scroll through the results to see if the test offers any information that can help you secure the website or app you’ve tested. Each test (depending on the target and the payload) will offer different results. When you go to close the results window, you’ll be asked whether you want to discard the attack or keep it in memory.

With the test complete, you can run the test again, changing some of the options or even running the same payload on a different target.

And that’s the basics of using Burp Suite to pentest your websites or web applications. There’s quite a bit more you can do with this tool, but this introduction will get you started on your journey.
