A Burp project is basically a file where we store and organize our work for a specific test. But what if you’re working on a particular application that might take days to test?
Today, in this article, we’ll focus on the project types and the options featured by the Burp Suite Professional version, which help the pentester save an incomplete test and resume it by loading the project file, either with the default Burp project options or by importing customized ones.
Table of Contents
· Initiating with the Project Files
    o Temporary Project
    o Project on Disk
    o Open Existing Project
· Manipulating Project Files
· Playing with Project Options
    o Exporting the customized options
    o Importing options into new projects
Initiating with the Project Files
Let’s start by launching the Burp Suite application. But by launching, we don’t mean reaching the dashboard. We’ll stop at the first thing Burp shows us, which is the project widget on startup.
The startup panel offers several sections as radio buttons; let’s explore them in detail.
Temporary project
You have probably used the temporary project most of the times you launched Burp, as it is ideal for quick tasks and helps you set things up faster. So, let’s reach the dashboard panel once again with the Temporary project selected.
The Next button leads us to the Project options window, where we’ll opt for “Use Burp defaults” and continue with the Start Burp button.
Once the button is pressed, we’re redirected to the dashboard screen with a Temporary project listed at the top.
To improve working speed, a Burp temporary project stores all its generated data in the system's memory, and nothing is saved by default. So whenever Burp exits, everything is lost and we need to configure Burp again for other projects.
Project on Disk
That was the major problem Burp users faced: their system memory usage and saving parts of the project.
To sort this out, PortSwigger offers a great feature for its Professional edition users: they can create project files on disk. That means the data is stored in a project file, and its contents are saved incrementally in real time as we work.
Memory usage will also be a bit lower, because a lot of data has been pushed onto the disk.
So, let’s create a project file and see how things work. Back on the Select Project widget, opt for “New project on disk” and name it Demo_Project.
Once we hit the “Choose file…” button, a new window pops up asking for the location where the project will be saved. Let’s choose the Desktop and hit the Save button.
In the blink of an eye, we’re back on the Select project screen. Hit “Next” and continue to the next window.
Again, we’re on the Project options window; let’s keep the default one. We’ll discuss the rest of the options later in this article.
Hit Start Burp and let the dice roll. Within a few seconds, Burp opens with the project name shown at the top.
Time to generate some data, so let’s capture something. Turn ON your browser’s proxy and browse the OWASP Juice Shop.
With the Intercept option turned OFF on Burp Suite’s Proxy tab, let’s switch to the Target tab, where we can see that the Site map is full of Requests and Responses.
In HTTP History, too, a number of requests are lined up.
With all this, let’s also create a scan task with a basic crawl and audit against the testphp.vulnweb vulnerable web application. If you want to learn how to set up a New scan, check out our previous article.
As we hit the OK button, the task is lined up in our dashboard window. Within a few minutes, it crawled about 32 locations by sending about 150+ requests.
With about 45 seconds left for the crawler to finish its work, let’s close the Burp application with the scan still running on the dashboard, and then restart it.
Open Existing Project
As Burp launches again, this time we’ll select “Open existing project” in the Project section of the window and hit the Choose file button to select our project file.
“Pause Automated Tasks” is checked by default; this pauses all the automated scans that were running in our file.
So, let’s select Demo_Project.burp in the Open project file dialog and hit the “Open” button to load it.
Time to load the configuration. Since we’ve opened an existing project, the default is “Use options saved with the project”, because whatever changes or configuration we made during the project were saved automatically with the project file.
Hitting the Start Burp button opens our project. Let’s check what it carries.
From the image below, we can see that we got a pop-up saying “Task execution is paused”; this is due to the default behavior that had the check box for Pause Automated Tasks enabled. Along with this, we can see that our task is right where we left off, although some requests and some locations were crawled while we were exiting the Burp application.
Let’s check whether the Site map carries the same things. And there it is: the crawled web applications are there.
If these are the same, then the HTTP History should be the same too, so let’s switch to that panel. And there they are.
Note:
While working with these project options, one point made me scratch my head: what about Burp Collaborator’s polling? If we exit the application with the Collaborator client ON, how will we get to know whether the vulnerability got triggered or not?
However, there is nothing to worry about: the project file saves this too, i.e., Burp will resume the Collaborator polling and will identify the vulnerabilities that were triggered at the end of the previous scanning.
Manipulating Project Files
Along with all these options, Burp Suite also lets us Save a copy of our running project or merge in the work from other projects by importing them from disk.
The Save copy option is available for both project types, projects on disk and temporary projects. The Import project file feature, however, is only for projects on disk. So, let’s see where we can find them.
At the top of the Burp Suite window, when we hover over the Project menu, we get a dropdown with a number of options; let’s hit Save Copy.
As soon as we do so, a new window pops up asking us to check the tools whose data should be saved. Let’s check them all and name the new project file Demo_Project_Copy.
Hitting the Next button takes us to one of the most important pages, i.e., whether to include the Burp Collaborator identifier or not. Let’s leave it at the default, because we want the Collaborator identifier to be saved with the project data, and as soon as we hit the Next button the copy of our project will be saved.
We can do the same for temporary projects too.
There are times when we want to merge some other project’s contents into our current working project; we can do this by simply selecting the “Import project” option directly from the dropdown list.
The best part is that the import does not affect our work, and we can carry on with it.
Playing with Project Options
Burp Suite offers a wide range of options that determine the behavior and working of all the built-in tools. We can customize these options, load them, or save them, either at the global level from the Project tab or from the options tab within an individual tool.
Note:
If we’re working on an on-disk project, all the options that we change or customize are automatically saved within the project data, so we don’t need to save the options separately. But if we’re working with a temporary project, we need to save them in order to make the changes available whenever we reload the file with some other project.
Let’s explore where the options are and how we can export them to disk and load them into a new project.
Exporting the customized options
In a temporary project, let’s modify the proxy listeners in the Options section of the Proxy tab by adding one bound to all interfaces on port “8081”.
Next, heading to the top panel, opt for “Project”, select “Project options” from the dropdown list, and hit “Save project options” to save all the customizations made within any of the tools.
The Save project options entry opens a pop-up window, where we’ll enter the configuration file name as Interface_Options and then hit the Save button.
Let’s restart the Burp application, and this time we’ll open our Demo_Project again.
In the Project options window, we’ll select the “Load from configuration file” option, hit the Choose file button, and select the Interface_Options.json file.
As soon as we hit the Start Burp button, we’re back on the dashboard panel; let’s switch to the Proxy tab.
In the Options section of the Proxy tab, we can see that the interface has been configured from the configuration file and that port 8081 is bound.
But what if we want to save or load the options of a single tool only, as in the scenario above?
To do so, simply switch to the tool’s options tab and hit the gear icon. For the time being, let’s remove the listener bound to 8081, and then load the file again, but this time from the Proxy tab.
As soon as we hit the load button, we get a window to select the file; simply choose the respective one and hit the Open button.
Once loaded, we get all of our configurations back in the tool.
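
A listener bound to all interfaces, like the port 8081 one saved in Interface_Options.json, accepts connections from other hosts on the network, and the saved file carries that setting into every project that loads it. The following added example (not from the original article or from PortSwigger) reviews an exported options file before it is loaded; the JSON key names and the embedded sample are assumptions about the export layout, constructed for illustration, so compare them with your own export.

```python
import json

# Constructed sample modelled on the article's Interface_Options.json: the
# default loopback listener plus the added all-interfaces listener on 8081.
# Key names are an assumption about the exported layout; verify on your file.
SAMPLE_OPTIONS = """
{
  "proxy": {
    "request_listeners": [
      {"certificate_mode": "per_host", "listen_mode": "loopback_only",
       "listener_port": 8080, "running": true},
      {"certificate_mode": "per_host", "listen_mode": "all_interfaces",
       "listener_port": 8081, "running": true},
      {"certificate_mode": "per_host", "listen_mode": "specific_address",
       "listen_specific_address": "192.168.1.10",
       "listener_port": 8082, "running": false}
    ]
  }
}
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def review_listeners(options_text):
    """Return one finding per proxy listener reachable from the network."""
    options = json.loads(options_text)
    # A file saved from a single tool may lack other sections; tolerate that.
    listeners = options.get("proxy", {}).get("request_listeners", [])
    findings = []
    for entry in listeners:
        mode = entry.get("listen_mode", "loopback_only")
        address = entry.get("listen_specific_address", "")
        exposed = mode == "all_interfaces" or (
            mode == "specific_address" and address not in LOOPBACK
        )
        if exposed:
            findings.append({
                "port": entry.get("listener_port"),
                "bind": address or mode,
                "running": bool(entry.get("running", False)),
            })
    return findings


if __name__ == "__main__":
    for f in review_listeners(SAMPLE_OPTIONS):
        state = "running" if f["running"] else "stopped"
        print(f"listener on port {f['port']} binds to {f['bind']} ({state})")
```

To check a real export, pass the text of the saved file to `review_listeners` instead of the sample.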