Reading Time: 4 minutes

Web Application Assessment Information

Firstly, we need to understand why Web Application Assessment is important to any organization out there. As people should be aware by now, Web Applications have played an important and vital role in an organization’s future which is also exposed to cybercriminals attacks.

A pentester will be doing Penetration Testing on the Web Application to find all vulnerabilities while the attacks need one. For Web, Application Assessment will use the testing methodology such as WSTG – Latest | OWASP Foundation

What is Burp Suite?

Burp Suite can be considered as one of the most popular Penetration Testing and Vulnerability Assessment tools that it can use for Web Application Security Assessment. For those who are not familiar with the tools, Burp Suite has normally been used to evaluate any security or vulnerability on the web-based application and the tester will proceed with the hands-on testing.

Burp Suite or also known as Burp can be classified into two categories like Professional and Community. The only difference between those categories is that the Professional version has a more advanced feature available than the Community Version of Burp Suite.

The tool Features:

Features	Burp Suite Community	Burp Suite Professional
Proxy	Allow the tester to intercept and modify requests and responses	Allow the tester to intercept and modify requests and responses
Repeater	Allows to capture, modify the packets, and retry sending the request over and over	Allows to capture, modify the packets, and retry sending the request over and over
Intruder	Rate-limited from the Professional version	Allow spraying an endpoint with requests which sometimes used on brute-force attacks/fuzz endpoints
Decoder	Decoding captured information, or encoding a payload prior and then sending the payload to the target	Decoding captured information, or encoding a payload prior and then sending the payload to the target
Comparer	Comparing two pieces of data at either word or byte level	Comparing two pieces of data at either word or byte level
Sequencer	Accessing the randomness of tokens such as session cookie values or other random generated data	Accessing the randomness of tokens such as session cookie values or other random generated data
Extra Features	The evidence or progress cannot be saved	The evidence or progress can be saved

The Startup of Burp Suite and Usage

We are required to start the tool for this Web Application Assessment which the step of starting up can be seen below

Disclaimer: I’m using Community Edition of the tools for demonstration

As a result, the first thing that you see after starting Burp Suite would be an interface shown as above so that we can proceed with the tools, you can click the button “Next“

We can click the “Start Burp” Button on the page shown above.

Normally, it will take a few seconds for it to fully start which somehow takes some time depending on your own Operating System

Therefore, the interface is shown above only means that you have properly started Burp Suite

Firstly, we are not touching the configuration unless we need to use different IP, port and use a different client request method on Proxy Tab.

In conclusion, we need to configure our browser while we can interact with the Burp Suite tool

For example, we can capture the curl command via Burp Suite and then send the packet to Repeater

We will obtain the interface as above.

Burp Suite Attacks

Those two pictures above show that we can modify the payload which will be sent to the application. For example, we can change any information or permission to the application where it can be scary sometimes.

Another interesting attack is to play with any agent but we use User-Agentt on the screenshot above. As a result, we can use methods such as zerodiumsystem to obtain a reverse shell on the victim’s machine.

Aside from that, we also can obtain a reverse shell during a Local File Inclusion attack or also known as LFI. On the other hand, LFI is being used to get a good understanding of the directory or file residing inside the machine.

A Pentester also can use a common attack such as SQLi via Burp Suite

The sample of the output is been show above.