Burpsuite Common Terminologies for Pentesters (PART-2)

In this blog we will understand the burpsuite common terminologies. These terminologies are essentially important for a beginner to understand the burpsuite in a more structured way.

BURSUITE COMMON TERMINOLOGIES: INTRODUCTION TAB

This is the tab where we may find the majority of the significant features that were not highly regarded by researchers.  Below is an image demonstrating that our passive crawling job is running in the background as we fill out the sitemap (which shows the URLs we have visited while browsing).

SITEMAP

A site map is an option where we can see various websites and also keep track of the sites we visit on our browsers It displays a tree-like view of content or a hierarchical representation that divides ULS into domains, folders, and files.

FILTERING

This is the feature of Sitemap that displays a filter feature that allows us to hide some of the content, which makes our work easier and helps us work on the specific content we wish to work on.

Some Filter options are available and are indicated above: –

•  Request Type: – This allows us to view or hide specific items, such as viewing only in-scope items, only requested items, or if we want to view or hide the parameterized item, which allows us to observe some types of requests that interact with the server.
• Filter by MIME type: -It allows us to view or include or exclude particular types of files such as HTML, CSS, XML, and so on.
• Filter by status code: –This option allows you to see or hide specific HTTP codes, and 4xx is disabled by default.
• Folders: – It is used to conceal the empty folders in the tree view, as well as all of them.
• Search Term: Use this field to try to find specific terms. We can also utilize regex, case-sensitive search, and negative search. Not-matching items will not be displayed in a negative search.
• File extension: -In this option, we can show or hide the extensions. But there’s a con that we can’t use both options as they will cancel out each other.

Annotation: -We can create a comment, and annotate it in the sitemap tab, which is used to show commented and highlighted items.

SCOPE

 This one is used to define our scope, and as the name implies, it is the most significant option in the entire topic if we do not adequately describe our scope. Also, available is the scan option, which allows us to create a fresh scan for a selected target. This function’s primary function is to select the entire program and then exclude the sensitive one.

• Here we can add or remove the target scope URLs and can also load or paste one.
• This is the tab where we can provide the in-scope URL.

Now we are going to discuss a brief about the engagement tools (As we all know these are provided with the pro version only, so we are just going to discuss them).

Engagement Tools

To begin with, these Tools are mostly used for obtaining information and analyzing any web application.

• Search-This enables us to execute a broad search in burp and searches the selected branch of sitemap for objects that match a specific keyword.
• Find Comments, References, Scripts – Here the purpose specifies that the comments and scripts are used to search that branch of the sitemap for the comments and scripts exclusively. The References function, on the other hand, gathers the HTTP response from all over the burp that is linked to the specified item. In addition, the details of the things discovered will be displayed in a sorted table format.
• Analyze Target-The main work/function is to analyze the specific selected items in sitemap, and it shows us how many static and Dynamic URLs it contains and the parameters in the URL, also stated to where to make our focus /attention during penetration testing.

Discover Content-This function can be used to find content that isn’t linked from the visible stuff To view this information, select an HTTP request from anywhere in burp or from the sitemap, and it will then discover the material and display it on a specific suit map for the discovery session.

Schedule Task-In summary, the function’s job is to perform or schedule tasks that will run automatically at regular intervals. It may also be used to perform tasks when we are not working because they take hours, which saves you work and time.

• Simulate manual testing-It is generally used to generate traffic and sends the common payloads to URLs at irregular intervals.
• Generate CSRF PoC-It’s generally an attack type which forces end users to perform unwanted actions on the web. It generally helps us to capture / hijack the user’s account by changing the details.

These are the configuration files that can be very useful, and then we can import the files via the import function, i.e., “Project >project options>load option.

The configuration files can be downloaded from Here.

Issue Definitions

This tab only contains the basic info, or we can say listing of definitions of all the issues which can be detected by burp scanner.

Thanks For Visiting, hope you enjoyed the burpsuite common terminologies.

In the Next part we are going to learn Further essential Topics of Burp Suite.