Burp Suite

Burp Suite is a comprehensive platform for web application security testing, offering various editions including Community, Professional, and Enterprise, each catering to different user needs. Key features include an intercepting proxy, automated vulnerability scanning, and tools for manual testing, making it suitable for both beginners and professionals. The document also outlines best practices, usage instructions, and resources for practicing web security testing, including OWASP Juice Shop and other intentionally vulnerable applications.

Uploaded by

Binod SAdhikari
Burp Suite is a powerful and popular integrated platform for
performing security testing of web applications. Developed by
PortSwigger, it offers a range of tools that support the entire
testing process, from initial mapping and analysis of an
application's attack surface to finding and exploiting security
vulnerabilities.
Burp Suite comes in several editions, each tailored to different
needs and levels of expertise. The main ones are:
1. Burp Suite Community Edition
Features:
 Free version.
 Core functionality for manual testing.
 Includes Proxy, Repeater, Decoder, Comparer and Sequencer;
Intruder is included but heavily rate-limited.
 No automated scanner: Scanner and Collaborator are
Professional-only.
Use Case:
 Ideal for students, hobbyists, and beginners in web security
testing.
2. Burp Suite Professional Edition
Features:
 Paid version with advanced features.
 Full suite of tools, including Scanner, an unthrottled
Intruder, and Burp Collaborator.
 Automated vulnerability scanning (crawl and audit).
 Advanced manual testing tools.
 Regular updates and support.
Use Case:
 Suitable for professional security testers, penetration
testers, and security researchers.
Key Features of Burp Suite
1. Intercepting Proxy: Allows you to intercept, inspect and
modify the traffic between your browser and the target
application.
2. Crawler (formerly Spider): Automatically crawls an application
to map its content and functionality. In Burp Suite 2.x the
Spider was folded into the Scanner's crawl phase, so it is a
Professional feature.
3. Scanner: Performs automated vulnerability scans (crawl and
audit) to identify common security issues (Professional).
4. Intruder: Automates customised attacks such as fuzzing
parameters, brute-forcing credentials and enumerating
identifiers to find vulnerabilities like SQL injection, XSS,
etc. The Community Edition throttles it.
5. Repeater: Allows you to manually modify and resend
individual HTTP requests to test how the application
responds.
6. Sequencer: Analyses the randomness of tokens (session IDs,
CSRF tokens) generated by the application to assess their
predictability.
7. Decoder: Encodes and decodes data in various schemes (URL,
HTML, Base64, hex) and computes hashes.
8. Comparer: Compares two pieces of data, for example two
responses, to identify differences.
9. Extender: Allows you to add extensions written in Java,
Python (via Jython) or Ruby (via JRuby), your own or from the
BApp Store, to extend Burp Suite's functionality.
10. Collaborator: Enables testing of out-of-band vulnerabilities
(blind SSRF, blind command or SQL injection) by generating
unique payloads and monitoring DNS and HTTP interactions with
them (Professional).
Usage of Burp Suite
1. Setting Up: Configure your browser to use Burp Suite's proxy
listener (127.0.0.1:8080 by default) and trust Burp's CA so
that HTTPS traffic can be intercepted and analysed too.
2. Target Analysis: Browse the application through the proxy
and, in Professional, run the crawler so the Target tab maps
its structure. Set the target scope so only in-scope hosts
are recorded and attacked.
3. Scanning: Run the automated scanner (Professional) to
identify potential vulnerabilities.
4. Manual Testing: Use Repeater and Intruder to confirm and
exploit suspected vulnerabilities.
5. Analysis: Review the results, verify each finding (automated
scanners produce false positives), and determine the
appropriate mitigation measures.
Types of Vulnerabilities Detected
 SQL Injection
 Cross-Site Scripting (XSS)
 Cross-Site Request Forgery (CSRF)
 File Inclusion
 Command Injection
 Authentication and Session Management Issues
Editions of Burp Suite
 Community Edition: Free version with limited
functionality.
 Professional Edition: Paid version with full functionality,
including automated scanning.
 Enterprise Edition: Designed for organizations to perform
automated scans across multiple applications and
environments.
Best Practices
 Regular Updates: Keep Burp Suite updated to benefit
from the latest features and security fixes.
 Learning Resources: Utilize the extensive documentation,
tutorials, and community forums.
 Ethical Use: Always have permission to test the
applications to avoid legal consequences.

Intercepting proxy
An intercepting proxy, also known as a "man-in-the-middle" proxy, is a
tool that sits between your web browser and the target web server,
capturing and, where you choose, modifying the data being sent and
received. In Burp Suite the intercepting proxy is the core feature that
lets security testers analyse and manipulate the traffic between the
client (your browser) and the server (the web application). For HTTPS
the proxy terminates TLS itself and presents the browser a certificate
for each host, signed by Burp's own CA; that is why the CA certificate
has to be imported into the browser before HTTPS sites can be
intercepted without certificate errors.

Steps for running Burp Suite with a browser:

1. Start Burp Suite (click Next, then Start Burp). In the Proxy tab open
Proxy settings and note the listener address: 127.0.0.1, port 8080 by
default.

2. Install the FoxyProxy add-on in your browser, open its options, and
from the Proxies tab click Add, enter hostname 127.0.0.1 and port 8080,
and save. Switch FoxyProxy to that proxy.

3. In Burp's Proxy tab, click "Intercept is off" to turn interception
on. Requests now stop in the Intercept pane until you forward or drop
them; turn it off again when you only want to record traffic in the
HTTP history.

4. With the proxy active, open the browser and type http://burpsuite.
Burp serves this page itself; click "CA Certificate" to download its
root certificate. Without it every HTTPS site will show a certificate
error, because Burp signs a per-host certificate with this CA in order
to decrypt the traffic.

5. Install the CA certificate: click the three bars at the top right of
the browser, then Settings, then Privacy and Security. Under
Certificates click View Certificates, select the Authorities tab, click
Import and choose the certificate you downloaded. Check "Trust this CA
to identify websites" and click OK. Trusting it to identify email users
is not needed.

Caveats: use a dedicated browser profile for testing and remove the CA
when you are done, because a browser that trusts it will accept any
certificate Burp (or anyone holding Burp's CA key) signs. The browser
embedded in recent Burp versions (Proxy > Intercept > Open browser)
is pre-configured and needs none of this setup.
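To make the proxy mechanics concrete, here is a minimal intercepting proxy, added as an example and not Burp Suite's own code. It shows what happens between step 2 and step 3 above: the browser sends the proxy absolute URLs, the proxy parses each request, applies the tester's edits (here a forced header and a path rewrite, the same kind of change you would make in the Intercept pane when probing the basket IDOR discussed later), forwards it to the real host and relays the response, keeping a history like Burp's HTTP history tab. The rules, the upstream echo server and the request are constructed for the demo; HTTPS, which needs Burp's CA-signed per-host certificates, is left out on purpose.

```python
"""Minimal intercepting HTTP proxy: the mechanics behind Burp's Proxy tab.

Added example, not Burp Suite's code. A browser pointed at a proxy sends it
absolute URLs; the proxy parses each, lets the tester rewrite it, forwards it to
the real host and relays the answer. Rules and echo upstream are constructed for
the demo; HTTPS (Burp's CA-signed per-host certificates) is left out on purpose.
"""
import http.client
import http.server
import threading
from urllib.parse import urlsplit


class InterceptRules:
    """Edits a tester would make in the Intercept pane, applied to every request."""

    def __init__(self, set_headers=None, rewrite_path=None):
        self.set_headers = set_headers or {}  # header name -> value to force
        self.rewrite_path = rewrite_path      # callable(path) -> path, or None


def intercept_request(method, path, headers, body, rules):
    """Apply the rules to one request; returns what will actually be forwarded."""
    headers = dict(headers)
    headers.update(rules.set_headers)
    if rules.rewrite_path is not None:
        path = rules.rewrite_path(path)
    return method, path, headers, body


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    rules = InterceptRules()
    history = []  # (method, forwarded path) per request, like Burp's HTTP history

    def _forward(self):
        target = urlsplit(self.path)  # proxy clients send absolute URLs
        if not target.scheme or not target.hostname:
            self.send_error(400, "proxy expects an absolute URL")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        path = (target.path or "/") + ("?" + target.query if target.query else "")
        headers = {k: v for k, v in self.headers.items() if k.lower() != "proxy-connection"}
        method, path, headers, body = intercept_request(self.command, path, headers, body, self.rules)
        ProxyHandler.history.append((method, path))
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request(method, path, body=body, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()
        self.send_response(resp.status)
        for name, value in resp.getheaders():  # hop-by-hop and length headers are regenerated
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _forward

    def log_message(self, *_):  # keep the demo quiet
        pass


class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed upstream: replies with the request line and headers it received."""

    def do_GET(self):
        seen = f"{self.command} {self.path}\n" + "".join(f"{k}: {v}\n" for k, v in self.headers.items())
        data = seen.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):
        pass


def serve(handler):
    """Start a server on a free 127.0.0.1 port in a background thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Send one request through the proxy; return what the upstream really received."""
    ProxyHandler.history.clear()
    ProxyHandler.rules = InterceptRules(
        set_headers={"Cookie": "role=admin", "X-Intercepted": "yes"},
        rewrite_path=lambda p: p.replace("/basket/5", "/basket/6"),  # IDOR probe
    )
    upstream, proxy = serve(EchoHandler), serve(ProxyHandler)
    try:
        host = f"127.0.0.1:{upstream.server_address[1]}"
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        client.request("GET", f"http://{host}/basket/5", headers={"Host": host, "Cookie": "role=user"})
        return client.getresponse().read().decode()
    finally:
        for server in (proxy, upstream):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the request line and headers as the upstream saw them: the path has become /basket/6 and the Cookie header carries role=admin, which is exactly the evidence you look for in Burp after editing and forwarding a request. A real browser would also need the proxy to answer CONNECT for HTTPS; Burp does that with its generated certificates, which is the whole reason for step 4 and 5 above.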

Sites to practise attacks with Burp Suite:

Here are some recommended sites:

1. PortSwigger Web Security Academy:
o Website: PortSwigger Web Security Academy
o Description: This is the official training platform by the
creators of Burp Suite. It offers a wide range of labs and
challenges designed to teach you about various web
vulnerabilities and how to exploit them using Burp Suite.

2. Hack The Box (HTB):
o Website: Hack The Box
o Description: HTB provides a platform to test and advance
your skills in penetration testing and cybersecurity. It offers
a variety of challenges and machines that you can legally
hack.

3. OWASP Juice Shop:
o Website: OWASP Juice Shop
o Description: Juice Shop is an intentionally vulnerable web
application developed by OWASP for security training
purposes. You can set it up locally and practise without any
legal concerns.

4. bWAPP:
o Website: bWAPP
o Description: bWAPP (Buggy Web Application) is another
intentionally insecure web application that helps you learn
about common web vulnerabilities. You can download and
run it locally.

5. DVWA (Damn Vulnerable Web Application):
o Website: DVWA
o Description: DVWA is a PHP/MySQL web application that is
intentionally vulnerable. It allows security professionals to
test their skills and tools in a legal environment.

6. PentesterLab:
o Website: PentesterLab
o Description: PentesterLab provides hands-on labs for
learning about web application security. It includes exercises
and tutorials on various vulnerabilities and how to exploit
them.

How to install OWASP Juice Shop using Docker

Docker is a platform that lets you run software in isolated
environments called containers. It packages an app with everything it
needs (code, libraries, settings) so that it runs the same everywhere,
regardless of operating system.

Install Docker, then pull the Juice Shop image from Docker Hub:

sudo apt update

sudo apt install docker.io

sudo systemctl enable docker --now

sudo systemctl status docker

sudo usermod -aG docker $USER

The last command adds your user to the docker group, which lets you run
docker commands without sudo. Group membership changes don't take
effect until you log out and log back in (or start a new shell with
newgrp docker). Note that membership of the docker group is equivalent
to root on the host, so grant it only on a machine you control.

docker pull bkimminich/juice-shop

docker run --rm -p 3000:3000 bkimminich/juice-shop

Then go to the browser and open:

http://localhost:3000

--rm removes the container when it stops, so every solved challenge is
lost with it; drop the flag (or run with -d and stop it with docker
stop) if you want to keep state between sessions. -p 3000:3000
publishes the port on all interfaces; use -p 127.0.0.1:3000:3000 to
keep the deliberately vulnerable app reachable only from your own
machine.
OWASP JUICE SHOP

OWASP Juice Shop simulates a real-world e-commerce
application with known vulnerabilities from the OWASP Top
Ten and beyond. It is designed for security professionals,
developers, and students to practise finding and exploiting
vulnerabilities in a safe, legal environment.
You can run Juice Shop in several ways:
1. Docker
2. Node.js
3. Online/cloud platforms such as Heroku, Gitpod or Glitch
Juice Shop covers a wide range of vulnerabilities, including SQL
injection, cross-site scripting, broken authentication, insecure
deserialization, security misconfiguration, cross-site request
forgery, CAPTCHA bypass, sensitive data exposure, broken access
control and directory traversal.
You can run Juice Shop in CTF (capture the flag) mode for
gamified learning. CTF_KEY is the secret from which the
per-challenge flag codes are derived, so choose your own value
rather than "secret":
docker run -d -e "CTF_KEY=secret" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop
Tools while using Juice Shop:
a. Burp Suite: for intercepting and modifying HTTP requests
b. OWASP ZAP: for automated vulnerability scanning and
testing
c. Browser DevTools: to inspect elements, view source and
debug JS
d. Postman: for API testing
The score board:
In order to motivate you to hunt for vulnerabilities, it makes
sense to give you at least an idea what challenges are available
in the application. Also you should know when you actually
solved a challenge successfully, so you can move on to another
task. Both these cases are covered by the application's score
board.
On the score board you can view a list of all available challenges
with a brief description. Some descriptions are very explicit
hacking instructions. Others are just vague hints that leave it up
to you to find out what needs to be done.
The challenges are rated with a difficulty level between ⭐ and
⭐⭐⭐⭐⭐⭐, with more stars representing a higher difficulty. To
make the list of challenges less daunting, they are clustered by
difficulty. By default only the 1-star challenges are unfolded.
You can open or collapse all challenge blocks as you like.
Collapsing a block has no impact on whether you can solve any
of its challenges.
When you pick a 5- or 6-star challenge you should expect a real
challenge and should be less frustrated if you fail on it several
times. On the other hand if hacking a 1- or 2-star challenge takes
very long, you might realize quickly that you are on a wrong
track with your chosen hacking approach.
The OWASP Juice Shop employs a simple yet powerful
gamification mechanism: Instant success feedback! Whenever
you solve a hacking challenge, a notification is immediately
shown on the user interface.

Challenge #1: Find the hidden score-board link (one star)
- Open DevTools (F12), go to the Debugger/Sources tab, open main.js
and search for "score-board"; the Angular route table lists every
client-side path, hidden or not.
- Navigate to http://localhost:3000/#/score-board to solve the
challenge.
- From now on you will see the additional menu item Score
Board in the navigation bar.
Challenge #2: Access the administration section (two stars)
- Right-click the page and choose Inspect, or press F12.
- In the Debugger/Sources tab open main.js and search for
"administration"; the route is /#/administration. Opening it is
not enough on its own: the data it loads is served only to an
admin token.
- Find the admin's e-mail in the product reviews (it ends in
@juice-sh.op), go to Login, enter that e-mail and try the most
common password first, admin123, before anything else.
- Alternatively bypass the login with SQL injection: the e-mail
' OR 1=1-- with any password logs you in as the first user in
the table, which is the admin.
Challenge #3: Solution for access a confidential document
Common Challenge Categories

1. Broken Access Control


o Access the administration section.
o View another user’s shopping basket.
o Log in with a deleted user account.
2. Injection Attacks
o Perform SQL Injection to bypass login.
o Exploit NoSQL Injection to retrieve data.
o XSS (Cross-Site Scripting) attacks (DOM, stored, reflected).
3. Sensitive Data Exposure
o Find exposed credentials in logs or GitHub repositories.
o Access sensitive files (e.g., package.json.bak).
o Reverse weak encoding or hashing (e.g., base64, MD5). Base64 is
encoding, not encryption, and unsalted MD5 can be looked up.
4. Authentication Flaws
o Bypass 2FA (Two-Factor Authentication).
o Reset a password for an unregistered user.
o Bruteforce a weak password.
5. Business Logic Vulnerabilities
o Buy products for negative prices.
o Overload the system with too many requests.
o Exploit the "Christmas Special" offer.
6. Security Misconfigurations
o Access hidden API endpoints.
o Exploit directory listing.
o Find debug mode artifacts.
7. Privilege Escalation
o Log in as an administrator without credentials.
o Manipulate user roles (e.g., from "customer" to "admin").
8. Miscellaneous/Fun Challenges
o Find the Scoreboard (hint: solve the first challenge).
o Uncover hidden Easter Eggs (e.g., the "Confidential Document").
o Post a fake product review.

1. Access the Administration Section

Goal: Reach the admin panel without being handed admin credentials. In Juice Shop it is
the client-side route /#/administration; the data it loads comes from REST calls that
require an admin token.

Steps & Techniques:

1. Find the route:
o Guessing /admin or /administration works on many applications; in a single-page app
the surer way is to search main.js for "administration", which lists the route.
Brute-forcing paths with DirBuster or ffuf is the generic fallback.
o Opening the route as a normal user is not enough: the back end, not the front end,
enforces the role on the API calls behind it.

2. Get an admin session:
o Log in as the admin: the e-mail is visible in the product reviews and the password is
the obvious admin123.
o Or bypass the login with SQL injection in the e-mail field: ' OR 1=1-- with any
password returns the first user in the table, the admin.
o Or register a new user and add "role": "admin" to the JSON body of the POST /api/Users
request in Burp (mass assignment: the API copies the field into the new row), then
log in with that account.

3. The token:
o The JWT in localStorage (key "token", also set as a cookie) carries a role claim, but
it is signed (RS256), so changing role to admin in DevTools or Burp only produces a
token the server rejects. Forging the token is a separate, harder challenge and is
not the route to this one.

2. View Another User's Shopping Basket

Goal: Read another user's basket without authorisation (an IDOR). Juice Shop identifies
baskets by a small integer, the bid: the login response returns it, the front end keeps
it in sessionStorage, and the basket page fetches GET /rest/basket/<bid> with the user's
Authorization: Bearer <token> header.

Steps & Techniques:

1. Parameter Tampering:
o Log in, open your basket and find the request in Burp's HTTP history (or DevTools >
Network); note the id in /rest/basket/<bid>.
o Change the bid in DevTools > Application > Session Storage (e.g. 1 to 2) and reload the
basket page, or intercept the request in Burp and forward it with a different id.

2. API Endpoint Exploitation:
o Send GET /rest/basket/<bid> to Repeater with your own token and step through the ids.
A 200 with another user's items shows the server checks that the token is valid but
not that the basket belongs to the token's user. Intruder can enumerate the ids.

3. Session Hijacking:
o Generic alternative: steal a valid token (e.g. via an XSS payload that reads
localStorage) and use it to impersonate the user. Not needed for this challenge.

3. Log in with a Deleted User Account

Goal: Authenticate with an account that has been deleted. Juice Shop does not remove the
row; it soft-deletes by setting deletedAt, and the login query appends
AND deletedAt IS NULL.

Steps & Techniques:

1. Re-Registration (generic):
o Delete your account via the "Privacy & Security" page and re-register with the same
e-mail. This works only on systems that hard-delete the row; with a soft delete the
e-mail is still taken.

2. Session Persistence (generic):
o Log in, delete your account, but do not log out, and keep using the token. Stateless
JWTs stay valid until they expire unless the server keeps a revocation list, so
deletion alone may not end the session.

3. SQL Injection in the login form:
o No stacked UPDATE is needed: it is enough to close the e-mail string and comment out
the rest of the WHERE clause, so the deletedAt filter never runs. E-mail:

deleted@user.com'--

with any password. The same trick with the e-mail of a known deleted account solves
the challenge.
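The admin login bypass in Challenge #2 and the deleted-account login just above both come down to one string-concatenated SQL query, so here is a replica of it, vulnerable and hardened side by side. This is an added example, not Juice Shop's own code: Juice Shop builds its login SQL by concatenation against SQLite, compares an MD5 of the password and filters soft-deleted rows with deletedAt IS NULL, and that is what is reproduced. The Users rows are constructed for the demo; only admin@juice-sh.op / admin123 mirror the real default admin account.

```python
"""Replica of the Juice Shop login query, vulnerable and hardened side by side.

Added example, not Juice Shop's own code. Juice Shop builds its login SQL by string
concatenation against SQLite, compares an MD5 of the password and filters soft-deleted
rows with deletedAt IS NULL; that is what is reproduced here. The Users rows are
constructed for the demo (only admin@juice-sh.op / admin123 mirror the real default
admin account).
"""
import hashlib
import sqlite3

# Constructed accounts: row 1 is the admin, row 3 is soft-deleted (deletedAt set).
SEED_USERS = [
    (1, "admin@juice-sh.op", "admin123", "admin", None),
    (2, "user@example.com", "hunter2", "customer", None),
    (3, "deleted@user.com", "hunter2", "customer", "2024-01-01 00:00:00"),
]


def md5(text):
    # MD5 is what Juice Shop uses; it is not a password hash, but the bug shown here is the SQL.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT, deletedAt TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)",
                   [(i, e, md5(p), r, d) for i, e, p, r, d in SEED_USERS])
    return db


def login_vulnerable(db, email, password):
    """Juice Shop style: user input spliced into the SQL text.
    Returns the first matching (id, email, role) or None."""
    sql = (f"SELECT id, email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{md5(password)}' AND deletedAt IS NULL")
    return db.execute(sql).fetchone()


def login_hardened(db, email, password):
    """Parameterised query: quotes and '--' in the input stay inside the bound value,
    so neither the password check nor the deletedAt filter can be commented out."""
    sql = ("SELECT id, email, role FROM Users WHERE email = ? "
           "AND password = ? AND deletedAt IS NULL")
    return db.execute(sql, (email, md5(password))).fetchone()


def demo():
    """Run the page's two payloads against both versions; returns a dict of results."""
    db = make_db()
    return {
        "legit":            login_vulnerable(db, "user@example.com", "hunter2"),
        "bypass_admin":     login_vulnerable(db, "' OR 1=1--", "anything"),  # first row wins
        "deleted_user":     login_vulnerable(db, "deleted@user.com'--", "anything"),
        "hardened_legit":   login_hardened(db, "user@example.com", "hunter2"),
        "hardened_bypass":  login_hardened(db, "' OR 1=1--", "anything"),
        "hardened_deleted": login_hardened(db, "deleted@user.com'--", "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:17} -> {row}")
```

The two payloads work for the same reason: once the single quote closes the e-mail literal, -- turns the rest of the line, including the password comparison and the deletedAt filter, into a comment. ' OR 1=1-- then matches every row and SQLite returns the first one, the admin; deleted@user.com'-- matches the soft-deleted row because the filter that would exclude it is gone. Against the parameterised version both inputs are just strings that match no e-mail, which is the fix; replacing MD5 with a real password hash (bcrypt, Argon2) would be the next one.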

Tools to Use

 Burp Suite: Intercept and modify requests; use Repeater to replay the login or basket
request and Intruder to enumerate basket ids.

 Browser Dev Tools: Inspect cookies, local and session storage, network activity, and
main.js.

 sqlmap: Automate SQL injection payloads if manual attempts fail; save the login request
from Burp to a file and pass it with sqlmap -r.

Juice Shop-Specific Hints

 For admin access: the JWT is in localStorage under the key "token" (and in a cookie of
the same name). Decode it with jwt.io or Burp's Decoder to read the id and role claims.
It is signed, so editing the role without the key only produces a token the server
rejects.

 For the basket IDOR: basket ids are sequential. Start with /rest/basket/1 and count up,
comparing responses in Burp's Comparer.

 For deleted accounts: the login query filters on deletedAt IS NULL; an e-mail ending in
'-- comments that filter out. Also check server responses after deletion: some APIs
still return the user's data.
