Security

Burp Suite: Web Security Testing — Complete Guide

Master Burp Suite, the essential tool for web penetration testing. Learn Proxy intercept, Repeater, Intruder, Scanner, Decoder, Comparer, and the professional web application security testing workflow.

1. Introduction to Burp Suite

Burp Suite is an integrated platform for security testing of web applications. Developed by PortSwigger, Burp Suite has become the most popular and widely recognised tool in the web security industry, used by penetration testers, bug bounty hunters, and security auditors worldwide.

Burp Suite works as an intercepting proxy placed between the browser and the target server. This lets you view, modify, and analyse all HTTP/HTTPS traffic passing through it.

Burp Suite Editions

Feature                 | Community (Free)    | Professional (Paid) | Enterprise
------------------------|---------------------|---------------------|-----------
Proxy                   |                     |                     |
Repeater                |                     |                     |
Intruder                | ⚠️ Throttled (slow) | ✅ Full speed        |
Scanner                 | Not included        | ✅ Automated         | ✅ CI/CD
Decoder                 |                     |                     |
Comparer                |                     |                     |
Sequencer               |                     |                     |
Extensions (BApp Store) |                     |                     |
Scan Scheduling         |                     |                     |
Price                   | Free                | ~$449/year          | Custom

Main Burp Suite Components

Diagram: Burp Suite Architecture
┌────────────────────────────────────────────────────────────┐
│              BURP SUITE ARCHITECTURE                        │
│                                                            │
│  ┌──────────┐     ┌──────────┐     ┌──────────────┐       │
│  │ Browser  │────▶│   PROXY  │────▶│   Target     │       │
│  │ (Victim) │     │ Intercept│     │   Server     │       │
│  └──────────┘     └────┬─────┘     └──────────────┘       │
│                        │                                   │
│            ┌───────────┼───────────┐                       │
│            ▼           ▼           ▼                       │
│     ┌───────────┐ ┌──────────┐ ┌──────────┐              │
│     │ Repeater  │ │ Intruder │ │ Scanner  │              │
│     │ (Manual)  │ │ (Auto)   │ │ (Auto)   │              │
│     └───────────┘ └──────────┘ └──────────┘              │
│            │           │           │                       │
│            ▼           ▼           ▼                       │
│     ┌───────────┐ ┌──────────┐ ┌──────────┐              │
│     │ Decoder   │ │ Comparer │ │Sequencer │              │
│     │ (Encode)  │ │ (Diff)   │ │ (Random) │              │
│     └───────────┘ └──────────┘ └──────────┘              │
│                        │                                   │
│                        ▼                                   │
│              ┌──────────────────┐                          │
│              │   BApp Store     │                          │
│              │   Extensions     │                          │
│              └──────────────────┘                          │
└────────────────────────────────────────────────────────────┘
⚠️ Legal & Ethical Warning
  • ONLY use Burp Suite on applications you own or have written permission to test
  • Use DVWA (Damn Vulnerable Web Application), WebGoat, or PortSwigger Web Security Academy for practice
  • Bug bounty programs: make sure you operate within the defined scope
  • Attacking systems without authorisation is illegal (Indonesia's UU ITE)

2. Proxy & Browser Setup

Installing Burp Suite

Bash — Installing Burp Suite
# =============================================
# Download Burp Suite
# =============================================

# Download from: https://portswigger.net/burp/communitydownload
# Available for: Linux, Windows, macOS

# Linux: .sh installer
chmod +x burpsuite_community_linux_*.sh
./burpsuite_community_linux_*.sh

# Or use a package manager:
# Arch Linux (AUR)
yay -S burpsuite

# Snap (Ubuntu)
sudo snap install burpsuite

# macOS: .dmg file
# Open the .dmg and drag Burp Suite to Applications

# Windows: .exe installer
# Run the installer and follow the wizard

# =============================================
# Alternative: Burp Suite + PortSwigger Academy
# =============================================

# Create an account at https://portswigger.net/web-security
# Free labs: https://portswigger.net/web-security/all-labs

Browser Configuration

Guide — Browser Proxy Setup
# =============================================
# Configuring the Browser for Burp Suite
# =============================================

# Default Burp Suite Proxy listener: 127.0.0.1:8080

# ---- Option 1: Firefox (RECOMMENDED) ----
# 1. Open Settings → Network Settings → Manual proxy configuration
# 2. HTTP Proxy: 127.0.0.1, Port: 8080
# 3. Tick "Also use this proxy for HTTPS"
# 4. Tick "Enable DNS over SOCKS v5" (optional)

# ---- Option 2: FoxyProxy Extension (EASIER) ----
# 1. Install FoxyProxy Standard from Firefox Add-ons
# 2. Add a new proxy:
#    - Title: Burp Suite
#    - Proxy Type: HTTP
#    - Proxy IP: 127.0.0.1
#    - Port: 8080
# 3. Enable the "Burp Suite" profile while testing
# 4. Disable it when not testing

# ---- Option 3: Chrome ----
# 1. Install the "Proxy SwitchyOmega" extension
# 2. Create a new profile: Burp
#    - Protocol: HTTP
#    - Server: 127.0.0.1
#    - Port: 8080
# 3. Switch to the "Burp" profile while testing

# =============================================
# Install the CA Certificate (for HTTPS interception)
# =============================================

# 1. With the proxy enabled, open the browser and visit: http://burpsuite
# 2. Click "CA Certificate" in the top-right corner
# 3. Download the cacert.der file
# 4. Firefox:
#    → Settings → Privacy & Security → Certificates
#    → View Certificates → Import
#    → Tick "Trust this CA to identify websites"
# 5. Chrome:
#    → Settings → Privacy and Security → Security
#    → Manage certificates → Authorities → Import

# =============================================
# Verify the Connection
# =============================================

# 1. Open Burp Suite → Proxy → Intercept
# 2. Make sure "Intercept is on" (orange button)
# 3. In the browser, visit: http://example.com
# 4. The request should appear in Burp Intercept
# 5. Click "Forward" to let the request continue

3. Proxy: Intercept & HTTP History

The Proxy is the heart of Burp Suite. It is an intercepting proxy that records every HTTP/HTTPS request and response between the browser and the server. With the Proxy you can view, modify, and analyse each request in detail.

Main Proxy Features

Feature            | Function
-------------------|----------------------------------------------------------------------
Intercept          | Holds a request/response so it can be modified before it is forwarded
HTTP History       | Logs every request/response that passes through the proxy
WebSockets History | Logs WebSocket messages
Options            | Configures proxy listeners, intercept rules, and response modification
Match & Replace    | Automatically replaces parts of requests/responses
HTTP — Example Intercepted Request
# =============================================
# Example request intercepted by Burp
# =============================================

# Request:
POST /login HTTP/1.1
Host: vulnerable-app.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Cookie: session=abc123xyz
Connection: keep-alive

username=admin&password=secretpassword123

# =============================================
# Response from the server:
# =============================================

HTTP/1.1 302 Found
Location: /dashboard
Set-Cookie: session=new_session_token_here
Content-Length: 0

# =============================================
# What you can do in Intercept:
# =============================================

# 1. MODIFY THE REQUEST before it is sent to the server:
#    - Change the username from "admin" to "admin' OR '1'='1"
#    - Add/change headers (Authorization, Cookie, etc.)
#    - Change form parameters
#    - Modify the JSON body

# 2. DROP: block the request so it never reaches the server

# 3. FORWARD: pass the request on (with or without modification)

# 4. ACTION: send it to another tool (Repeater, Intruder, Scanner)

# =============================================
# Useful Intercept Filters
# =============================================

# In the Intercept → Options tab:
# - Intercept only in-scope items
# - Don't intercept requests to out-of-scope items
# - File type filter (intercept only HTML, JS, CSS, API)
# - URL filter (intercept only specific URLs)
# - MIME type filter
# - Status code filter (only 200, 302, etc. responses)

# =============================================
# Match & Replace Rules (Automatic)
# =============================================

# Example: automatically change the User-Agent
# Match: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
# Replace: Burp Suite Testing

# Example: automatically strip the CSP header from responses
# Match (Response header): Content-Security-Policy:.*
# Replace: (empty)

# Example: automatically change a cookie
# Match (Request header): session=.*
# Replace: session=attacker_controlled_value
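What the Proxy does with a raw message, as an added Python example written for this page (it is not Burp's code): parse the message into start line, headers and body, check that the declared Content-Length matches the body, and apply the User-Agent and CSP Match & Replace rules listed above to the header lines. The request and response are constructed copies of the ones shown above, with a User-Agent and a Content-Security-Policy header added so the rules have something to match.

```python
"""Toy model of Burp's Proxy: parse a raw HTTP message and apply Match &
Replace rules to its headers (added illustration, not Burp's implementation)."""
import re

# Constructed sample: the login request shown above, plus a User-Agent header.
RAW_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: vulnerable-app.local\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "Cookie: session=abc123xyz\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "username=admin&password=secretpassword123"
)

# Constructed sample: the 302 response shown above, plus a CSP header.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /dashboard\r\n"
    "Set-Cookie: session=new_session_token_here\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_http(raw):
    """Split a raw HTTP message into start line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"start_line": lines[0], "headers": headers, "body": body}


def header(msg, name):
    """First header with this name (case-insensitive), or None if absent."""
    for n, v in msg["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def check_content_length(msg):
    """Sanity check a proxy should make: declared Content-Length vs actual body size."""
    declared = header(msg, "Content-Length")
    return declared is None or int(declared) == len(msg["body"].encode())


def apply_match_replace(msg, rules):
    """Burp-style header rules: each rule is (regex, replacement). An empty
    replacement deletes the matching header line; otherwise the line is rewritten."""
    new_headers = []
    for name, value in msg["headers"]:
        line = f"{name}: {value}"
        dropped = False
        for pattern, replacement in rules:
            if re.search(pattern, line):
                if replacement == "":
                    dropped = True
                    break
                line = re.sub(pattern, replacement, line)
        if not dropped:
            n, _, v = line.partition(":")
            new_headers.append((n.strip(), v.strip()))
    return {**msg, "headers": new_headers}


# The two rules from the page, as regexes (Burp treats Match strings as regex).
REQUEST_RULES = [(r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\)", "Burp Suite Testing")]
RESPONSE_RULES = [(r"^Content-Security-Policy:.*", "")]


def demo():
    """Apply the request rules to the request and the response rules to the response."""
    req = apply_match_replace(parse_http(RAW_REQUEST), REQUEST_RULES)
    resp = apply_match_replace(parse_http(RAW_RESPONSE), RESPONSE_RULES)
    return req, resp


if __name__ == "__main__":
    req, resp = demo()
    print(header(req, "User-Agent"))                 # Burp Suite Testing
    print(header(resp, "Content-Security-Policy"))   # None (header removed)
```

Stripping CSP this way is only sensible on a test instance you are authorised to assess; the same rule engine is what lets you check that a declared Content-Length is honest before a request leaves the proxy.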

Target Scope

Guide — Target Scope Configuration
# =============================================
# Target Scope: Limiting the Testing Target
# =============================================

# Why does scope matter?
# 1. Only traffic to the specified targets is recorded
# 2. Less noise in HTTP History
# 3. The Scanner only scans targets within scope
# 4. Avoids scanning anything you are not authorised to test

# How to set the scope:
# 1. Open Target → Site Map
# 2. Right-click the target → "Add to scope"
# 3. Or: Target → Scope → Add → enter the URL/host

# Example scope:
# Include in scope:
#   - https://vulnerable-app.local
#   - https://api.vulnerable-app.local
#   - https://*.vulnerable-app.local (wildcard)
#
# Exclude from scope:
#   - https://vulnerable-app.local/logout
#   - https://vulnerable-app.local/admin/reset-db

# Once the scope is set:
# - "Use advanced scope control" for fine-tuning
# - HTTP History → filter "Show only in-scope items"
# - Proxy → "Intercept only in-scope items"

# =============================================
# Site Map: A Map of the Web Application
# =============================================

# Target → Site Map shows:
# - Every URL discovered
# - Directory structure
# - Parameters discovered
# - Content type of each resource
# - Response size and status code

# To crawl automatically:
# 1. Open Target → Site Map
# 2. Right-click the root target
# 3. Choose "Spider this host" (Community)
#    or "Scan" (Professional)
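How the include/exclude rules above decide what is in scope, as an added Python example (not Burp's implementation): include entries are exact hosts or `*.`-prefixed wildcards, exclude entries are URL prefixes, and an exclusion always wins over an inclusion, which is what keeps `/logout` and `/admin/reset-db` untouched while the rest of the host is tested. The scope values are the ones listed above; the sample URLs are constructed.

```python
"""Scope matcher modelled on Burp's Target → Scope rules (added illustration)."""
from urllib.parse import urlsplit

# The example scope from the page.
INCLUDE_HOSTS = [
    "vulnerable-app.local",
    "api.vulnerable-app.local",
    "*.vulnerable-app.local",
]
EXCLUDE_PREFIXES = [
    "https://vulnerable-app.local/logout",
    "https://vulnerable-app.local/admin/reset-db",
]


def host_matches(host, pattern):
    """'*.example' matches any subdomain of example (not example itself and not
    'evil-example'); anything else must match exactly."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern.lower()


def in_scope(url):
    """True when the URL's host is included and no exclude prefix matches it.
    Exclusions take precedence, as in Burp."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    if not any(host_matches(host, p) for p in INCLUDE_HOSTS):
        return False
    # Normalise to scheme://host/path so the query string cannot dodge an exclusion.
    normalised = f"{parts.scheme}://{host}{parts.path or '/'}"
    return not any(normalised.startswith(p) for p in EXCLUDE_PREFIXES)


def filter_history(urls):
    """What the HTTP History filter 'Show only in-scope items' would keep."""
    return [u for u in urls if in_scope(u)]


if __name__ == "__main__":
    # Constructed sample history.
    for u in ["https://vulnerable-app.local/api/users?id=1",
              "https://dev.vulnerable-app.local/",
              "https://vulnerable-app.local/logout?next=/",
              "https://cdn.example.net/app.js"]:
        print(in_scope(u), u)
```

Prefix matching is deliberately simple here; Burp's advanced scope control uses regular expressions, so an exclusion like `/logout` would there be written to stop at the path boundary rather than also catching `/logout-history`.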

4. Repeater: Manual Testing

Repeater is the tool for manual testing of HTTP requests. You can take a request from the Proxy or HTTP History, modify it, and resend it as many times as you like while analysing each response. It is especially useful for testing vulnerabilities such as SQL Injection, XSS, IDOR, and logic flaws.

How to Use Repeater

HTTP — Repeater Example: SQL Injection Testing
# =============================================
# Step 1: Send the request to Repeater
# =============================================
# In HTTP History → right-click the request → "Send to Repeater"
# Or: Ctrl+R

# =============================================
# Step 2: Modify and resend
# =============================================

# Original request:
GET /api/users?id=1 HTTP/1.1
Host: vulnerable-app.local
Cookie: session=abc123
Accept: application/json

# Original response (normal):
HTTP/1.1 200 OK
{"id": 1, "name": "John Doe", "email": "john@app.com"}

# =============================================
# Test 1: SQL Injection (basic)
# =============================================
GET /api/users?id=1' HTTP/1.1
Host: vulnerable-app.local
Cookie: session=abc123
Accept: application/json

# Response (if vulnerable, an error appears):
HTTP/1.1 500 Internal Server Error
{"error": "You have an error in your SQL syntax..."}

# =============================================
# Test 2: SQL Injection (UNION based)
# =============================================
GET /api/users?id=1 UNION SELECT NULL,username,password,NULL FROM users-- HTTP/1.1

# Response (if successful):
HTTP/1.1 200 OK
[
  {"id": 1, "name": "John Doe", "email": "john@app.com"},
  {"id": null, "name": "admin", "email": "$2b$12$hash..."}
]

# =============================================
# Test 3: IDOR (Insecure Direct Object Reference)
# =============================================
# Change id=1 (our own user) to id=2 (another user)
GET /api/users?id=2 HTTP/1.1
Host: vulnerable-app.local
Cookie: session=abc123  # Session of user id=1

# Response (if vulnerable, another user's data is accessible):
HTTP/1.1 200 OK
{"id": 2, "name": "Jane Smith", "email": "jane@app.com",
 "ssn": "123-45-6789", "balance": 50000000}

# =============================================
# Test 4: XSS (reflected)
# =============================================
GET /search?q=<script>alert('XSS')</script> HTTP/1.1

# Response (if vulnerable):
HTTP/1.1 200 OK
...
<div class="results">
  Search results for: <script>alert('XSS')</script>
</div>
...

# =============================================
# Test 5: Header Injection
# =============================================
GET /api/users?id=1 HTTP/1.1
Host: vulnerable-app.local
X-Forwarded-For: 127.0.0.1
X-Original-URL: /admin
Cookie: session=abc123; role=admin

# Check whether the role manipulation works
💡 Tips for Effective Repeater Use
  • Use tabs: create a separate tab for each kind of test
  • Compare responses: watch for differences in response size, status code, and content
  • Use "Follow redirect": toggle it to see the redirect target or the first response
  • Watch the response time: timing differences can indicate blind SQLi
  • Re-render the response: view the HTML as a browser would, inside Burp
  • Use the keyboard shortcut: Ctrl+Space sends the request
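Whether Tests 1 and 3 above succeed depends entirely on how the server handles the `id` parameter. The following Python is an added, constructed stand-in for the `/api/users` handler (the page's target application is hypothetical, so this is not its real code): the vulnerable version concatenates `id` into SQL and never checks who owns the record, while the hardened version validates the input, uses a parameterised query, and enforces object-level authorisation. The sqlite3 rows and the `SESSIONS` mapping are constructed to match the responses shown in the tests.

```python
"""Vulnerable vs hardened /api/users?id= handler (added, constructed example)."""
import re
import sqlite3


def make_db():
    """Constructed sample data matching the Repeater responses above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "John Doe", "john@app.com", "987-65-4321"),
        (2, "Jane Smith", "jane@app.com", "123-45-6789"),
    ])
    return conn


# Constructed session store: session cookie value -> authenticated user id.
SESSIONS = {"abc123": 1}


def vulnerable_handler(conn, session, raw_id):
    """Reproduces Test 1 and Test 3: the id is pasted into the SQL text and the
    record's owner is never compared with the caller. Returns (status, json)."""
    if session not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    try:
        row = conn.execute(
            f"SELECT id, name, email, ssn FROM users WHERE id = {raw_id}"  # injectable
        ).fetchone()
    except sqlite3.Error as exc:
        return 500, {"error": str(exc)}  # leaks the database error, as in Test 1
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(zip(("id", "name", "email", "ssn"), row))


def hardened_handler(conn, session, raw_id):
    """Input validation, a bound parameter, and an ownership check: a caller may
    only read their own record, and anything non-numeric is rejected before SQL runs."""
    user_id = SESSIONS.get(session)
    if user_id is None:
        return 401, {"error": "unauthenticated"}
    if not re.fullmatch(r"[0-9]+", raw_id):
        return 400, {"error": "id must be an integer"}
    if int(raw_id) != user_id:
        return 403, {"error": "forbidden"}  # IDOR attempt: log it, do not serve it
    row = conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)  # bound parameter
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(zip(("id", "name", "email"), row))


if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1'", "2"):
        print("vulnerable", raw, vulnerable_handler(db, "abc123", raw))
        print("hardened  ", raw, hardened_handler(db, "abc123", raw))
```

The hardened handler also stops returning `ssn`: the original response leaks a field the endpoint never needed, and limiting the selected columns is part of the fix.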

5. Intruder: Automated Attacks

Intruder is Burp Suite's automation tool for sending thousands of automatically modified requests. It is used for brute force, fuzzing, enumeration, and parameter tampering at scale. In Burp Suite Community, Intruder is rate-limited; for full speed, use the Professional edition.

Intruder Attack Types

Attack Type   | Description                                                                            | Use
--------------|----------------------------------------------------------------------------------------|--------------------------------------------------
Sniper        | One payload set, one position at a time: each iteration substitutes a single position  | Fuzzing a single parameter
Battering Ram | One payload set, all positions: the same payload goes into every position              | Testing the same payload in many places
Pitchfork     | Multiple payload sets: position 1 uses set 1, position 2 uses set 2, in parallel       | Username:password matching (credential stuffing)
Cluster Bomb  | Multiple payload sets: every combination (cartesian product)                           | Brute-forcing username + password
Diagram: Intruder Attack Types
┌────────────────────────────────────────────────────────────┐
│            INTRUDER ATTACK TYPES                            │
│                                                            │
│  SNIPER:                                                   │
│  Request: username=§admin§&password=§pass123§              │
│  Iteration 1: username=admin&password=FUZZ                │
│  Iteration 2: username=FUZZ&password=pass123              │
│  → One position is fuzzed, the rest stay fixed             │
│                                                            │
│  BATTERING RAM:                                            │
│  Request: user=§admin§&pass=§admin§                       │
│  Iteration 1: user=FUZZ&pass=FUZZ                         │
│  → The SAME payload in every position                      │
│                                                            │
│  PITCHFORK:                                                │
│  Set1: [admin, user1, user2]                              │
│  Set2: [pass1, pass2, pass3]                              │
│  Iter 1: admin:pass1                                      │
│  Iter 2: user1:pass2                                      │
│  Iter 3: user2:pass3                                      │
│  → In parallel, one pair per iteration                     │
│                                                            │
│  CLUSTER BOMB:                                             │
│  Set1: [admin, user1]                                     │
│  Set2: [pass1, pass2]                                     │
│  Iter 1: admin:pass1                                      │
│  Iter 2: admin:pass2                                      │
│  Iter 3: user1:pass1                                      │
│  Iter 4: user1:pass2                                      │
│  → Every combination (cartesian product)                   │
└────────────────────────────────────────────────────────────┘
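The four attack types from the diagram as a payload-position engine, written for this page in Python (this is an added illustration, not Burp's code). `§` marks positions exactly as in the Positions tab, and the templates and payload lists are the ones from the diagram. `request_count` is the defender's use of the same arithmetic: knowing how many attempts a Cluster Bomb produces tells you whether a lockout threshold or rate limit would actually trigger before the list is exhausted.

```python
"""Intruder attack types as payload-position arithmetic (added illustration)."""
import itertools
import re

MARKER = re.compile(r"§([^§]*)§")  # §value§ as in Burp's Positions tab


def positions(template):
    """Original values between § markers, left to right."""
    return MARKER.findall(template)


def render(template, values):
    """Fill the § positions left to right with the given values."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def sniper(template, payloads):
    """One position fuzzed per iteration; the others keep their original value."""
    base = positions(template)
    out = []
    for idx in range(len(base)):
        for p in payloads:
            values = list(base)
            values[idx] = p
            out.append(render(template, values))
    return out


def battering_ram(template, payloads):
    """The same payload substituted into every position at once."""
    n = len(positions(template))
    return [render(template, [p] * n) for p in payloads]


def pitchfork(template, *payload_sets):
    """Set k drives position k; iteration i takes item i from every set and the
    run stops at the shortest set."""
    return [render(template, combo) for combo in zip(*payload_sets)]


def cluster_bomb(template, *payload_sets):
    """Cartesian product of all sets; the last set varies fastest, as in Burp."""
    return [render(template, combo) for combo in itertools.product(*payload_sets)]


def request_count(attack, template, *payload_sets):
    """Number of requests an attack type will send for these payload sets."""
    return len(attack(template, *payload_sets))


if __name__ == "__main__":
    print(sniper("username=§admin§&password=§pass123§", ["FUZZ"]))
    print(battering_ram("user=§admin§&pass=§admin§", ["FUZZ"]))
    print(pitchfork("§u§:§p§", ["admin", "user1", "user2"], ["pass1", "pass2", "pass3"]))
    print(cluster_bomb("§u§:§p§", ["admin", "user1"], ["pass1", "pass2"]))
    # 5 usernames x 100 passwords = 500 login attempts: a lockout after 10
    # failures per account would stop this run at 50 requests.
    print(request_count(cluster_bomb, "§u§:§p§", ["a"] * 5, ["b"] * 100))
```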

Intruder Usage Examples

Guide — Intruder: Login Brute Force
# =============================================
# Example 1: Login Brute Force (Cluster Bomb)
# =============================================

# Step 1: Intercept the login request
POST /login HTTP/1.1
Host: vulnerable-app.local
Content-Type: application/x-www-form-urlencoded

username=admin&password=password123

# Step 2: Send it to Intruder (Ctrl+I)
# Step 3: Set Attack Type = "Cluster Bomb"

# Step 4: Set the payload positions (marked with §)
# Burp detects the parameters automatically:
# username=§admin§&password=§password123§

# Step 5: Set the payloads
# Payload set 1 (username):
#   - Simple list: admin, user, root, administrator, test
#   - Or load from a file: usernames.txt

# Payload set 2 (password):
#   - Simple list: password, 123456, admin, root, letmein
#   - Or use "Brute forcer" (character set + length)
#   - Or load from a file: passwords.txt (rockyou.txt)

# Step 6: Set Grep - Match (to filter the results)
# Options → Grep - Match → Add:
#   - "Welcome" (indicates a successful login)
#   - "Dashboard" (redirect to the dashboard)
#   - "Invalid" (failed login)

# Step 7: Start Attack
# Analysing the results:
# - Status 302 (redirect) + "Welcome" → probably succeeded!
# - Different response length → possibly succeeded
# - Status 200 + "Invalid credentials" → failed

# =============================================
# Example 2: Directory Fuzzing (Sniper)
# =============================================

# Request:
GET /§directory§ HTTP/1.1
Host: vulnerable-app.local

# Payload: directory wordlist
# /usr/share/wordlists/dirb/common.txt
# Or: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Analysis:
# Status 200 → directory found!
# Status 403 → directory exists but is forbidden
# Status 404 → not found

# =============================================
# Example 3: Parameter Fuzzing (Sniper)
# =============================================

# Request:
GET /api/users?id=§1§ HTTP/1.1

# Payload: Numbers 1-1000
# Type: Numbers, Range 1-1000, Step 1

# Or fuzz with SQL injection payloads:
# ' OR 1=1 --
# ' UNION SELECT NULL--
# 1; DROP TABLE users--
# etc.
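What Example 1 looks like from the server side, as an added detection example (the log lines are constructed in Common Log Format and the thresholds are illustrative; none of this is from the page or from Burp): a run of POST /login attempts from one client, nearly all answered 200 with the "Invalid credentials" page, and a single 302 redirect, which is the same success signal Step 7 tells the tester to look for.

```python
"""Detect an Intruder-style login brute force in access logs (added example)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: six rejected guesses and one redirect from 10.0.0.5,
# plus ordinary traffic (one successful login) from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [01/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [01/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def login_summary(entries, login_path="/login"):
    """Per client IP: login POSTs in total, rejected (200) and redirected (302)."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "redirected": 0})
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path:
            s = stats[e["ip"]]
            s["attempts"] += 1
            if e["status"] == "200":
                s["rejected"] += 1
            elif e["status"] == "302":
                s["redirected"] += 1
    return dict(stats)


def flag_brute_force(stats, min_attempts=5, min_reject_ratio=0.8):
    """Flag clients whose login attempts are mostly rejections. A redirect at the
    end of such a run is exactly the pattern a successful guess leaves behind,
    so it is reported separately for triage."""
    findings = []
    for ip, s in stats.items():
        if s["attempts"] >= min_attempts and s["rejected"] / s["attempts"] >= min_reject_ratio:
            findings.append({"ip": ip, "attempts": s["attempts"],
                             "possible_success": s["redirected"] > 0})
    return findings


if __name__ == "__main__":
    for finding in flag_brute_force(login_summary(parse_log(SAMPLE_LOG))):
        print(finding)
```

In production the same counting would run over a sliding time window; the constant response length (1532 bytes for every rejection) is the other side of the "different response length" heuristic in Step 7 and can be added as a second feature.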

Alternative: Turbo Intruder (Extension)

Python — Turbo Intruder Script
# Turbo Intruder: extension for high-speed fuzzing
# Install it from the BApp Store
# Can send 30,000+ requests/second

# Example Turbo Intruder script. RequestEngine and table are provided by
# Turbo Intruder; the script runs inside Burp, not as a stand-alone program.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=False)

    # Queue one request per wordlist entry; each word replaces the %s marker
    # placed in the request in the Turbo Intruder editor
    for word in open('/usr/share/wordlists/dirb/common.txt'):
        engine.queue(target.req, word.strip())

def handleResponse(req, interesting):
    # Keep only interesting responses. req.status is the parsed status code;
    # it is more reliable than searching for the text '200' anywhere in the response
    if req.status in (200, 301):
        table.add(req)

6. Scanner: Automated Scanning (Professional)

Burp Scanner (available only in the Professional edition) performs automated vulnerability scanning of web applications. It detects many vulnerability classes including SQL Injection, XSS, CSRF, open redirect, insecure deserialization, and more. The Scanner crawls (spiders) the application to find all endpoints, then performs passive and active scanning.

Scan Types

Type         | Description                                                                 | Risk
-------------|-----------------------------------------------------------------------------|----------------------------------------------------
Passive Scan | Analyses traffic already captured without sending any new request           | None, observation only
Active Scan  | Sends potentially harmful requests to the server to detect vulnerabilities  | Can affect the server; use only with authorisation
Crawl        | Spiders/crawls the application to find every page and endpoint              | Low, similar to an ordinary bot
Guide — Burp Scanner Workflow
# =============================================
# Passive Scanner (Automatic)
# =============================================
# The passive scanner is always active in the background
# It analyses ALL traffic passing through the Proxy

# What the passive scanner detects:
# - Missing security headers (HSTS, CSP, X-Frame-Options)
# - Cookies without HttpOnly/Secure/SameSite
# - Information disclosure (server version, error messages)
# - SSL/TLS issues
# - Sensitive data in URL parameters
# - Email addresses, internal IPs
# - Cross-domain script inclusion issues

# Results in: Dashboard → Advisory

# =============================================
# Active Scanner (Professional Only)
# =============================================

# Method 1: From the Target Site Map
# 1. Target → Site Map
# 2. Right-click the target/host
# 3. "Actively scan this host"
# 4. Choose the scan type:
#    - Audit checks - Crawl and audit
#    - Crawl - Crawl only
#    - Audit - Audit only (no crawl)

# Method 2: From HTTP History
# 1. Select several requests
# 2. Right-click → "Do active scan"
# 3. Burp sends active requests to those endpoints

# =============================================
# Scan Configuration
# =============================================

# Scan Configuration → New:
# 1. Audit Checks:
#    - SQL Injection: all techniques (error-based, blind, UNION, etc.)
#    - XSS: reflected, stored, DOM-based
#    - OS Command Injection
#    - Path Traversal
#    - File Inclusion (LFI/RFI)
#    - SSRF
#    - Open Redirect
#    - CSRF
#    - Insecure Deserialization
#    - XML External Entity (XXE)

# 2. Crawl Configuration:
#    - Maximum link depth
#    - Maximum URL parameters
#    - File extension handling
#    - Login credentials for authenticated scans

# 3. Resource Pool:
#    - Concurrent request limit
#    - Throttle between requests
#    - Pausing when problems are detected

# =============================================
# Analysing Scan Results
# =============================================

# Dashboard → Advisory:
# - High: SQL Injection, RCE, Authentication Bypass
# - Medium: XSS, CSRF, Open Redirect
# - Low: Information Disclosure, Missing Headers
# - Information: information-gathering findings

# Each issue has:
# - Severity (High/Medium/Low/Info)
# - Confidence (Certain/Firm/Tentative)
# - Detail: the request/response that detected the issue
# - Remediation: how to fix it
# - References: OWASP, CWE, CVE
7. Decoder & Comparer

Decoder

Decoder is the tool for encoding and decoding data in various formats. It is very useful when analysing payloads, cookies, tokens, and data hidden inside requests.

Guide — Burp Decoder
# =============================================
# Burp Decoder: Encode/Decode Formats
# =============================================

# Supported encoding/decoding:
# 1. URL encoding
#    Input:  hello world
#    Encoded: hello%20world

# 2. HTML encoding
#    Input:  <script>alert('xss')</script>
#    Encoded: &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;

# 3. Base64
#    Input:  Hello World
#    Encoded: SGVsbG8gV29ybGQ=

# 4. Hex
#    Input:  Hello
#    Encoded: 48656c6c6f

# 5. Octal
#    Input:  A
#    Encoded: 101

# 6. Binary
#    Input:  A
#    Encoded: 01000001

# 7. Gzip decompress
#    For decoding compressed response bodies

# =============================================
# Smart Decode
# =============================================
# Burp Decoder can auto-detect the format and decode in layers:
# Example:
# URL encoded → Base64 → Hex → final result

# Input: SGVsbG8%3D
# Smart decode → "Hello"

# =============================================
# Practical Example: Decoding a JWT Token
# =============================================

# JWT cookie: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJyb2xlIjoiYWRtaW4ifQ.xxx

# Part 1 (Header): eyJhbGciOiJIUzI1NiJ9
# Base64 decode → {"alg":"HS256"}

# Part 2 (Payload): eyJ1c2VyX2lkIjoxLCJyb2xlIjoiYWRtaW4ifQ
# Base64 decode → {"user_id":1,"role":"admin"}

# Part 3 (Signature): xxx
# This is the signature that would have to be cracked or bypassed

# =============================================
# Comparer: Comparing Responses
# =============================================

# Purpose: visually compare two requests/responses

# Usage:
# 1. Select two items in HTTP History
# 2. Right-click → "Send to Comparer"
# 3. Open the Comparer tab
# 4. Choose "Words" or "Bytes" comparison
# 5. Differences are highlighted

# Example uses:
# - Compare a successful vs a failed login response
# - Compare responses before and after an exploit
# - Compare responses from two IDOR endpoints
# - Detect small changes that indicate a vulnerability

8. Penetration Testing Workflow with Burp Suite

Comprehensive Steps

Diagram: Burp Suite Penetration Testing Workflow
┌────────────────────────────────────────────────────────────┐
│          BURP SUITE PT WORKFLOW                             │
│                                                            │
│  1. PREPARATION                                            │
│  ├── Setup Proxy + Browser + CA Certificate                │
│  ├── Set Target Scope                                      │
│  └── Configure Display / Filters                           │
│       │                                                    │
│       ▼                                                    │
│  2. RECONNAISSANCE                                         │
│  ├── Browse target manually (Proxy → HTTP History)         │
│  ├── Spider/Crawl target (Target → Site Map)              │
│  ├── Document all endpoints, parameters, cookies           │
│  └── Identify technology stack                             │
│       │                                                    │
│       ▼                                                    │
│  3. PASSIVE SCANNING                                       │
│  ├── Review passive scan findings                          │
│  ├── Check security headers                                │
│  ├── Check cookie flags                                    │
│  └── Look for information disclosure                       │
│       │                                                    │
│       ▼                                                    │
│  4. ACTIVE TESTING (Manual)                                │
│  ├── Repeater: Test SQL injection                          │
│  ├── Repeater: Test XSS                                    │
│  ├── Repeater: Test IDOR                                   │
│  ├── Repeater: Test SSRF                                   │
│  ├── Repeater: Test authentication bypass                  │
│  └── Intruder: Fuzzing parameters                          │
│       │                                                    │
│       ▼                                                    │
│  5. ACTIVE SCANNING (Automated)                            │
│  ├── Run Burp Scanner on in-scope targets                  │
│  ├── Review findings                                       │
│  └── Verify false positives manually                       │
│       │                                                    │
│       ▼                                                    │
│  6. EXPLOITATION & VERIFICATION                            │
│  ├── Verify vulnerabilities with PoC                       │
│  ├── Document evidence (request/response)                  │
│  ├── Assess impact and severity                            │
│  └── Develop remediation recommendations                   │
│       │                                                    │
│       ▼                                                    │
│  7. REPORTING                                              │
│  ├── Document all findings                                 │
│  ├── Include request/response evidence                     │
│  ├── Rate severity (CVSS scores)                           │
│  └── Provide remediation guidance                          │
└────────────────────────────────────────────────────────────┘

Recommended Extensions

Guide — Essential Burp Extensions (BApp Store)
# =============================================
# Top Extensions from the BApp Store
# =============================================

# Extender → BApp Store

# 1. Autorize: Authorization Testing
#    Automatically tests for IDOR and broken access control
#    Send a request as user A; Autorize automatically
#    replays it as user B and compares the responses

# 2. Logger++: Advanced Logging
#    A more powerful HTTP history with advanced filters

# 3. JSON Beautifier
#    Formats JSON responses so they are easy to read

# 4. JWT Editor: JWT Token Manipulation
#    Decode, edit, sign, and crack JWT tokens

# 5. Turbo Intruder: High-Speed Fuzzing
#    Python-based high-performance intruder
#    Can reach 30,000+ requests/second

# 6. Active Scan++: Enhanced Active Scan
#    Extra scan checks not present in the default scanner

# 7. InQL: GraphQL Security Testing
#    Tools for testing GraphQL APIs

# 8. Param Miner: Hidden Parameter Discovery
#    Finds hidden parameters (hidden inputs, headers)

# 9. Upload Scanner: File Upload Testing
#    Tests file upload bypass techniques

# 10. Collaborator Everywhere
#     Injects Collaborator payloads into every request
#     For blind vulnerability detection (SSRF, blind RCE)

# =============================================
# Collaborator: Out-of-Band Testing
# =============================================

# Burp Collaborator detects "blind" vulnerabilities:
# - Blind SQL Injection
# - Blind OS Command Injection
# - SSRF
# - Out-of-Band XXE

# How it works:
# 1. Burp generates a unique subdomain: xyz.burpcollaborator.net
# 2. It is injected into the payload: http://xyz.burpcollaborator.net
# 3. If the server makes a request to that domain
#    → the vulnerability is detected!

# In the Professional edition, Collaborator is available automatically
# In Community, use an alternative: Canarytokens.org

9. Quiz: Test Your Understanding!

After reading the tutorial above, answer the following 5 questions to test your understanding of Burp Suite:

Question 1: What is the main function of the Burp Suite Proxy?

a) Encrypting all web traffic
b) Intercepting and modifying HTTP/HTTPS traffic between the browser and the server
c) Speeding up the internet connection
d) Replacing the web browser

Question 2: Which Intruder attack type tries ALL combinations of several payload sets?

a) Sniper
b) Battering Ram
c) Pitchfork
d) Cluster Bomb

Question 3: Which Burp Suite tool is used to send a request manually, over and over?

a) Scanner
b) Intruder
c) Repeater
d) Decoder

Question 4: What is the difference between a passive scan and an active scan in Burp Suite?

a) Passive scan sends exploits, active scan only observes
b) Passive scan analyses traffic without new requests; active scan sends requests to the server
c) There is no difference, they are the same
d) Passive scan is only for HTTPS, active scan for HTTP

Question 5: Why must the Burp Suite CA certificate be installed in the browser?

a) To make the internet faster
b) So Burp Suite can intercept and decrypt HTTPS traffic
c) So Burp Suite can block viruses
d) To make the browser safer from hackers