PortSwigger Burp Suite Professional License Agreement

A large number of commercial web analytics tools are also available, ranging in price from several hundred dollars to thousands of dollars. Burp Suite is one such tool: its professional version sits at the bottom of the cost scale ($275 per year at the time of writing) but still offers a solid range of features. Burp Suite runs in a graphical interface, as shown in Figure 10.6, and in addition to the standard features found in every web assessment product, it includes several advanced tools for carrying out deeper attacks.

For our purposes, we use Burp Suite Intercept (or Burp for short) as our proxy, as it is widely regarded as one of the most functional web hacking platforms. We will use many of the tools in Burp Suite throughout our hacking approach. Burp Suite is available in BackTrack; for more information, or to download Burp Suite as a standalone file, see www.portswigger.net. Burp Suite can be opened in BackTrack via apps → BackTrack → Vulnerability Assessment → Web Application Assessment → Web Application Proxies → Burpsuite, as shown in Figure 3.2.

Burp Suite Enterprise Edition is an enterprise, server-class solution for automated, scheduled and continuous scanning, capable of performing a high volume of simultaneous scans (only the number of agents must be authorized to cover the required instance). The main features of this new product are server installation, access via a modern web interface, and a REST API. Automated scanning: the Burp web vulnerability scanner scans an application for known vulnerabilities.

The Open Web Application Security Project (OWASP) attempts to document and provide information on security vulnerabilities and types of attacks. It appears that the Burp Suite Vulnerability Scanner can automate the detection of vulnerabilities described by OWASP's Top 10 at www.owasp.org/index.php/Top_10_2013-Top_10.

However, in this edition (and in this section), we will see the Burp Pro suite of tools available on portswigger.net/burp/. It's also a commercial tool, but a tool that I found invaluable and something I personally buy every year for my web application tests. However, there is a trial version that gives you some of the features, allowing you to see for yourself whether it's worth it for your own use.

Burp Suite Enterprise Edition Delivery Conditions For all licensees who must accept and comply with Burp Suite Enterprise Edition, this is easier to read for customers who must submit to the license. Burp Suite Enterprise Edition Important Delivery Conditions NOTE: PLEASE THE

python sqlmap.py -r file_from_burp -T table_to_target --dump

Developed by PortSwigger, Burp acts as an IDS. This means you can use it to falsify and format form entries sent to the server as you wish. This allows you to manipulate any JavaScript form fields that may occur. It is precisely for this reason that JavaScript input validation is unnecessary from a security point of view. Typically, a server only needs form entries in the correct transmission format.

Burp offers this. In addition, Burp comes with a spider, a scanner, an intruder, a sequencer and a repeater. Burp Suite may take a few seconds to load the first time, so be patient if you don't see immediate action. Depending on your version of BackTrack, a Java Runtime Environment (JRE) warning may also be displayed.
