I spend a lot of time in Burp and had to consciously fix time wasting habits so I could be more efficient at my job. In case it helps, here are some time savers. I tried to note where it applies to Burp Pro.
- Import the Burp HTTPS Certificate. If you haven’t done it, import the Burp certificate into your browser so that you don’t have to click past HTTPS warnings when testing a site served using HTTPS. Follow these instructions.
- Avoid proxying sites you are not investigating. I hate it when Burp proxy intercepts traffic to URLs like safebrowsing.googleapis.com and detectportal.firefox.com. The option “Never intercept requests to this domain” is labor intensive. I always forget to save these settings anyway. A better place to handle this is in the browser’s “No Proxy for:” field. Here is a suggested list of domains for that value: .mozilla.org, .google.com, detectportal.firefox.com, .firefox.com, .tiles.services.mozilla.com, .tiles-cloudfront.cdn.mozilla.net, safebrowsing.googleapis.com, .googleapis.com, snippets-stats.moz.works, stats.g.doubleclick.net, google-analytics.com
- Avoid logging traffic for out-of-scope sites. I get overwhelmed by the giant stack of traffic in the Target tab and I can’t find the sites I’m interested in quickly. To limit what gets logged here and in proxy HTTP History, you can specify this in User Option tab: You should then see this message if it is disabled.
- Remember to use Repeater. If you find yourself repeatedly turning off the intercept, going back to the browser, changing some small thing, and turning the intercept back on, and making something happen in the browser, Repeater will change your life. Just right click in the intercept window or in the Target tab and select “Send To Repeater”. Once there, make your changes and click “Go”
- Save settings and give them reasonable names. Burp allows very granular settings saving. However, if you don’t give them good names, you will not know what you are looking for when you want to use them again. Save and load settings is done through a gear icon next to the setting. You can see that I added a match and replace rule in the proxy options and clicked the gear icon to save my changes. Next time I want to use that rule, I’ll just “Load options” and find my excellently named file.
- Save and Load Intruder settings. I hate having to recreate the steps to set up an intruder attack that is very similar to one already performed. You can save your attack and open it later. These settings are not saved through a gear icon like most other settings. Instead, there is an Intruder menu where all of this is possible!
- Turn off Some Scanning Tests. Make scanning more efficient by turning off checks that you are not interested in. Are you just looking for Cross-site Scripting? Turn off all other types. Scan will go faster and cause less noise and possible disruption to the web application. Burp Scanner is only available in Burp Suite Pro.
- Use a browser extension to turn proxy on and off. Configuring Firefox to use the Burp proxy takes 7 clicks (hamburger icon –> Options –> Advanced –> Network –> Connection Settings –> Manual –> OK). Reduce this to two clicks with a proxy switcher extension for the browser. For Firefox, I’ve enjoyed Proxy Switcher. It very simple and works with the latest Firefox. As you can see below, the “No proxy for” domain list that I mentioned in item 2 is available through this interface.
- Streamline the handling of issues you discover. I used to find myself going back into Burp to retest results I’ve already confirmed just to find the URL and parameter again so I can report it. Huge waste of time! Instead, have a vulnerability management database such as DefectDojo or Threadfix that can digest exported Burp XML files. Once you find and confirm a security flaw with Burp, you want to never have to find it again. So, export the results to XML so that you can import it to your vulnerability tracker. Threadfix provides a Burp extension that makes this a one-click exercise. Read more about Burp integration with Threadfix. That link explains how to export entire scans into Threadfix. What if you find some flaw with Repeater or Intruder and want to send that to Threadfix or DefectDojo? For now, such a task would be done by hand.