Burp Suite tutorial: Starting up with Burp and OWASP BWA VM (Installation)
Setting up a web app penetration testing lab:
- OWASP Broken Web Applications (BWA) is an OWASP project that provides a self-contained VM with a variety of applications containing different kinds of known vulnerabilities.
- The applications in this VM give students and learners a good medium to learn about web application security, practice their skills, observe web attacks and make use of penetration testing tools such as Burp.
- The OWASP BWA VM can be downloaded from https://sourceforge.net/projects/owaspbwa/
- We will download the OWASP BWA VM along with the supporting tools needed to build our web application penetration testing lab.
Software Tool requirements:
- Oracle VirtualBox (https://www.virtualbox.org/wiki/Downloads)
- Mozilla Firefox Browser (https://www.mozilla.org/en-US/firefox/new/)
- 7-Zip file archiver (https://www.7-zip.org/download.html)
- OWASP BWA VM (https://sourceforge.net/projects/owaspbwa/)
- Burp Suite Community or Professional (https://portswigger.net/burp)
- Oracle Java (https://www.java.com/en/download/)
How to do it (Process):
Installing OWASP BWA VM:
1. Download the OWASP BWA VM from the link provided earlier and unzip the downloaded file.
2. After unzipping, you will see a listing of several files, as follows:
3. The file extensions shown indicate that the VM can be imported into VirtualBox or VMware Player/Workstation. For the purpose of this lab, we will use Oracle VirtualBox.
4. Make a note of the OWASP Broken Web Apps-cl1.vmdk file. Open the VirtualBox Manager.
5. In the VirtualBox Manager screen, select Machine | New from the top menu and type a name for the machine, OWASP BWA.
6. Set the type to Linux and the version to Ubuntu (64-bit) and click Next, as follows:
7. The next screen allows you to adjust the RAM; you can leave it at the suggested value.
8. On the next screen, choose the option → Use an existing virtual hard disk file.
9. Use the folder icon to navigate to and select the OWASP Broken Web Apps-cl1.vmdk file from the extracted list and click Create, as follows:
10. Your VM is now loaded in the VirtualBox Manager. Let's make some minor adjustments. Highlight the OWASP BWA entry and select Settings from the top menu.
11. Select the Network section in the left-hand pane and change the adapter to Host-only Adapter, then click OK. Host-only networking keeps the deliberately vulnerable VM reachable only from your host machine, not from the rest of your network:
12. Now let's start the virtual machine. Right-click the entry and choose Start | Normal Start:
13. Wait until the Linux system is fully booted, which will probably take a few minutes. After the boot process is complete, you should see the following screen. The IP address shown may be different on your machine:
14. The information presented on this screen identifies the URL where you can access the vulnerable web applications running on the VM; in this example the URL is http://192.168.56.101/ . You are also given a login prompt for administering the VM, but it is not necessary to log in at this time.
15. Open a browser on your host system, not inside the VM. Using Firefox, enter the URL shown on the VM console (for instance http://192.168.56.101), where the IP address is the one specific to your OWASP BWA machine.
16. In your browser, you will be presented with an index page containing links to the vulnerable web applications; these applications will be used as targets:
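The same VirtualBox setup as steps 4 to 12, driven from the command line with VBoxManage instead of the GUI, is shown below as an added example; it is not part of the original tutorial. It assumes the VM name "OWASP BWA", 1024 MB of RAM, and the host-only interface name vboxnet0 (the Linux/macOS default; on Windows the interface is called "VirtualBox Host-Only Ethernet Adapter"). By default it only prints the plan; set DRY_RUN=0 to execute it.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: import the OWASP BWA disk
# into VirtualBox with VBoxManage, mirroring the GUI steps above.
# Assumptions: VM name "OWASP BWA", 1024 MB RAM, host-only interface vboxnet0.
set -eu

VM_NAME="OWASP BWA"
VM_MEM_MB=1024
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Print each command in dry-run mode (DRY_RUN=1, the default) so the plan can
# be reviewed first; DRY_RUN=0 actually executes the VBoxManage calls.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse anything that is not a .vmdk, so a stray file from the archive
# (the .ovf, .mf or .vmx) is never attached as a disk.
is_vmdk() {
    case "$1" in
        *.vmdk) return 0 ;;
        *)      return 1 ;;
    esac
}

# Create and register the VM, give it RAM and a host-only NIC, and attach
# the BWA disk image on an IDE controller (steps 5 to 11 in the GUI).
create_bwa_vm() {
    is_vmdk "$1" || { echo "not a .vmdk file: $1" >&2; return 1; }
    run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu_64 --register
    # Host-only networking: the deliberately vulnerable VM is reachable only
    # from this host, never from the LAN.
    run VBoxManage modifyvm "$VM_NAME" --memory "$VM_MEM_MB" \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE \
        --port 0 --device 0 --type hdd --medium "$1"
}

# Start the VM (step 12). --type gui shows the console, which you need in
# order to read the IP address from the login banner; --type headless runs
# it in the background.
start_bwa_vm() {
    run VBoxManage startvm "$VM_NAME" --type "${1:-gui}"
}

# Usage: DRY_RUN=0 ./bwa-vm.sh "OWASP Broken Web Apps-cl1.vmdk"
if [ $# -ge 1 ]; then
    create_bwa_vm "$1"
    start_bwa_vm gui
fi
```

If `VBoxManage list hostonlyifs` shows no interface on your host, create one first with `VBoxManage hostonlyif create` and pass its name via HOSTONLY_IF.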
How it works:
By taking advantage of the customized virtual machine created by OWASP, we can quickly set up a web application penetration testing lab that contains purposely vulnerable applications, which we can use as legal targets for our exercises.
Starting Burp from the command line or as an executable with a user interface:
For non-Windows users, or Windows users who chose the plain JAR file option, Burp is started from the command line each time you wish to run it. To do so, you need a particular Java command.
In some circumstances, such as automated scripting, you may wish to invoke Burp from the command line as a line in a shell script, or simply run Burp without a graphical user interface (GUI), referred to as headless mode. The next section describes how to perform these tasks.
How to do it:
Start Burp from the command line:
1. When using the plain JAR file, the java executable is followed by the -jar option, followed by the name of the downloaded JAR file. Start Burp from the command line (minimal form) with the plain JAR file (Java must be installed first):
2. If you prefer more control over the heap size (the amount of memory allocated to the program), modify the java command accordingly. The java executable is followed by -jar, followed by the memory allocation, then the name of the JAR file. In this example, 2 GB (written as 2g) of RAM is allocated to the Java heap. Note: if you get an error that the JVM is unable to allocate that much memory, drop the amount to something like 1024 MB (1024m). Start Burp with this command line:
3. It is also possible to start Burp from the command line in headless mode, that is, running Burp without the GUI. Start Burp with the following command line to run it headless. Take note that the parameter -Djava.awt.headless=true is placed after the -jar option and before the name of the JAR file:
4. If successful, you should see the following. Press Ctrl+C to stop the process (Ctrl+Z only suspends it; a suspended Burp keeps its proxy listener port bound until it is resumed or killed):
It is also possible to pass a configuration file to the headless command (with the --config-file= option) to customize the port number and IP address on which the proxy listener runs.
Start with GUI:
1. In every startup scenario, you will be presented with a splash screen that matches the edition you downloaded. You may also be prompted to update to the current version.
2. Next, you will be prompted with a dialog box asking about project file configuration:
3. If you are using the Community edition, you will only be able to create a temporary project. If you are using the Professional edition, create a new project on disk, saving the file in a location you can find again.
4. The subsequent screen prompts you for the configuration you would like to use. Since we don't have one yet, choose Use Burp defaults. As you progress in your journey with Burp, you will save configuration settings and load them on this screen:
5. We are now ready to start Burp and explore its functions.
How it works:
Using either the plain JAR file or the Windows executable, you can launch Burp, which starts the Proxy listener to capture HTTP traffic.