Find answers, ask questions, and connect with our
welcoming community.

Home Page Forums General Discussions Burp Suite the holygrail ?

  • Burp Suite the holygrail ?

    Posted by Anthony on June 25, 2021 at 7:16 pm

    My question is in my time bug hunting it seems that PortSwiggers “BurpSuite” is the ultimate tool to pen test and find most vulnerabilities. What are your thoughts on this because i am tempted to get the professional edition because other tools i tried on countless occasions just don’t seem to either work or help me in any way. I don’t know, is it all hype, or is there real validation to all the talk about BurpSuite ?

    I am also learning on their “Web Academy” as well, alongside your course-work.

    Anthony replied 1 year, 4 months ago 2 Members · 6 Replies
  • 6 Replies
  • Christophe

    Administrator
    June 28, 2021 at 4:41 pm

    Using some kind of proxy tool for bug hunting is massively helpful, yes. Most people use Burp Suite, though I’ve been using ZAP exclusively for a while now because I want to make a course on it so I want to understand it really well.

    So, yes, if you’re not using a proxy tool yet, I’d highly recommend getting one and learning it really well.

    • Anthony

      Member
      June 28, 2021 at 5:35 pm

      Hmm, interesting because all the “XSS Tools” I use have done nothing for me, but does BurpSuite replace tools like SQLMap and Commix that are specifically designed for those particular vulnerabilities. I have heard that BurpSuite is the top tool in the profession currently, which is encouraging. But again, SQL Injection and OS Command Injection would those two tools that we can’t replace in the journey of bug hunting ?

      The point i am making is all these “Best” XSS Tools are just not working in my case, but SQLMap and Commix are a completely different story.

      • Christophe

        Administrator
        July 6, 2021 at 4:02 pm

        Burp does include plugins either by default or as extensions you can download and add that have some similar functionality, but a lot of times, 3rd party tools can still be more powerful. Not always – some of those extensions are fantastic.

        Do keep in mind that even the best tools in the world won’t give you anything if the tool is either improperly used or being used against endpoints that don’t have vulnerabilities. So regardless of the tool you use, personally I think the most important part is truly learning how the tool(s) work and when they should be employed against a target.

        • Anthony

          Member
          July 6, 2021 at 6:17 pm

          So basically before i even continue forward hunting i need to put more time into these tools and techniques or else it will be a continuing failed experiment. Sigh for some reason i just can’t catch a break focus one bug or multiple bugs in order to be a “Better” hacker or bug hunter, it really sucks.

          • Christophe

            Administrator
            July 13, 2021 at 9:50 pm

            Definitely get familiar with tooling before trying to use it on real environments. For one, your success rate won’t be high if you’re not properly using the tool(s), but also some of them can cause damage to environments or data, so it’s important to make sure you’re not abusing the environments you’re going after.

            • Anthony

              Member
              July 14, 2021 at 12:50 pm

              Yes but what i noticed is there is a difference between simulations vs real world environments