NB: this document is currently more of a braindump. Please leave comments so that the picture becomes more complete!
This document aims to describe what improvements Burp Suite needs in order to make manual web penetration testing an efficient and pleasant process.
An overview of what’s wrong
- Session management, macros, cookie jars
- Some Repeater tabs are kept as proof that a certain action or outcome is possible (e.g. a specific error in a response, or a successful attack). Such a tab is then easily reused by mistake for other requests, after which it is very hard to find “the PoC I did three days ago” or “that error I saw but didn’t investigate”; the only option left is search.
- The only place where a Repeater tab can be annotated is its header, which does not leave enough room for a sufficiently long comment.
- There is no indication of which ‘action’ (in terms of the web application’s logic) a request performs, or on behalf of which actor. There is also no way to mark special circumstances (e.g. requests sent over a 3G connection are sometimes treated specially for authentication purposes).
- There is no way to filter which tabs are displayed, which would be very useful when pentesting several interconnected applications (e.g. an OAuth provider plus an OAuth client, or a merchant site plus a separate MPI and ACS in a 3-D Secure setup).
- Other, unsorted:
- Cyrillic text in responses is sometimes displayed incorrectly, and copying it to the clipboard yields garbage.
- Copying from a request in Repeater appends unnecessary newlines (might be Linux-specific).
- Memory usage and loading times; no way to quickly switch between projects.
- The hex editor is not very usable (TODO: specify what exactly is wrong with it).
- “Export macro as a bash script” =)
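To make the last wish concrete, here is one shape such an export could take: a session-handling macro (fetch the login form, scrape the CSRF token, log in, replay an authenticated request) written as a shell script around curl and a shared cookie jar. This is an added example, not code from this document and not anything Burp actually produces; the target (`https://target.example`), the `/login` and `/api/me` paths, the `csrf` form field and the `session` cookie name are all placeholders.

```shell
#!/usr/bin/env bash
# Added example: a Burp-style session macro expressed as a curl script.
# Everything about the target is an assumption: BASE_URL, /login, /api/me,
# the "csrf" hidden field and the "session" cookie are placeholders.
set -e

BASE_URL="${BASE_URL:-https://target.example}"
JAR="${JAR:-$(mktemp)}"            # cookie jar: curl -c writes it, -b reads it

# Read one cookie's value from a Netscape-format cookie jar (what curl -c writes).
# curl stores HttpOnly cookies on lines prefixed "#HttpOnly_", which look like
# comments; a naive grep -v '^#' would silently drop exactly the session cookie.
cookie_value() {   # usage: cookie_value JAR NAME
  awk -v name="$2" '
    ($0 !~ /^#/ || $0 ~ /^#HttpOnly_/) && NF >= 7 && $6 == name { print $7; exit }
  ' "$1"
}

# Pull a hidden CSRF token out of an HTML body on stdin, i.e. the value of the
# first <input ... name="csrf" ... value="..."> (assumes name= precedes value=).
csrf_token() {
  awk '
    match($0, /name="csrf"[^>]*value="[^"]*"/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.*value="/, "", s); sub(/"$/, "", s)
      print s; exit
    }
  '
}

# The macro itself: two requests sharing the cookie jar, the second carrying the
# token scraped from the first (what Burp does when a parameter is derived from
# a prior response). Prints the resulting session cookie value.
login_macro() {   # usage: login_macro USER PASS
  local user="$1" pass="$2" token status
  token=$(curl -sS -c "$JAR" -b "$JAR" "$BASE_URL/login" | csrf_token)
  [ -n "$token" ] || { echo "no csrf token in login page" >&2; return 1; }
  status=$(curl -sS -c "$JAR" -b "$JAR" -o /dev/null -w '%{http_code}' \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$pass" \
    --data-urlencode "csrf=$token" \
    "$BASE_URL/login")
  [ "$status" = "302" ] || { echo "login returned HTTP $status" >&2; return 1; }
  cookie_value "$JAR" session
}

# A request that needs the session; in Burp the macro would run when this fails.
authed_request() {   # usage: authed_request PATH
  curl -sS -b "$JAR" -c "$JAR" "$BASE_URL$1"
}

# Only perform the network steps when explicitly asked, so the file can also be
# sourced just for its functions.
if [ "${RUN_MACRO:-0}" = 1 ]; then
  session=$(login_macro "${LOGIN_USER:?}" "${LOGIN_PASS:?}")
  echo "session=$session"
  authed_request /api/me
fi
```

Run it as `RUN_MACRO=1 BASE_URL=https://… LOGIN_USER=… LOGIN_PASS=… ./macro.sh`; without `RUN_MACRO=1` it only defines the helpers. The expected login status (302) and the token extraction are deliberately explicit so that a failed macro step aborts the script instead of replaying requests with an empty token or a stale jar.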