The following is a list of recommended books, articles, and other Burp Suite resources. Each resource is thoroughly analyzed before adding it to the list.
Hands-On Application Penetration Testing with Burp Suite - Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar (2019)
A beginner-friendly book that teaches you the web app pentesting mindset with Burp Suite’s help. This book is my recommendation for anyone who wants to learn Burp Suite.
In a nutshell, what makes this book stand out from other books on Burp Suite is:
- It uses examples and features from Burp Suite v1.7.30, a comparatively recent version. Most, if not all, samples present in the book work on current versions of Burp Suite (2020.x and 2021.x).
- The author(s) haven’t complicated the book by giving workarounds for features not present in the Community edition. The book is focused on Burp Suite Pro and tells you if the feature is not present in the Community edition.
- It has many examples using Burp extensions (like CSRF Scanner, EsPReSSO, etc.) to exploit specific vulnerabilities.
- It has a chapter on extending Burp’s functionality and setting up an environment to develop Java extensions. Such extensive information is something I haven’t found in other books so far.
Now let me describe the book in detail. It’s divided into 12 chapters. The first few chapters talk about some basics of Burp Suite and how to configure it on browsers, mobile devices, etc. The next few chapters talk about the stages of a web app pentest, Burp’s suite of tools, and which tool can be handy while checking for different vulnerability types.
The chapters on detecting and exploiting vulnerabilities are the fascinating part of the book. These chapters describe each vulnerability and tell you whether Burp Scanner detects it; if not, they show how you can detect it manually, semi-automatically (using Intruder), or automatically (using extensions).
Also, there is a complete chapter on setting up an environment to develop Burp extensions in Java. Finally, the last few chapters summarise the pentest methodology with real-life targets.
(Note: Requests and responses in examples might not render well on Kindle.)
Even though the book describes the vulnerabilities, it still uses some jargon. If you are a complete beginner, you might end up searching a few terms/techniques on the internet before completing the book.
Burp Suite Essentials - Akash Mahajan (2014)
A fantastic book for beginners. The book has well-structured chapters, uses simple language, and has many images. This book covers features from both the Community and Professional versions. It would be a shame to describe the book without mentioning the hacks packed into it (like Java hacks to increase RAM usage, using FoxyProxy, and more). Even though the book was published in 2014 and Burp Suite has introduced many new features since then, the core Burp Suite features described in the book haven’t changed much.
Even if you are already familiar with Burp Suite, you’ll find something new. The chapters Using Burp Tools as a Power User (both parts 1 and 2) describe all the commonly used Burp tools. The chapters Setting scope and dealing with upstream proxies and Searching, Extracting, Pattern Matching and More are the icing on the cake. If you haven’t read the book, give it a try, and I’m pretty sure you will learn something new.
Burp Suite Cookbook - Sunny Wear (2018)
An interesting cookbook with “recipes” on manually using Burp Suite for testing common web app vulnerabilities. The book starts with an obvious introduction to Burp Suite and its tools (Message editor, Repeater, etc.). The following chapters are collections of recipes grouped under common vulnerability types (Authentication, Authorization, Input Validation, etc.). The book uses vulnerable web apps from the OWASP Broken Web Applications VM to demonstrate each vulnerability and how to test/exploit it using Burp Suite.
The initial few chapters look great for beginners; however, the book’s charm fades after a few chapters. This is due to a lack of information in the intermediate chapters. These chapters are a collection of recipes, and each recipe follows a pattern: an introduction to the vulnerability, how to set up the vulnerable web app (if required), and finally, manual steps on how to exploit the vulnerability.
The book doesn’t cover the vulnerabilities in detail, just a paragraph or two. Additional effort is required to understand the specific terms and advanced concepts mentioned in the book. A lot of the vulnerabilities mentioned in the book are covered in depth in PortSwigger’s free Web Security Academy. Finally, the last few chapters bring back the charm by talking about a few Burp extensions and using macros.
A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities - Sagar Rahalkar (2020)
An interesting short book with the author’s opinion on most of the features in Burp Suite Professional. If the author asks me for my opinion on the book, I will give him two: either add more content to the book or change the book’s name (anything without the term Complete in it).
Don’t get me wrong, a few sections of the book (like browser plugins to enable Burp proxy when required, Burp Infiltrator, etc.) are pretty interesting. The only drawback is the content.
The book neither gives in-depth knowledge of each feature nor ample examples. The book doesn’t cover technical details about vulnerabilities (even though it has a theoretical section on the OWASP Top 10 vulns). This means you need to read this book and then figure out for yourself how to use Burp’s suite of tools to detect those vulnerabilities. The book has links to many OWASP projects, some details on Burp’s suite of tools, and a final chapter that concludes with a three-step mindset on how to proceed with pentests in general.
The final chapter, which I expected to be the better part, doesn’t do it right. Take, for example, the section where Burp proxy is set up on a mobile device: there are no steps for adding Burp’s CA certificate to the mobile device, nor for the rooting/jailbreaking process. A reader who follows the steps won’t successfully set up Burp proxy to intercept the mobile device’s requests.
(I value my readers’ time and money like I value mine. Looking at this book’s knowledge-per-cost factor, it’s not worth buying. So I have intentionally not added links to buy this book. I would suggest purchasing the above books or learning from the free resources mentioned below.)
- Burp Training by Secure Ideas - https://www.youtube.com/playlist?list=PLqG-wtrX3aA_wYTrnDHoCBkKBoI4z9oLd
Blogs & Articles
- Awesome Burp Extensions - https://github.com/snoopysecurity/awesome-burp-extensions