Burp Proxy Settings

While it can override some settings, it does not override all settings within Burp. This extension can override the Proxy Intercept settings, but requests will default to the Proxy Intercept settings if they do not match the criteria to override these settings. May 03, 2015 I have set up Burp Suite with Firefox and have used all the correct settings, and it is connecting to the proxy on 127.0.0.1:8080. The Burp Suite software is able to see the pages I try to visit in the browser and can give me some basic information about it, however in my browser the page is just loading indefinitely and never displays the web. If you prefer, you can just use Burp's embedded browser, which is preconfigured to work with Burp Proxy already. To access the embedded browser, go to the 'Proxy' 'Intercept' tab, and click 'Open Browser'. Once you have confirmed that the proxy listener is up and running, you need to configure your browser to use it as its HTTP proxy server. These settings are used to specify destination webservers for which Burp will directly pass through TLS connections. No details about requests or responses made via these connections will be. This way of proxying would be neat (depending on proxying needing to be visible or not in project/user options' upstream proxy settings) if it actually works to forward to another proxy. My question is, if it works, will the response show up in processProxyMessage so that I can intercept using Burp API?

If you’ve done any web application pen testing or bug bounty hunting, you’re probably familiar with Burp Suite. If you haven’t used Burp Suite before, this blog post series is meant for you.

What is Burp Suite and why should you use it? Burp Suite is a suite of web application testing tools that help you intercept, modify and automate your interactions with a web application. If you do CTFs, this will make your life a lot easier. And if you want to get into web application, Burp Suite is a great tool to have.

This post covers installation, configuration, and the Target and Proxy tools.

Installation and Setup

Burp Suite (from now on, just “Burp”) has a free edition and a professional version. The pro option costs $400. You can request a 7 day trial of that here, or download the free Community Edition here.

Once you’ve downloaded and installed the program, you’ll need to configure your browser to direct the traffic to Burp Suite.

Burp functions by intercepting all traffic from a browser–allowing you to inspect it, modify it, etc.–and then forwarding the requests on. There are two options for proxying traffic to Burp.

Burp
  1. You can either configure proxy settings within your browser settings (not recommended as you have to manually turn this on or off each time).
  2. You can install a browser plug-in like FoxyProxy which lets you configure the proxy once, and then turn the proxy on/off with a single click.

I recommend downloading FoxyProxy, and then creating a profile for BurpSuite. You do this by clicking the FoxyProxy icon, and then clicking options.

Burp Proxy Config

Next, click Add and then fill out the form (I used IP address 127.0.0.1/localhost and port 8081).

Once you’ve saved that, you can click the FoxyProxy icon again and turn the proxy on.

Depending on which browser you use, you might want to make use of browser profiles so that settings, cookies, etc. are cleared for your web testing profile. Alternatively, you could use a different browser.

You also need to set up the Burp certificate so that HTTPS requests work properly (otherwise you will get certificate warnings). See this link for details on how to set that up.

You might also consider using a VPN so that your home IP address is not blacklisted by websites that make use of WAFs.

BurpSuite Proxy Settings

Once you’ve got your browser proxy and certificates set up, open up BurpSuite. If you have the free version, you will have to select “Temporary project.” Accept the default settings.

Settings

Then, you should see a bunch of tabs. Click the “Proxy” tab and then click “Options.”

You will need to click “Add” and add the IP address and port name that you configured in FoxyProxy.

Test everything out

With FoxyProxy enabled, and the same IP address and port configured in the Proxy Options tab of Burp Suite, navigate to a web page in the browser that is using FoxyProxy.

A good example site might be http://xss-game.appspot.com

The website won’t load, because Burp has intercepted the request.

If you go to Burp, you will see something like this:

Notice that the Proxy tab and Intercept tabs are both highlighted orange. This will happen when a new event has occurred in a given tab, or some kind of alert has been generated. We’ll see this again later when we send requests to other tools in Burp Suite.

You can look at the request and its headers in any of three tabs: Raw, Headers or Hex. To complete the request, click “Forward.” If you want to stop intercepting traffic, you can click “Intercept is on” and the text (and styling) will change to say “Intercept is off.”

By default, intercept is on when you open Burp.

Proxy

We’ve already seen some of the Proxy tab while configuring the Proxy (Options sub-tab) and viewing our first intercepted request (Intercept tab).

HTTP History

If you click the HTTP History tab, you will see a chronological list of requests that Burp made. This includes the original URL we navigated to, future pages we navigate to, and all of the resources that are requested alongside those pages. For example, this screenshot shows the requests from two pages that I navigated to:

You can click on each of these and details will be loaded into the bottom pane.

If you right-click any response, you get a whole menu of options. You can add a comment, send the request to other Burp tools (which we’ll cover in upcoming blog posts), add to scope, request in browser, and more.

The concept of scope is important, and applies across many tools within Burp. We’ll cover this more in the Target section.

Filtering

Lastly, you can filter the HTTP history list by clicking this bar:

This filter bar appears in many places throughout the application. I wish the UI were different so it was more obvious that you can interact with it, but definitely click on it in various tools to get a sense of what your filtering options are.

As you select/de-select items, the filter bar preview will update to say what filter(s) you’ve selected.

Proxy Options

There are many other options in the Proxy > Options tab. I won’t list all of them here, but you can configure:

  • What types of client requests to intercept
  • How responses should be modified (removing Javascript form validation, etc.)
  • Match and Replace, which allows you to use regexes to set HTTP headers. You could use this to automatically swap out your user-agent header or cookies, for example.

Target

Next, let’s click on the Target tab and then click Site Map (if it isn’t already selected).

This is similar to the HTTP history in that it shows all of the web pages and resources that you’ve requested. The SiteMap, however, shows all of these requests in a tree view that matches the structure of the website.

You can see that the lefthand pane has the XSS Game website, plus a few others ites, like Google fonts.

If we open up the tree, we can see level1, static, and other folders and files underneath. Each of these requests can be loaded in the righthand pane, with more details about the request and response in the lower pane. This might seem redundant, and it kind of is, but there are benefits to different data perspectives.

Burp Proxy Setup

Each of the items in the lefthand pane has an icon next to it:

  • The gear icon means that it’s dynamic, or that it’s sent data. In this case, I typed “hi” into the level 1 input box and clicked Send.
  • Directories are denoted by folder icons.
  • Individual pages are denoted by page icons. Sometimes, these have styling to them (like the JS files).

Again, we can click the filter bar and select filters for the data. These filters can include keywords, MIME types, file types, status codes, and more. If you set filters and want to remove them, click the gear icon and select “restore defaults.”

Scope

Lastly, let’s talk about scope. Scope applies to many different tools, and can be configured either in the Target > Scope tab and/or individually in different tools.

Scope is an important concept, especially if you are pen testing. If you use other tools (like Spider, which we’ll cover in upcoming posts) without a scope set, it will be time-consuming, and might also send requests to websites other than the target site. So let’s scope down our results by clicking on the “Scope” tab.

Click “Add” in the “Include in scope” section. Because I am visiting the XSS Game site, I want to only include that in my scope (and not include Google fonts, etc.)

So, I enter “xss-game” into the pop-up and click OK.

You will see a pop-up asking if you want to exclude all out-of-scope items. For now, I clicked “no”.

If you go back to the Site Map tab, you’ll see that all of the sites are still listed.

We need to apply our scope to the list. Click the filter bar and check “Show only in-scope items” and then click the filter bar again to hide it.

Now, you should only see XSS Game urls in the lefthand pane of the Site Map.

Burp Suite Recap

In this blog post, we covered installation and setup of BurpSuite and a proxy tool. We intercepted our first request, and reviewed filtering, options, and HTTP history in the Proxy section. Finally, we looked at the Site Map in the Target Tool, as well as how filtering, scope and icons work within this section.

Next up will be Spider, Intruder and Repeater!

Burp Proxy lies at the heart of Burp's user-driven workflow. It operates as a web proxy server between your browser and target applications, and lets you intercept, inspect, and modify the raw traffic passing in both directions. In this section, we'll take you through some of the core features of Burp Proxy so that you can familiarize yourself with how it works.

Note: Using Burp Proxy may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Proxy against non-production systems.

Burp Proxy works in conjunction with the browser that you are using to access the target application. You can either:

  • Use Burp's embedded browser, which requires no additional configuration. Go to the 'Proxy' > 'Intercept' tab and click 'Open Browser'. A new browser session will open in which all traffic is proxied through Burp automatically. You can even use this to test over HTTPS without the need to install Burp's CA certificate.
  • Use an external browser of your choice. For various reasons, you might not want to use Burp's embedded browser. In this case, you need to perform some additional steps to configure your browser to work with Burp, and install Burp's CA certificate in your browser.

Once you have confirmed that your browser is successfully proxying traffic through Burp, you can perform the following steps to help you understand how to use Burp Proxy:

In Burp, go to the 'Proxy' > 'Intercept' tab, and ensure that interception is on (if the button says 'Intercept is off' then click it to toggle the interception status).

In your browser, visit any URL. The browser will send a request but will then be stuck waiting for a response.

In Burp, go back to the 'Proxy' > 'Intercept' tab. You should see your browser's request displayed for you to view and edit. Use the Inspector tool to see the different ways of analyzing the message.

Click the 'Forward' button to send the request to the server. In most cases, your browser will make more than one request in order to display the page (for images, etc.). Look at each subsequent request and then forward it to the server. When there are no more requests to forward, your browser should have finished loading the URL you requested.

In your browser, click the 'Refresh' button to reload the current page.

In Burp, this time edit the request on the 'Proxy' > 'Intercept' tab. Photoshop elements 2019 reviews. Change the URL in the first line of the request so that a non-existent item is requested. Forward the request (and any subsequent ones) to the server, then look back in your browser. Although your browser requested the same URL as before, you should see a 'Not found' message. This is because you changed the outgoing request on the fly within Burp.

Burp Proxy Settings Yahoo

In Burp, go to the 'Proxy' > 'HTTP history' tab. This contains a table of all HTTP messages that have passed through the Proxy. Select an item in the table, and look at the HTTP messages in the message editor. If you select the item that you modified, you can choose to display either the original or edited request from the drop-down menu.

Click on a column header in the Proxy history. This sorts the contents of the table according to that column. Click the same header again to reverse-sort on that column, and again to clear the sorting and show items in the default order. Try this for different columns.

Within the history table, click on a cell in the leftmost column, and choose a color from the drop-down menu. This will highlight that row in the selected color.

In another row, double-click within the 'Comment' column and type a comment. You can use highlights and comments to annotate the history and identify interesting items.

Above the history table there is a filter bar. Click on the filter bar to show the options available. Try changing the filter settings in various ways, and see the effect on what is shown in the history table. When the Proxy history has become very large, you can use the filter to hide certain types of items, to help find items you are looking for.

Select an item in the history, and show the context menu (usually, by right-clicking your mouse). The options on the context menu are used to drive your testing workflow within Burp. Choose 'Send to Repeater', and go to the 'Repeater' tab.

In Burp Repeater, you will see the selected request has been copied into the Repeater tool for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.

Go to the 'Proxy' > 'Options' tab, and look at all the options that are available. These can be used to change the behavior of the Proxy listeners, define rules to determine what request and response messages are intercepted by the Proxy, perform automatic modification of messages, and control the Proxy's behavior in other ways. For more details, see Burp Proxy Options.

Use the links below for further help on starting to use Burp Proxy: