As a web proxy designed for penetration testing, specifically the modification of your web traffic, you’ll want to use Burp to intercept and modify your web traffic. Once you’ve got Burp installed, and your system configured to route your web traffic through the proxy, there are a number of ways to see and modify your traffic. Burp Suite Intercept Tab Before changing the password in DVWA make sure to switch proxy in FoxyProxy and keep intercept on. After hitting on the change tab you will see Burp Suite will Automatically pop up and request which is going to send to DVWA application is intercepted by it. WHAT IS BURP SUITE Burp Suite is a Java-based web penetration testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting Read more https://www.itjd.in/burpsuite-tutorial-pdf2020/.
The Intercept tab is used to display and modify HTTP and WebSocket messages that pass between your browser and web servers. The ability to monitor, intercept and modify all messages is a core part of Burp's user-driven workflow. In Burp Proxy's options, you can configure interception rules to determine exactly what HTTP requests and responses are stalled for interception (for example, in-scope items, items with specific file extensions, requests with parameters, etc.). You can also configure which WebSocket messages are intercepted.
When an intercepted message is being displayed, details of the destination server are shown at the top of the panel. For HTTP requests, you can manually edit the target server to which the request will be sent, by clicking on the server caption or the button next to it.
The panel also contains the following controls:
- Forward - When you have reviewed and (if required) edited the message, click 'Forward' to send the message on to the server or browser.
- Drop - Use this to abandon the message so that it is not forwarded.
- Interception is on/off - This button is used to toggle all interception on and off. If the button is showing 'Intercept is on', then messages will be intercepted or automatically forwarded according to the configured options for interception of HTTP and WebSocket messages. If the button is showing 'Intercept is off' then all messages will be automatically forwarded.
- Action - This shows a menu of available actions that can be performed on the currently displayed message. These are the same options that appear on the context menu of the intercepted message display.
- Comment field - This lets you add a comment to interesting items, to easily identify them later. Comments added in the intercept panel will appear in the relevant item in the Proxy history. Further, if you add a comment to an HTTP request, the comment will appear again if the corresponding response is also intercepted.
- Highlight - This lets you apply a colored highlight to interesting items. As with comments, highlights will appear in the Proxy history and on intercepted responses.
Note: You can also use hotkeys to forward or drop intercepted messages. By default, Ctrl+F is used to forward the current message. You can modify the default hotkeys in the hotkey options.
The main panel of the Intercept tab contains a message editor that shows the currently intercepted message, allowing you to analyze the message and perform numerous actions on it.
The editor context menu contains numerous useful items. In addition to the standard functions provided by the editor itself, the following actions are available for HTTP messages:
- Don't intercept requests/responses - These commands allow you to quickly add an interception rule to prevent future interception of messages that share a specific feature with the currently displayed message (based on the host, file extension, HTTP status code, etc.). If you are being bugged by uninteresting requests or responses of a particular type, you can use this option to automatically forward all such messages.
- Do intercept - Available for requests only, this allows you to require that the response to the currently displayed request should be intercepted.
If you’ve done any web application pen testing or bug bounty hunting, you’re probably familiar with Burp Suite. If you haven’t used Burp Suite before, this blog post series is meant for you.
What is Burp Suite and why should you use it? Burp Suite is a suite of web application testing tools that help you intercept, modify and automate your interactions with a web application. If you do CTFs, this will make your life a lot easier. And if you want to get into web application, Burp Suite is a great tool to have.
This post covers installation, configuration, and the Target and Proxy tools.
Installation and Setup
Burp Suite (from now on, just “Burp”) has a free edition and a professional version. The pro option costs $400. You can request a 7 day trial of that here, or download the free Community Edition here.
Once you’ve downloaded and installed the program, you’ll need to configure your browser to direct the traffic to Burp Suite.
Burp functions by intercepting all traffic from a browser–allowing you to inspect it, modify it, etc.–and then forwarding the requests on. There are two options for proxying traffic to Burp.
- You can either configure proxy settings within your browser settings (not recommended as you have to manually turn this on or off each time).
- You can install a browser plug-in like FoxyProxy which lets you configure the proxy once, and then turn the proxy on/off with a single click.
I recommend downloading FoxyProxy, and then creating a profile for BurpSuite. You do this by clicking the FoxyProxy icon, and then clicking options.
Next, click Add and then fill out the form (I used IP address 127.0.0.1/localhost and port 8081).
Once you’ve saved that, you can click the FoxyProxy icon again and turn the proxy on.
Depending on which browser you use, you might want to make use of browser profiles so that settings, cookies, etc. are cleared for your web testing profile. Alternatively, you could use a different browser.
You also need to set up the Burp certificate so that HTTPS requests work properly (otherwise you will get certificate warnings). See this link for details on how to set that up.
You might also consider using a VPN so that your home IP address is not blacklisted by websites that make use of WAFs.
BurpSuite Proxy Settings
Once you’ve got your browser proxy and certificates set up, open up BurpSuite. If you have the free version, you will have to select “Temporary project.” Accept the default settings.
Then, you should see a bunch of tabs. Click the “Proxy” tab and then click “Options.”
You will need to click “Add” and add the IP address and port name that you configured in FoxyProxy.
Test everything out
With FoxyProxy enabled, and the same IP address and port configured in the Proxy Options tab of Burp Suite, navigate to a web page in the browser that is using FoxyProxy.
A good example site might be http://xss-game.appspot.com
The website won’t load, because Burp has intercepted the request.
If you go to Burp, you will see something like this:
Notice that the Proxy tab and Intercept tabs are both highlighted orange. This will happen when a new event has occurred in a given tab, or some kind of alert has been generated. We’ll see this again later when we send requests to other tools in Burp Suite.
You can look at the request and its headers in any of three tabs: Raw, Headers or Hex. To complete the request, click “Forward.” If you want to stop intercepting traffic, you can click “Intercept is on” and the text (and styling) will change to say “Intercept is off.”
By default, intercept is on when you open Burp.
We’ve already seen some of the Proxy tab while configuring the Proxy (Options sub-tab) and viewing our first intercepted request (Intercept tab).
If you click the HTTP History tab, you will see a chronological list of requests that Burp made. This includes the original URL we navigated to, future pages we navigate to, and all of the resources that are requested alongside those pages. For example, this screenshot shows the requests from two pages that I navigated to:
You can click on each of these and details will be loaded into the bottom pane.
Here are the sounds that have been tagged with Dinner Bell free from SoundBible.com Please bookmark us Ctrl+D and come back soon for updates! All files are available in both Wav and MP3 formats. Sampling Plus 1.0. Perfect doorbell sound effect as requests by tamale, thanks for the sound request. Loud dinner bell sound. Get Dinner bell Sounds from Soundsnap, the Leading Sound Library for Unlimited SFX Downloads. Download Dinner Bell sounds. 233 stock sound clips starting at $2. Download and buy high quality Dinner Bell sound effects.
If you right-click any response, you get a whole menu of options. You can add a comment, send the request to other Burp tools (which we’ll cover in upcoming blog posts), add to scope, request in browser, and more.
The concept of scope is important, and applies across many tools within Burp. We’ll cover this more in the Target section.
Burp Suite Cannot Intercept Https
Lastly, you can filter the HTTP history list by clicking this bar:
This filter bar appears in many places throughout the application. I wish the UI were different so it was more obvious that you can interact with it, but definitely click on it in various tools to get a sense of what your filtering options are.
As you select/de-select items, the filter bar preview will update to say what filter(s) you’ve selected.
Burp Suite Intercept Not Working
There are many other options in the Proxy > Options tab. I won’t list all of them here, but you can configure:
- What types of client requests to intercept
- Match and Replace, which allows you to use regexes to set HTTP headers. You could use this to automatically swap out your user-agent header or cookies, for example.
Next, let’s click on the Target tab and then click Site Map (if it isn’t already selected).
This is similar to the HTTP history in that it shows all of the web pages and resources that you’ve requested. The SiteMap, however, shows all of these requests in a tree view that matches the structure of the website.
You can see that the lefthand pane has the XSS Game website, plus a few others ites, like Google fonts.
If we open up the tree, we can see level1, static, and other folders and files underneath. Each of these requests can be loaded in the righthand pane, with more details about the request and response in the lower pane. This might seem redundant, and it kind of is, but there are benefits to different data perspectives.
Each of the items in the lefthand pane has an icon next to it:
- The gear icon means that it’s dynamic, or that it’s sent data. In this case, I typed “hi” into the level 1 input box and clicked Send.
- Directories are denoted by folder icons.
- Individual pages are denoted by page icons. Sometimes, these have styling to them (like the JS files).
Again, we can click the filter bar and select filters for the data. These filters can include keywords, MIME types, file types, status codes, and more. If you set filters and want to remove them, click the gear icon and select “restore defaults.”
Lastly, let’s talk about scope. Scope applies to many different tools, and can be configured either in the Target > Scope tab and/or individually in different tools.
Scope is an important concept, especially if you are pen testing. If you use other tools (like Spider, which we’ll cover in upcoming posts) without a scope set, it will be time-consuming, and might also send requests to websites other than the target site. So let’s scope down our results by clicking on the “Scope” tab.
Click “Add” in the “Include in scope” section. Because I am visiting the XSS Game site, I want to only include that in my scope (and not include Google fonts, etc.)
So, I enter “xss-game” into the pop-up and click OK.
You will see a pop-up asking if you want to exclude all out-of-scope items. For now, I clicked “no”.
If you go back to the Site Map tab, you’ll see that all of the sites are still listed.
We need to apply our scope to the list. Click the filter bar and check “Show only in-scope items” and then click the filter bar again to hide it.
Now, you should only see XSS Game urls in the lefthand pane of the Site Map.
Burp Suite Recap
In this blog post, we covered installation and setup of BurpSuite and a proxy tool. We intercepted our first request, and reviewed filtering, options, and HTTP history in the Proxy section. Finally, we looked at the Site Map in the Target Tool, as well as how filtering, scope and icons work within this section.
Next up will be Spider, Intruder and Repeater!