Burp Suite Proxy Tool

The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works 'under the hood'. It operates as a web proxy server, and sits as a man-in-the-middle between your browser and destination web servers. This lets you intercept, inspect, and modify the raw traffic passing in both directions.


If the application employs HTTPS, Burp breaks the TLS connection between your browser and the server, so that even encrypted data can be viewed and modified within Burp's tools.

Burp Suite is a popular penetration testing tool used to check web application security. To discover hidden flaws, you route browser traffic through a proxy such as Burp Suite; a browser extension like FoxyProxy lets you switch the proxy on and off manually.

Getting set up

Burp Proxy works in conjunction with the browser that you are using to access the target application. You can either:

  • Use Burp's embedded browser, which requires no additional configuration. Go to the 'Proxy' > 'Intercept' tab and click 'Open Browser'. A new browser session will open in which all traffic is proxied through Burp automatically. You can even use this to test over HTTPS without the need to install Burp's CA certificate.
  • Use an external browser of your choice. For various reasons, you might not want to use Burp's embedded browser. In this case, you need to perform some additional steps to configure your browser to work with Burp, and install Burp's CA certificate in your browser.

When you have things set up, visit any URL in your browser, then go to the 'Proxy' > 'Intercept' tab in Burp Suite. If everything is working, you should see an HTTP request displayed for you to view and modify. You will need to forward HTTP messages as they appear in order to continue browsing. You should also see entries appearing on the 'HTTP history' tab.

Intercepting requests and responses

The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow:

  • Manually reviewing intercepted messages is often key to understanding the application's attack surface in detail.
  • Modifying request parameters often allows you to quickly identify common security vulnerabilities.

Intercepted requests and responses are displayed in an HTTP message editor, which contains numerous features designed to help you quickly analyze and manipulate the messages.

By default, Burp Proxy intercepts only request messages, and does not intercept requests for URLs with common file extensions that are often not directly interesting when testing (images, CSS, and static JavaScript). You can change this default behavior in the interception options. For example, you can configure Burp to only intercept in-scope requests containing parameters, or to intercept all responses containing HTML.

You may often want to turn off Burp's interception altogether, so that all HTTP messages are automatically forwarded without requiring user intervention. You can do this using the master interception toggle in the Intercept tab.
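The defaults described above (intercept requests only, skip static file extensions, optionally restrict to in-scope requests that carry parameters) can be modelled as a small rule engine. The following is an added example written for this page; it is not Burp's own code. The static-extension list, the rule names and the sample requests are this example's own assumptions, constructed to show which messages would be held in the Intercept tab and which would be forwarded automatically.

```python
"""Model of Burp Proxy's interception decision (added example, not Burp's code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Extensions treated as "not directly interesting"; the exact list is an assumption.
STATIC_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".js", ".svg", ".woff"}


@dataclass
class InterceptRules:
    enabled: bool = True                 # master interception toggle
    skip_static: bool = True             # default: ignore images/CSS/JS
    in_scope_only: bool = False          # only hosts listed in scope_hosts
    require_parameters: bool = False     # only requests with query/body parameters
    scope_hosts: set = field(default_factory=set)


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def has_parameters(req: dict) -> bool:
    """True if the request carries query-string or URL-encoded body parameters."""
    if parse_qsl(urlsplit(req["target"]).query):
        return True
    ctype = req["headers"].get("content-type", "")
    return ctype.startswith("application/x-www-form-urlencoded") and bool(parse_qsl(req["body"]))


def should_intercept(raw: str, rules: InterceptRules) -> bool:
    """Decide whether this request would be held for review or forwarded automatically."""
    if not rules.enabled:
        return False
    req = parse_request(raw)
    last_segment = urlsplit(req["target"]).path.rsplit("/", 1)[-1]
    ext = last_segment[last_segment.rfind("."):].lower() if "." in last_segment else ""
    if rules.skip_static and ext in STATIC_EXTENSIONS:
        return False
    host = req["headers"].get("host", "").split(":")[0]
    if rules.in_scope_only and host not in rules.scope_hosts:
        return False
    if rules.require_parameters and not has_parameters(req):
        return False
    return True


# Constructed sample requests (hostnames are placeholders).
LOGIN = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=x")
LOGO = "GET /static/logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SEARCH = "GET /search?q=test HTTP/1.1\r\nHost: shop.example\r\n\r\n"
HOME = "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
THIRD_PARTY = "GET /api?v=1 HTTP/1.1\r\nHost: cdn.example\r\n\r\n"

if __name__ == "__main__":
    default = InterceptRules()
    focused = InterceptRules(in_scope_only=True, require_parameters=True,
                             scope_hosts={"shop.example"})
    for name, raw in [("login", LOGIN), ("logo", LOGO), ("search", SEARCH),
                      ("home", HOME), ("third-party", THIRD_PARTY)]:
        print(f"{name:12s} default={should_intercept(raw, default)!s:5s} "
              f"focused={should_intercept(raw, focused)}")
```

With the default rules the logo request is forwarded while everything else is held; with the "in-scope requests containing parameters" rules only the login and search requests are held, so the tester is not interrupted by static content or third-party hosts.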

Using the Proxy history

Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks. Sometimes you may want to completely disable interception in the Intercept tab, and freely browse a part of the application's functionality, before carefully reviewing the resulting requests and responses in the Proxy history.

Burp provides the following functions to help you analyze the Proxy history:

  • The history table can be sorted by clicking on any column header (clicking a header cycles through ascending sort, descending sort, and unsorted). This lets you quickly group similar items and identify any anomalous items.
  • You can use the display filter to hide items with various characteristics.
  • You can annotate items with highlights and comments, to describe their purpose or identify interesting items to come back to later.
  • You can open additional views of the history using the context menu, to apply different filters or help test access controls.

Burp Proxy testing workflow

A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. You can do this using the context menus that you can access by right-clicking in various locations throughout Burp.

For example, having observed an interesting request in the Proxy, you might want to:

  • quickly perform a vulnerability scan of just that request, using Burp Scanner;
  • send the request to Repeater to manually modify the request and reissue it over and over;
  • send the request to Intruder to perform various types of automated customized attacks;
  • send the request to Sequencer to analyze the quality of randomness in a token returned in the response.

You can perform all these actions and various others from the context menus that appear in both the Intercept tab and the Proxy history.

Key configuration options for Burp Proxy

For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options:


  • You might need to modify the Proxy listener, to bind to different interfaces, redirect requests to different hosts, handle server TLS certificates differently, or support invisible proxying for non-proxy-aware clients.
  • You can configure the Proxy to automatically modify HTTP responses in various systematic ways; for example, to unhide hidden form fields, remove JavaScript form validation, etc.
  • You can configure match / replace rules to automatically change the content of requests and responses.
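The two response-modification features just described (systematic rewrites such as unhiding hidden form fields, and regex match / replace rules on requests and responses) are illustrated below by an added example written for this page; it is not Burp's own implementation. The rule shape (a "where" selector plus a regular expression and replacement), the Content-Length fix-up and the sample messages are this example's own assumptions, constructed to show what the rewritten messages look like.

```python
"""Added example of Burp-style match/replace and response rewriting (not Burp's code)."""
import re
from dataclasses import dataclass


@dataclass
class MatchReplaceRule:
    where: str      # "request_header", "response_header" or "response_body" (assumed names)
    match: str      # regular expression applied line by line
    replace: str    # replacement text; backreferences such as \1 are allowed


def apply_rules(text: str, rules, where: str) -> str:
    """Apply every rule for one message part to that part's text."""
    for rule in rules:
        if rule.where == where:
            text = re.sub(rule.match, rule.replace, text, flags=re.MULTILINE)
    return text


def rewrite_request(raw: str, rules) -> str:
    """Rewrite request headers only; the body is passed through unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    return apply_rules(head, rules, "request_header") + sep + body


def unhide_hidden_fields(html: str) -> str:
    """Turn <input type="hidden"> into type="text" so the field renders in the browser."""
    return re.sub(r'(<input\b[^>]*\btype\s*=\s*["\']?)hidden(["\']?)',
                  r"\1text\2", html, flags=re.IGNORECASE)


def rewrite_response(raw: str, rules, unhide: bool = False) -> str:
    """Apply header and body rules, optionally unhide fields, and fix Content-Length."""
    head, sep, body = raw.partition("\r\n\r\n")
    head = apply_rules(head, rules, "response_header")
    body = apply_rules(body, rules, "response_body")
    if unhide:
        body = unhide_hidden_fields(body)
    # The body length changed, so the framing header must be updated or the
    # browser would truncate or hang waiting for bytes that never arrive.
    head = re.sub(r"^Content-Length:[^\r\n]*", f"Content-Length: {len(body.encode())}",
                  head, flags=re.MULTILINE | re.IGNORECASE)
    return head + sep + body


# Constructed sample rules and messages (hostnames and values are placeholders).
# Header patterns use [^\r\n]* rather than .* so the trailing \r of a line survives.
RULES = [
    MatchReplaceRule("request_header", r"^User-Agent:[^\r\n]*", "User-Agent: ProxyExample/1.0"),
    MatchReplaceRule("response_body", r' onsubmit="return validate\(\)"', ""),
]
REQUEST = "GET /account HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 88\r\n\r\n"
            '<form onsubmit="return validate()">'
            '<input type="hidden" name="role" value="user"></form>')

if __name__ == "__main__":
    print(rewrite_request(REQUEST, RULES))
    print(rewrite_response(RESPONSE, RULES, unhide=True))
```

Removing client-side validation and exposing hidden fields is useful for understanding what the server actually trusts: if editing the now-visible "role" field changes server behaviour, the application relies on a client-controlled value, which is a finding to report and fix server-side.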

Burp Scanner

Burp Scanner automates the task of scanning web sites for content and vulnerabilities. Depending on configuration, the Scanner can crawl the application to discover its content and functionality, and audit the application to discover vulnerabilities. By default, all scans will use Burp's embedded browser to ensure maximum coverage through browser-powered scanning. You can also provide sets of user credentials so that Burp Scanner can discover and audit content that is only accessible to authenticated users. Importing full login sequences even enables Burp Scanner to handle more complex login mechanisms, including single sign-on.

Launching scans

Scans can be launched in a variety of ways:

  • Scan from specific URLs. This performs a scan by crawling the content within one or more provided URLs, and optionally auditing the crawled content. To do this, go to the Burp Dashboard, and click the 'New scan' button. This will open the scan launcher which lets you configure details of the scan.
  • Scan selected items. This lets you perform an audit-only scan (no crawling) of specific HTTP requests. To do this, select one or more requests anywhere within Burp, and select 'Scan' from the context menu. This will open the scan launcher which lets you configure details of the scan.
  • Live scanning. You can use live scans to automatically scan requests that are processed by other Burp tools, such as the Proxy or Repeater tools. You can configure precisely which requests are processed, and whether they should be scanned to identify content or audit for vulnerabilities. To do this, go to the Burp Dashboard, and click the 'New live task' button. This will open the live scan launcher which lets you configure details of the task.
  • Instant scanning. You can also launch instant active or passive scans from the context menu. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

Configuring scans


You can launch multiple scans in parallel, and each scan has its own configuration options that determine exactly how the scan is carried out. There are two key areas of configuration:

  • Crawl options. These options control behavior like maximum link depth, how the crawler optimizes for speed versus coverage, and limits on the extent of the crawl. You can also enable or disable some of Burp Scanner's miscellaneous features, such as browser-powered scanning and API scanning.
  • Audit options. These options control behavior like the handling of insertion points and what detection methods are employed. These options are very important in controlling what type of audit activity will be performed, from a lightweight purely passive analysis through to a heavyweight invasive scan.

Monitoring scan activity

You can monitor the progress and results of a scan in various ways:

  • The Burp Dashboard shows metrics about the progress of each task, and the issue activity log shows the issues that are reported by all scanning tasks.
  • You can open the task details window for an individual scan, to view the issue activity log for only that scan, and a detailed view of the audit items for applicable tasks.
  • The Target site map shows all of the content and issues that have been identified, organized by domain and URL.

Reporting


You can generate reports of issues found via Burp Scanner in HTML format. You can also export issues in XML format suitable for importing into other tools.
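When the XML export is fed into other tools, the receiving side has to parse it and decide what deserves attention. The script below is an added example written for this page, not part of Burp or its documentation. It assumes the general shape of the export (an issues element containing issue elements with serialNumber, name, host, path, severity, confidence and a base64-encoded request); the sample report is constructed here with placeholder hosts and issue names, and a real export may carry additional elements that this parser simply ignores.

```python
"""Added example: triage a Burp Scanner XML issue export (not Burp's own code)."""
import base64
from collections import Counter
import xml.etree.ElementTree as ET

# Burp's severity and confidence labels, ranked so they can be compared.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}

# Constructed sample export. Element names follow the assumed export shape;
# the request is base64-encoded in the same way the real export encodes it.
_REQ = base64.b64encode(b"GET /search?q=test HTTP/1.1\r\nHost: shop.example\r\n\r\n").decode()
SAMPLE_XML = f"""<?xml version="1.0"?>
<issues burpVersion="constructed" exportTime="constructed">
  <issue>
    <serialNumber>1</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="198.51.100.10">https://shop.example</host>
    <path>/search</path>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request method="GET" base64="true">{_REQ}</request>
    </requestresponse>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <name>SQL injection</name>
    <host ip="198.51.100.10">https://shop.example</host>
    <path>/item</path>
    <severity>Medium</severity>
    <confidence>Tentative</confidence>
  </issue>
  <issue>
    <serialNumber>3</serialNumber>
    <name>Cookie without HttpOnly flag set</name>
    <host ip="198.51.100.10">https://shop.example</host>
    <path>/login</path>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
  <issue>
    <serialNumber>4</serialNumber>
    <name>Robots.txt file</name>
    <host ip="198.51.100.10">https://shop.example</host>
    <path>/robots.txt</path>
    <severity>Information</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""


def _text(node, tag: str) -> str:
    el = node.find(tag)
    return (el.text or "").strip() if el is not None else ""


def parse_issues(xml_text: str) -> list:
    """Flatten each <issue> into a dict; decode the base64 request when present."""
    # For reports from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    issues = []
    for node in root.iter("issue"):
        req_el = node.find("requestresponse/request")
        request = ""
        if req_el is not None and req_el.text:
            raw = req_el.text.strip()
            request = (base64.b64decode(raw).decode("utf-8", "replace")
                       if req_el.get("base64") == "true" else raw)
        issues.append({
            "serial": _text(node, "serialNumber"), "name": _text(node, "name"),
            "host": _text(node, "host"), "path": _text(node, "path"),
            "severity": _text(node, "severity"), "confidence": _text(node, "confidence"),
            "request": request,
        })
    return issues


def summarize(issues) -> dict:
    """Count issues per severity, e.g. for a dashboard or a build gate."""
    return dict(Counter(i["severity"] for i in issues))


def triage(issues, min_severity: str = "Medium", min_confidence: str = "Firm") -> list:
    """Keep issues at or above both thresholds, most serious first."""
    keep = [i for i in issues
            if SEVERITY_RANK.get(i["severity"], -1) >= SEVERITY_RANK[min_severity]
            and CONFIDENCE_RANK.get(i["confidence"], -1) >= CONFIDENCE_RANK[min_confidence]]
    return sorted(keep, key=lambda i: (-SEVERITY_RANK[i["severity"]],
                                       -CONFIDENCE_RANK[i["confidence"]], i["path"]))


if __name__ == "__main__":
    found = parse_issues(SAMPLE_XML)
    print(summarize(found))
    for issue in triage(found):
        print(issue["severity"], issue["confidence"], issue["name"], issue["path"])
```

Filtering on confidence as well as severity matters: a Medium/Tentative finding is a candidate for manual confirmation in Repeater, not something to fail a pipeline on, whereas a High/Certain one is.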


Additional information


You can find additional information about specific topics on the following Support pages: