When building a mobile app, there are several situations in which engineers need to observe the app’s traffic to its Application Programming Interface (API), for example to test the app’s performance or to look for vulnerabilities. Burp Suite is a tool from PortSwigger that lets you monitor an app’s API traffic and manipulate both the requests the app sends and the responses it receives from the server.
Burp Suite must run on a machine that the mobile device can reach over the network, usually the same Wi-Fi network. This does not mean that anyone can use Burp Suite to intercept any device on that network: the device to be monitored must have the CA certificate generated by Burp Suite installed and trusted, and its proxy settings must point at the Burp listener, as described in the steps below. Without both, TLS connections from the device simply fail with a certificate error rather than being silently read. Apps that pin their server certificate will reject Burp’s certificate even after these steps.
Burp Suite is an intercepting HTTP proxy and the de facto tool for web application security testing. It is highly functional and has an intuitive, user-friendly interface. Its Proxy function allows very fine-grained interception rules and a clear view of the structure and contents of HTTP messages. Burp also bundles other tools; Burp Sequencer, for example, analyzes how random a value such as a session ID is: the tester intercepts (with Burp Proxy) the request whose response contains the session ID, sends that request to Sequencer, chooses the field in the response whose randomness is to be analyzed (the session ID here), and launches Sequencer. This tutorial uses only the Proxy.
To use Burp for API monitoring, you need a laptop with Burp Suite installed (download it from PortSwigger; the free Community Edition is enough for this tutorial) and a device (Android or iOS) with the app installed. Both must be on the same network, and the device must be able to reach the laptop; client isolation on guest Wi-Fi networks blocks this.
- Optionally, click on the “Target” tab and add the app’s API base URL to scope; Burp also lets you paste the URL directly. As can be seen below, Burp then asks whether to stop logging out-of-scope items. Answer “Yes” to keep the proxy history and the Burp save file smaller. The target has now been added to scope.
Configuring Burp Suite
For the configuration, open Burp Suite and click “Next” through the project start-up dialogs until the main interface appears:
Click on the “Proxy” tab, then on the “Options” tab (in recent Burp versions these options live under Settings, in the Proxy section). Go to the section called “Proxy Listeners” and click the “Add” button. A box called “Add a new proxy listener” pops up, opened on a tab labelled “Binding”.
In the box next to “Bind to port”, type a port number that is not currently in use (this tutorial uses 8888). For “Bind to address”, choose “Specific address” and select the laptop’s IP address on the network the phone is connected to (192.168.8.100 in the example below); the default listener on 127.0.0.1:8080 is only reachable from the laptop itself. Binding to a LAN address exposes the listener to every host on that network, so stop or remove it when you are done. When all is done, click OK.
After the pop-up closes, still in the “Options” tab, scroll down to the section called “Intercept Client Requests”, which is followed by a table of request interception rules. Here you add rules so that both HTTP and HTTPS requests are intercepted.
To add the rule for HTTP, follow these steps:
- Click the “Add” button, and a box called “Add request interception rule” will pop up.
- For Boolean operator, choose “Or”
- For Match Type, choose “Protocol”
- For Match Relationship, choose “Is HTTP”
- Click OK
Follow the same steps to add the rule for HTTPS, this time selecting “Is HTTPS” for the Match Relationship.
After you have added the two rules, look at the table under “Intercept Client Requests” again. Make sure that only these two rules are ticked and that the other (default) rules are unticked; the default rules skip part of the traffic (for example requests for static files, matched by file extension), which would hide some of the app’s API calls.
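Before configuring the phone, it is worth checking from the laptop that the listener really is reachable on the address and port the phone will be given. The script below is an added example, not code from the original article or from PortSwigger. It assumes the listener is addressed as [ip]:[port] (192.168.8.100:8888 in this tutorial) and that a plain, non-proxied GET to the listener’s root returns Burp’s welcome page, whose HTML contains the text “Burp Suite”.

```python
"""Smoke-test the Burp proxy listener from the laptop before touching the phone.

Added example; not code from the original article or from PortSwigger.
Assumptions: the listener is reachable as [ip]:[port] (192.168.8.100:8888 in
this tutorial) and a plain GET to its root returns Burp's welcome page, whose
HTML contains the text "Burp Suite".
"""
import http.client
import socket
import sys


def parse_endpoint(endpoint: str) -> tuple:
    """Split the "[ip]:[port]" string the phone will be given into host and port."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected [ip]:[port], got {endpoint!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return host, port_num


def check_listener(endpoint: str, timeout: float = 3.0) -> dict:
    """Report what a device on the network would see when pointed at `endpoint`.

    reachable     - the TCP port accepts connections
    is_burp       - the service answering is Burp (welcome page), not something else
    loopback_only - the address is 127.x or localhost, which a phone can never
                    reach; this is what you get when the listener was left on
                    the default binding
    """
    host, port = parse_endpoint(endpoint)
    result = {"reachable": False, "is_burp": False,
              "loopback_only": host == "localhost" or host.startswith("127.")}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["reachable"] = True
    except OSError:
        return result
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # A direct (non-proxied) request to the listener is answered by Burp itself.
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(8192).decode("utf-8", "replace")
        result["is_burp"] = resp.status == 200 and "Burp Suite" in body
    except (OSError, http.client.HTTPException):
        pass
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.8.100:8888"
    print(check_listener(target))
```

Run it with the same `[ip]:[port]` you will type into the phone. `reachable: False` with `loopback_only: True` means the listener is still on the default 127.0.0.1 binding; `reachable: True, is_burp: False` means something other than Burp is answering on that port, which would make the phone’s traffic go somewhere you did not intend.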
Installing certificate in the Android/iOS device
To install the Burp Suite certificate on your device, so that Burp Suite can decrypt its traffic, first open the device’s browser and type the IP address of the laptop running Burp Suite followed by the port you selected when configuring the listener, in the format [ip]:[port] (for example 192.168.8.100:8888). Burp’s welcome page appears; tap “CA Certificate” to download the certificate.
On iOS, a pop-up then asks you to allow the website to download a configuration profile. Select “Allow”, then open Settings, where the downloaded PortSwigger CA profile is listed, and select “Install” to install the certificate. On Android, rename the downloaded cacert.der to cacert.cer and install it as a CA certificate from the security settings (the exact menu path varies by Android version).
Next, set the device’s proxy configuration to manual. Still in Settings, go to Wi-Fi and tap the “i” (information) button next to the network you are using. Under the HTTP Proxy section choose “Configure Proxy”, select “Manual”, enter the laptop’s IP address as the server and the listener port as the port (192.168.8.100 and 8888 in the example), then tap “Save”. On Android, the equivalent is the proxy setting in the Wi-Fi network’s advanced options.
If you’re using iOS, the certificate must additionally be marked as trusted, so the following steps should be taken:
- Still in your device’s “Settings” window, click on “General”.
- Select “About”
- Click on “Certificate Trust Settings”
- Enable full trust for “PortSwigger CA”
Note: do not forget to turn this off, and to remove the PortSwigger CA profile and the manual proxy setting, after you have completed the API testing. While they are in place, whoever controls that listener can read the device’s traffic.
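The steps above are enough for iOS, but on Android 7 and later apps ignore CA certificates installed by the user unless they opt in through their network security config. For a debug build of your own app you can add a network security config that trusts user certificates; for any other app the option is a rooted device or an emulator started with -writable-system, where the certificate goes into the system store under the file name OpenSSL’s `-subject_hash_old` would give it. The script below is an added example, not code from the original article or from PortSwigger; it assumes cacert.der is the file downloaded from the listener’s “CA Certificate” link (the /cert path), and it only prints the adb commands (whose exact form varies by Android version) rather than running them.

```python
"""Prepare Burp's CA certificate for the Android *system* trust store.

Added example; not code from the original article or from PortSwigger.
Android names system CA files after OpenSSL's old subject-name hash: the
first four bytes of MD5(DER-encoded subject Name), read little-endian, as
eight hex digits, plus ".0". The file content is PEM.

Assumptions: cacert.der was downloaded from the listener's "CA Certificate"
link (the /cert path); the adb commands are printed, not executed.
"""
import base64
import hashlib
import os
import sys


def _tlv(buf: bytes, pos: int):
    """Parse one DER TLV at `pos`; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_der(cert_der: bytes) -> bytes:
    """Return the DER encoding of the certificate's subject Name (tag and length included)."""
    tag, pos, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER certificate"
    tag, pos, _ = _tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "not a DER certificate"
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # [0] EXPLICIT version, absent in v1 certs
        pos = end
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)        # subject ::= Name (SEQUENCE)
    assert tag == 0x30, "subject is not a SEQUENCE"
    return cert_der[pos:end]


def android_cert_name(cert_der: bytes) -> str:
    """File name Android expects: OpenSSL X509_NAME_hash_old of the subject + ".0"."""
    md = hashlib.md5(subject_der(cert_der), usedforsecurity=False).digest()
    return "%08x.0" % int.from_bytes(md[:4], "little")


def der_to_pem(der: bytes) -> str:
    """The system store holds PEM text despite the .0 extension."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def system_store_plan(cert_der: bytes, out_dir: str = ".") -> dict:
    """Write <hash>.0 into out_dir and return the adb commands that would install it."""
    name = android_cert_name(cert_der)
    path = os.path.join(out_dir, name)
    with open(path, "w") as fh:
        fh.write(der_to_pem(cert_der))
    remote = "/system/etc/security/cacerts/" + name
    commands = [
        "adb root",
        "adb remount",                       # rooted device or -writable-system emulator
        f"adb push {path} {remote}",
        f"adb shell chmod 644 {remote}",
        "adb reboot",                        # the system store is read at boot
    ]
    return {"file": path, "commands": commands}


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "cacert.der"
    with open(src, "rb") as fh:
        plan = system_store_plan(fh.read())
    print("wrote", plan["file"])
    print("\n".join(plan["commands"]))
```

You can cross-check the file name against `openssl x509 -inform DER -in cacert.der -noout -subject_hash_old`. Whichever route you use, a system-store CA is far more dangerous to leave behind than a user-store one, so remove it from the test device when you are done.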
Monitoring API and manipulating Requests/Responses
After the certificate is installed on the device, you can start monitoring and manipulating traffic. Go back to Burp Suite, select the “Proxy” tab, then the “Intercept” tab, and make sure “Intercept is on”. Once you open the application on the device, its requests appear in the Intercept tab, where you can edit them before forwarding. The following picture demonstrates what happens when a request from the app is manipulated while searching for the keyword kereta dorong (Indonesian for “stroller”) on the iPhone.
This is an effective way to test how the app behaves when the server answers with 5xx or 4xx responses, since you can alter the status line and body of a response in Intercept before it reaches the app. The alternative, asking the backend team to shut the server down or return errors on purpose, is much harder to arrange. You can experiment with this tutorial and adjust it according to your needs.
This article was originally published on Medium by our mobile engineer, Ashari Juang. Check our website to learn more about what Juang and the team can do for your business!