November 2, 2018
It can be difficult to find a guide on the basics for effectively using PortSwigger’s Web Security’s Java-based graphical tool, Burp. To that end, I’m going to review how you can simply view requests in Burp Suite and modify them. The Community Edition, which can be downloaded free of charge, is sufficient for this.
I’m working on the assumption that you have already set up the burp suite with a browser. If you haven’t yet configured it, follow this set of instructions.
Step 1: Let's dig in
First, launch Burp and the browser you’ll be using.
With Burp in view, you’ll see that there are quite a few tabs available. For this tutorial, we’ll be sticking to the first two, Target and Proxy.
Step 2: Adding the proxy to Burp
We need to make sure that Burp can talk to the proxy, which you want to match to the one you’ve set in your browser.
Click Proxy -> Options, then Add the same address and port that you set-up with your browser.
So for example, if your browser HTTP is using 127.0.0.1 (local host) and the port number is 2000, then in Bind to port, you would enter 2000 and leave the address pointing to 127.0.0.1, which is its default setting.
Once this is established, go ahead and visit a webpage. For the purpose of this tutorial, we’ll take a look at this website. It’s advisable to only use websites that you have permission to scan, especially if you’re unfamiliar with these tools. Here’s a list of 40 websites with which you can practice your skills.
Step 3: Don't forget the intercept button!
Hang on! Page isn’t loading? You will encounter this because there’s a feature in these security tools known as the Intercept tool. What this does essentially is catch the request that you make, which shows in the browser as the webpage continuously trying to load. Recalling that security tools, or proxies, go between the browser and the server, it catches the requests to and fro.
For now, let’s go to the Intercept tab. You’ll see a bunch of text, which is the request that you just made. We can tell it’s a GET request because it says this on the first line. If it was a POST request, it’d say POST, but all we did was GET the information by going to the webpage. You can see a few more tabs, each providing you with the same information in different forms. For now, let’s click the Intercept is on button. This will disable the intercept feature.
With Intercept off, you’ll notice that your webpage has now loaded, if not, just refresh it. Go ahead and navigate around the website, and try to submit a form.
There you have it! When you look at Burp now, you’ll now see that there are quite a few requests being shown in Proxy -> HTTP history. This is where you’ll see all of the requests Burp has caught. As you can see from the Method tab, there are a mix of GET and POST requests, the status of each one, the host name, URL, timestamp and more.
Clicking on any request will show you what it contains, as was the case when Burp intercepted the earlier request and Intercept was enabled. You’ll see both the request and response and in some cases, the rendered view of the response. Determine if you can identify which request was responsible for what.
Scanning a website for requests and responses is one of many things you can do with Burp. For example, you can right-click to send a request to the Intruder tab, which will allow you to use payloads on certain areas like SQLi (SQL injection), using a list of passwords etc. With the Repeater, you can repeat specific requests you’ve already made.
Step 4: Intercepting requests
Let’s briefly talk about intercepting and modifying requests.
As you recall from earlier steps, if a request has been intercepted, you’ll see it paused in Burp and your browser. What we can do here is edit the request that has been made. If you go to this URL and enter some text (which you will also need to give a rating), enable Intercept, then submit that form on the web page, and you’ll see that request in Burp. You can then edit the comment, the cookies, or anything else.
- Forward: Forwards the message to the browser or server.
- Drop: Completely drops the message and does not forward it.
- Action: Lists actions to take with the current message. This includes sending these to the other tabs, copying as a curl command etc.
Step 5: Keep practicing
That’s all there is to it! We’ve learned how to get Burp to catch some requests, as well as view and modify them. We’ve even learned about how these tools operate between the browser and the server. Tools like these are very powerful when used correctly, and there’s a lot more you can do with them, so keep practicing!
Enjoyed reading this blog? You will certainly like this blog about Liferay Tips & Tricks.