When I first started my journey into penetration testing, Burp Suite was one of those tools I struggled with. I just couldn’t make sense of it. It wasn’t intuitive, and I felt overwhelmed by the steep learning curve.
I must have gone through ungodly amounts of YouTube videos and TryHackMe modules, when someone finally said, “Burp Suite Repeater is just like cURL and Burp Intruder is FFUF.”
Wait a minute. I know those tools!
I wish I knew who to credit for this little nugget of information, because that lightbulb moment was a game changer. From that point on, everything began to make sense.
This guide is my attempt to provide a high level overview that will help you learn Burp Suite the way I wish someone had taught me.
Part 1 of 2:
In Part 1, we will lay a solid foundation for understanding Burp Suite and getting started with it. The topics covered will include:
What is Burp Suite?
Configuring FoxyProxy for Burp Suite
Adding Burp’s CA Certificate
First Look Inside Burp (Site Mapping and Setting the Scope)
Burp Suite Proxy: Endpoint Validation Example
Burp Suite is a comprehensive tool used in web application security testing that allows users to identify and exploit vulnerabilities. Put simply, it’s a tool that helps people find weaknesses in websites.
Burp Suite has many functions: web scraping, penetration testing, and vulnerability scanning. But at its core, Burp Suite acts as a web proxy that sits between the user’s browser and the web application. It will intercept the user’s HTTP requests, giving you the ability to modify specific parts of a request.
This tutorial uses Burp Suite Community Edition which is built into Kali Linux. However, if you do not have it, or want to download Burp Suite Professional, you can watch a video tutorial and download it here.
By default, Burp Suite proxy listener is set to 127.0.0.1:8080. You can see this by starting up Burp Suite and going to:
Proxy > Proxy setting > Proxy listeners
We need a way for our web traffic to go through Burp Suite, so let’s install FoxyProxy. Simply search for it on Google and choose the download for your particular web browser. I am using Firefox.
FoxyProxy works with Burp Suite by directing your web browser’s traffic through the Burp Suite proxy, allowing you to intercept, analyze, and manipulate the data before it gets to the web application.
Once installed, click on the FoxyProxy icon in your browser extensions.
Click on Quick Add. If you can’t find a quick add button, go to:
Options > Proxies > Add
Name it Burp or whatever title you choose. Add the proxy listener address (127.0.0.1 and port 8080) and then click Save.
To enable, you just click on the Burp proxy to start it up.
You will now be directing your web traffic to Burp Suite. Is FoxyProxy necessary? Not exactly. You can configure your proxy in your browser’s settings, but FoxyProxy makes it easier. It allows for switching between different proxy settings and simplifies the process of disabling the proxy.
We need to add Burp’s CA certificate to our settings so that our browser trusts Burp Suite to securely intercept and analyze encrypted web traffic.
With the proxy on, enter http://burp into your web browser. This should take you to the Welcome screen for the CA Certificate. This lets you know that Burp Suite is actually working and that your browser is communicating with the proxy. Click on CA Certificate to download it.
Now go to your browser settings to add the certificate. Go to Privacy & Security. Scroll down and click View Certificates.
Click on Import. Navigate to the Downloads folder and select the CA Certificate that you downloaded. There will be two trust checkboxes. Go ahead and check both of them and accept.
Once you hit OK, the certificate should be installed. To check, go to a website like Google and, in Burp Suite within the proxy tab, turn Intercept on. Refresh the webpage of your choice, and it should hang. You should see the webpage spinning and waiting. It’s waiting because we’re pushing all this traffic through the Burp Suite proxy. It’s all in Burp Suite, intercepted. We now have the ability to manipulate it (forward traffic, drop traffic, or modify traffic).
Now that FoxyProxy is downloaded and switched on, and Burp Suite’s certificate is added to our settings, all our web traffic is routed through Burp Suite.
Let’s take a look at what’s happening when we navigate to a website.
Every page that we visit while the Burp proxy is running will be displayed in the Site map. Burp begins site mapping or crawling the website. In the “Target” tab, you’ll see a tree structure on the left that represents the site’s various resources. Some text will appear in dark black, indicating links that have been accessed, while other text will be greyed out, signifying links identified by Burp Suite that haven’t yet been visited. This process of site mapping helps you visualize the structure and discover hidden resources.
Setting the Scope
As you can imagine, capturing and logging all the traffic can quickly become overwhelming, especially when you are trying to stay in scope for one specific target. Luckily, we can set the scope for the project, telling Burp to only log the traffic you are interested in.
Just take a look at all the sites and resources that come up when simply visiting tryhackme.com.
We can clean this up by right clicking on the tryhackme request and selecting Add to scope.
You can also edit your scope in the Target Scope tab.
Next, return to the Site map tab, click on the Site map filter towards the top, and we want to tell Burp to show only in-scope items.
Now we have cleaned it up, and the tree structure shows only our target scope: https://tryhackme.com
Even though we are only focusing on the target scope, the proxy is still intercepting everything. We can disable this by going to the proxy settings tab and enabling the intercept rule “And URL Is in target scope”.
When this option is enabled, the proxy will ignore any traffic that is not in scope.
Now that you understand how Burp Suite captures and logs traffic, let’s explore how to intercept a web request and modify its contents before sending it to the web application.
This exercise demonstrates how to test a web application’s endpoint validation. Proper input validation is crucial for security, and endpoints that accept numeric values should ensure that the input is indeed a positive integer within an acceptable range to prevent potential vulnerabilities.
This example involves altering the HTTP Request data to see how the application responds. Obviously, I cannot demonstrate a test on a real system, so I am utilizing a target web application from tryhackme.com.
STEP 1: Initial Setup
Disable Burp Intercept and navigate to the target at http://10.10.29.220/products. Click on the “See More” links to view different products and observe the URL pattern (e.g., /products/3). The purpose is to identify and understand the web application’s structure.
STEP 2: Capture a Request
Enable Burp Intercept again and refresh the product page in order to capture the request in the Proxy tab.
STEP 3: Modify the Request
Our goal is to test whether the application is properly validating inputs, thereby protecting against potential vulnerabilities. We can test for proper input validation by seeing how it responds to an unexpected condition. The product number in the target URL must be a positive integer within a certain range (e.g., /products/1 to /products/99). What happens if we change the path to a negative number? How will the application respond? Proper error handling means that the endpoint should return a 400 Bad Request status code. A 500 Internal Server Error status code typically means that an unhandled exception or error occurred on the server. This could be due to the application trying to process the negative value in a way that it wasn’t designed to handle, leading to a crash or unexpected behavior. The server should not return 500 Internal Server Error for invalid inputs; doing so indicates a problem with the server-side validation logic.
STEP 4: Analyze the Response
The presence of a 500 Internal Server Error when providing invalid input can be a sign of a potential vulnerability. It may indicate that the application does not have adequate error handling and input validation, which could be exploited by an attacker to cause denial of service, information disclosure, or other unintended behavior.
Using Burp Proxy is an efficient method to quickly test input validation. However, testing various input variations (e.g., a positive number out of range or a character value) would require multiple requests and interceptions. Fortunately, Burp Repeater simplifies this process.
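To make the 400-versus-500 distinction from Steps 3 and 4 concrete, and to show the extra input variations mentioned above (out-of-range number, character value), here is an added example written for this guide. It is not code from the original post and not the TryHackMe target’s code. It models the /products/{id} endpoint as two plain Python functions: a naive handler that lets exceptions escape (the behaviour a 500 reveals) and a hardened handler that validates the id before using it. The product range 1 to 99 is taken from the walkthrough; the catalogue contents and the probe inputs are constructed.

```python
import re
from http import HTTPStatus

# Constructed catalogue: ids 1..99 are valid, matching the /products/1 to
# /products/99 range the walkthrough assumes.
MIN_ID, MAX_ID = 1, 99
PRODUCTS = {i: f"Product {i}" for i in range(MIN_ID, MAX_ID + 1)}

PATH_RE = re.compile(r"^/products/(?P<raw>[^/]*)$")


def vulnerable_handler(path: str) -> tuple[int, str]:
    """Naive endpoint: converts the path segment and looks it up without validation.

    "abc" raises ValueError in int(); "-1", "0" and "100" raise KeyError in the
    dict lookup. Nothing catches these, so the framework answers 500 with a
    generic error page (often a stack trace). This is the signal Step 4 describes.
    """
    m = PATH_RE.match(path)
    if not m:
        return HTTPStatus.NOT_FOUND, "no such route"
    try:
        product_id = int(m.group("raw"))
        return HTTPStatus.OK, PRODUCTS[product_id]
    except Exception as exc:  # stands in for the framework's catch-all
        return HTTPStatus.INTERNAL_SERVER_ERROR, f"Internal Server Error: {type(exc).__name__}"


def hardened_handler(path: str) -> tuple[int, str]:
    """Validated endpoint: check the shape and range of the id before touching data.

    Anything that is not an ASCII digit string in [MIN_ID, MAX_ID] is rejected
    with 400 Bad Request; the lookup itself can then only fail with 404.
    """
    m = PATH_RE.match(path)
    if not m:
        return HTTPStatus.NOT_FOUND, "no such route"
    raw = m.group("raw")
    # Strict digit check: rejects "", "-1", "+3", " 3", "1.5", "abc" and
    # non-ASCII digits that int() would otherwise happily accept.
    if not re.fullmatch(r"[0-9]+", raw):
        return HTTPStatus.BAD_REQUEST, "product id must be a positive integer"
    product_id = int(raw)
    if not MIN_ID <= product_id <= MAX_ID:
        return HTTPStatus.BAD_REQUEST, f"product id must be between {MIN_ID} and {MAX_ID}"
    product = PRODUCTS.get(product_id)
    if product is None:
        return HTTPStatus.NOT_FOUND, "product not found"
    return HTTPStatus.OK, product


# Constructed probe set: the variations a tester would replay from Burp Repeater.
PROBE_INPUTS = ["3", "-1", "0", "100", "abc", ""]


def probe(handler) -> dict[str, int]:
    """Replay each variation against a handler and collect the status codes."""
    return {f"/products/{raw}": int(handler(f"/products/{raw}")[0]) for raw in PROBE_INPUTS}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name)
        for path, status in probe(handler).items():
            print(f"  GET {path:<14} -> {status}")
```

Running the script shows the pattern the walkthrough teaches you to look for: the vulnerable handler answers 200 only for /products/3 and 500 for every malformed id, while the hardened handler answers 400 for each of them. The same six requests are exactly what you would send from Burp Repeater rather than re-intercepting each one in the Proxy tab.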
We have covered how to set up and configure Burp Suite with FoxyProxy, observed how traffic is logged and mapped, and learned how to intercept, modify, and forward requests in real time. For those engaged in penetration testing or bug bounty hunting, much of your time will be spent using Burp Repeater and Burp Intruder. Hopefully, you learned a lot from this guide. In Part 2, we’ll dive into Authentication and Authorization attacks with Burp Repeater and Burp Intruder.
Until then, happy hacking!