Burp Suite is an integrated platform for performing security testing of web applications. This is a very short introduction how to start with it…
A Few (Philosophical) Notes
The Burp Suite seems to be a great and versatile tool that may help beginners to start with security testing of web-based applications and may help professionals in “somehow” improving their working environment. Apparently, the opinion is rather subjective. Anyway, there are a few things, which should be taken into account regarding the Burp Suite:
- It is written in Java.
- It is a commercial software with a Free Edition option (terms and conditions apply).
- It is not an open-source.
From a “wannabe” hacker’s perspective (like me, lol), the most important thing to think about is the third point. Basically, it says that I would be using a SW, which:
- works in a unverifiable way (not saying that it is not working correctly; just saying that there is no way how to prove it, as correlation does not imply causation),
- and produces results in the same way; i.e., I have no guarantee that the SW will produce reasonable and valid results.
Obviously, unless I create my own hardware, bootstrapping software, operating system, and related software, I will never have the possibility to trust the computing environment I work with anyway.
What I have just tried to point out is that as a real hacker (if I were one), I would never trust anyone’s binary or its results. Eventually, I would never use such SW seriously. As a “hobby hacker”, however; I have to be content with third party open-source (and sometimes even closed-source) software.
Let’s Get Started
After installation (which naturally differs among operating systems), the SW can be finally started.
First thing to know is that it is an intercepting Proxy, which enables inspection and modification of traffic between a browser and a target application.
Second thing to know is that it contains a Repeater tool, which can be used for manipulating and resending individual requests, or starting one’s own requests.
Third thing to know is that there exist more than the previous features, but the discussed two are enough to start with some testing.
The Burp Suite has a great instructional video how to setup the proxy in Burp and within a browser. By default, Burp acts as a proxy and intercepts all traffic on
Opening and Interception of the First Page
After the first attempt to open a webpage in the configured browser, the Burp Proxy intercepts the HTTP request. The respective menu Proxy -> Intercept becomes orange and expects user action, which will most probably be
Forward. This action may repeat a few times until the page loads itself.
In Proxy -> HTTP history menu, there is the whole history of all HTTP elements that have been caputered so far. The
Request can be depicted in a “Raw”, “Params” (i.e. captured values), “Headers” (i.e. a table-based view of Raw) or in “Hex” variant. The same applies for its
Response which is improved with two more obvious options: “HTML” (i.e. source code of the response) and “Render” (i.e. a browser-like response preview).
Spoofing the First Values
In order to spoof any values, it is necessary to create a HTTP request. One of the ways is to reuse the already captured HTTP request which is in the Proxy -> HTTP history in section
Request and “Raw”. After selecting the whole request, it is possible to right-click and select “Send to Repeater” (Ctrl+R) option.
The request will appear “as is” under the
Repeater menu. The same options “Raw”, “Header” and “Hex” are available to preview and modify the request. For instance, it is possible to:
- Select a different page to connect to
GET /index.php HTTP/1.1to
GET /anotherpage.php HTTP/1.1.
- Spoof the “User-Agent:” value.
- Change the “Referer” value, i.e. URL from which is the request coming to the target web page.
…and many more.
When ready, it is possible to send the created request by clicking “Go“.
The right part of the pane contains the “Response” with already discussed options to display it.
That’s all for now 🙂