August 16, 2023

Burp Suite for penetration testing

The best time to establish protocols with your clients is when you onboard them.

Heading

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Burp Suite is an integrated platform and graphical tool for performing security testing of web applications, it supports the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp Proxy Listener

Burp’s proxy listener is a local HTTP proxy server that listens for incoming connections from your browser. It allows you to monitor and intercept all HTTP requests and responses sent and received by your browser. This lies at the heart of Burp’s user-driven workflow.

Configuring Burp to work with an external browser

By default, Burp creates a single listener on port 8080 of the loopback interface. The first time you start Burp, you need to check that this listener is active and running.

1) In Burp, go to the Proxy > Options tab.

In the Proxy listeners panel, you should see an entry for the interface 127.0.0.1:8080 with the Running checkbox selected, indicating that the listener is active and running. If so, everything is fine and you can move on to configuring your browser.

2) Configuring Firefox to work with Burp

To configure Firefox so that you can use it for testing with Burp, you need to perform the following configuration steps.

In Firefox, go to the Settings> network settings

In Default it will be No Proxy →Select the Manual proxy configuration

Enter your Burp Proxy listener address in the HTTP Proxy field (by default this is set to 127.0.0.1).

Next, enter your Burp Proxy listener port in the Port field (by default, 8080). Make sure the Use this proxy server for all protocols box is checked. and click on OK button.

3) Installing Burp's CA certificate in Firefox

Before attempting to install Burp’s CA certificate, make sure that you have successfully confirmed that the proxy listener is active and have configured your browser to work with Burp.

To install Burp’s CA certificate in Firefox, proceed as follows:

With Burp running, visit http://burpsuite in Firefox. You should be taken to a page that says "Welcome to Burp Suite Professional".

In the top-right corner of the page, click CA Certificate to download your unique Burp CA certificate. Take note of where you save this.

From the navigation bar on the left of the screen, open the Privacy and Security settings.

Scroll down to the Certificates section and click the View certificates button.

In the dialog that opens, go to the Authorities tab and click Import. Select the Burp CA certificate that you downloaded earlier and click Open.

When prompted to edit the trust settings, make sure the checkbox is checked. This certificate can identify websites is selected and click OK.

Close and restart Firefox. With Burp still running, try and browse to any HTTPS URL. If everything has worked, you should now be able to browse to the page without any security warnings.

4) Burp proxy's intercept feature

Burp Proxy’s intercept feature lets you intercept HTTP requests and responses sent between the browser and the target server.

The intercept feature lets you perform the following useful actions:

  • Intercept a request and modify it before forwarding it to the server.
  • Send interesting requests to Burp’s other tools, such as Repeater or Intruder, for further testing.
  • Drop a request to prevent it from reaching the server.\

Click on the intercept is off to get the requests.

Step 1 : Access the lab

Now, We will use Burp Proxy to intercept and modify a request to see how the server responds. Open Firefox browser, and use it to access the following URL:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

Click Access the lab and log in to your PortSwigger account if prompted. This opens your own instance of a deliberately vulnerable shopping website.

Step 2: Log in to a user account

Click My account and log in using the following credentials: wiener:peter.

Step 3: Find something to buy

Click Home, then view the details for the Lightweight “l33t” leather jacket.

Step 4: Intercept the add to cart request

In Burp, go to the Proxy > Intercept tab.

Make sure that Intercept is on.

In the browser, add the leather jacket to your cart.

In Burp, notice that the resulting POST /cart request is intercepted.

Note: You may initially see a different request on the Proxy > Intercept tab if the browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above.

Step 5: Modify the request

In the request body, change the value of the price parameter to 10.

Step 6: Send the modified request to the server

Click Forward to send the modified request to the server.

Switch interception off again. Subsequent requests will now pass through Burp Proxy uninterrupted, so you can browse the site as normal. Any HTTP requests the browser makes will still be captured on the Proxy > HTTP history tab.

In Firefox browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added, but you have managed to change the price to just 10 cent and are able to complete the purchase.

You now know more about the Burp Proxy tool from the Burp Suite. We’ll see more intriguing tools in the next articles, including Burp Repeater, Intruder, Target, Scanner, and Collaborator.

CodeStax.Ai
Profile
August 16, 2023
-
6
min read
Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Share this article:

More articles