Burp Suite – owning the web traffic Part 1

What is it?

Burp suite is certainly one essential tool in your web application related toolbox.

It lets you intercept web traffice, alter, reply and compare it and much more.

So very useful and a bit complex at first. Lets look into it

Preperations

Since you will be using Burp Suite as a proxy you want a simple way to enable and disable a proxy in our browser.

FoxyProxy does exactly that. You can get it at https://getfoxyproxy.org/ 

When you install it and set it up you can configure a proxy at localhost at 8080. Thats the default for Burp Suite.

Then you can switch that proxy on and off with the click of a button.

One more thing you want to do:

Burp will act as a man-in-the-middle so you also need to make your browser “trust” burp.

During the Setup phase of burp it offers you to install a certificate in your browser that does that.

if your are using Firefox your certificate manager should have this item in it after you imported the certificate from the creators of the Burp Suite:

Getting started

When you fire up Burp Suite you will see something like this:

We are using the free version here – you can get a pro version that has some more features especially when it comes to automatically scanning for vulnerabilities.

The pro version is about 350€ wich is a steal for what it offers if you ask me. 

But for now we will deal with the features of the free version and cover the add on features of the pro version in a later article.

You see a number of tabs on the main screen of Brup:

  • Dashboard
  • Proxy
  • Intruder
  • Repeater
  • Sequenzer
  • Decoder
  • Comparer
  • Extender

Before we look into each one of them let’s take a step back and remeber what we want to do when investigating Web Apps:

Monitor and intercept traffic

We want to be able to look into the HTML and JavaScript code, the HTTP requests and cookies that are exchanged between server and client.

So when we send a request to a webserver we want to be able to halt the request and inspect it before we finally release it to the server.

Also we want to be able to look – in detail – into the response we get from the server.

Alter and replay requests

We also need to be able to take a request and alter a piece of information in that request and then send it to the server again.

This is useful in many ways – trying different logins und usernames is just the most obvious use case.

Inject code

If you ever heard of XSS for example; we  want to try to sneak code into a web request where the server would only expect content.

These are the main things we want to do – there are some other – support – use cases that Burp Suite also covers. 

So lets get started with something simple:

Intercepting traffic and setting the scope

Enable the proxy and then go to google.com.

Burp Suite will intercept the client request before it goes out to the server:

You see the proxy tab go orange telling you something is going on in that tab.

Burp show us here the request it intercepted before sending it to the server.

We have now the option to forward the request so it actually gets sent to the server or just drop it so the server will never see it.

Lets forward it.

You will probably have to forward a couple of times since the one request causes a couple of more requests. Or you can just switch off intercept for now.

When you now switch over to the target tab you see everything that has happened when we put google.com into our browser.

 

There are a couple of interesting things here.

We are in the sitemap sub-tab of the target tab. Burp Suite will automatically record all requests and responses here and group them by hostname on the left in a tree like fashion.

You can click on each request in the main area of the window and see the details of that request at the very bottom. As you can see you can also switch between Request and Response there.

So you can – in detail – follow through on what happened.

One useful thing you want to do is setting the scope.

Modern web apps make requests to all kinds of external services.

Loading a third party JavaScript library, reaching out to tracking platforms, etc.

You probably don’t want to have that in your site map.

When you right-click on a host on the left the context menu offers you to add this host to the scope.

If you do that it also offers you to not show anything out of scope in the sitemap.

Most of the time you want exactly that. 

When you now switch over to the scope sub-tab it looks like this:

We can click around in the web app in scope and see how the sitemap is populated with all the URLs we might want to look into.

The steps above will most of the time be common to all your Burp Suite projects. From this point on you go into the specifics.

Leave a Reply

Your email address will not be published. Required fields are marked *