Instant Burp Suite Starter [Instant] — Save 50%
Get up and running with Burp Suite using this hands-on practical guide book and ebook.
In this article by Luca Carettoni, author of Instant Burp Suite Starter, we will give you a sneak peek into using Burp Proxy, Burp Proxy is a crucial component of the entire Burp Suite. This tool allows you to intercept the web traffic between the browser (client) and the target application (server). Thanks to the setup described in the previous section, we are now able to look under the hood and discover how web applications work.
(For more resources related to this topic, see here.)
At the top of Burp Proxy, you will notice the following three tabs:
- intercept: HTTP requests and responses that are in transit can be inspected and modified from this window
- options: Proxy configurations and advanced preferences can be tuned from this window
- history: All intercepted traffic can be quickly analyzed from this window
If you are not familiar with the HTTP protocol or you want to refresh your knowledge, HTTP Made Really Easy, A Practical Guide to Writing Clients and Servers, found at http://www.jmarshall.com/easy/http/, represents a compact reference.
Step 1 – Intercepting web requests
After firing up Burp and configuring the browser, let's intercept our first HTTP request. During this exercise, we will intercept a simple request to the publisher's website:
- In the intercept tab, make sure that Burp Proxy is properly stopping all requests in transit by checking the intercept button. This should be marked as intercept is on.
- In the browser, type http://www.packtpub.com/ in the URL bar and press Enter.
Back in Burp Proxy, you should be able to see the HTTP request made by the browser. At this stage, the request is temporarily stopped in Burp Proxy waiting for the user to either forward or stop it.
For instance, press forward and return to the browser. You should see the home page of Packt Publishing as you would normally interact with the website.
- Again, type http://www.packtpub.com/ in the URL bar and press Enter.
- Let's press drop this time.
Back in the browser, the page will contain the warning Burp proxy error: message was dropped by user. We have dropped the request, thus Burp Proxy did not forward the request to the server. As a result, the browser received a temporary HTML page with the warning message generated by Burp, instead of the original HTML content.
- Let's try one more time. Type http://www.packtpub.com/ in the URL bar of the browser and press Enter.
Once the request is properly captured by Burp Proxy, the action button becomes active. Click on it to display the contextual menu. This is an important functionality as it allows you to import the current web request in any of the other Burp tools.
You can already imagine the potentialities of having a set of integrated tools that allow you to manipulate and analyze web requests so easily. For example, if we want to decode the request, we can simply click on send to decoder.
In Burp Proxy, we can also decide to automatically forward all requests without waiting for the user to either forward or drop the communication. By clicking on the intercept button, it is possible to switch from intercept is on to intercept is off. Nevertheless, the proxy will record all requests in transit.
Also, Burp Proxy allows you to automatically intercept all responses matching specific characteristics. Take a look at the numerous options available in the intercept server response section from within the Burp Proxy options tab. For example, it is possible to intercept the server's response only if the client's request was intercepted. This is extremely helpful while testing input validation vulnerabilities as we are generally interested in evaluating the server's responses for all tampered requests. Or else, you may only want to intercept and inspect responses having a specific return code (for example, 200 OK).
Step 2 – Inspecting web requests
Once a request is properly intercepted, it is possible to inspect the entire content, headers, and parameters, using one of the four Burp Proxy message analysis tabs:
- raw: This view allows you to display the web request in raw format within a simple text editor. This is a very handy visualization as it enables maximum flexibility for further changing the content.
- params: In this view, the focus is on user-supplied parameters (GET/POST parameters, cookies). This is particularly important in case of complex requests as it allows to consider all entry points for potential vulnerabilities. Whenever applicable, Burp Proxy will also automatically perform URL decoding. In addition, Burp Proxy will attempt to parse commonly used formats, including JSON.
- headers: Similarly, this view displays the HTTP header names and values in tabular form.
- hex: In case of binary content, it is useful to inspect the hexadecimal representation of the resource. This view allows to display a request as in a traditional hex editor.
The history tab enables you to analyze all web requests transited through the proxy:
- Click on the history tab. At the top, Burp Proxy shows all the requests in the bundle. At the bottom, it displays the content of the request and response corresponding to the specific selection. If you have previously modified the request, Burp Proxy history will also display the modified version.
Displaying HTTP requests and responses intercepted by Burp Proxy
- By double-clicking on one of the requests, Burp will automatically open a new window with the specific content. From this window, it is possible to browse all the captured communication using the previous and next buttons
- Back in the history tab, Burp Proxy displays several details for each item including the request method, URL, response's code, and length. Each request is uniquely identified by a number, visible in the left-hand side column.
- Click on the request identifier. Burp Proxy allows you to set a color for that specific item. This is extremely helpful to highlight important requests or responses. For example, during the initial application enumeration, you may notice an interesting request; you can mark it and get back later for further testing. Burp Proxy history is also useful when you have to evaluate a sequence of requests in order to reproduce a specific application behavior.
- Click on the display filter, at the top of the history list to hide irrelevant content. If you want to analyze all HTTP requests containing at least one parameter, select the show only parameterised checkbox. If you want to display requests having a specific response, just select the appropriate response code in the filter by status code selection. At this point, you may have already understood the potentialities of the tool to filter and reveal interesting traffic.
In addition, when using Burp Suite Professional, you can also use the filter by search term option. This feature is particularly important when you need to analyze hundreds of requests or responses as you can filter relevant traﬃc only by using regular expressions or simply matching particular strings. Using this feature, you may also be able to discover sensitive information (for example, credentials) embedded in the intercepted pages.
Step 3 – Tampering web requests
As part of a typical security assessment, you will need to modify HTTP requests and analyze the web application responses. For example, to identify SQL injection vulnerabilities, it is important to inject common attack vectors (for example, a single quote) in all user-supplied input, including HTTP headers, cookies, and GET/POST parameters.
If you want to refresh your knowledge on common web application vulnerabilities, the OWASP Top Ten Project article at https://www. owasp.org/index.php/Category:OWASP_Top_Ten_Project is a good starting point.
Tampering web requests with Burp is as easy as editing strings in a text editor:
- Intercept a request containing at least one HTTP parameter. For example, you can point your browser to http://www.packtpub.com/books/all?keys=ASP.
- Go to Burp Proxy | Intercept. At this point, you should see the corresponding HTTP request.
- From the raw view, you can simply edit any aspect of the web request in transit. For example, you can change the value of the the GET parameter's keys value from ASP to PHP. Edit the request to look like the following:
GET /books/all?keys=PHP HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0)
Accept-Encoding: gzip, deflate
- Click on forward and get back to the browser. This should result in a search query performed with the string PHP. You can verify it by simply checking the results in the HTML page.
Although we have used the raw view to change the previous HTTP request, it is actually possible to use any of the Burp Proxy view. For example, in the params view, it is possible to add a new parameter by following these steps:
- Clicking on new (right side), from the Burp Proxy params view.
- Selecting the proper parameter type (URL, body, or cookie). URL should be used for GET parameters, whereas body denotes POST parameters.
- Typing the name and the value of the newly created parameter.
After practicing with the basic features provided by Burp Proxy, you are almost ready to experiment with more advanced configurations.
Match and replace
Let's imagine that you are testing an application designed for mobile devices using a standard browser from your computer. In most cases, the web server examines the user-agent provided by the browser to identify the specific platform and respond with customized resources that better fit mobile phones and tablets. Under these circumstances, you will particularly find the match and replace function, provided by Burp Proxy, very useful. Let's configure Burp Proxy in order to tamper the user-agent HTTP header field:
- In the options tab of Burp Proxy, scroll down to the match and replace section.
- Under the match and replace table, a drop-down list and two text fields allow to create a customized rule. Select request header from the drop-down list since we want to create a match condition pertaining to HTTP requests.
- Type ^User-Agent.*$ in the first text field. This field represents the match within the HTTP request. Burp Proxy's match and replace feature allows you to use simple strings as well as complex regular expressions.
If you are not familiar with regular expressions, have a look at http://www.regular-expressions.info/quickstart. html.
- In the second text field, type Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/4h20+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3 or any other fake user-agent that you want to impersonate.
- Click add and verify that the new match has been added to the list; this button is shown here:
Burp Proxy match and replace list
- Intercept a request, leave it to pass through the proxy, and verify that it has been automatically modified by the tool.
Automatically modified HTTP header in Burp Proxy
Let's see in practice how you can activate this feature:
- In Burp Proxy, go to options, scroll down to the HTML modification section.
- Select the desired checkboxes to activate automatic HTML modification.
Resources for Article :
- Visual Studio 2010 Test Types [Article]
- Ordered and Generic Tests in Visual Studio 2010 [Article]
- Manual, Generic, and Ordered Tests using Visual Studio 2008 [Article]
About the Author :
Luca Carettoni is a security researcher with over 8 years’ experience in the application security field. His professional expertise includes black box testing, web application security, vulnerability research, and source code analysis. He is the Director of Information Security at Addepar, a company that is reinventing the infrastructure which powers global wealth management.
Prior to Addepar, Luca worked at Matasano Security as a senior security consultant, performing vulnerability research activities on a wide range of systems, from web applications to stand-alone software and mobile applications. He also worked at The Royal Bank of Scotland where he performed security audits against worldwide online banking systems. In the past few years, Luca has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master's Degree in Computer Engineering from the Politecnico di Milano University.