Quick start – Using Burp Proxy

Exclusive offer: get 50% off this eBook here
Instant Burp Suite Starter [Instant]

Instant Burp Suite Starter [Instant] — Save 50%

Get up and running with Burp Suite using this hands-on practical guide book and ebook.

£8.99    £4.50
by Luca Carettoni | September 2013 | Open Source Web Development

In this article by Luca Carettoni, author of Instant Burp Suite Starter, we will give you a sneak peek into using Burp Proxy, Burp Proxy is a crucial component of the entire Burp Suite. This tool allows you to intercept the web traffic between the browser (client) and the target application (server). Thanks to the setup described in the previous section, we are now able to look under the hood and discover how web applications work.

(For more resources related to this topic, see here.)

At the top of Burp Proxy, you will notice the following three tabs:

  • intercept: HTTP requests and responses that are in transit can be inspected and modified from this window
  • options: Proxy configurations and advanced preferences can be tuned from this window
  • history: All intercepted traffic can be quickly analyzed from this window

If you are not familiar with the HTTP protocol or you want to refresh your knowledge, HTTP Made Really Easy, A Practical Guide to Writing Clients and Servers, found at http://www.jmarshall.com/easy/http/, represents a compact reference.

Step 1 – Intercepting web requests

After firing up Burp and configuring the browser, let's intercept our first HTTP request. During this exercise, we will intercept a simple request to the publisher's website:

  1. In the intercept tab, make sure that Burp Proxy is properly stopping all requests in transit by checking the intercept button. This should be marked as intercept is on.
  2. In the browser, type http://www.packtpub.com/ in the URL bar and press Enter.

    Back in Burp Proxy, you should be able to see the HTTP request made by the browser. At this stage, the request is temporarily stopped in Burp Proxy waiting for the user to either forward or stop it.

    For instance, press forward and return to the browser. You should see the home page of Packt Publishing as you would normally interact with the website.

  3. Again, type http://www.packtpub.com/ in the URL bar and press Enter.
  4. Let's press drop this time.

    Back in the browser, the page will contain the warning Burp proxy error: message was dropped by user. We have dropped the request, thus Burp Proxy did not forward the request to the server. As a result, the browser received a temporary HTML page with the warning message generated by Burp, instead of the original HTML content.

  5. Let's try one more time. Type http://www.packtpub.com/ in the URL bar of the browser and press Enter.

    Once the request is properly captured by Burp Proxy, the action button becomes active. Click on it to display the contextual menu. This is an important functionality as it allows you to import the current web request in any of the other Burp tools.

You can already imagine the potentialities of having a set of integrated tools that allow you to manipulate and analyze web requests so easily. For example, if we want to decode the request, we can simply click on send to decoder.

Burp Proxy

In Burp Proxy, we can also decide to automatically forward all requests without waiting for the user to either forward or drop the communication. By clicking on the intercept button, it is possible to switch from intercept is on to intercept is off. Nevertheless, the proxy will record all requests in transit.

Also, Burp Proxy allows you to automatically intercept all responses matching specific characteristics. Take a look at the numerous options available in the intercept server response section from within the Burp Proxy options tab. For example, it is possible to intercept the server's response only if the client's request was intercepted. This is extremely helpful while testing input validation vulnerabilities as we are generally interested in evaluating the server's responses for all tampered requests. Or else, you may only want to intercept and inspect responses having a specific return code (for example, 200 OK).

Step 2 – Inspecting web requests

Once a request is properly intercepted, it is possible to inspect the entire content, headers, and parameters, using one of the four Burp Proxy message analysis tabs:

  • raw: This view allows you to display the web request in raw format within a simple text editor. This is a very handy visualization as it enables maximum flexibility for further changing the content.
  • params: In this view, the focus is on user-supplied parameters (GET/POST parameters, cookies). This is particularly important in case of complex requests as it allows to consider all entry points for potential vulnerabilities. Whenever applicable, Burp Proxy will also automatically perform URL decoding. In addition, Burp Proxy will attempt to parse commonly used formats, including JSON.
  • headers: Similarly, this view displays the HTTP header names and values in tabular form.
  • hex: In case of binary content, it is useful to inspect the hexadecimal representation of the resource. This view allows to display a request as in a traditional hex editor.

The history tab enables you to analyze all web requests transited through the proxy:

  1. Click on the history tab. At the top, Burp Proxy shows all the requests in the bundle. At the bottom, it displays the content of the request and response corresponding to the specific selection. If you have previously modified the request, Burp Proxy history will also display the modified version.

    Displaying HTTP requests and responses intercepted by Burp Proxy

  2. By double-clicking on one of the requests, Burp will automatically open a new window with the specific content. From this window, it is possible to browse all the captured communication using the previous and next buttons
  3. Back in the history tab, Burp Proxy displays several details for each item including the request method, URL, response's code, and length. Each request is uniquely identified by a number, visible in the left-hand side column.
  4. Click on the request identifier. Burp Proxy allows you to set a color for that specific item. This is extremely helpful to highlight important requests or responses. For example, during the initial application enumeration, you may notice an interesting request; you can mark it and get back later for further testing. Burp Proxy history is also useful when you have to evaluate a sequence of requests in order to reproduce a specific application behavior.
  5. Click on the display filter, at the top of the history list to hide irrelevant content. If you want to analyze all HTTP requests containing at least one parameter, select the show only parameterised checkbox. If you want to display requests having a specific response, just select the appropriate response code in the filter by status code selection. At this point, you may have already understood the potentialities of the tool to filter and reveal interesting traffic.

    In addition, when using Burp Suite Professional, you can also use the filter by search term option. This feature is particularly important when you need to analyze hundreds of requests or responses as you can filter relevant traffic only by using regular expressions or simply matching particular strings. Using this feature, you may also be able to discover sensitive information (for example, credentials) embedded in the intercepted pages.

Step 3 – Tampering web requests

As part of a typical security assessment, you will need to modify HTTP requests and analyze the web application responses. For example, to identify SQL injection vulnerabilities, it is important to inject common attack vectors (for example, a single quote) in all user-supplied input, including HTTP headers, cookies, and GET/POST parameters.

If you want to refresh your knowledge on common web application vulnerabilities, the OWASP Top Ten Project article at https://www. owasp.org/index.php/Category:OWASP_Top_Ten_Project is a good starting point.

Tampering web requests with Burp is as easy as editing strings in a text editor:

  1. Intercept a request containing at least one HTTP parameter. For example, you can point your browser to http://www.packtpub.com/books/all?keys=ASP.
  2. Go to Burp Proxy | Intercept. At this point, you should see the corresponding HTTP request.
  3. From the raw view, you can simply edit any aspect of the web request in transit. For example, you can change the value of the the GET parameter's keys value from ASP to PHP. Edit the request to look like the following:

    GET /books/all?keys=PHP HTTP/1.1
    Host: www.packtpub.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0)
    Gecko/20100101 Firefox/15.0.1
    Accept: text/html,application/xhtml+xml,application/
    xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive

  4. Click on forward and get back to the browser. This should result in a search query performed with the string PHP. You can verify it by simply checking the results in the HTML page.

Although we have used the raw view to change the previous HTTP request, it is actually possible to use any of the Burp Proxy view. For example, in the params view, it is possible to add a new parameter by following these steps:

  1. Clicking on new (right side), from the Burp Proxy params view.
  2. Selecting the proper parameter type (URL, body, or cookie). URL should be used for GET parameters, whereas body denotes POST parameters.
  3. Typing the name and the value of the newly created parameter.

Advanced features

After practicing with the basic features provided by Burp Proxy, you are almost ready to experiment with more advanced configurations.

Match and replace

Let's imagine that you are testing an application designed for mobile devices using a standard browser from your computer. In most cases, the web server examines the user-agent provided by the browser to identify the specific platform and respond with customized resources that better fit mobile phones and tablets. Under these circumstances, you will particularly find the match and replace function, provided by Burp Proxy, very useful. Let's configure Burp Proxy in order to tamper the user-agent HTTP header field:

  1. In the options tab of Burp Proxy, scroll down to the match and replace section.
  2. Under the match and replace table, a drop-down list and two text fields allow to create a customized rule. Select request header from the drop-down list since we want to create a match condition pertaining to HTTP requests.
  3. Type ^User-Agent.*$ in the first text field. This field represents the match within the HTTP request. Burp Proxy's match and replace feature allows you to use simple strings as well as complex regular expressions.

    If you are not familiar with regular expressions, have a look at http://www.regular-expressions.info/quickstart. html.

  4. In the second text field, type Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/4h20+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3 or any other fake user-agent that you want to impersonate.
  5. Click add and verify that the new match has been added to the list; this button is shown here:

    Burp Proxy match and replace list

  6. Intercept a request, leave it to pass through the proxy, and verify that it has been automatically modified by the tool.

    Automatically modified HTTP header in Burp Proxy

HTML modification

Another interesting feature of Burp Proxy is the automatic HTML modification, that can be activated and configured in the appropriate section within Burp Proxy | options. By using this function, you can automatically remove JavaScript or modify HTML forms of all received HTTP responses.

Some applications deploy client-side validation in the form of disabled HTML form fields or JavaScript code. If you want to verify the presence of server-side controls that enforce specific data formats, you would need to tamper the request with invalid data. In these situations, you can either manually tamper the request in the proxy or enable HTML modification to remove any client-side validation and use the browser in order to submit invalid data. This function can be also used to display hidden form fields.

Let's see in practice how you can activate this feature:

  1. In Burp Proxy, go to options, scroll down to the HTML modification section.
  2. Numerous options are available in this section: unhide hidden form fields to display hidden HTML form fields, enable disabled form fields to submit all input forms present inside the HTML page, remove input field length limits to allow extra-long strings in the text fields, remove JavaScript form validation to make Burp Proxy all onsubmit handler JavaScript functions from HTML forms, remove all JavaScript to completely remove all JS scripts and remove object tags to remove embedded objects within the HTML document.
  3. Select the desired checkboxes to activate automatic HTML modification.

Summary

Using this feature, you will be able to understand whether the web application enforces server- side validation. For instance, some insecure applications use client-side validation only (for example, via JavaScript functions). You can activate the automatic HTML modification feature by selecting the remove JavaScript form validation checkbox in order to perform input validation testing directly from your browser.

Resources for Article :


Further resources on this subject:


 

Instant Burp Suite Starter [Instant] Get up and running with Burp Suite using this hands-on practical guide book and ebook.
Published: January 2013
eBook Price: £8.99
See more
Select your format and quantity:

About the Author :


Luca Carettoni

Luca Carettoni is a security researcher with over 8 years’ experience in the application security field. His professional expertise includes black box testing, web application security, vulnerability research, and source code analysis. He is the Director of Information Security at Addepar, a company that is reinventing the infrastructure which powers global wealth management.

Prior to Addepar, Luca worked at Matasano Security as a senior security consultant, performing vulnerability research activities on a wide range of systems, from web applications to stand-alone software and mobile applications. He also worked at The Royal Bank of Scotland where he performed security audits against worldwide online banking systems. In the past few years, Luca has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master's Degree in Computer Engineering from the Politecnico di Milano University.

Books From Packt


Web Penetration Testing with Kali Linux
Web Penetration Testing with Kali Linux

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Arquillian Testing Guide
Arquillian Testing Guide

 BackTrack 5 Wireless Penetration Testing Beginner’s Guide
BackTrack 5 Wireless Penetration Testing Beginner’s Guide

Performance Testing with JMeter 2.9
Performance Testing with JMeter 2.9

Selenium 2 Testing Tools: Beginner’s Guide
Selenium 2 Testing Tools: Beginner’s Guide

Android Application Testing Guide
Android Application Testing Guide

Web Services Testing with soapUI
Web Services Testing with soapUI


Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software