Getting started with Burp Suite Proxy
This tutorial covers step-by-step instructions to configure Burp Suite in Kali Linux. We will also intercept client-side requests using Burp Suite.
Manual testing is largely dependent on two factors: the skills of the tester and the tool used for testing. A tool like Burp Suite significantly aids in fulfilling the needs of manual testing from a tooling perspective. It provides a powerful and flexible platform where the tester can efficiently find and exploit potential vulnerabilities.
Burp Suite has undoubtedly become a tool of choice for web application security testing. It has also evolved so that it can now be used to find vulnerabilities in APIs and mobile apps as well.
Burp Proxy, which is part of a popular penetration testing toolkit, intercepts GET and POST requests between the browser (client side) and the web server (server side) and lets us modify them. It is the proxy we will use in this tutorial.
This article assumes that you have the following environment and tools already installed:
I have brought up two virtual machines required to set up a proper hacking lab. One of these VMs has Kali Linux installed while the other one runs Metasploitable. We will use the Metasploitable web address to demonstrate the usage of the Burp Suite proxy to intercept the network traffic.
Kali Linux has IP Address: 192.168.0.188
Metasploitable has IP Address: 192.168.0.160
Steps to Intercept Client-Side Request using Burp Suite Proxy
Step 1: Open Burp Suite
Burp Suite is installed by default with Kali Linux, so you need not install it manually. Search for burpsuite as shown below and open the tool:
You can find Burp here on the left, in the dock, or under the Applications menu. Once you start it, you will be asked whether you want to run a temporary project or open an existing one. Choose the temporary project.
If you're using the custom image, you'll see it will load by default with this configuration file. We're going to keep it the same. Click on Start Burp, and you're going to get the default window of Burp.
As you can see, this is an extensive toolkit that can be used to do several things, but what we're interested in for this tutorial is the Burp Suite proxy part of it, which intercepts the network traffic. Here you can see that the interceptor is on, meaning all the requests sent to this proxy will be intercepted, and we will therefore be able to analyze them and modify them if we want to.
Now we're going to click on Open Browser to open the built-in browser that comes with Burp, and you'll notice that this is simply a standard web browser that you can use to load any website.
But when the interceptor is on, you'll see that any request this browser sends is intercepted by Burp before being forwarded to the actual destination.
Step 2: Export Certificate from Burp Suite Proxy
Open the Options bar and click Import/Export CA Certificates.
Select Certificate in DER format under Export and click on Next.
Select a path to save the certificate and give the certificate a name. I will use cert and save it on the Desktop.
Click on Close once the certificate is successfully exported.
Step 3: Import Certificates to Firefox Browser
Open the Firefox browser, select the menu icon, select Preferences and then select Privacy and Security. Next, click on Security, scroll down to Manage Certificates and choose View Certificates.
Import the PortSwigger certificate which we exported in the previous step. Once it has been imported successfully, search for the certificate, and once you have found it you can click OK to close the dialog.
Step 4: Configure the FoxyProxy add-on for the Firefox browser
Download the FoxyProxy extension for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/. Next, click on Add to add the add-on to the Firefox browser:
Next configure the proxy inside the add-on. Select the add-on and click on Options as shown below:
Click on Add to add a new proxy and fill out the details as shown below:
Step 5: Configure Network Settings of Firefox Browser
Next, let's configure the proxy in the Firefox browser. From the Settings options, select General Settings. Scroll down to Network Settings and double-click Settings.
Set the proxy configuration to manual proxy configuration. Set the host address to Burp's proxy address.
Step 6: Launch DVWA website from Metasploitable
We had set up a Metasploitable machine earlier. Power on that VM (if not done already), and now we will access the Metasploitable GUI using the IP of that VM, i.e. 192.168.0.160, from our Kali Linux VM using the Firefox browser.
First, we're going to turn off the interceptor, and now this browser will work as a regular web browser.
Open the Metasploitable web server GUI by typing the IP address of the machine. So let's go to our target, which is 192.168.0.160. Select the DVWA site, which redirects you to the login page.
Select DVWA, which will take you to the DVWA board. The default login credential is admin:password.
Once you have logged in, turn on the interceptor in Burp Suite proxy and click on any link on this DVWA page. For example, if we click on File Inclusion, you'll notice that the website will continue loading, but nothing will load. The reason for this is that Burp intercepted the request.
On the Burp Suite proxy section under Intercept you can see the browser request getting displayed. So here you can view and edit the request.
Step 7: Intercepting GET and POST requests
Let's look at what happens when I click on a link in here. We can see that the website is, first of all, trying to send a POST request to this particular path, and we can see the content of this request.
So we can see the headers. We can see that this is going to Google. We can see the contents of it.
And if we click on Forward, we will forward this to its destination, and then we see the next request being sent.
So we can see we have another GET request. This time, the request goes to this particular domain, and this is the path it's being sent to.
Again, if we click on Forward, Burp will forward this, and now we have another request. This time it's a GET request, and this one is sent to our target domain.
So it's the same domain as we have here. And this time, it's asking for this particular path. It's given a parameter called page, and the value sent is included.
You can also see the rest of the values that are sent. And all of this is simply a text box.
So you can modify any part here. Click on forward, and Burp will send this request with the modifications that we made here.
Step 8: Modifying GET and POST requests
So anyway, I'm keeping this the same, and the next thing that I want to show you is the Inspector here on the right. If I click on that to expand it, you can see that all of the values sent are organized here into clear categories.
So if we click on the Query parameter, we can see the page parameter. We can see it here, and its value is included.
And if we double-click on this again, we'll get text boxes where we can modify any of these parameters and values as we wish.
Click on Apply changes and then on Forward.
Whatever modifications we make to this request will be forwarded to the Web server. Burp suite proxy allows us to, first of all, bypass client-side checks and security implementations.
It also allows us to see what is being sent as POST requests, and other types of parameters sent to the web server, without them being displayed here in the URL box.
We should test all of these parameters for vulnerabilities, and seeing them expands our attack surface.
So anyway, as you can see, this page still hasn't loaded since I clicked on File Inclusion, and I still haven't got that page because I haven't forwarded this request yet.
So, again, we're going to click on forward and keep clicking on forward to forward everything.
And once we do that, as you can see, we finally got the page we requested, which is file inclusion.
So the whole idea and the whole point of using this Proxy is to intercept all of the requests that the page will send to the Web server to see these requests, modify them and hopefully use them to discover vulnerabilities.
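From the defender's side, the point of Steps 7 and 8 is that the page value arriving at the server may have been edited in transit, so the server has to validate it itself. The following is an added example, not part of the original tutorial and not DVWA's code; the /app/ path, the PAGES table and the function name are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of page names; the server maps each to a fixed file.
PAGES = {"home": "views/home.html", "help": "views/help.html"}

def resolve_page(request_line: str):
    """Return (status, file) for a raw request line as shown in the proxy.

    The whole line is client-controlled, so nothing in it is used to build
    a path; the page parameter only selects an entry in PAGES.
    """
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        return 400, None
    if method != "GET" or not version.startswith("HTTP/"):
        return 400, None
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get("page", [])
    if len(values) != 1:           # missing, or repeated to confuse parsers
        return 400, None
    page = values[0]               # parse_qs has already percent-decoded it
    if page not in PAGES:
        return 404, None
    return 200, PAGES[page]

# Constructed request lines: the first is what the link sends, the others are
# the same request after the query string was edited in the Intercept tab.
SAMPLES = [
    "GET /app/?page=home HTTP/1.1",
    "GET /app/?page=..%2F..%2Fsecret.txt HTTP/1.1",
    "GET /app/?page=home&page=help HTTP/1.1",
    "GET /app/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(resolve_page(line), line)
```

Only the unmodified request resolves to a file; every edited variant is rejected before any file path is touched.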
Step 9: File Inclusion Vulnerability
Let's try to upload a file and intercept it using Burp Suite proxy. We will click on Upload on the DVWA page and select an image to upload. Browse and select your image.
Next, turn on the interceptor in the Burp Suite proxy section and click on Upload. You'll see that we get stuck because the request is being intercepted here by Burp. We can see that this time it is a POST request.
Therefore, we don't see anything here in the URL bar, and we can see that this is being sent to this path, i.e. POST /dvwa/vulnerabilities/upload/ HTTP/1.1, the DVWA upload vulnerability page.
And if we scroll down, we can see the file name right here.
We can see the content type, and we can see the actual content of the image. A display of the actual binary content of the image itself is shown.
So again, you can modify this binary content. You can change the content type and picture name. And we can also see the POST parameters that are being sent here under the body parameters.
As mentioned, nothing is displayed in the URL because a POST request is sent. Nothing is sent in the URL of the request. But clicking on the body parameters here, we're going to see the maximum file size allowed, the content of the image and another parameter called uploading.
We can also see the request cookies here, and we can see the request headers. All of it can be modified by double-clicking on it and then forwarding the request.
So, again, if we click on Forward and forward the rest of the requests, you will see that the picture gets uploaded successfully, and there are no more requests sent to the web server.
Burp works hand in hand with a browser to intercept network traffic. Either of the following setups can be used:
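Since the file name, the content type, the file bytes and the maximum-size field seen in the intercepted upload can all be edited before forwarding, the receiving server must re-check each of them. The following is an added example, not part of the original tutorial and not DVWA's code; the size limit, the type table and the function names are assumptions.

```python
import os
import re

# Server-side policy (assumed values for this example); never read from the request.
SERVER_MAX_BYTES = 100_000
MAGIC = {                      # leading bytes -> (MIME type, allowed extensions)
    b"\x89PNG\r\n\x1a\n": ("image/png", {".png"}),
    b"\xff\xd8\xff": ("image/jpeg", {".jpg", ".jpeg"}),
    b"GIF89a": ("image/gif", {".gif"}),
}
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)   # constructed stand-in for an image

def sniff_type(data: bytes):
    """Return (mime, extensions) based on the file's leading bytes, or None."""
    for magic, info in MAGIC.items():
        if data.startswith(magic):
            return info
    return None

def validate_upload(filename: str, declared_type: str, data: bytes,
                    client_max_size: str = "") -> tuple[bool, str]:
    """Decide whether to accept an upload; every argument is client-editable.

    client_max_size is the size field sent with the form. It is deliberately
    ignored, because anyone using a proxy can set it to any value.
    Returns (accepted, stored file name or rejection reason).
    """
    if len(data) > SERVER_MAX_BYTES:
        return False, "too large"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed image type"
    mime, extensions = sniffed
    if declared_type != mime:
        return False, "declared Content-Type does not match content"
    # Drop any directory part (both separator styles) before checking the name.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    if ext.lower() not in extensions:
        return False, "extension does not match content"
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False, "unsafe file name"
    return True, stem + ext.lower()
```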
- Burp's embedded browser. Select the Proxy/ Intercept option and click Open Browser. The browser session is opened, and with this setup, there is no need to install the Burp CA certificate.
- Use an external browser. This option requires you to install the PortSwigger certificate as shown above to tunnel all traffic through Burp.