Burp Suite is the tool most commonly used by pen testers. We will explain the step-by-step procedure for configuring it with a browser and how to use its main features.
How to Proxy with Burp
• Proxy -> Intercept
• Proxy -> Options
Setting Up Your Browser – Local Burp
This information is provided to gain knowledge. Please don’t run any tool on public applications; it can be dangerous, and the application owner can take legal action against you. Hacknowledge is not responsible for any damage or any legal action.
Points to be covered
- Intercept & Scope Configuration
- Application Walkthrough
1. Intercept and scope configuration
Burp Suite is easy to configure. Navigate to the “Proxy” tab and then to the “Options” sub-tab. The second and third headings show the configurable rules for intercepting requests and responses. Uncheck the default rules and check “URL Is in target scope” (the application must already be added to the scope under the “Target” tab, otherwise no request will match). Next, turn intercept off, as it is not needed for the initial application walkthrough: on the “Intercept” sub-tab, make sure the toggle button reads “Intercept is off”.
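As an added example (not code from the original page or from PortSwigger), the following Python models the decision behind the “URL Is in target scope” intercept rule: a URL is intercepted only when it matches an include rule, matches no exclude rule, and intercept is on. The rule fields and the example host names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

@dataclass
class ScopeRule:
    """One row of the target-scope table (simplified model, not Burp's own code).
    Unset fields match anything; host and file are regexes against host name and path+query."""
    protocol: Optional[str] = None   # "http" or "https"
    host: Optional[str] = None
    port: Optional[int] = None
    file: Optional[str] = None

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = parts.path + ("?" + parts.query if parts.query else "")
        if self.protocol and parts.scheme != self.protocol:
            return False
        if self.host and not re.search(self.host, parts.hostname or ""):
            return False
        if self.port and port != self.port:
            return False
        if self.file and not re.search(self.file, path):
            return False
        return True

class TargetScope:
    """Include rules admit a URL; an exclude rule always wins over an include rule."""
    def __init__(self, include: Iterable[ScopeRule], exclude: Iterable[ScopeRule] = ()):
        self.include, self.exclude = list(include), list(exclude)

    def contains(self, url: str) -> bool:
        if any(r.matches(url) for r in self.exclude):
            return False
        return any(r.matches(url) for r in self.include)

def should_intercept(scope: TargetScope, url: str, intercept_on: bool = True) -> bool:
    """The 'URL Is in target scope' intercept rule combined with the Intercept toggle."""
    return intercept_on and scope.contains(url)

# Constructed example (host names are made up): only the HTTPS app host is in scope,
# and /logout is excluded so the walkthrough never accidentally ends the session.
EXAMPLE_SCOPE = TargetScope(
    include=[ScopeRule(protocol="https", host=r"^app\.example\.com$")],
    exclude=[ScopeRule(file=r"^/logout")],
)
```

Requests to CDN hosts, plain-HTTP copies of the site, or the logout endpoint stay out of Proxy history and Intercept, so only the application under test is touched.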
2. Application Walkthrough
During the application walkthrough we need to crawl the site as thoroughly as possible. Cover every link in the application and analyze the responses coming from the server: when you click a link, compare the response you expect with the one you actually receive. Try changing the response code, e.g. if the server returns a “302 redirect”, change it to “200 OK” and see how the application behaves. This is only one example; there may be many more you need to find out.
Intruder
This option is a really good choice when you are short on time or need to cover as many attack vectors as possible. Using Intruder you can provide a list of attack vectors and send multiple requests in a very short span of time. Example: if you want to try multiple username and password combinations on a login page, you can use it; you need to set a payload for it. The values between the “$ $” markers can be taken directly from an external list or an internal list, as shown in Image 2.
Set the payload for the request and start Intruder. It will send requests to the application with all the available combinations.
Spider
Spider is mainly used to crawl the application automatically. When a request is intercepted by Burp Suite you can send it to Spider. Burp Suite will then send a number of requests to the application and collect information about all the publicly available pages.
After Spider is finished, go to the Site map and you will see all the pages crawled by Spider.
Repeater
Repeater is a very useful feature of Burp Suite; with it there is no need to go back and check the response in the browser. Right-click on the intercepted request and send it to Repeater. In Repeater you can directly modify the values of the request and click “Go”; the response is shown on the right-hand side.
You can also visit the official Burp Suite site for video tutorials.
Burp Suite Video tutorials https://portswigger.net/burp/tutorials/