New to Burp Suite? Here is the basic tutorial.

Hi friends, today I will be posting a very basic tutorial on Burp Suite.

Today we are going to learn how to set up and use Burp proxy, oh sorry, Burp Suite :D Many of you have heard about Burp Suite but don't know how to use it. Don't worry, I will show you how to use it one tutorial at a time.

What is Burp Suite?

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. 
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. For more information visit their official website: http://portswigger.net/

These days, in the information security field, Burp is the king of all HTTP proxies.

First of all, download the free version of Burp Suite from here (or you can buy it): http://portswigger.net/burp/download.html

Once you have downloaded Burp Suite, open it. It will show a window as shown below.



Now, to intercept the HTTP requests of the web application, we need to set a proxy in the browser. Note that proxy settings differ between browsers; here I am using Firefox. If you are using another browser, the settings might be different.

Open the Firefox browser, go to the menu, then click on "Tools > Options" as shown in the screenshot below.



It will open a new window. Now click on "Advanced > Network > Settings" as shown in the screenshot below.



Again it will open a new window, don't worry, this is the final window :D
Here the "No proxy" button is selected by default. Select the "Manual proxy configuration" button instead. In the "HTTP Proxy" text box, enter your localhost IP address, which is 127.0.0.1 by default (you can also use your system's local IP in the 192.168.x.x or 10.10.x.x range). In "Port" enter 8080; you can use any port you want, but you will have to set the same port in Burp proxy too. The screenshot is given below.



So we are done with the proxy settings in the browser; now it's time for Burp Suite. Go to Burp Suite and click on "Options" as shown below. Under "Proxy Listeners" you can see that the proxy is running on 127.0.0.1 on port 8080, which is the default setting in Burp Suite, so you don't need to change anything. If you want to use another port, like 8090, then you need to change the port in the browser as we saw above, then here in Burp click on "Edit" and change the port. For now we are going to use the default settings, so there is not much to do.



Now click on the "Intercept" tab, then turn intercept on (it is off by default).



Now go to the browser where we set the proxy earlier, and let's intercept the HTTP request of any live web application. Let's take http://www.girishkumar.net/: type http://www.girishkumar.net/ in the browser URL bar and press Enter, then go to Burp Suite and you will see the intercepted HTTP request as shown in the screenshot below.

We can see the Host, our User-Agent, Cookie, etc. values in the HTTP request which is going to the server.

Click on the Forward button to forward the current request and let another request come.



Once you click on the Forward button, it will send another request if there is any, depending on the application. Below we can see another intercepted request. Now turn off the intercept by clicking the "Intercept is on" button.



Go to the browser and see that our site has opened.



Note that you don't need to keep intercept on all the time. You can turn it off and still see all the HTTP requests by navigating to the "HTTP history" tab as shown below. By clicking on each request you can also see the response in another tab.



How to use Burp Suite with applications which are running on HTTPS?

If you want to intercept the HTTP traffic of applications which are running on HTTPS, then you will have to add the Burp Suite certificate to the browser as a trusted certificate.

Visit https://www.google.co.in/ and it will show an error as shown below, but don't worry, just click on "I Understand the Risks".



Now click on "Add Exception" as shown below.



Then click on "Confirm Security Exception" and you are done.



Now press enter and you will see the HTTPS traffic in Burp suite.



 Also in HTTP history.
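
To see why HTTPS needs the extra certificate step, it helps to look at what the browser actually sends to the proxy listener in each case. The following Python code is an added example, not part of the original tutorial or of Burp Suite; the function name `describe_proxy_request` and the sample requests (including the User-Agent and cookie values) are constructed for illustration.

```python
# Added example: what a proxy listener receives from the browser.
# Both sample requests are constructed; header values are made up.

HTTP_SAMPLE = (
    b"GET http://www.girishkumar.net/ HTTP/1.1\r\n"
    b"Host: www.girishkumar.net\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"\r\n"
)
HTTPS_SAMPLE = (
    b"CONNECT www.google.co.in:443 HTTP/1.1\r\n"
    b"Host: www.google.co.in:443\r\n"
    b"\r\n"
)


def describe_proxy_request(raw: bytes) -> dict:
    """Summarise the first request a browser sends to an HTTP proxy."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    info = {"method": method, "target": target, "host": headers.get("host")}
    if method == "CONNECT":
        # HTTPS: the browser only asks for a tunnel to host:port. What follows
        # is TLS, readable by the proxy only if it terminates the connection
        # with a certificate the browser has been told to accept.
        info["kind"] = "https-tunnel"
        return info
    # Plain HTTP: the request line carries the full URL and every header,
    # including cookies, reaches the proxy in clear text.
    info["kind"] = "plain-http"
    info["user_agent"] = headers.get("user-agent")
    info["cookies"] = dict(
        pair.strip().split("=", 1)
        for pair in headers.get("cookie", "").split(";")
        if "=" in pair
    )
    return info


if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, HTTPS_SAMPLE):
        print(describe_proxy_request(sample))
```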



So this was a very basic tutorial about Burp Suite: how to configure it and use it. In the next tutorials I will show you how to use other functionality of Burp Suite.

If you found this tutorial informative then don't forget to share.

Thanks :)


2 Comments

  1. There is no option of add exception .. so now how can we find the certificate?

  2. Do you have any sites, where I can practice this on?
