Intro to Burp Suite — Intercept
This article is going to an intro, into the power and capabilities of Burp Suite, for web application security.
What is Burp Suite?
Burp Suite is a tool, that can act as a proxy, between the user as well as the web application/server.
As most of you may be knowing, when a user logs into a website, a HTTP request is sent out to the web server, and the web server processes the request and sends out a response. Burp Suite comes in between the web browser and the web server. This article might help bring further clarity.
There is much more that Burp can do, like perform brute force attacks, acting as a repeater for web requests, etc. In this tutorial, we would only be exploring the “Intercept” functionality of Burp. Feel free to explore other features as well.
Installing Burp Suite
Burp Suite comes pre-installed on Kali Linux. For other Linux distros, or even for Windows, the tool may have to be manually installed. Please refer to PortSwigger’s website for details on how to install Burp.
Website: https://portswigger.net/burp/communitydownload
We would be using the Community Edition for this tutorial. There is a pro edition as well, which is typically used on actual penetration testing engagements and bug bounties. However, this tutorial is only focused on giving on overview of Burp.
Pre-requisites for this article:
- Linux Distro (we will be using Kali Linux here)
- Docker (For installing OWASP Juice Shop)
- OWASP Juice Shop (This is a vulnerable web application provided by OWASP foundation).
Reference Link: https://github.com/bkimminich/juice-shop
We will be running this web application, using - FoxyProxy (For Burp Suite intercepts). This is a browser extension that must be added to your web browser.
Reference Links:
https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp?hl=en
Firefox: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
Fire up Burp!
To start Burp on Kali Linux (which comes pre-installed), navigate to
Select “Temporary Project”, and click on “Next”
Select “Use Burp Defaults”, and click on “Start Burp”. Minimize Burp Suite for now, and we will come back to it later.
Make sure that FoxyProxy is disabled. This will configure the browser settings to it’s default, so that requests don’t go through a proxy.
Let’s start up the web application. Start up a terminal and run the below command:
sudo docker run — rm -p 3000:3000 bkimminich/juice-shop
Fire up your web browser, and navigate to http://localhost:3000
Navigate back to FoxyProxy. Remember we selected the “Turn Off” button? Now turn it back on.
Make sure that the button below says — “Intercept is on”. If not, click on the button, to enable Intercept.
Now onto the fun stuff. Navigate to the web browser (where OWASP juice shop is running) and refresh the page. The request should be captured in Burp.
The request is captured. Now, anyone can make changes to this request and send it across to the web application. Let’s make a change now.
You might also notice, that the web application is frozen. This is because, the request was intercepted by Burp Suite. This request can either be sent across by default, or modified and sent across.
Modify the request to a POST instead of a GET.
Hit “Forward” button, to send the request on its way to the web server. You might encounter multiple requests coming back in, but just keep clicking on “Forward”.
As each request is sent to the web server, the web application loads up in chunks. Once all the requests are sent, the web application is fully loaded.
Now any request you make to the web application would be intercepted by Burp. To avoid this, turn “Foxy Proxy” back off, as mentioned previously.
What can one do with this tool?
A hacker could intercept the request and modify it to behave in a way the application was never intended to be used. The application may give out information that it should ideally not give out, and this information could benefit the attacker (such as API responses, SQL error messages, etc.).
This could cause SQL injection attacks, Cross-Site scripting attacks, etc. These attacks are very dangerous, and there are multiple articles and videos online that go over them in detail.
Hope you learnt something out of this article.
