Extended Brain Storage

# Security: Burp Suite - A Brief Introduction

Posted on March 23, 2016

Burp Suite is an integrated platform for performing security testing of web applications. This is a very short introduction how to start with it…

### A Couple of (Philosophical) Notes

The Burp Suite seems to be a great and versatile tool that may help beginners to start with security testing of web-based applications and may help professionals in “somehow” improving their working environment. Apparently, the opinion is ​rather subjective.

Anyway, there are a few things, which should be taken into account regarding the Burp Suite:

• It is written in Java.
• It is a commercial software with a Free Edition option (terms and conditions apply).
• It is not an open-source.

From a “wannabe” hacker’s perspective (like me, LOL), the most important thing to think about is the third point. Basically, it says that I would be using a SW, which:

1. works in a unverifiable way (not saying that it is not working correctly; just saying that there is no way how to prove it, as correlation does not imply causation),
2. and produces results in the same way; i.e., I have no guarantee that the SW will produce reasonable and valid results.

Obviously, unless I create my own hardware, bootstrapping software, operating system, and related software, I will never have the possibility to trust the computing environment I work with anyway.

What I have just tried to point out is that as a real hacker (if I were one), I would never trust anyone’s binary or its results. Eventually, I would never use such SW seriously. As a “hobby hacker”, however; I have to be content with third party open-source (and sometimes even closed-source) software.

### Let’s Get Started

After installation (which naturally differs among operating systems), the SW can be finally started.

First thing to know is that it is an intercepting Proxy, which enables inspection and modification of traffic between a browser and a target application.

Second thing to know is that it contains a Repeater tool, which can be used for manipulating and resending individual requests, or starting one’s own requests.

Third thing to know is that there exist more than the previous features, but the discussed two are enough to start with some testing.

### Elementary Setup

The Burp Suite has a great instructional video how to setup the proxy in Burp and within a browser. By default, Burp acts as a proxy and intercepts all traffic on 127.0.0.1:8080.

### Opening and Interception of the First Page

After the first attempt to open a webpage in the configured browser, the Burp Proxy intercepts HTTP requests. The respective menu Proxy -> Intercept becomes orange and expects user action, which will most probably be Forward. This action may need to be repeated a few times until the page loads itself.

In Proxy -> HTTP history menu, there is the whole history of all HTTP elements that have been captured so far. The HTTP Request can be depicted in a Raw, Params (i.e. captured values), Headers (i.e. a table-based view of Raw) or in Hex variant. The same applies for its HTTP Response which is improved with two more obvious options: HTML (i.e. source code of the response) and Render (i.e. a browser-like response preview).

### Spoofing the First Values

In order to spoof any values, it is necessary to create a HTTP request. One of the ways is to reuse the already captured HTTP request which is in the Proxy -> HTTP history in section Request and Raw. After selecting the whole request, it is possible to right-click and select “Send to Repeater” (Ctrl+R) option.

The request will appear “as is” under the Repeater menu. The same options Raw, Header and Hex are available to preview and modify the request. For instance, it is possible to:

• Select a different page to connect to GET /index.php HTTP/1.1 to GET /anotherpage.php HTTP/1.1.
• Spoof the User-Agent: value.
• Change the Referer value, i.e. URL from which is the request coming to the target web page.

… and many more.

When ready, it is possible to send the created request by clicking the Go button.

The right part of the pane contains the HTTP Response with already discussed options to display it.