Burp Suite (referred to as Burp) is a graphical tool for testing Web application security.
In this set of tutorials we will go through how to set up Burp to intercept traffic on your web browser. For the purpose of this tutorial I will be using the free version.
- Download and Install Burp
- Configure the browser to intercept all our traffic for inspection
- Configure the TLS (self-signed) certificate for HTTPS intercepting
Download Burp from here (make sure you have Java installed too).
One you have Burp installed open the application. You should be presented with the following interface:
If you want to save a project, do so. Otherwise click Next. Which will bring you to:
Then click Start Burp. You should now see:
Now we have Burp installed we need to get it to intercept our traffic. I will be doing this with Firefox. Other browsers will work, just have to find the correct browser setting.
On Firefox, open the preferences (about:preferences#general) and scroll to the bottom where you can see Network Settings then click on Settings. You will see the following:
Select Manual proxy configuration and copy the same config as me. You should simply have to type in 127.0.0.1 in the HTTP proxy, select the checkbox with "Use this proxy for all protocols" and type in Port 8080. Once this is complete, click ok.
To stop your browser from tunneling everything through to your machine first, open up your firefox network settings again and click "No proxy"
What you are doing now is proxying all of your web traffic through your local machine that is being intercepted by anything that is listening. Which in this case, will be Burp Suite. You will find if you open Burp Suite, click Proxy and then option, there will be a proxy listener with these details:
Make sure your checkbox for running is ticked.
Hooorrraaaayyy, we now have Burp Suite intercepting any traffic we generate through the browser... on HTTP. If you navigate to a HTTP website such as http://neverssl.com Burp will pick it all up:
Burp will hold the proxied request until you either stop intercepting or click the forward button. You may also see lots of other request Burp picks up. This is all traffic your browser is generating. However, if we visit a HTTPS site such as: https://google.com we will get a horrible TLS error:
Lots of sites have TLS (HTTPS) to encrypt the data from the client to their server. As we are a man (or in this case a proxy) in the middle (MITM), the browser will think there is something wrong and will throw an error as seen above.
To get around this, we have Burp sign our traffic with its certificate and tell out browser to make Burps TLS singing a Certificate Authority (basically just telling the browser that anything signed by Burp is all good).
First of, we need to get Burps certificate. To do, in your browser go to: http://burp/ and click CA Certificate.
Select Save File and download it. Once downloaded, go to your browser preferences (about:preferences) and search "Cert", you should see the following:
Click View Certificates, then Authorities then Import. From here, go to where you downloaded Burps file (and select it). Select the both trust checkboxes (this is important otherwise it will not work) and then click ok. Like so:
Then click ok to navigate out of the Certificate Manager. You have now successfully installed Burps CA certificate allowing you to navigate to HTTPS sites.
Try and re-open https://google.com - Your TLS error will have gone away and you can intercept it with Burp!
Now that we've set up Burp - lets look at an example of what it would be like to intercept your request. If Burp is open, go to Proxy > Intercept and click the Intercept Button.
Intercepting the request means that the request will first go to Burp and then go to the browser. Doing this helps us better understand how things work under the hood. If i try to log in to TryHackMe and Intercept the request, this is what you get:
You can see the raw request containing the HTTP headers and parameters. We can actually go to the Params tab to edit the parameters:
You can double click on the Type, Name or Value field and change the values. You can also add and remove parameters using the buttons on the left.
While you don't have to do this every time, you can go under Actions > Do Intercept > Response to the request. This actually intercepts the response from the server and ensures it goes through Burp before it goes to the browser. Once you've finished editing a response/request, click the forward button to pass the request onto the browser.
To view all the requests/responses you've made, you can go to Proxy > HTTP History
This is a good way of keeping track on what requests you've made and how you've edited the request/responses.