Introduction to BurpSuite, Part I

This post will cover BurpSuite, the most popular VAPT (Vulnerability Assessment and Penetration Testing) tool for web applications.

You can use this tool to intercept web requests and responses, including HTTPS, and modify them in real-time to find vulnerabilities in web apps.

We’ll install it onto our Kali box and cover the basics. By the end of this lesson, you’ll have a foundation for exploiting real vulnerabilities.

Before we start, I strongly recommend you familiarize yourself with HTML and HTML forms (if you haven’t already). Treehouse has an excellent course on this. If you’re not a member there, though, I recommend this free Codecademy course.

INSTALLING BURPSUITE

In Kali, open a terminal and run these 2 commands:

sudo apt update
sudo apt install burpsuite

It’s that simple. Run the command “burpsuite” in the terminal to start it:

You will see a terms and conditions page. Click “I Accept.”

Next up is the window below. Since we’ll be using the free version of BurpSuite and not the Professional edition, this page doesn’t concern us. Just click “next.”

You’ll be asked to load from a configuration file. The Burp defaults are OK for this project. Make sure that’s selected and click “Start Burp.”

Now you’re in the Learn tab.

In the top left corner, click “Dashboard.”

The Dashboard

Notice how the page is split into four panes: Tasks, Event log, Issue activity, and Advisory. I’ll break down each:

TASKS

  • This section is for managing tasks. You can see which tasks are running, paused, finished, and so on.

EVENT LOG

  • This contains events from all live tasks and scans. Each item in the event log contains these details:
    • Time– the time of the event
    • Type– critical, error, info, or debug.
    • Source– the task number or tool that triggered the event.
    • Message– a summary of the event.

ISSUE ACTIVITY

  • This shows the vulnerabilities found by BurpSuite’s automated scanner. It’s available only on the Professional edition.

ADVISORY

  • This pane provides a detailed breakdown of a vulnerability. We haven’t selected any vulnerabilities from the Issue activity tab yet, so it looks blank.

Click any issue in the “Issue Activity” pane to see information populate in the Advisory pane.

You’ll see the details of the issue and remediation tactics. I strongly encourage you to explore some of these issues. It’s an excellent resource for learning.

Let’s move on to the “Proxy” tab (two tabs to the right of “Dashboard”).

Proxy

Proxy servers act as a middleman between a client device and a remote server.

BurpSuite’s Proxy is a web proxy server. This is a core service of Burp. It allows you to intercept, inspect, and modify traffic that passes in both directions.

Once we intercept a request, we can tamper with it and then forward it to the server; the same applies to a response on its way back to the browser.

Click the Proxy tab. Make sure Intercept is on. Then click “Open browser.”

In the browser, enter “example.com” as the URL. In the proxy tab, you’ll see the captured request.

The Proxy tab has four sub-tabs: Intercept, HTTP history, WebSockets history, and Proxy settings.

Let’s start with the Intercept tab. There are four sections:

Look at section 1. It has these buttons:

You can use the first 3 buttons to Forward, Drop, or Intercept a request.

The Action button sends a request or response to other sections of BurpSuite (more on this later).

Open browser simply opens the browser.

Pivot to section 2. This pane shows the request or response in 3 formats: Raw, Pretty, or Hex.

The third section, “Inspector,” gives more information about the request or response. You can see the associated cookies, parameters, and headers.

Section 4 is simply a search function. You can search a keyword to see if it’s in your request/response.

That’s it for the Intercept tab. Let’s move on to the HTTP History tab. This shows our browsing history:

If you click “WebSocket history,” you’ll see all WebSocket messages exchanged between Burp’s browser and your target applications.

The last tab is “Proxy settings.” Click it.

This gives us the configuration options for the proxy. We can set multiple proxy listeners, import/export CA certificates, set rules about what to intercept and drop, and much more.

Before we move forward, I’ll cover how to connect BurpSuite to a different browser:

We’ll use a browser extension called FoxyProxy. Install it on your browser.

Click the extension icon and select “Options.”

Click “Add.”

Add a name, the proxy IP address, and the port of Burp’s proxy listener (you can check these under Proxy settings; Burp’s default listener is 127.0.0.1:8080). Click “Save.”

Now click the extension icon again and select the BurpSuite entry you just created.

Enter this URL:

http://burp

Click the “CA Certificate” button to download the CA certificate.

Go to the browser settings. Search “cert” and click “View Certificates.”

Click Import. Find the CA Certificate file in your downloads and select it.

Check the trust boxes for the Burp CA and click “OK.”

Now you can intercept requests or responses from your other browser.

Nice work! So far, we’ve covered:

  • Installing BurpSuite
  • Creating a project on BurpSuite
  • The Dashboard and its 4 sections (Tasks, Event Log, Issue Activity, & Advisory)
  • The Proxy and its 4 tabs (Intercept, HTTP history, WebSockets history, and Proxy settings)
  • How to connect BurpSuite’s Proxy to a different browser

Let’s cover the last section for today: the Repeater.

Repeater

The BurpSuite Repeater is a tool that helps you modify and send HTTP or WebSocket requests repeatedly.

You can use it for many purposes, like:

  • Sending a request with adjusted values to test for input-based vulnerabilities.
  • Sending multiple HTTP requests in a sequence to test for vulnerabilities in multi-step processes, or vulnerabilities that arise from manipulating the connection state.

The repeater has 6 sections:

  1. Repeater allows you to work on multiple messages simultaneously, each in its own tab. The tabs are in this section.
  2. You can use this section to send a request, cancel a hanging one, or scroll through the request history.
  3. The three buttons simply change the layout of the request/response panes.
  4. This shows the body of the request and response.
  5. This shows the target for a request.
  6. The Inspector shows additional information about the request/response of the target.

Before closing, let’s see the Repeater in action.

Head to this URL and click “Access the lab.” You’ll have to create an account with PortSwigger, the company that created and maintains BurpSuite.

When you access the lab, turn the Intercept off in BurpSuite. Then click any product on the site.

Go to the Proxy tab, then click “HTTP history.” Find the URL for the product, click the request, and send it to the repeater by pressing ‘ctrl + shift + R’.

You should see something similar to the image below after pressing ctrl, shift, and “r” simultaneously:

Then click the “send” button.

Click the “Render” tab under response. You’ll see a rendering of the page you clicked on. Like this:

Now look at the request section. Line 1 should be a GET request. Change the product ID to 2.

Once you’ve changed the product ID, send the request (click the orange “Send” button). The response will change in the Render view.

Keep changing the ID and sending the request. This way, you can modify the request and check the response without intercepting it repeatedly.

  • You might be thinking: “why don’t I want to intercept repeatedly?” This is because the number of interceptions can become overwhelming, especially if you are working with a lot of traffic.
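To make the Repeater workflow concrete, here is an added example (not part of the original post or of Burp itself) that does the same edit-and-rebuild step in code: it parses a request in the raw form Burp shows, swaps the productId query parameter, and re-serialises the request, keeping Content-Length correct if a body is present. The request text and the host lab.example are constructed for this example.

```python
"""Edit a raw HTTP request the way Repeater does: parse it, change one
query parameter, and rebuild a request that is still well-formed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in Burp's "Raw" format (CRLF line endings, empty line
# between headers and body). Not captured from any real site.
RAW_REQUEST = (
    "GET /product?productId=1 HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "Cookie: session=abc123\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body

def set_query_param(target, name, value):
    """Return the request target with one query parameter replaced (or added),
    leaving the other parameters in place."""
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[name] = str(value)
    return urlunsplit(parts._replace(query=urlencode(params)))

def build_request(method, target, version, headers, body):
    """Serialise back to raw form. Any old Content-Length is dropped and
    recomputed from the body, so an edited body never desyncs the framing."""
    hdrs = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body:
        hdrs.append(("Content-Length", str(len(body.encode()))))
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in hdrs]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def modify_product_id(raw, product_id):
    """The Repeater step from the lab: take the captured request and change
    productId, keeping cookies and other headers unchanged."""
    method, target, version, headers, body = parse_request(raw)
    target = set_query_param(target, "productId", product_id)
    return build_request(method, target, version, headers, body)

if __name__ == "__main__":
    print(modify_product_id(RAW_REQUEST, 2))
```

The same functions handle a POST whose parameter lives in the body: edit the body string and build_request recomputes Content-Length, which is the detail most often missed when editing requests by hand.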

That’s it for now. In summary, you learned:

  • Installing BurpSuite
  • Creating a temporary project on BurpSuite
  • The Dashboard and its 4 sections (Tasks, Event Log, Issue Activity, & Advisory)
  • The Proxy and its 4 tabs (Intercept, HTTP history, WebSockets history, and Proxy settings)
  • How to connect BurpSuite’s Proxy to a different browser
  • How to use the Repeater to modify and re-send a request

Thanks for reading!