Teach your developers to Burp!

If you are a developer or QA engineer, I hope you find this post useful. It should help you perform functional tests and discover bugs that may lead to security issues in your application, by observing the HTTP requests and responses it exchanges with the browser.

What is Burp Proxy?

Burp Proxy is the intercepting proxy component of Burp Suite. It sits between your browser and the web server, records every HTTP request and response that passes through it, and lets you pause, inspect and modify them before they are forwarded.

What is an HTTP Request?

An HTTP request is sent from the user's browser to the web application server to ask for a resource; the server answers with an HTTP response.

In the sample request/response below, an HTTP GET request is made to a web server listening at localhost:3000, requesting the resource /index.

A simple HTTP GET Request looks like this:

GET /index HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

The corresponding HTTP Response looks like this:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E0D04F563434693A5BD16ED7BC4FEA6F; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2331
Date: Tue, 26 Jun 2018 02:56:51 GMT
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Home</title>
<link href="webjars/bootstrap/3.3.6/css/bootstrap.min.css"
	rel="stylesheet">
</head>
<body>
...

Installation

  1. Go to https://portswigger.net/burp/communitydownload
  2. Download and install the executable for your platform. If you use the JAR file instead, make sure a Java runtime (JRE) is installed in your environment.

Getting Started

  1. Launch Burp Suite. In the Community (free) edition the option to save to and load from an existing project is disabled: click Next (Temporary project), keep Burp defaults and click Start Burp.

  2. Go to the Proxy tab --> Options. Under Proxy Listeners, make sure the listener is running and note its interface and port (default: 127.0.0.1:8080). If another application already listens on that port, click Edit and change Burp's proxy port; note the new port number for the next step.

  3. Configure your browser to send its traffic to Burp by setting its proxy to the listener address from the previous step. I prefer Firefox because it has its own proxy settings and does not use the system proxy, so the rest of the operating system's traffic does not end up in Burp (noisy!). Burp then operates as a man-in-the-middle between your browser and the target web applications, intercepting their traffic. Make sure "Use this proxy server for all protocols" is checked, so that Firefox sends HTTPS requests through Burp as well.

  4. Burp terminates the TLS (SSL) connection from your browser and opens its own connection to the server, presenting the browser with a certificate signed by Burp's own CA. Until the browser trusts that CA it shows a certificate warning on every HTTPS site, so install Burp's CA certificate.
    Go to http://burp in your "proxied" browser and download Burp's CA certificate.
    In the Firefox settings, go to Privacy & Security, click View Certificates, open the Authorities tab and import the certificate downloaded earlier from http://burp, ticking "Trust this CA to identify websites". Click OK.
    Do this only in the browser profile you use for testing: any site presenting a certificate signed by that CA will now be accepted without a warning.

With the setup completed, Burp can now intercept HTTPS traffic.
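The browser is now configured, but as a developer you will often want your own scripts and integration tests to go through Burp too, so that their traffic shows up in HTTP History. The block below is an added example using only the Python standard library; it is not code from the original post. It assumes Burp is listening on 127.0.0.1:8080 and that Burp's CA certificate has been exported in PEM form to burp-ca.pem (the file downloaded from http://burp is DER-encoded; convert it with `openssl x509 -inform der -in cacert.der -out burp-ca.pem`). The local target URL is the one from the sample request above.

```python
"""Send a script's HTTP(S) requests through Burp, mirroring the browser setup above.

Added example (standard library only), not code from the original post.
Assumptions: Burp's listener is 127.0.0.1:8080 and Burp's CA certificate is
available in PEM form as burp-ca.pem (convert the DER download from http://burp with
`openssl x509 -inform der -in cacert.der -out burp-ca.pem`).
"""
import ssl
import urllib.request


def burp_proxies(host="127.0.0.1", port=8080):
    """Proxy map equivalent to Firefox's "Use this proxy server for all protocols":
    plain HTTP and HTTPS both go to Burp's listener (the proxy itself is spoken to over http,
    HTTPS is tunnelled through it with CONNECT)."""
    listener = f"http://{host}:{port}"
    return {"http": listener, "https": listener}


def burp_opener(host="127.0.0.1", port=8080, cacert="burp-ca.pem"):
    """Build a urllib opener that routes every request through Burp.

    cacert is the PEM file of Burp's CA; trusting it is the script equivalent of step 4,
    so HTTPS responses re-signed by Burp verify cleanly instead of failing with
    CERTIFICATE_VERIFY_FAILED. Pass cacert=None to keep the system trust store, in which
    case HTTPS through Burp will (correctly) fail verification.
    """
    ctx = ssl.create_default_context(cafile=cacert) if cacert else ssl.create_default_context()
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(host, port)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch_via_burp(url, opener=None, timeout=10):
    """Fetch url through Burp and return (status, body). The exchange appears in
    Proxy --> HTTP History exactly as a browser request would."""
    opener = opener or burp_opener()
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Local target from the sample request in this post; Burp must be running.
    status, body = fetch_via_burp("http://localhost:3000/index")
    print(status, len(body), "bytes")
```

Keeping the CA file out of the default trust store and passing it only to the opener used for testing avoids quietly trusting Burp's CA for everything else that runs on the machine.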

But, how does it work?

Your browser no longer talks to the web server directly. It opens every connection to Burp's listener and hands it the full request; Burp parses it, lets you look at it or change it, then opens its own connection to the real server, replays the request and relays the response back to the browser. Because both directions pass through Burp, it can record, pause and modify either side of the conversation.
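To make the mechanism concrete, here is a toy intercepting proxy written for this post; it is an added example and is not Burp's code or code from the original post. It handles plain HTTP only: for HTTPS the browser sends `CONNECT host:443`, and reading that traffic requires minting a certificate for the host that the browser trusts, which is exactly why step 4 installs Burp's CA certificate. The listening port 8081 is an assumed value. Point Firefox at it and each request is parsed into the same request line, headers and body that Burp shows, rewritten for the upstream server, printed, and forwarded.

```python
"""A toy intercepting HTTP proxy: what sits between the browser and the server.

Added example, not Burp's code or code from the original post. Plain HTTP only;
CONNECT (HTTPS) is refused because decrypting it needs a trusted CA, as in step 4.
Assumed listener: 127.0.0.1:8081.
"""
import socket
import threading
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    headers is an ordered list of (name, value) pairs, as displayed in Burp's Intercept tab."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_request(method, target, version, headers, body: bytes) -> bytes:
    """Inverse of parse_request: serialise an (edited) request back to bytes."""
    head = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


def set_header(headers, name, value):
    """Replace a header in place (case-insensitively), or append it if absent."""
    out, done = [], False
    for n, v in headers:
        if n.lower() == name.lower():
            if not done:
                out.append((name, value))
                done = True
        else:
            out.append((n, v))
    if not done:
        out.append((name, value))
    return out


def rewrite_for_upstream(raw: bytes):
    """Turn what a proxied browser sends ("GET http://host:port/path HTTP/1.1") into what
    the origin server expects ("GET /path HTTP/1.1" plus Host), and force Connection: close
    so one request maps to one upstream socket. Returns (host, port, bytes_to_send)."""
    method, target, version, headers, body = parse_request(raw)
    if target.startswith("http://"):
        u = urlsplit(target)
        host, port = u.hostname, u.port or 80
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        headers = set_header(headers, "Host", u.netloc)
    else:  # already origin-form: take the upstream from the Host header
        host_hdr = next(v for n, v in headers if n.lower() == "host")
        host, _, port = host_hdr.partition(":")
        port = int(port or 80)
    headers = set_header(headers, "Connection", "close")
    return host, port, build_request(method, target, version, headers, body)


def read_request(sock) -> bytes:
    """Read one request: headers, then Content-Length bytes of body (chunked bodies not handled)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1])
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def handle(client, history):
    """Relay one browser request to its server and stream the response back."""
    with client:
        raw = read_request(client)
        if not raw:
            return
        if raw.startswith(b"CONNECT "):  # HTTPS: would need a CA-signed cert per host
            client.sendall(b"HTTP/1.1 501 Not Implemented\r\nConnection: close\r\n\r\n")
            return
        host, port, upstream_req = rewrite_for_upstream(raw)
        history.append(upstream_req)  # this list is the toy's "HTTP history"
        print(upstream_req.decode("latin-1", "replace"))
        with socket.create_connection((host, port)) as upstream:
            upstream.sendall(upstream_req)
            while chunk := upstream.recv(65536):
                client.sendall(chunk)


def serve(listen=("127.0.0.1", 8081)):
    history = []
    with socket.create_server(listen) as srv:
        print("toy proxy listening on %s:%d" % listen)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, history), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The interesting part is `rewrite_for_upstream`: the request the browser hands a proxy is not byte-for-byte what the server receives, which is why Burp shows you the request in origin form and why a header you edit in Intercept (Host, Cookie, Content-Length) lands unchanged on the server.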

Overview of basic controls

Proxy Tab

  • HTTP History
    This will be your dashboard most of the time: it lists every request made through the proxy, and you can click on any of them to inspect it or send it on to other Burp tools.
    Yup. That is how many requests are made to the server when you load / of https://lazada.sg. There are already so many things you can test!

  • Intercept
    Allows you to intercept and modify requests leaving your browser.
    Make sure the button says "Intercept is on" to be able to intercept. After inspecting and/or modifying the request, click Forward to let it continue to the server, or Drop to discard it so the server never sees it.
    Tip: this is the tool for bypassing a client-side check. Submit input the browser accepts, then modify it here before it reaches the server.

Client-side bypass demo

This is a simple demo of how Burp Suite can be used to bypass a client-side check that prevents a form from being submitted unless the field contains an email address. In most cases such checks are implemented in JavaScript; here we assume the application is using Bootstrap's client-side form control. Submitting a non-email value directly in the browser is blocked before any request is sent.

Now, remember the Intercept feature? Turn it on and try again: first supply a valid email address (e.g. test@test.com) so the browser lets the form submit, then edit the intercepted request and replace the value with something that is not an email address. Click Forward!

Observe that the application accepted the request and created a new record with a non-email value. The check only ever ran inside the browser, and nothing on the server repeated it, so anyone who can edit the request (with Burp, curl, or a few lines of script) can skip it. Client-side validation is a usability feature, not a security control: every rule must be enforced again on the server, where the user cannot modify it.
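To show what the server side of this demo should have done, here is an added example (not code from the original post or from the demo application): a hypothetical `POST /users` handler that stores the form field as received, next to a hardened version that repeats the email rule on the server. The form bodies are constructed for this example; `email=not-an-email` is what the edited request from the Intercept tab looks like on the wire.

```python
"""Server-side counterpart of the client-side email check that Burp just bypassed.

Added example, not code from the original post or its demo application. The endpoint
(POST /users, form-encoded body with an `email` field) is hypothetical, and the request
bodies used below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# Conservative shape check: one local part, one @, a dotted domain. Tighter rules
# (allowed domains, confirmation mail) belong to the application's own policy.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MAX_EMAIL_LEN = 254


def is_valid_email(value: str) -> bool:
    return 0 < len(value) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(value) is not None


def parse_form(body: bytes) -> dict:
    """Decode application/x-www-form-urlencoded. Duplicate fields are rejected rather
    than silently taking the first or last value (another thing Burp makes easy to send)."""
    fields = parse_qs(body.decode("utf-8", "strict"), keep_blank_values=True)
    if any(len(v) != 1 for v in fields.values()):
        raise ValueError("duplicate form field")
    return {k: v[0] for k, v in fields.items()}


def create_user_unchecked(body: bytes):
    """How the demo application behaved: whatever the browser sent is stored.
    Returns (http_status, record)."""
    return 201, {"email": parse_form(body).get("email")}


def create_user(body: bytes):
    """Hardened handler: the rule the browser enforced is enforced again here,
    where the client cannot edit it. Returns (http_status, record_or_error)."""
    try:
        form = parse_form(body)
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "malformed form body"}
    email = form.get("email", "").strip()
    if not is_valid_email(email):
        return 400, {"error": "email: not a valid address"}
    return 201, {"email": email}


if __name__ == "__main__":
    # Constructed bodies: the original submission and the one edited in Intercept.
    for body in (b"email=test%40test.com", b"email=not-an-email"):
        print(body, "unchecked ->", create_user_unchecked(body), "| checked ->", create_user(body))
```

Whatever the client does, the server treats the request body as untrusted input: it parses it strictly, applies the same rule the browser applied, and answers 400 instead of storing the record. The browser-side check stays, but only to give the user quick feedback.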
That should help you get started with Burp Suite and with inspecting your application's traffic. We will cover other functions in future posts!
