BurpSuite is a Swiss army knife of security tools that acts as a proxy between a web browser and web applications. It sits in the middle to provide services like encryption, antivirus scanning, and traffic inspection. Users can download the free or paid version from its website. To use it, users start the BurpSuite Java application, configure their browser to use BurpSuite as a proxy, then browse the web normally. BurpSuite intercepts and logs all traffic in its history tab for analysis of requests, responses, and headers. Users can right-click items to pass them to BurpSuite's repeater, spider, scanner, and other tools for further testing.
Glancing Blow

The Tab Functionality

Proxy – Where It Starts
• A proxy is a piece of software (it could be hardware)
• It sits between one thing and another and behaves as the middleman
• Example
  – You are at your browser communicating with a web app
  – You decide you want a proxy sitting between your browser and the app
  – So, you start a proxy server running and then you tell your browser to send requests to the proxy
  – The proxy receives requests from the browser and forwards them to the web app
  – When responses come back, the proxy routes them to you

Proxy – Where It Starts
[Diagram: Your Browser -> The Proxy -> The Web App Server. Callout on the ports between you and the proxy: "Matching Da Web Ports – This has to be agreed upon".]

Proxy – Why Would You Do This?
• Because the proxy provides a service you want
  – Encryption of traffic
  – Anti-virus scanning (Yikes)
  – Keeping track of sites visited
  – Stopping you from reaching some sites
  – Giving you control over what goes on
  – Allowing you to see what is going on in the exchange
  – Providing services to make your job easier
• The proxy can make your life much simpler

Getting Burp Suite
• There are two versions
  – Professional, about $300/year
  – Not so professional, free, and missing some cool stuff
• Download it from http://portswigger.net
• It's a Java app, so you just download the jar file
• Put it somewhere convenient
  – /home/opt/BurpSuite or C:/opt/BurpSuite or whatever
• To start it, use
  – java -Xmx1024m -jar <path to the jar file>
  – The amount of memory can be lower or larger, but 256m is about the min

How to Proxy with Burp
• Start up Burp Suite

How to Proxy with Burp
• Proxy -> Intercept
[Screenshot callout: you might want to start with Intercept off, so click on it]

How to Proxy with Burp
• Proxy -> Options
[Screenshot callout: if Running isn't checked, check it. This is where your proxy listens. 8080 can be changed. Usually it listens on the system where it is running.]

Setting Up Your Browser – Local Burp
• Firefox
  – Tools -> Options (Win) or Edit -> Preferences (Lin)
  – Advanced -> Connection -> Settings
  – Check Manual Proxy Settings
  – Use this proxy server …
  – Change the port if desired

Setting Up Your Browser – Local Burp
• IE
  – Tools -> Internet Options -> Connections -> LAN Settings
  – Configure Proxy Settings
  – Check Manual Proxy Settings
  – Use this proxy server …
  – Check this if you want
  – Change the port if desired

Setting Up Your Browser – Local Burp
• Advanced tab, but the default is typically correct

Testing Your Setup
• Chromium and Safari left to the reader
• You are now set up.
• To test it, click on the Proxy -> History tab
• Then go to some URL in your browser

The Setup
[Screenshot: simple form and response]

Information in the History Tab
• First, there is a huge amount of information just in the History tab
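The proxy flow from the "Where It Starts" slides and the History tab logging, as an added example that is not part of this deck and not Burp's code: a minimal Python forwarding proxy that records each request/response pair (URL, request headers, status, response headers) the way the History tab does, next to a constructed stand-in web app and a function that sends the absolute-URL request a proxy-configured browser would. It picks free ports automatically instead of Burp's 8080, and the names LoggingProxy, DemoApp, HISTORY, serve and browse_via_proxy are hypothetical.

```python
import http.client, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HISTORY = []  # one entry per request/response pair, like Burp's Proxy -> History tab
_DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
HOP_BY_HOP = ("transfer-encoding", "connection", "proxy-connection", "content-length", "date", "server")

class LoggingProxy(BaseHTTPRequestHandler):
    """Hypothetical minimal intercepting proxy (not Burp's code): forward, log, relay."""
    def do_GET(self):
        # A proxy-configured browser puts the absolute URL in the request line, so
        # self.path is the whole target, e.g. http://127.0.0.1:PORT/login
        req_headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        try:
            with _DIRECT.open(urllib.request.Request(self.path, headers=req_headers), timeout=5) as r:
                status, resp_headers, body = r.status, dict(r.getheaders()), r.read()
        except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry headers and a body
            status, resp_headers, body = e.code, dict(e.headers), e.read()
        HISTORY.append({"url": self.path, "request_headers": req_headers,
                        "status": status, "response_headers": resp_headers})
        self.send_response(status)  # relay the app's answer back to the browser
        for k, v in resp_headers.items():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class DemoApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the web app on the far side of the proxy."""
    def do_GET(self):
        body = b"hello from the app" if self.path == "/" else b"not found"
        self.send_response(200 if self.path == "/" else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(handler):
    """Start handler on a free localhost port in a daemon thread; return the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def browse_via_proxy(proxy_port, url):
    """Do what a proxy-configured browser does: send the absolute URL to the proxy."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url, headers={"User-Agent": "demo-browser"})
    resp = conn.getresponse()
    return resp.status, resp.read()
```

After `serve(DemoApp)` and `serve(LoggingProxy)`, each `browse_via_proxy` call leaves one entry in HISTORY, including the 404 case, which is the same request/response detail the History tab shows per row.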
[Screenshot callouts: Anything useful here? Request headers; Response; Anything useful here? Response headers; Submit; Request params]

Popup Menu Options
• Right-click
• This is how you pass a particular URL to one of the Burp Suite tools.
  – Repeater
  – Spider
  – Active Scan
  – Passive Scan
  – Intruder

A Live Example

Homework 3
• http://www.hackthissite.org
• Go there and register
• The passwords are a pain
• Start with the basic mission and move on up
• You should be able to get through at least 3 of the Realistic Missions
• We are going to talk about some of this next time

Homework 4
• The topic is BurpSuite