
BURP

Burp in a nutshell

Burp is a tool for web application security testing. It comes in three versions, one of which (“Community”) is free. It is installed on the local desktop and consists of an HTTP proxy with a graphical interface for analyzing and modifying traffic.

Browsing through Burp

You can use the browser embedded in Burp (Proxy→Intercept→Open browser) or use an external browser. If using an external browser, then some manual configuration steps are needed on the device where Burp is installed:

  1. Web navigation has to pass through Burp proxy.
  2. A self-signed certificate for Burp has to be installed in the certificate store of the device where Burp has been installed, in order to enable Burp to act as a certification authority. Upon connecting to an HTTPS website, the browser will connect to Burp, and Burp will generate a public-private keypair and a certificate for the public key just generated.

Basic usage

While browsing, Burp records all the HTTP traffic.

Whenever you see an HTTP request in any section of the Burp interface, you can send that HTTP request to the web site again by right-clicking on it. You can also select groups of requests and, in some sections of the interface, edit the HTTP request before sending it again.

Burp constructs a map of the web site based on the recorded HTTP traffic (Target→Site map). Black items are those that have been actually requested while gray items are those that have been inferred from the observed traffic, e.g., links not yet clicked. The professional versions have functionalities for automatic spidering, i.e., for automatically visiting the entire web site and constructing the corresponding site map.

When faced with an unknown application, the common workflow consists of:

  1. Interacting with the application in order to collect HTTP traffic and populate the site map.
  2. Analyzing the traffic in search of potentially critical issues that deserve further analysis and investigation.

Many videos and tutorials on Burp can be found on YouTube. They all assume some basic knowledge of web application security. A video that I think is quite good as an introductory resource is Testing for IDOR Vulnerabilities with Burpsuite.

Key functionalities

  • Proxy→Intercept can be toggled on or off. When off, you can browse normally. When on, each request is stopped by Burp and sent to the web site only upon clicking the Forward button, possibly after modifying the request content.
  • Proxy→HTTP history keeps track of all the traffic passed through Burp, even while Intercept is off.
  • Proxy→Options allows specifying rules for defining:
      • Which requests or responses are stalled for viewing and editing (e.g., stall only requests that contain parameters).
      • Which of a set of predefined modifications are to be applied to responses automatically (e.g., replace HTTPS links with HTTP links).
      • Match-Replace rules for modifying requests or responses automatically (e.g., modify the value of User-Agent headers in requests; strip the Strict-Transport-Security headers from responses).

  • Inspector allows analyzing messages and items found in messages, e.g., for decoding content as well as for editing and applying the relevant encoding automatically.

  • Repeater allows modifying and sending selected HTTP requests repeatedly. An HTTP request is used as a template; modifications can be described by specifying a portion of the template to be modified at each iteration and the set of values to be used for that portion (e.g., a range of integers, a set of predefined words, and the like).
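To make the Match-Replace mechanism from Proxy→Options concrete, here is an added example (not Burp's own code) that parses a constructed HTTP/1.1 request and response and applies the three rules mentioned above: rewrite the User-Agent header, strip Strict-Transport-Security from the response, and rewrite https:// links in the body to http://. The rule format, the header values and the sample traffic are all assumptions made for the example; it also recomputes Content-Length after the body rewrite, which is what an intercepting proxy has to do to keep the modified response well-formed.

```python
import re
from dataclasses import dataclass


@dataclass
class MatchReplaceRule:
    """One Match-Replace rule, modelled on Burp's Proxy->Options entries (assumed format)."""
    where: str     # "request_header", "response_header", "request_body" or "response_body"
    match: str     # regular expression applied to each header line or to the whole body
    replace: str   # replacement text; an empty string deletes the matched header line


# Constructed rule set mirroring the examples given on this page.
RULES = [
    MatchReplaceRule("request_header", r"^User-Agent:.*$", "User-Agent: Burp-Lab/1.0"),
    MatchReplaceRule("response_header", r"^Strict-Transport-Security:.*$", ""),
    MatchReplaceRule("response_body", r"https://", "http://"),
]


def _split(raw: bytes):
    """Split a raw HTTP/1.1 message into start line, header lines and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    return lines[0], lines[1:], body


def apply_rules(raw: bytes, rules, is_response: bool) -> bytes:
    """Apply the rules targeting this message kind and return the rewritten message."""
    start, headers, body = _split(raw)
    kind = "response" if is_response else "request"
    for rule in rules:
        if rule.where == f"{kind}_header":
            rewritten = [re.sub(rule.match, rule.replace, h) for h in headers]
            headers = [h for h in rewritten if h]      # drop header lines the rule emptied
        elif rule.where == f"{kind}_body":
            body = re.sub(rule.match.encode(), rule.replace.encode(), body)
    # A body rewrite changes its length; keep Content-Length consistent, otherwise
    # the browser would truncate the modified response or wait for bytes that never come.
    headers = [f"Content-Length: {len(body)}" if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join([start, *headers]).encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SAMPLE_BODY = b'<a href="https://example.test/login">Login</a>'
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Strict-Transport-Security: max-age=31536000\r\n"
                   + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)

if __name__ == "__main__":
    print(apply_rules(SAMPLE_REQUEST, RULES, is_response=False).decode())
    print(apply_rules(SAMPLE_RESPONSE, RULES, is_response=True).decode())
```

A browser that already holds an HSTS entry for the host keeps upgrading to HTTPS regardless of the stripped header, which is exactly the protection the header is designed to provide; the rule only shows its effect on a first visit in a lab setup.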

My introductory slides

You can find them here