
Burp Suite, the leading toolkit for web application security testing

Getting Started With Burp Proxy

Burp Proxy lies at the heart of Burp's user-driven workflow. It operates as a web proxy server between your browser and target applications, and lets you intercept, inspect and modify the raw traffic passing in both directions.

Note: Using Burp Proxy may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Proxy against non-production systems.

To start getting to know Burp Proxy, carry out the following steps:

  1. First, ensure that Burp is installed and running, and that you have configured your browser to work with Burp.
  2. In Burp, go to the Proxy Intercept tab, and ensure that interception is on (if the button says "Intercept is off" then click it to toggle the interception status).
  3. In your browser, visit any URL. The browser will appear to hang: Burp is holding the request and will not send it to the server until you forward it.
  4. In Burp, go to the Proxy Intercept tab. You should see your browser's request displayed for you to view and edit. Click through each of the message editor tabs (Raw, Headers, etc.) to see the different ways of analyzing the message.
  5. Click the "Forward" button to send the request to the server. In most cases, your browser will make more than one request in order to display the page (for images, etc.). Look at each subsequent request and then forward it to the server. When there are no more requests to forward, your browser should have finished loading the URL you requested.
  6. In your browser, click the Refresh button to reload the current page.
  7. In Burp, this time edit the request in the Proxy Intercept tab. Change the URL in the first line of the request so that a nonexistent item is requested. Forward the request (and any subsequent ones) to the server. Then look back in your browser. Although your browser requested the same URL as before, you should see a "Not found" message, because you changed the actual outgoing request on the fly, within Burp.
  8. In Burp, go to the Proxy History tab. This contains a table of all HTTP messages that have passed through the Proxy. Select an item in the table, and look at the HTTP messages in the request and response tabs. If you select the item that you modified, you will see separate tabs for the original and modified requests.
  9. Click on a column header in the Proxy history. This sorts the contents of the table according to that column. Click the same header again to reverse-sort on that column, and again to clear the sorting and show items in the default order. Try this for different columns.
  10. Within the history table, click on a cell in the leftmost column, and choose a color from the drop-down menu. This will highlight that row in the selected color. In another row, double-click within the Comment column and type a comment. You can use highlights and comments to annotate the history and identify interesting items.
  11. Above the history table there is a filter bar. Click on the filter bar to show the options available. Try changing the filter settings in various ways, and see the effect on what is shown in the history table. When the Proxy history has become very large, you can use the filter to hide certain types of items, to help find items you are looking for.
  12. Select an item in the history, and show the context menu (usually, by right-clicking your mouse). The options on the context menu are used to drive your testing workflow within Burp. Choose "Send to Repeater", and go to the Repeater tab. You will see the selected request has been copied into the Repeater tool, for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.
  13. Go to the Proxy Options tab, and look at all the options that are available. These can be used to change the behavior of the Proxy listeners, define rules to determine what request and response messages are intercepted by the Proxy, perform automatic modification of messages, and control the Proxy's behavior in other ways. For more details, see Burp Proxy Options.
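The steps above exercise one idea: a proxy sits between the browser and the server, shows you the raw request, lets you edit it, forwards what you edited, and records both versions. The following is an added example written for this page (not Burp's or PortSwigger's code) that does exactly that in miniature, so you can see why step 7 yields "Not found" although the browser asked for the same URL. Everything in it is constructed: the backend that only knows `/index.html`, the `intercept` hook standing in for the Intercept tab, the `history` list standing in for the Proxy history, and the port numbers, which are picked at run time. It needs only the Python standard library and runs entirely on loopback.

```python
"""Minimal intercepting forward proxy: example code added for illustration,
not part of Burp Suite. All names, hosts and ports here are made up."""
import http.client
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers that a proxy must not relay to the origin server.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding"}


class BackendHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target application: only /index.html exists."""

    def do_GET(self):
        if self.path == "/index.html":
            status, body = 200, b"<html><body>hello</body></html>"
        else:
            status, body = 404, b"Not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_proxy_handler(intercept, history):
    """Build a forward-proxy handler. `intercept(method, url, headers)` plays the
    role of the Intercept tab: whatever it returns is what is actually sent.
    `history` collects original request, modified request and status, like the
    Proxy history tab does."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # A forward proxy receives the absolute URL on the request line.
            headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
            original = (self.command, self.path, dict(headers))
            method, url, headers = intercept(self.command, self.path, headers)
            parts = urlsplit(url)
            selector = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
            conn.request(method, selector, headers=headers)
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
            history.append({"original": original,
                            "modified": (method, url, dict(headers)),
                            "status": resp.status})
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return ProxyHandler


def serve(handler):
    """Start an HTTPServer on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(proxy_port, url):
    """Fetch `url` through the proxy, as a browser configured for Burp would."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read()


def run_demo():
    """Steps 3 to 8 in miniature: forward one request unchanged, then edit the
    next one so that a nonexistent item is requested, and return what happened."""
    backend = serve(BackendHandler)
    target = f"http://127.0.0.1:{backend.server_port}/index.html"
    history = []
    hook = {"fn": lambda method, url, headers: (method, url, headers)}  # plain "Forward"
    proxy = serve(make_proxy_handler(lambda m, u, h: hook["fn"](m, u, h), history))
    try:
        first_status, _ = fetch_via_proxy(proxy.server_port, target)
        # Step 7: change the path on the request line before forwarding.
        hook["fn"] = lambda method, url, headers: (
            method, url.replace("/index.html", "/no-such-item.html"), headers)
        second_status, second_body = fetch_via_proxy(proxy.server_port, target)
    finally:
        proxy.shutdown(); proxy.server_close()
        backend.shutdown(); backend.server_close()
    return first_status, second_status, second_body, history


if __name__ == "__main__":
    first, second, body, hist = run_demo()
    print(first, second, body)
    for entry in hist:
        print(entry["original"][1], "->", entry["modified"][1], entry["status"])
```

The second history entry keeps both the request the client sent and the one the proxy actually forwarded, which is the "original" versus "modified" distinction you see in the Proxy history for an edited item. Real Burp also handles HTTPS by generating per-host certificates and handles every method and body; this example deliberately covers only GET over plain HTTP so the intercept-and-forward logic stays visible.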



Wednesday, June 11, 2014

v1.6.01

This release contains various enhancements to existing functionality, including improvements to the Spider's link-discovery engine, which now achieves a WIVET score of 50%. There is more work to do in this area, and improved crawling of JavaScript-driven navigation is in the pipeline.

Various bugs have also been fixed.


Copyright © 2014 PortSwigger Ltd. All rights reserved.