
Burp Suite, the leading toolkit for web application security testing

Using Burp Proxy

The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between your browser and destination web servers. This lets you intercept, inspect and modify the raw traffic passing in both directions.

If the application uses HTTPS, Burp terminates the TLS (SSL) connection from your browser and opens its own connection to the server, presenting the browser a certificate for the target host that is signed by Burp's own CA. Encrypted traffic can therefore be viewed and modified within the Proxy, but your browser will show certificate warnings (or refuse to connect) unless it has been configured to trust Burp's CA certificate.

Getting Set Up

Setting up Burp and your browser to work with each other involves three elements: a Proxy listener in Burp (by default on 127.0.0.1, port 8080), a browser configured to send its HTTP and HTTPS traffic to that listener, and, for HTTPS sites, Burp's CA certificate installed in the browser's trust store. If you need more help on these items, please see the help on Getting started with Burp Suite.

When you have things set up, visit any URL in your browser, and go to the Intercept tab in Burp Proxy. If everything is working, you should see an HTTP request displayed for you to view and modify, and entries appearing in the Proxy history tab. While interception is on, you need to forward each HTTP message as it appears in the Intercept tab in order to continue browsing; a browser that appears to hang is usually waiting on a message you have not yet forwarded.

Intercepting Requests and Responses

The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow.

Intercepted requests and responses are displayed in an HTTP message editor, which contains numerous features designed to help you quickly analyze and manipulate the messages.

By default, Burp Proxy intercepts only request messages, and does not intercept requests for URLs with common file extensions that are rarely of direct interest when testing (images, CSS, and static JavaScript). You can change this default behavior in the interception options. For example, you can configure Burp to intercept only in-scope requests containing parameters, or to intercept all responses containing HTML. Messages that do not match the intercept rules are forwarded automatically but are still recorded in the Proxy history. Furthermore, you may often want to turn off Burp's interception altogether, so that all HTTP messages are forwarded without requiring user intervention. You can do this using the master interception toggle (the "Intercept is on" / "Intercept is off" button) in the Intercept tab.

Using the Proxy History

Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks. Sometimes you may want to completely disable interception in the Intercept tab, and freely browse a part of the application's functionality, before carefully reviewing the resulting requests and responses in the Proxy history.

Burp provides several functions to help you analyze the Proxy history: a display filter that limits the table by target scope, requests with parameters, MIME type, status code, file extension, annotation and search term; sortable columns; highlighting and comments for annotating interesting items; and a full request and response viewer for each entry.
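To make the two preceding ideas concrete, the intercept rules ("skip static extensions", "only in-scope requests with parameters", "only responses containing HTML") and the history filter and search, here is an added Python model of that logic run over constructed sample traffic. It is illustrative code written for this page, not Burp's own implementation: the extension list, the host names, the parameter names and the `replay_sample` helper are all assumptions, and the sample messages are constructed rather than captured.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qsl, urlsplit

# Assumption: approximates Burp's default "don't intercept" file-extension rule.
STATIC_EXTENSIONS = {"gif", "jpg", "png", "css", "js", "ico"}


def _parse_headers(lines):
    # Header names are case-insensitive, so they are lower-cased for lookup.
    pairs = (line.partition(":") for line in lines if line.strip())
    return {name.strip().lower(): value.strip() for name, _, value in pairs}


class Request(namedtuple("Request", "method url headers body raw")):
    @property
    def host(self):
        return urlsplit(self.url).hostname or ""

    @property
    def extension(self):
        last = urlsplit(self.url).path.rsplit("/", 1)[-1]
        return last.rsplit(".", 1)[-1].lower() if "." in last else ""

    @property
    def params(self):
        # Query-string parameters plus URL-encoded form-body parameters.
        params = dict(parse_qsl(urlsplit(self.url).query))
        if self.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qsl(self.body))
        return params


Response = namedtuple("Response", "status headers body raw")


def parse_request(raw, scheme="https"):
    # The absolute URL is rebuilt from the Host header, as a proxy would do.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = _parse_headers(header_lines)
    url = target if target.startswith("http") else f"{scheme}://{headers['host']}{target}"
    return Request(method, url, headers, body, raw)


def parse_response(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    return Response(int(status_line.split(" ", 2)[1]), _parse_headers(header_lines), body, raw)


def should_intercept_request(req, scope_hosts=(), only_in_scope_with_params=False):
    """Default rule: skip static extensions. The flag tightens it to the
    'only in-scope requests containing parameters' rule described above."""
    if req.extension in STATIC_EXTENSIONS:
        return False
    if only_in_scope_with_params:
        return req.host in set(scope_hosts) and bool(req.params)
    return True


def should_intercept_response(resp):
    """Rule: intercept only responses whose Content-Type says HTML."""
    return "text/html" in resp.headers.get("content-type", "").lower()


class ProxyHistory:
    """Every (request, response) pair seen, with filter/search for reviewing it later."""

    def __init__(self):
        self.entries = []

    def record(self, request, response=None):
        self.entries.append((request, response))

    def filter(self, scope_hosts=None, with_params=False, mime=None, status=None):
        return [(q, r) for q, r in self.entries
                if (scope_hosts is None or q.host in scope_hosts)
                and (not with_params or q.params)
                and (mime is None or (r and mime in r.headers.get("content-type", "")))
                and (status is None or (r and r.status == status))]

    def search(self, pattern):
        rx = re.compile(pattern, re.IGNORECASE)
        return [(q, r) for q, r in self.entries if rx.search(q.raw) or (r and rx.search(r.raw))]


# Constructed sample traffic for the demonstration (not captured from any real site).
SAMPLE_TRAFFIC = [
    ("GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
    ("GET /account?id=1337 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<h1>Account 1337</h1>"),
    ("POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: "
     "application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2",
     "HTTP/1.1 302 Found\r\nLocation: /account?id=1337\r\nContent-Type: text/html\r\n\r\n"),
    ("GET /v1/track?uid=9 HTTP/1.1\r\nHost: cdn.tracker.example\r\n\r\n",
     "HTTP/1.1 204 No Content\r\n\r\n"),
]


def replay_sample(scope_hosts=("shop.example",)):
    """Run the sample through the tightened intercept rule and into the history;
    returns the request lines that would have stopped in the Intercept tab."""
    history, intercepted = ProxyHistory(), []
    for raw_req, raw_resp in SAMPLE_TRAFFIC:
        req, resp = parse_request(raw_req), parse_response(raw_resp)
        if should_intercept_request(req, scope_hosts, only_in_scope_with_params=True):
            intercepted.append(f"{req.method} {req.url}")
        history.record(req, resp)
    return intercepted, history
```

With the tightened rule only the parameterized in-scope requests (`/account?id=1337` and the form `POST /login`) stop in the intercept; the PNG is skipped on extension and the tracker request on scope, yet all four still land in the history, where `filter(mime="text/html")` or `search("password")` find them again.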

Driving Your Testing Workflow

A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. For example, having observed an interesting request in the Proxy, you might send it to Repeater to modify and reissue it by hand, send it to Intruder to automate a customized attack against its parameters, send it to Scanner for active scanning, send it to Spider to crawl onward from that point, send it to Comparer to diff it against another message, or add its host to the target scope.

You can perform all these actions and various others using the context menus that appear in both the Intercept tab and the Proxy history.

Key Configuration Options

For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options. These are grouped into Proxy Listeners (the interfaces and ports Burp binds, and how it handles server SSL certificates), Intercept Client Requests and Intercept Server Responses (the rules that decide which messages stop in the Intercept tab), Response Modification (automatic changes such as unhiding hidden form fields or removing JavaScript form validation), Match and Replace (automatic rewriting of message headers and bodies), SSL Pass Through (hosts whose TLS connections Burp should relay without breaking), and Miscellaneous.


Wednesday, June 11, 2014

v1.6.01

This release contains various enhancements to existing functionality, including improvements to the Spider's link-discovery engine, which now achieves a WIVET score of 50%. There is more work to do in this area, and improved crawling of JavaScript-driven navigation is in the pipeline.

Various bugs have also been fixed.


Copyright © 2014 PortSwigger Ltd. All rights reserved.