2. Intercept HTTP traffic with Burp Proxy
Last updated: September 9, 2021
Read time: 4 Minutes
In this tutorial, you'll use a live, deliberately vulnerable website to learn how to intercept and modify HTTP requests with Burp Proxy.
Intercepting a request
Burp Proxy lets you intercept HTTP requests and responses sent between your browser and the target server. This enables you to study how the website behaves when you perform different actions.
Step 1: Launch Burp's embedded browser
Go to the Proxy > Intercept tab and click Open Browser. This launches Burp's embedded Chromium browser, which is preconfigured to work with Burp right out of the box.
Position the windows so that you can see both Burp and the browser.
Step 2: Intercept a request
In Burp, notice that the Intercept is on button is selected.
Using the embedded browser, try to visit https://portswigger.net and observe that the site doesn't load. Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.
The request is held here so that you can study it, and even modify it, before forwarding it to the target server.
Step 3: Forward the request
Click the Forward button several times to send the intercepted request, and any subsequent ones, until the page loads in the browser.
Step 4: Switch off interception
Due to the number of requests browsers typically send, you often won't want to intercept every single one of them. Click the Intercept is on button so that it now says Intercept is off.
Go back to the embedded browser and confirm that you can now interact with the site as normal.
Step 5: View the HTTP history
In Burp, go to the Proxy > HTTP history tab. Here, you can see the history of all HTTP traffic that has passed through Burp Proxy, even while interception was switched off.
Click on any entry in the history to view the raw HTTP request, along with the corresponding response from the server.
This lets you explore the website as normal and study the interactions between your browser and the server afterwards, which is more convenient in many cases.
Modifying requests in Burp Proxy
In this section, you'll learn how to modify an intercepted request in Burp Proxy. This enables you to manipulate the request in ways that the website isn't expecting, so you can see how it responds. Using one of our deliberately vulnerable websites, known as "labs", you'll see how this can help you identify and exploit real vulnerabilities.
Web Security Academy
To follow along, you'll need an account on portswigger.net. If you don't have one already, registration is free and it grants you full access to the Web Security Academy.
Step 1: Access the vulnerable website in the embedded browser
In Burp, go to the Proxy > Intercept tab and make sure interception is switched off.
Launch the embedded browser and use it to access the following URL, logging in if prompted:
When the page loads, click Access the lab to launch your own instance of a fake shopping website. This may take a few seconds to load.
Step 2: Log in to your shopping account
On the shopping website, click My account and log in using the following credentials:
Notice that you have just $100 of store credit.
Step 3: Find something to buy
Click Home to go back to the home page. Select the option to view the product details for the Lightweight "l33t" leather jacket.
Step 4: Study the add to cart function
In Burp, go to the Proxy > Intercept tab and switch interception back on. In the browser, add the leather jacket to your cart to intercept the resulting POST /cart request.
You may initially see a different request on the Proxy > Intercept tab if your browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above.
Study the intercepted request and notice that there is a parameter in the body called price, which matches the price of the item in cents.
Step 5: Modify the request
Change the value of the price parameter to 1 and click Forward to send the modified request to the server.
Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.
Step 6: Exploit the vulnerability
In the embedded browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added for just one cent.
There is no way to modify the price via the web interface. You were only able to make this change thanks to Burp Proxy.
Click the Place order button to purchase the jacket for an extremely reasonable price.
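The lab works because the server trusts the price value that arrives in the POST /cart body, which the browser's interface never lets you edit but a proxy does. The following is an added example, not code from the lab or from PortSwigger: a framework-free model of that endpoint, showing the trusting handler beside a hardened one that takes the price from a server-side catalog and records any mismatch for detection. The parameter names productId and quantity, the catalog contents, and the request body are constructed for this example; only the price parameter comes from the tutorial.

```python
# Added example (not the lab's own code): why a cart endpoint must never trust a
# client-supplied price. productId/quantity names, CATALOG and the body are assumptions.
from urllib.parse import parse_qs

# Server-side catalog: the only legitimate source of prices (in cents). Assumed values.
CATALOG = {"1": {"name": 'Lightweight "l33t" leather jacket', "price": 133700}}

# Constructed body in the shape of the intercepted POST /cart request after the
# price field has been changed from the catalog value to 1 through the proxy.
TAMPERED_BODY = "productId=1&quantity=1&price=1"


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_to_cart_vulnerable(body: str) -> dict:
    """Trusts the client's price field: the behaviour the lab demonstrates."""
    form = parse_form_body(body)
    qty = int(form.get("quantity", "1"))
    unit_price = int(form["price"])          # attacker-controlled value used as-is
    return {"productId": form["productId"], "quantity": qty,
            "unit_price": unit_price, "total": unit_price * qty}


def add_to_cart_hardened(body: str, audit_log: list) -> dict:
    """Ignores any client price, looks it up server-side and logs tampering attempts."""
    form = parse_form_body(body)
    item = CATALOG.get(form.get("productId", ""))
    if item is None:
        raise ValueError("unknown product")
    qty = int(form.get("quantity", "1"))
    if qty < 1 or qty > 99:
        raise ValueError("invalid quantity")
    if "price" in form and form["price"] != str(item["price"]):
        # Detection hook: a mismatch can only come from a modified request,
        # because the site's own forms always send the catalog price.
        audit_log.append(f"price tamper: productId={form['productId']} "
                         f"submitted={form['price']} expected={item['price']}")
    return {"productId": form["productId"], "quantity": qty,
            "unit_price": item["price"], "total": item["price"] * qty}


if __name__ == "__main__":
    log = []
    print("vulnerable:", add_to_cart_vulnerable(TAMPERED_BODY))
    print("hardened:  ", add_to_cart_hardened(TAMPERED_BODY, log))
    print("audit log: ", log)
```

The hardened handler does not reject the request outright; it charges the catalog price and writes an audit entry, so a tampered submission shows up in logs without giving the sender a signal that the value was compared. Dropping the price field from the form entirely is the cleaner long-term fix, since the server has no legitimate use for it.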
Congratulations, you've just solved your first Web Security Academy lab! You've also learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy.
Next step - Reissuing requests with Burp Repeater