Modifying HTTP requests with Burp Proxy
Last updated: May 17, 2022
Read time: 3 Minutes
In this tutorial, you'll learn how to modify an intercepted request in Burp Proxy. This enables you to manipulate the request in ways that the website isn't expecting in order to see how it responds. Using one of our deliberately vulnerable websites, known as "labs", you'll see how this can help you identify and exploit real vulnerabilities.
Web Security Academy
To follow along, you'll need an account on
portswigger.net. If you don't have one already, registration is free and it grants you full access to the Web Security Academy.
Step 1: Access the vulnerable website in Burp's browser
In Burp, go to the Proxy > Intercept tab and make sure interception is switched off.
Launch Burp's browser and use it to visit the following URL:
When the page loads, click Access the lab. If prompted, log in to your portswigger.net account. After a few seconds, you will see your own instance of a fake shopping website.
Step 2: Log in to your shopping account
On the shopping website, click My account and log in using the following credentials:
Notice that you have just $100 of store credit.
Step 3: Find something to buy
Click Home to go back to the home page. Select the option to view the product details for the Lightweight "l33t" leather jacket.
Step 4: Study the add to cart function
In Burp, go to the Proxy > Intercept tab and switch interception on. In the browser, add the leather jacket to your cart to intercept the resulting
POST /cart request.
You may initially see a different request on the Proxy > Intercept tab if the browser is doing something else in the background. In this case, just click
Forward until you see the
POST /cart request as shown in the screenshot above.
Study the intercepted request and notice that there is a parameter in the body called
price, which matches the price of the item in cents.
Step 5: Modify the request
Change the value of the
price parameter to 1 and click Forward to send the modified request to the server.
Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.
Step 6: Exploit the vulnerability
In Burp's browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added for just one cent.
There is no way to modify the price via the web interface. You were only able to make this change thanks to Burp Proxy.
Click the Place order button to purchase the jacket for an extremely reasonable price.
Congratulations, you've also just solved your first Web Security Academy lab! You've also learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy.
Next step - Reissuing requests with Burp RepeaterCONTINUE