Getting started with Burp Proxy
Last updated: September 9, 2021
Burp Proxy lies at the heart of Burp's user-driven workflow. It operates as a web proxy server between your browser and target applications, and lets you intercept, inspect, and modify the raw traffic passing in both directions. In this section, we'll take you through some of the core features of Burp Proxy so that you can familiarize yourself with how it works.
Note: Using Burp Proxy may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Proxy against non-production systems.
Burp Proxy works in conjunction with the browser that you are using to access the target application. You can either:
- Use Burp's embedded browser, which requires no additional configuration. Go to the "Proxy" > "Intercept" tab and click "Open Browser". A new browser session will open in which all traffic is proxied through Burp automatically. You can even use this to test over HTTPS without the need to install Burp's CA certificate.
- Use an external browser of your choice. For various reasons, you might not want to use Burp's embedded browser. In this case, you need to perform some additional steps to configure your browser to work with Burp, and install Burp's CA certificate in your browser.
Once you have confirmed that your browser is successfully proxying traffic through Burp, you can perform the following steps to help you understand how to use Burp Proxy:
1. In Burp, go to the "Proxy" > "Intercept" tab and ensure that interception is on (if the button says "Intercept is off", click it to toggle the interception status).
2. In your browser, visit any URL. The browser will send a request but will then hang waiting for a response.
3. In Burp, go back to the "Proxy" > "Intercept" tab. You should see your browser's request displayed for you to view and edit. Use the Inspector tool to see the different ways of analyzing the message.
4. Click the "Forward" button to send the request to the server. In most cases, your browser will make more than one request in order to display the page (for images, etc.). Look at each subsequent request and then forward it to the server. When there are no more requests to forward, your browser should have finished loading the URL you requested.
5. In your browser, click the "Refresh" button to reload the current page.
6. In Burp, this time edit the request on the "Proxy" > "Intercept" tab. Change the URL in the first line of the request so that a non-existent item is requested. Forward the request (and any subsequent ones) to the server, then look back in your browser. Although your browser requested the same URL as before, you should see a "Not found" message. This is because you changed the outgoing request on the fly within Burp.
7. In Burp, go to the "Proxy" > "HTTP history" tab. This contains a table of all HTTP messages that have passed through the Proxy. Select an item in the table and look at the HTTP messages in the message editor. If you select the item that you modified, you can choose to display either the original or the edited request from the drop-down menu.
8. Click on a column header in the Proxy history. This sorts the contents of the table according to that column. Click the same header again to reverse-sort on that column, and again to clear the sorting and show items in the default order. Try this for different columns.
9. Within the history table, click on a cell in the leftmost column and choose a color from the drop-down menu. This will highlight that row in the selected color.
10. In another row, double-click within the "Comment" column and type a comment. You can use highlights and comments to annotate the history and identify interesting items.
11. Above the history table there is a filter bar. Click on the filter bar to show the options available. Try changing the filter settings in various ways and see the effect on what is shown in the history table. When the Proxy history has become very large, you can use the filter to hide certain types of items, to help find the items you are looking for.
12. Select an item in the history and show the context menu (usually by right-clicking). The options on the context menu are used to drive your testing workflow within Burp. Choose "Send to Repeater", and go to the "Repeater" tab.
13. In Burp Repeater, you will see that the selected request has been copied into the Repeater tool for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.
14. Go to the "Proxy" > "Options" tab and look at all the options that are available. These can be used to change the behavior of the Proxy listeners, define rules to determine which request and response messages are intercepted by the Proxy, perform automatic modification of messages, and control the Proxy's behavior in other ways. For more details, see Burp Proxy Options.
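To make concrete what happens in the "edit the first line of the request" and "HTTP history" steps above, here is an added Python example (not PortSwigger's code and not part of Burp) that parses a raw HTTP/1.1 request the way an intercepting proxy must, rewrites the request-target, re-serializes it with a correct Content-Length, and records the original and edited versions side by side as the Proxy history does. The sample request and host name are constructed for the example.

```python
"""Added example (not PortSwigger's code): a minimal model of editing an
intercepted request's first line and keeping original/edited history."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    target: str                       # request-target, e.g. "/index.html"
    version: str                      # e.g. "HTTP/1.1"
    headers: List[Tuple[str, str]]    # (name, value), order preserved
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first ':' splits
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


def serialize(req: HttpRequest) -> bytes:
    """Rebuild the raw bytes; Content-Length is recomputed from the body so an
    edited message stays well-formed (a proxy that forgets this breaks the request)."""
    headers = [(n, v) for n, v in req.headers if n.lower() != "content-length"]
    if req.body or req.method in ("POST", "PUT", "PATCH"):
        headers.append(("Content-Length", str(len(req.body))))
    head = "\r\n".join([f"{req.method} {req.target} {req.version}"]
                       + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + req.body


@dataclass
class HistoryEntry:
    original: bytes
    edited: Optional[bytes] = None    # None when forwarded unmodified


def intercept_and_edit(raw: bytes, new_target: str, history: list) -> bytes:
    """Change the request-target on the fly and keep both versions."""
    req = parse_request(raw)
    req.target = new_target
    edited = serialize(req)
    history.append(HistoryEntry(original=raw, edited=edited))
    return edited


# Constructed sample: what a browser might send after clicking "Refresh".
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: demo\r\n\r\n")
```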