
Getting started with Burp Proxy's intercept feature

  • Last updated: August 25, 2022


Burp Proxy's intercept feature lets you intercept HTTP requests and responses sent between the browser and the target server. This enables you to study how the website behaves when you perform different actions.

The intercept feature lets you perform the following useful actions:

  • Intercept a request and modify it before forwarding it to the server.
  • Send interesting requests to Burp's other tools, such as Repeater or Intruder, for further testing.
  • Drop a request to prevent it from reaching the server.

You can find the intercept feature on the Proxy > Intercept tab.

We recommend following the tutorial below to learn how to use Burp Proxy's intercept feature.

For more detailed information, please see the full documentation.

Tutorial

In this tutorial, you'll use Burp Proxy to intercept and modify a request to see how the server responds.

Step 1: Access the lab

Open Burp's browser, and use it to access the following URL:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

Click Access the lab and log in to your PortSwigger account if prompted. This opens your own instance of a deliberately vulnerable shopping website.

Vulnerable shopping website

Step 2: Log in to a user account

Click My account and log in using the following credentials: wiener:peter.

Step 3: Find something to buy

Click Home, then view the details for the Lightweight "l33t" leather jacket.

Step 4: Intercept the add to cart request

In Burp, go to the Proxy > Intercept tab.

Make sure that Intercept is on.

Intercept button

In the browser, add the leather jacket to your cart.

In Burp, notice that the resulting POST /cart request is intercepted.

Intercepting a request

Note

You may initially see a different request on the Proxy > Intercept tab if the browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above.

Step 5: Modify the request

In the request body, change the value of the price parameter to 1.

Modifying a request

Step 6: Send the modified request to the server

Click Forward to send the modified request to the server.

Switch interception off again. Subsequent requests will now pass through Burp Proxy uninterrupted, so you can browse the site as normal. Any HTTP requests the browser makes will still be captured on the Proxy > HTTP history tab.

In Burp's browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added, but you have managed to change the price to just one cent and are able to complete the purchase.

Note

There is no way to modify the price via the web interface. You were only able to make this change thanks to Burp Proxy.
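The server accepts the edited request because it trusts a price the client supplies. The sketch below is an added example, not part of the original tutorial or the lab's code, showing that flawed pattern beside a handler that takes the price from server-side data. The field names productId and quantity, the catalogue value, and the quantity limit are assumptions; only the price parameter and the POST /cart request come from the tutorial.

```python
from urllib.parse import parse_qs

# Constructed catalogue: product id -> unit price in cents (assumed values).
CATALOGUE = {"1": 133700}


def parse_cart_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST /cart body."""
    fields = parse_qs(body, strict_parsing=True)
    return {name: values[-1] for name, values in fields.items()}


def add_to_cart_trusting(body: str) -> dict:
    """Flawed pattern: the unit price is taken from the request body."""
    form = parse_cart_body(body)
    return {
        "product_id": form["productId"],
        "quantity": int(form["quantity"]),
        "unit_price": int(form["price"]),  # client-controlled value
    }


def add_to_cart_hardened(body: str) -> dict:
    """Hardened pattern: the price comes from server-side data only."""
    form = parse_cart_body(body)
    product_id = form["productId"]
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    quantity = int(form["quantity"])
    if not 1 <= quantity <= 99:
        raise ValueError("quantity out of range")
    # Any 'price' field in the body is ignored; the catalogue is authoritative.
    return {
        "product_id": product_id,
        "quantity": quantity,
        "unit_price": CATALOGUE[product_id],
    }


# Constructed request bodies: as the browser sends it, and after the Step 5 edit.
ORIGINAL_BODY = "productId=1&quantity=1&price=133700"
MODIFIED_BODY = "productId=1&quantity=1&price=1"

if __name__ == "__main__":
    for body in (ORIGINAL_BODY, MODIFIED_BODY):
        print(add_to_cart_trusting(body)["unit_price"],
              add_to_cart_hardened(body)["unit_price"])
```

With the hardened handler, the edit made in Step 5 has no effect on the cart total, because the price field is never read.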

Learn more about Burp Proxy's intercept feature

You have now learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy's intercept feature. To learn more, refer to the links below:

Note

If you want to test different inputs in the same request, you can send the request to Burp Repeater. This lets you edit and resend the same request as many times as you like, without having to intercept it each time. For more information, refer to Getting started with Burp Repeater.

You can also practice using Proxy intercept and other Burp Suite features with the deliberately vulnerable "lab" websites on our Web Security Academy.
