Using Burp Proxy
Last updated: August 25, 2022
Read time: 4 Minutes
The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between Burp's browser and destination web servers. This lets you intercept, inspect, and modify the raw traffic passing in both directions.
If the application employs HTTPS, Burp breaks the TLS connection between the browser and the server, so that even encrypted data can be viewed and modified within Burp's tools.
Getting set up
Burp Proxy works in conjunction with Burp's browser to access the target application. To launch Burp's browser, go to the Proxy > Intercept tab and click Open Browser. A new browser session will open in which all traffic is proxied through Burp automatically. You can even use this to test using HTTPS.
When you have things set up, visit any URL in Burp's browser, then go to the Proxy > Intercept tab in Burp Suite. If everything is working, you should see an HTTP request displayed for you to view and modify. You will need to forward HTTP messages as they appear in order to continue browsing. You should also see entries appearing on the HTTP history tab.
Intercepting requests and responses
The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow:
- Manually reviewing intercepted messages is often key to understanding the application's attack surface in detail.
- Modifying request parameters often allows you to quickly identify common security vulnerabilities.
By default, Burp's interception is switched off, so that all HTTP messages are automatically forwarded without requiring user intervention. To enable it, you need to use the master interception toggle in the Intercept tab.
Intercepted requests and responses are displayed in an HTTP message editor, which contains numerous features designed to help you quickly analyze and manipulate the messages.
You may often want to turn off Burp's interception altogether, so that all HTTP messages are automatically forwarded without requiring user intervention. You can do this using the master interception toggle in the Intercept tab.
Using the Proxy history
Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks. Sometimes you may want to completely disable interception in the Intercept tab, and freely browse a part of the application's functionality, before carefully reviewing the resulting requests and responses in the Proxy history.
Burp provides the following functions to help you analyze the Proxy history:
The history table can be sorted by clicking on any column header (clicking a header cycles through ascending sort, descending sort, and unsorted). This lets you quickly group similar items and identify any anomalous items.
You can use the display filter to hide items with various characteristics.
You can annotate items with highlights and comments, to describe their purpose or identify interesting items to come back to later.
Burp Proxy testing workflow
A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. You can do this using the context menus that you can access by right-clicking in various locations throughout Burp.
You could send the request to Repeater to manually modify the request and reissue it over and over.
You could send the request to Intruder to perform various types of automated customized attacks.
You could send the request to Sequencer to analyze the quality of randomness in a token returned in the response.
Key configuration options for Burp Proxy
For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options:
You might need to modify the Proxy listener, to bind to different interfaces, redirect requests to different hosts, handle server TLS certificates differently, or support invisible proxying for non-proxy-aware clients.
You can configure match / replace rules to automatically change the content of requests and responses.
Was this article helpful?
An error occurred, please try again.