The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between your browser and destination web servers. This lets you intercept, inspect and modify the raw traffic passing in both directions.
If the application employs HTTPS, Burp breaks the SSL connection between your browser and the server, so that even encrypted data can be viewed and modified within the Proxy.
Setting up Burp and your browser to work with each other involves the following elements. If you need more help on these items, please see the help on Getting started with Burp Suite.
When you have things set up, visit any URL in your browser, and go to the Intercept tab in Burp Proxy. If everything is working, you should see an HTTP request displayed for you to view and modify. You should also see entries appearing in the Proxy history tab. You will need to forward HTTP messages as they appear in the Intercept tab, in order to continue browsing.
The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow:
Intercepted requests and responses are displayed in an HTTP message editor, which contains numerous features designed to help you quickly analyze and manipulate the messages.
Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks. Sometimes you may want to completely disable interception in the Intercept tab, and freely browse a part of the application's functionality, before carefully reviewing the resulting requests and responses in the Proxy history.
Burp provides the following functions to help you analyze the Proxy history:
A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. For example, having observed an interesting request in the Proxy, you might:
For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options:
Get help and join the community discussions at the Burp Suite Support Center.
This release gives the Scanner the capability to report all instances where user input is returned in application responses, both reflected and stored. The information gathered is primarily of use to manual security testers. Some applications contain numerous instances of input retrieval, since it is very common for the entire URL to be reflected within responses. For these reasons, the new Scanner checks are off by default, but can be turned on in the Scanner options.