Burp Proxy lies at the heart of Burp's user-driven workflow. It operates as a web proxy server between your browser and target applications, and lets you intercept, inspect and modify the raw traffic passing in both directions.
Before You Start
- Ensure that Burp is installed and running
- If you want to use an external browser rather than Burp's embedded browser, you need to configure your browser to work with Burp: check your browser's proxy configuration and install Burp's CA certificate
Note: Using Burp Proxy may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Proxy against non-production systems.
In Burp, go to the "Proxy Intercept" tab, and ensure that interception is on (if the button says "Intercept is off" then click it to toggle the interception status).
In your browser, visit any URL. The browser will sit waiting until the request completes.
In Burp, go to the "Proxy Intercept" tab. You should see your browser's request displayed for you to view and edit. Click through each of the message editor tabs ("Raw", "Headers", etc.) to see the different ways of analysing the message.
Click the "Forward" button to send the request to the server. In some cases, your browser will make more than one request in order to display the page (for images, etc.). Look at each subsequent request and then forward it to the server. When there are no more requests to forward, your browser should have finished loading the URL you requested.
In your browser, click the "Refresh" button to reload the current page.
In Burp, this time edit the request in the "Proxy Intercept" tab. Change the URL in the first line of the request so that a non-existent item is requested.
Forward the request (and any subsequent ones) to the server. Then look back in your browser. Although your browser requested the same URL as before, you should see a "Not found" message, because you changed the actual outgoing request on the fly, within Burp.
In Burp Proxy, go to the HTTP History tab. This contains a table of all HTTP messages that have passed through the Proxy. Select an item in the table, and look at the HTTP messages in the request and response tabs. If you select the item that you modified, you will see separate tabs for the original and edited requests.
Click on a column header in the History table. This sorts the contents of the table according to that column. Click the same header again to reverse-sort on that column, and again to clear the sorting and show items in the default order. Try this for different columns.
Within the history table, click on a cell in the leftmost column, and choose a color from the drop-down menu. This will highlight that row in the selected color.
In another row, right-click, select "Add comment" from the context menu and type a comment. You can use highlights and comments to annotate the history and identify interesting items.
Above the history table there is a filter bar. Click on the filter bar to show the options available. Try changing the filter settings in various ways, and see the effect on what is shown in the history table. When the Proxy history has become very large, you can use the filter to hide certain types of items, to help find items you are looking for.
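As an added illustration, not code from Burp or from this guide: a small offline Python model of what the intercept and history steps above do to a request. It rewrites only the URL in the request line, keeps the original and edited versions side by side in a history, supports highlights and comments, and filters rows. The target site is replaced by a constructed stand-in (`fake_server`, `KNOWN_PATHS`), and every name in it is hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample request, as a browser would send it through the proxy.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"User-Agent: demo-browser\r\n\r\n")

KNOWN_PATHS = {"/index.html", "/logo.png"}  # constructed stand-in for the target site


def parse_request_line(raw: bytes) -> tuple:
    """Split the first line of a raw HTTP request into method, target and version."""
    first_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = first_line.split(" ", 2)
    return method, target, version


def fake_server(raw: bytes) -> int:
    """Stand-in for the target application: 200 for known paths, 404 otherwise."""
    _, target, _ = parse_request_line(raw)
    return 200 if target in KNOWN_PATHS else 404


def rewrite_target(raw: bytes, new_target: str) -> bytes:
    """Edit only the URL in the request line, as done by hand in the Proxy Intercept tab."""
    _, sep, rest = raw.partition(b"\r\n")
    method, _, version = parse_request_line(raw)
    return f"{method} {new_target} {version}".encode("ascii") + sep + rest


@dataclass
class HistoryItem:
    original: bytes                  # request exactly as the browser sent it
    edited: Optional[bytes] = None   # request as forwarded, if changed during intercept
    status: Optional[int] = None     # response status code returned by the server
    highlight: Optional[str] = None  # row colour chosen from the leftmost column
    comment: str = ""                # free-text annotation on the row


class ProxyHistory:
    """Minimal model of the Proxy history table: intercept, forward, filter."""
    def __init__(self):
        self.items = []

    def intercept_and_forward(self, raw: bytes,
                              edit: Optional[Callable[[bytes], bytes]] = None) -> HistoryItem:
        edited = edit(raw) if edit else None           # hold the request, optionally edit it
        status = fake_server(edited if edited is not None else raw)  # then forward it
        item = HistoryItem(original=raw, edited=edited, status=status)
        self.items.append(item)
        return item

    def filtered(self, hide_status=(), highlighted_only=False) -> list:
        """Hide rows by status code (e.g. 404s) and/or show only highlighted rows."""
        return [i for i in self.items
                if i.status not in hide_status and (not highlighted_only or i.highlight)]
```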
Select an item in the history, and show the context menu (usually, by right-clicking your mouse). The options on the context menu are used to drive your testing workflow within Burp. Choose "Send to Repeater", and go to the Repeater tab.
You will see the selected request has been copied into the Repeater tool, for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.
Go to the Proxy "Options" tab, and look at all the options that are available. These can be used to change the behavior of the Proxy listeners, define rules to determine what request and response messages are intercepted by the Proxy, perform automatic modification of messages, and control the Proxy's behavior in other ways. For more details, see Burp Proxy options.