Using Burp Proxy

The Proxy tool lies at the heart of Burp's user-driven workflow, and gives you a direct view into how your target application works "under the hood". It operates as a web proxy server, and sits as a man-in-the-middle between your browser and destination web servers. This lets you intercept, inspect and modify the raw traffic passing in both directions.

Intercepting Requests and Responses

The Intercept tab displays individual HTTP requests and responses that have been intercepted by Burp Proxy for review and modification. This feature is a key part of Burp's user-driven workflow.

Manually reviewing intercepted messages is often key to understanding the application's attack surface in detail.

Modifying request parameters often allows you to quickly identify common security vulnerabilities.

Intercepted requests and responses are displayed in an HTTP message editor, which contains numerous features designed to help you quickly analyze and manipulate the messages.

By default, Burp Proxy intercepts only request messages, and does not intercept requests for URLs with common file extensions that are often not directly interesting when testing (images, CSS, and static JavaScript). You can change this default behavior in the interception options. For example, you can configure Burp to only intercept in-scope requests containing parameters, or to intercept all responses containing HTML.

Furthermore, you may often want to turn off Burp's interception altogether, so that all HTTP messages are automatically forwarded without requiring user intervention. You can do this using the master interception toggle, in the Intercept tab.

Using the Proxy History

Burp maintains a full history of all requests and responses that have passed through the Proxy. This enables you to review the browser-server conversation to understand how the application functions, or carry out key testing tasks.

The history table can be sorted by clicking on any column header (clicking a header cycles through ascending sort, descending sort, and unsorted). This lets you quickly group similar items and identify any anomalous items.

You can use the display filter to hide items with various characteristics.

You can annotate items with highlights and comments, to describe their purpose or identify interesting items to come back to later.

You can open additional views of the history using the context menu, to apply different filters or help test access controls.

Driving Your Testing Workflow

A key part of Burp's user-driven workflow is the ability to send interesting items between Burp tools to carry out different tasks. You can do this using the context menus that appear in various locations throughout Burp.

For example, having observed an interesting request in the Proxy, you might quickly perform a vulnerability scan of just that request, using Burp Scanner.

You could send the request to Repeater to manually modify the request and reissue it over and over.

You could send the request to Intruder to perform various types of automated customized attacks.

You could send the request to Sequencer to analyze the quality of randomness in a token returned in the response.

Key Configuration Options

For more specialized testing tasks, or when working with unusual applications, you may need to modify some of Burp Proxy's numerous options.

You might need to modify the Proxy listener, to bind to different interfaces, redirect requests to different hosts, handle server TLS certificates differently, or support invisible proxying for non-proxy-aware clients.

You can configure the Proxy to automatically modify HTTP responses in various systematic ways; for example, to unhide hidden form fields, remove JavaScript form validation, etc.

You can configure match / replace rules to automatically change the content of requests and responses.
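To make the interception rules and match/replace rules described above concrete, here is an added example (not Burp's own code) that models them in plain Python: a predicate that intercepts only in-scope requests with parameters while skipping static content, and a response rule that unhides hidden form fields. The static-extension list, the scope set and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed approximation of a "skip static content" rule; the page only
# names images, CSS and static JavaScript, so this list is an assumption.
STATIC_EXTENSIONS = {"gif", "jpg", "png", "css", "js", "ico"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into the fields the rules need."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines)
    url = urlsplit(target)
    return {"method": method, "host": headers.get("Host", ""),
            "path": url.path, "query": url.query, "body": body,
            "content_type": headers.get("Content-Type", "")}


def has_parameters(req: dict) -> bool:
    """URL query or URL-encoded form body counts as 'contains parameters'."""
    form = "application/x-www-form-urlencoded" in req["content_type"]
    return bool(req["query"]) or (form and bool(req["body"]))


def is_static(req: dict) -> bool:
    """True when the final path segment carries a static-content extension."""
    name = req["path"].rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1].lower() in STATIC_EXTENSIONS


def should_intercept(req: dict, scope: set) -> bool:
    """Model of 'intercept only in-scope requests containing parameters'."""
    return req["host"] in scope and has_parameters(req) and not is_static(req)


# A match/replace rule modelling the "unhide hidden form fields" response option:
# (compiled pattern, replacement text). Case-insensitive, tolerant of spacing.
UNHIDE_HIDDEN_FIELDS = (re.compile(r'type\s*=\s*"hidden"', re.I), 'type="text"')


def apply_response_rules(body: str, rules=(UNHIDE_HIDDEN_FIELDS,)) -> str:
    """Apply each match/replace rule in order to a response body."""
    for pattern, replacement in rules:
        body = pattern.sub(replacement, body)
    return body
```

Because every rule is an independent predicate or regex pair, the same shape extends to other criteria Burp exposes, such as intercepting only responses whose body contains HTML.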