Burp Suite Complete Guide (Part 2 - Proxy Module)
We are done configuring Burp Suite with the Firefox browser; now it's time to use it.
Burp Suite has a number of built-in modules, each of which acts as a separate tool, so we will look at each of them separately, with practical examples and detailed but useful descriptions of their settings and options.
After a browser request is intercepted, the Proxy module pops up automatically, and it is the one we will look at in this post.
Burp Suite Proxy Module Tutorial
We are going to use DVWA to generate some requests, and we will see how to analyze those requests and filter out the important things we need to find, along with some settings and configurations of the Proxy module.
Now let's head over to it directly.
We will understand Proxy module requests using the CSRF (Cross-Site Request Forgery) vulnerability, which is directly associated with crafting requests to gain victim credentials.
Burp Suite Intercept Tab
Before changing the password in DVWA, make sure to switch on the proxy in FoxyProxy and keep intercept on.
After hitting Change, Burp Suite will automatically pop up, and the request that is about to be sent to the DVWA application is intercepted by it.
It looks like this: a classic GET request sent to the web application, which reveals many things about how the web application interacts with the browser.
User-Agent, Cookie, Encoding, Referer, etc. are the things we can use or craft to make our forged requests.
Head over to the CSRF tutorial to know more about crafting requests.
Burp Suite Forward Tab
After analyzing or crafting a request, we can forward it to the web application using the Forward tab. (The web application waits until the request is forwarded and then responds according to the request once Forward is pressed.)
Burp Suite Drop Tab
Sometimes you only need to analyze requests without sending them to the web application (pentesting a web application with limited requests). For example, it comes in very handy when you have only 3 requests to send to a web application and, after wrong entries, it will block further requests.
After pressing Drop, this page will show up.
It says the request was dropped by the user, and after pressing back you will return to the same page the request came from.
Burp Suite Action Tab
Another very important tab in Burp Suite, which allows the Proxy to interact with other modules such as Intruder, Repeater, Comparer, and Decoder.
Change Request Method - Gives us one-click functionality to change the request method. It changes a GET request into a POST request in one click, saving lots of time and hassle.
Change Body Encoding - Works well when you need to change the body encoding of a request: just click Change Body Encoding and it does it for you.
Copy URL - Many of you are wondering how to get the URL of a request after modifying and crafting it: click Copy URL and it will copy it for you.
Copy as curl command - Many times a request needs to be run with curl: click Copy as curl command and it is ready to paste into a terminal and execute directly with curl. (Important sometimes.)
The Action tab also gives Copy to file and Paste from file features, which are useful and very handy. Save item can also save requests, so we can use them next time without intercepting again.
Don't intercept this request - If you don't want to intercept requests for some host, IP, file extension, or directory, click Don't intercept this request and select which of them you don't want to intercept. If you are getting uninteresting requests or unwanted things, use these filter rules.
Do intercept response allows us to intercept the response to the request currently displayed, so that it can be used for pen-testing.
URL encoding while typing automatically URL-encodes the request while you are editing it.
Proxy Module Intercept requests
Raw Requests -
Param Requests -
This is the request of this page.
Here we can clearly see the Username and Password parameters, where we can supply inputs or send the request to other modules to work with.
We can also see a cookie parameter, which is also very useful in terms of hacking, such as session hijacking.
Headers (Request Headers) -
As you can see in the picture, you get a clear idea of the Host, User-Agent, Referer, cookies, and lots of other things, well described.
Hex Requests -
As you can see, it is difficult to understand and a bit of a headache, so we leave it to systems and machines to understand.
HTTP History Tab (Proxy) -
A big advantage of the HTTP history is that it gives pretty good information about each request: host, GET or POST method, URL, parameters, and so on.
We can also add filters and find the request we want.
WebSocket history gives us slightly different information, such as direction, TLS, and listening ports.
Burp Suite Proxy Options
Proxy Listeners
Proxy listeners create a local HTTP proxy server that the browser and other HTTP clients connect to. When configured, it will listen for and intercept all the requests traveling from the browser to the web and also the responses from client to server.
By default this proxy listener is set to 127.0.0.1:8080, and the browser also needs to be configured to use this proxy.
All browsers can be listened to and intercepted using this one proxy. Only if we want to test an unusual application or need to work with non-browser-based applications do we need different proxy listeners.
Intercept client response
These settings control which requests and responses are held in the Intercept tab, and we can apply several rules to filter requests and responses.
Rules can be activated or deactivated using checkboxes. Rules can also be added, removed, or modified as we need.
We can filter requests and responses using many parameters such as URL, IP address, MIME type, port number, HTML and CSS types, various parameters, cookies, HTTP methods, status codes, length, and so on. These rules can also be adjusted to work within the scope.
You can use Boolean logic such as AND and OR to combine rules, which are processed in order.
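How rule order changes the outcome when rules are joined with AND and OR, as an added example (not Burp's code and not part of the original post). It assumes the rules are combined strictly left to right, each operator joining the result so far with the current rule; the request fields, the rule tuples and the hosts dvwa.test and cdn.example are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Field extractors for a request modelled as {"method": ..., "url": ...}.
FIELDS = {
    "method": lambda r: r["method"],
    "domain": lambda r: urlsplit(r["url"]).hostname or "",
    "file_extension": lambda r: posixpath.splitext(urlsplit(r["url"]).path)[1].lstrip("."),
}

def should_intercept(request, rules):
    """Evaluate enabled rules in list order: (result so far) AND/OR (this rule)."""
    result = None
    for enabled, operator, field, relationship, pattern in rules:
        if not enabled:
            continue
        hit = re.search(pattern, FIELDS[field](request), re.IGNORECASE) is not None
        if relationship == "does_not_match":
            hit = not hit
        if result is None:            # operator of the first active rule is unused
            result = hit
        elif operator == "and":
            result = result and hit
        else:
            result = result or hit
    return bool(result)

# Constructed rule set: skip static files, OR take every POST, AND stay on one host.
RULES = [
    (True, "", "file_extension", "does_not_match", r"^(gif|jpg|png|css|js|ico)$"),
    (True, "or", "method", "matches", r"^POST$"),
    (True, "and", "domain", "matches", r"(^|\.)dvwa\.test$"),
]

# Constructed requests.
IN_SCOPE_PAGE = {"method": "GET", "url": "http://dvwa.test/vulnerabilities/csrf/"}
IN_SCOPE_IMAGE = {"method": "GET", "url": "http://dvwa.test/dvwa/images/logo.png"}
OTHER_HOST = {"method": "GET", "url": "http://cdn.example/page.php"}

if __name__ == "__main__":
    for req in (IN_SCOPE_PAGE, IN_SCOPE_IMAGE, OTHER_HOST):
        print(req["url"], should_intercept(req, RULES))
```

With conventional precedence (AND binding tighter than OR) the request to cdn.example would be held; evaluated left to right it is not, so the host rule belongs last if it is meant to limit everything before it.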
Automatically fix missing or superfluous new lines at end of requests - If an edited request doesn't have a blank line following the headers, Burp will add one.
If an edited request containing URL-encoded parameters has a new line character in it, Burp will remove that line.
This option is sometimes useful when editing a large number of requests in Intercept, and it avoids issuing invalid requests to the server.
Automatically update Content-Length - This option controls whether the Content-Length header of the message is updated when the message has been modified by the user.
It is useful when the HTTP body has been modified.
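What these two repairs amount to on the wire, as an added example (not Burp's code and not part of the original post). The function name, the sample requests and the host dvwa.test are constructed for illustration.

```python
import re

CRLF = b"\r\n"

def normalize_request(raw: bytes) -> bytes:
    """Repair an edited request: blank line after headers, correct Content-Length."""
    # Split head from body at the first blank line (CRLF or bare LF line endings).
    sep = re.search(rb"\r?\n\r?\n", raw)
    if sep:
        head, body = raw[:sep.start()], raw[sep.end():]
    else:                                   # the blank line was deleted while editing
        head, body = raw.rstrip(b"\r\n"), b""
    request_line, *headers = [line.rstrip(b"\r") for line in head.split(b"\n")]

    def name(header: bytes) -> bytes:
        return header.partition(b":")[0].strip().lower()

    ctype = next((h.partition(b":")[2].strip().lower()
                  for h in headers if name(h) == b"content-type"), b"")
    # Trailing newlines after a URL-encoded body are editing debris: a real
    # newline inside a parameter value would be encoded as %0D%0A.
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        body = body.rstrip(b"\r\n")

    length = b"Content-Length: " + str(len(body)).encode()
    fixed, seen = [], False
    for header in headers:
        if name(header) == b"content-length":
            if not seen:                    # rewrite the first, drop duplicates
                fixed.append(length)
            seen = True
        else:
            fixed.append(header)
    if body and not seen:                   # a body was added to a bodiless request
        fixed.append(length)
    return CRLF.join([request_line, *fixed]) + CRLF + CRLF + body

# Constructed sample: the password value was lengthened in the editor, so the
# stale Content-Length (29) no longer matches, and extra newlines were left.
EDITED_POST = (b"POST /login.php HTTP/1.1\nHost: dvwa.test\n"
               b"Content-Type: application/x-www-form-urlencoded\n"
               b"Content-Length: 29\n\n"
               b"username=admin&password=a-longer-value\n\n")
# Constructed sample: header block with no terminating blank line.
EDITED_GET = b"GET /index.php HTTP/1.1\r\nHost: dvwa.test"

if __name__ == "__main__":
    print(normalize_request(EDITED_POST).decode())
```

A request sent with the stale length of 29 would have its body truncated by the server, or the connection would stall waiting for bytes that never arrive, which is why the header has to follow every body edit.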
Intercepting WebSocket messages
These checkboxes control which WebSocket messages are held for viewing and editing in the Intercept tab.
You can configure whether to intercept outgoing messages (client to server), incoming messages (server to client), or both.
Response Modification -
You can use these options to automatically modify or rewrite the HTML in application responses.
Client-side controls can be removed using the following options:
- Unhide hidden form fields (for easy identification there is a sub-option that prominently highlights unhidden fields on-screen)
- Enable disabled form fields
- Remove input field length limits
- Remove JavaScript form validation
These options can be useful against client-side logic for testing purposes:
- Remove all JavaScript
- Remove <object> tags
These options can be used to deliver sslstrip-like attacks against a victim user whose traffic is unwittingly being listened to by Burp Suite. Use these options together with force TLS in outgoing requests to effectively strip TLS from the user's connection:
- Convert HTTPS links to HTTP
- Remove the secure flag from cookies
Match and Replace
Another very important option of Burp Suite, which allows us to change or replace parts of each HTTP request passing through the proxy. Match and replace rules are executed in turn, and the applicable replacements are made.
Rules can be defined separately for the first line, headers, and body of requests and responses. Each rule is specified with a literal match string or regex pattern and a string to replace it with.
Many default rules are available to assist with common tasks;
they are disabled by default.
If you are having a problem with regex, here is a cheat sheet to make your day easier.
Match and replace can be very useful when fuzz testing user agents and other parameters.
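A small model of ordered match and replace rules applied to one request, as an added example (not Burp's code and not part of the original post). The Rule class, the rule list, the fuzz-ua values and the host dvwa.test are constructed for illustration, and dropping a header that is rewritten to an empty string is an assumption of this model.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    part: str              # "first_line", "header" or "body" of the request
    match: str
    replace: str
    is_regex: bool = True
    enabled: bool = False  # mirrors the post: predefined rules start disabled

    def apply(self, text: str) -> str:
        if self.is_regex:
            # A function replacement keeps the replacement string literal.
            return re.sub(self.match, lambda _m: self.replace, text)
        return text.replace(self.match, self.replace)

def rewrite_request(request: str, rules: list) -> str:
    head, _, body = request.partition("\r\n\r\n")
    first_line, *headers = head.split("\r\n")
    for rule in rules:     # executed in turn: later rules see earlier output
        if not rule.enabled:
            continue
        if rule.part == "first_line":
            first_line = rule.apply(first_line)
        elif rule.part == "header":
            # Matched against each header line; a header rewritten to "" is removed.
            headers = [h for h in map(rule.apply, headers) if h]
        elif rule.part == "body":
            body = rule.apply(body)
    return "\r\n".join([first_line, *headers]) + "\r\n\r\n" + body

# Constructed rules and request for illustration.
RULES = [
    Rule("header", r"^User-Agent:.*$", "User-Agent: fuzz-ua-001", enabled=True),
    Rule("header", r"^Accept-Encoding:.*$", "", enabled=True),  # ask for uncompressed replies
    Rule("header", r"^Cookie:.*$", ""),                         # defined but left disabled
    Rule("header", "fuzz-ua-001", "fuzz-ua-002", is_regex=False, enabled=True),
]
REQUEST = ("GET /index.php HTTP/1.1\r\nHost: dvwa.test\r\n"
           "User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip, deflate\r\n"
           "Cookie: PHPSESSID=constructed\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_request(REQUEST, RULES))
```

The last rule only fires because the first one has already rewritten the User-Agent, which is the practical meaning of rules being executed in turn.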
TLS pass through
This setting can be useful when an application uses different HTTP and HTTPS connections or goes through a problematic TLS connection. In that case this setting passes the TLS connection through directly, and requests and responses from the connection are made available to intercept.
If the checkbox to automatically add entries on client TLS negotiation failure is enabled, Burp will add the relevant server to the TLS pass through list when the client fails TLS negotiation (fails to recognize Burp's CA certificate).
Miscellaneous
These settings control certain behaviors of the Proxy module;
let's see them one by one.
Use HTTP/1.0 in request to server
Useful when some legacy server strictly requires HTTP version 1.0 to function correctly.
Leave it unchecked in other instances.
Use HTTP/1.0 in response to client
Current browsers support both versions of HTTP, i.e. 1.0 and 1.1. Version 1.0 has somewhat reduced functionality compared with 1.1, but 1.0 can be useful when control of browser behavior is needed, such as when performing HTTP pipelining.
Keep it unchecked except when using such things.
Set response header "Connection: close"
This option can be useful when you need to prevent HTTP pipelining in some situations.
Keep it unchecked otherwise.
Set "Connection:Close" on incoming requests
This option may also help to prevent HTTP pipelining in some cases.
Strip Proxy-* headers in incoming requests
Sometimes browsers send information that is intended for the proxy server being used. Some attacks, like buffer overflow, can cause a site to make the browser include sensitive data or requests within these headers. Burp Proxy strips these headers to keep that information from getting out.
Keep this option checked so Burp will not leave the headers unmodified.
Remove unsupported encoding from Accept-Encoding headers in incoming requests
If you are working with a server that supports only unsupported encoding, uncheck this option.
Strip Sec-WebSocket-Extensions headers in incoming requests
Sometimes browsers offer many extensions to WebSocket connections, for compression of content etc.
Some encodings in these extensions can cause problems for Burp when processing those responses, so by default Burp removes this header to reduce the chances of the extensions being used.
If your testing needs to mandate certain extensions, uncheck this option.
Unpack GZIP / deflate in requests
Many applications compress the message body in requests. This option automatically unpacks compressed bodies and makes them available, but sometimes an application can break if it sees that the compression has been removed by Burp.
Check it only when the application seems to accept it.
Unpack GZIP / deflate in response
Most websites out there use GZIP to compress content in responses. This option helps you unpack compressed response bodies.
You can also prevent servers from compressing responses by removing the Accept-Encoding header from requests with the match and replace feature.
Disable web interface at http://burp
This option can be used when your listener has to accept connections on an unprotected interface and you want to prevent others from gaining access to Burp's in-browser interface.
Suppress Burp error messages in the browser
When errors happen in Burp, it sends error messages to the browser. Sometimes, though, we need to run Burp Suite in stealth mode, in an attack such as man in the middle, where a victim could learn of our presence from these errors, so we can suppress these messages and disguise Burp's involvement.
Don't send items to proxy history or live tasks
When you want to do a specific task, like authenticating to an upstream server or performing a match and replace operation, and you don't want to incur the memory and storage overhead of logging the details, you can use this option. It prevents Burp Suite from logging any requests and from running tasks such as live auditing and passive crawling on them.
Don't send items to Proxy history or live tasks if out of scope