In an effort to share techniques and knowledge learned over our time in the application security field, we’ll be doing a series of blog posts on introducing people to Burp Suite. This first post will be an overview of how to get started with Burp and a browser for testing. We’ll continue this series with other topics related to getting started in application security and testing web applications with Burp. Enjoy!
Everyone has their favorite security tools, but when it comes to mobile and web applications I’ve always found myself looking BurpSuite square in the eye. It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I’m just going to go through the installation to paint a good picture of how to get it up quickly.
BurpSuite is freely available with everything you need to get started and when you’re ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I’ll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we’ll get into that a little later.
Requirements and assumptions:
Mozilla Firefox 3.1 or Later
Knowledge of Firefox Add-ons and installation
The Java Runtime Environment installed
Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.
Install the FoxyProxy Standard add-on for Firefox from
Navigate to the directory you’ve downloaded BurpSuite to and double click the burpsuite_free_vx.x.jar file, in this example the file should be burpsuite_free_v1.5.jar
If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait. Soon you’ll see the loading splash screen followed by the program
BurpSuite is a proxy, which means that you’ll be forwarding all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. First, let’s configure this thing.
Click on the Proxy tab located on the top row, and then click the options tab just below in the second row.
You’ll notice all of the proxy settings available here, but there’s a few we want to focus on to get started. First, Look at the Proxy Listener section and make sure that the checkbox under the “Running” column is selected and that the interface reads 127.0.0.1:8080
Next, make sure that the checkboxes for “Intercept requests based on the following rules” and “Intercept Responses based on the following rules” are checked in the following sections.
This will ensure that you capture both HTTP Requests you send and the Responses from the server.
Now, let’s head into firefox and configure FoxyProxy to route traffic through Burp for analysis. Open up Firefox, and note the FoxyProxy icon next to the address bar.
Left click on the icon to open the configuration screen.
Your default screen will look something like this
We will want to add a new proxy by clicking the “Add New Proxy” button. This will open up a window and pop you right on the Proxy Details screen with the Radio button “Manual Proxy Configuration” Selected. This is exactly what we want. All we have to do here is fill in the same settings we placed in Burpsuite. IP address equal to “127.0.0.1” and Port equal to “8080”
Next head over to the “General Tab” at the top and fill in the details. It’s best to call it something you recognize, like “BurpSuite”
Go ahead and click OK and now we can start using our proxy.
Once you save you may see a notice that you haven’t enabled any whitelisted URL patterns. This is one of the features in FoxyProxy that will allow you to use multiple proxy services based on specific URL patterns. We won’t get into that in this guide, so for now just ignore the message for the time being and click “Yes”.
You’ll now see your newly added Proxy on the list. Make sure the enabled column is checked and click close
Now, remember that icon from earlier next to the address bar? If you right click, you’ll be able to select “Use proxy BurpSuite for all URLs”. Make sure Burp is running and visit any website you like. We’ll go to Google for now, so just type http://www.google.com into the address bar and click Go. If it appears that Firefox is taking forever to connect, it’s likely because burp is capturing the request, if not, you may have to enable intercepting in Burp, so let’s go over that now.
Go to BurpSuite and select “Proxy” on the top row of tabs, and “Intercept” in the second row of tabs, both highlighted orange here.
You will notice that my request to Google has been captured by BurpSuite. If you don’t see this you want to make sure that the “Intercept is On” button appears as circled in orange. If it’s set to “Intercept is off” your traffic is likely going through Burp but you’re not watching each request.
Moving forward, you can click the “Forward” button and look at each request and response as it comes through. You will see a blank white screen if there are no more requests or responses to pass.
If we head back to the browser you may see this message if you’re using Google over HTTPS.
You can add an exception everytime this happens when you’re using a proxy, but that can get a little annoying. We can also set Firefox to trust the burp certificate so that we don’t get this error.
The Professional version of burp allows us to get the certificate pretty easily, but in the free version we have to do a little work.
Since we’re already on a page using HTTPS we can click “Add Exception…”. If you navigated away from the page, simply visit any https enabled website and go from there.
Next you’ll see the add exception screen which will allow us to view the certificate. Go ahead and click the View… button.
Here, you’ll see that you have a certificate your browser is warning you about. Since we know that the Portswigger CA is us, we can go ahead and install this into Firefox, but in order to do this we’ll need to export the certificate and note the location. Some important things to note here:
Make sure you select “PortSwigger CA” under the details of the certificate viewer before clicking export.
Make sure you save as the X.509 .crt, .pem file tye.
Click Save, and note the location.
We have to make sure this certificate is installed in Firefox. Accomplishing this is as easy as going into the options of Firefox and selecting “View Certificates” under “Advanced” in the Firefox Options pane.
On the next screen we just want to select import.
Select the certificate you exported earlier from the noted location and click OK. You will be prompted to select the type of trust for the certificate. You’ll want to select “Trust this CA to identify websites”
If done correctly you should be able to find the “Portswigger CA” Certificate name under the “Authorities” tab.
Now, you should be able to navigate to any SSL site in burp without being prompted to trust the certificate.
The next tweak we want to make is to disable Google Safebrowsing. Safebrowsing is obviously enabled for a reason but it can cause unwanted traffic during tests so we will disable it.
- Firefox button > Options > Options (or Tools > Options) > Security
And unchecking both “Block Reported attack sites” and “Block reported web forgeries”.
I certainly hope this guide has been helpful in getting you up and running easily with BurpSuite. We’ll be posting some additional tidbits in the near future on using Burp effectively.