Burp Suite Configuration Chrome

2/15/2022 by admin
As a proxy, Burp Suite is designed to intercept your web traffic. This is a key part of being able to use Burp to manipulate your web traffic as you’re using it to test a website. It’s not just a click-and-play tool though: you need to configure Burp and your device to work together.

If you’ve done any web application pen testing or bug bounty hunting, you’re probably familiar with Burp Suite. If you haven’t used Burp Suite before, this blog post series is meant for you.

What is Burp Suite and why should you use it? Burp Suite is a suite of web application testing tools that help you intercept, modify and automate your interactions with a web application. If you do CTFs, this will make your life a lot easier. And if you want to get into web application testing, Burp Suite is a great tool to have.

This post covers installation, configuration, and the Target and Proxy tools.

Installation and Setup

Burp Suite (from now on, just “Burp”) has a free edition and a professional version. The pro option costs $400. You can request a 7-day trial of that here, or download the free Community Edition here.

Chrome uses the operating system’s certificate store, so to make it trust Burp’s CA certificate on Windows, open the certificate manager, move to the Trusted Root Certification Authorities tab and click Import. Click through the prompts and point it to your newly downloaded certificate. Once you have received a success message, restart both Burp and your browser.

Once you’ve downloaded and installed the program, you’ll need to configure your browser to direct the traffic to Burp Suite.

Burp functions by intercepting all traffic from a browser, allowing you to inspect it, modify it, etc., and then forwarding the requests on. There are two options for proxying traffic to Burp.

  1. Configure proxy settings within your browser settings (not recommended, as you have to manually turn this on or off each time).
  2. Install a browser plug-in like FoxyProxy, which lets you configure the proxy once and then turn the proxy on/off with a single click.

I recommend downloading FoxyProxy, and then creating a profile for BurpSuite. You do this by clicking the FoxyProxy icon, and then clicking options.

Next, click Add and then fill out the form (I used IP address 127.0.0.1/localhost and port 8081).

Once you’ve saved that, you can click the FoxyProxy icon again and turn the proxy on.

Depending on which browser you use, you might want to make use of browser profiles so that settings, cookies, etc. are cleared for your web testing profile. Alternatively, you could use a different browser.

You also need to set up the Burp certificate so that HTTPS requests work properly (otherwise you will get certificate warnings). See this link for details on how to set that up.

You might also consider using a VPN so that your home IP address is not blacklisted by websites that make use of WAFs.

BurpSuite Proxy Settings

Once you’ve got your browser proxy and certificates set up, open up BurpSuite. If you have the free version, you will have to select “Temporary project.” Accept the default settings.

Then, you should see a bunch of tabs. Click the “Proxy” tab and then click “Options.”

You will need to click “Add” and add the same IP address and port number that you configured in FoxyProxy.

Test everything out

With FoxyProxy enabled, and the same IP address and port configured in the Proxy Options tab of Burp Suite, navigate to a web page in the browser that is using FoxyProxy.

A good example site might be http://xss-game.appspot.com

The website won’t load, because Burp has intercepted the request.

If you go to Burp, you will see something like this:

Notice that the Proxy tab and Intercept tabs are both highlighted orange. This will happen when a new event has occurred in a given tab, or some kind of alert has been generated. We’ll see this again later when we send requests to other tools in Burp Suite.

You can look at the request and its headers in any of three tabs: Raw, Headers or Hex. To complete the request, click “Forward.” If you want to stop intercepting traffic, you can click “Intercept is on” and the text (and styling) will change to say “Intercept is off.”

By default, intercept is on when you open Burp.

Proxy

We’ve already seen some of the Proxy tab while configuring the Proxy (Options sub-tab) and viewing our first intercepted request (Intercept tab).

HTTP History

If you click the HTTP History tab, you will see a chronological list of requests that have passed through Burp. This includes the original URL we navigated to, subsequent pages we navigate to, and all of the resources that are requested alongside those pages. For example, this screenshot shows the requests from two pages that I navigated to:

You can click on each of these and details will be loaded into the bottom pane.

If you right-click any response, you get a whole menu of options. You can add a comment, send the request to other Burp tools (which we’ll cover in upcoming blog posts), add to scope, request in browser, and more.

The concept of scope is important, and applies across many tools within Burp. We’ll cover this more in the Target section.

Filtering

Lastly, you can filter the HTTP history list by clicking this bar:

This filter bar appears in many places throughout the application. I wish the UI were different so it was more obvious that you can interact with it, but definitely click on it in various tools to get a sense of what your filtering options are.

As you select/de-select items, the filter bar preview will update to say what filter(s) you’ve selected.

Proxy Options

There are many other options in the Proxy > Options tab. I won’t list all of them here, but you can configure:

  • What types of client requests to intercept
  • How responses should be modified (removing Javascript form validation, etc.)
  • Match and Replace, which allows you to use regexes to set HTTP headers. You could use this to automatically swap out your user-agent header or cookies, for example.

Target

Next, let’s click on the Target tab and then click Site Map (if it isn’t already selected).

This is similar to the HTTP history in that it shows all of the web pages and resources that you’ve requested. The SiteMap, however, shows all of these requests in a tree view that matches the structure of the website.

You can see that the left-hand pane has the XSS Game website, plus a few other sites, like Google Fonts.

If we open up the tree, we can see level1, static, and other folders and files underneath. Each of these requests can be loaded in the righthand pane, with more details about the request and response in the lower pane. This might seem redundant, and it kind of is, but there are benefits to different data perspectives.

Each of the items in the lefthand pane has an icon next to it:

  • The gear icon means that the request is dynamic, i.e. it sent data. In this case, I typed “hi” into the level 1 input box and clicked Send.
  • Directories are denoted by folder icons.
  • Individual pages are denoted by page icons. Sometimes, these have styling to them (like the JS files).

Again, we can click the filter bar and select filters for the data. These filters can include keywords, MIME types, file types, status codes, and more. If you set filters and want to remove them, click the gear icon and select “restore defaults.”

Scope

Lastly, let’s talk about scope. Scope applies to many different tools, and can be configured either in the Target > Scope tab and/or individually in different tools.

Scope is an important concept, especially if you are pen testing. If you use other tools (like Spider, which we’ll cover in upcoming posts) without a scope set, it will be time-consuming, and might also send requests to websites other than the target site. So let’s scope down our results by clicking on the “Scope” tab.

Click “Add” in the “Include in scope” section. Because I am visiting the XSS Game site, I want to only include that in my scope (and not include Google fonts, etc.)

So, I enter “xss-game” into the pop-up and click OK.

You will see a pop-up asking if you want to exclude all out-of-scope items. For now, I clicked “no”.

If you go back to the Site Map tab, you’ll see that all of the sites are still listed.


We need to apply our scope to the list. Click the filter bar and check “Show only in-scope items” and then click the filter bar again to hide it.

Now, you should only see XSS Game URLs in the left-hand pane of the Site Map.

Burp Suite Recap

In this blog post, we covered installation and setup of BurpSuite and a proxy tool. We intercepted our first request, and reviewed filtering, options, and HTTP history in the Proxy section. Finally, we looked at the Site Map in the Target Tool, as well as how filtering, scope and icons work within this section.

Next up will be Spider, Intruder and Repeater!

In this post I will discuss the different features of Burp Suite, how to use them and how they are useful. I will also discuss how to set it up with different browsers, and some advanced tips for the pro version. Note that some of the tabs are only available in the pro version. This won't be a full-on guide to everything, as that is likely to be spread over a few posts.

What is Burp Suite?

Burp Suite (burp) is a web application testing tool designed by Portswigger. Currently it is the industry standard for web application penetration testing. It is also widely used by many individuals who partake in bug bounty hunting. This post discusses a few key features of the suite and some interesting tips along the way.

Setting Up

Before we go anywhere you're going to need to set up your environment. To do this you'll need two things: a testing browser and, of course, Burp Suite, which can be the free version or the pro version. I'll explain how to set up Burp Suite with both Firefox and Chrome; however, these are not the only two browsers available.

Firefox

My personal preference as a testing browser is Firefox Developer Edition with the FoxyProxy plugin for setting proxy settings. Firefox Developer Edition has several benefits over normal Firefox, but it works just the same. The main reason for using it over vanilla Firefox is that there are extra dev tools built in, plus there is a cool dark theme, which is always nice.

  • Step 1: Download the software you need: browser, plugins and Burp Suite, all of which are linked above.

  • Step 2: Open Burp and set up the browser proxy settings.

    • Open Firefox and install FoxyProxy if you haven't already, then left-click the fox icon next to the address bar to bring up the FoxyProxy configuration window.
    • Select 'Add new proxy', enter 127.0.0.1 as the host/IP address and 8080 as the port, then select OK to save. These values are the default listener settings for Burp Suite.
    • Now that Firefox is configured, move over to Burp and either create a temporary project or a project with a name and file location (note that project files are only available in the pro version of Burp). Generally, if you're delivering a job it is useful to have a project file, which will store all of your traffic.
    • Within Burp, navigate to Proxy > Options > Proxy Listeners and ensure that there is one running on 127.0.0.1:8080.

  • Step 3: To test that the listener is set up, go to Firefox, right-click on FoxyProxy and select the proxy we set up earlier. Then browse to a website or IP. If the listener is configured correctly, the request should appear within the Proxy tab in Burp, where you have the option to forward or drop it. Now that this is set up you can turn intercept off and all traffic will still flow through Burp; intercept simply lets you 'play' with individual requests.

Google Chrome

The setup for Chrome on Windows is much the same as for Firefox, as it can also be configured to use FoxyProxy. Setting up Chrome with FoxyProxy is the same as on Firefox: install the extension from the Chrome Web Store and you should be good to go.


Project Files

Only available in the pro version

Project files are very useful, as I mentioned earlier: they store all of the traffic sent in a session, including both in-scope and out-of-scope hosts, which can be useful to view later.

Essentially, think of a project file as a save location for the information stored in your Burp session that can be loaded at a later date. They work alongside the ability to save your session to disk, which is accessible from the Burp menu in the top left-hand corner of the screen (Burp > Save state).

Target Tab

The target tab is one of the most useful tools within burp as it holds the site map for target sites that you are testing. Within the target tab there are two sub tabs, the Scope tab and Site map. Specifically the main information for an application that you are testing is held within the site-map tab.

Scope

The site map can be configured so that only targets within scope are displayed. To do this, first configure the sites within scope: navigate to Target > Scope, then Include in scope. This option allows you to either paste a URL from the address bar or add one manually using the Add button. Additionally, you can load a list of targets from a text file using the Load button, which is very useful for adding several hosts at a time.

Top tip for open-scoped engagements: if a scope states that *.domain.com is within scope you can add this to Burp's scope using the regex ^*.domain.com$. This will add all potential sub-domains into scope, which also means that should you identify other hosts while browsing the main target they will automatically be added to scope and displayed in the site map. Note that an unescaped dot in a regex matches any character, so a tighter pattern such as ^.*\.domain\.com$ avoids accidentally pulling in hosts that merely end in "domain.com" without the separating dot.
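As an added example (not code from the original post), here is a Python model of Burp's regex scope check, run over constructed hostnames; Python's re module rejects a quantifier directly after ^, so the loose pattern is written as ^.*.domain.com$, which is how the tip's pattern reads anyway.

```python
import re

# Constructed sample of hosts that might appear in a proxy session.
HOSTS = [
    "domain.com",
    "www.domain.com",
    "api.dev.domain.com",
    "attackerdomain.com",       # no dot before "domain": not a sub-domain
    "domain.com.attacker.net",  # different registrable domain
    "sub.domainXcom",           # an unescaped dot would match the "X"
]

# The post's pattern with its dots left unescaped (^* written as ^.*).
LOOSE = r"^.*.domain.com$"
# Stricter form: the apex host or any sub-domain, literal dots only.
STRICT = r"^(.*\.)?domain\.com$"


def in_scope(host, include_patterns, exclude_patterns=()):
    """Model Burp's scope rule: a host is in scope when it matches any
    include pattern and no exclude pattern. Hostnames are case-insensitive."""
    flags = re.IGNORECASE
    included = any(re.search(p, host, flags) for p in include_patterns)
    excluded = any(re.search(p, host, flags) for p in exclude_patterns)
    return included and not excluded


def scope_report(pattern, exclude_patterns=()):
    """Map every sample host to whether the given pattern puts it in scope."""
    return {h: in_scope(h, [pattern], exclude_patterns) for h in HOSTS}


def leaked_hosts(pattern):
    """Hosts the pattern admits that are neither domain.com nor a sub-domain."""
    return [h for h in HOSTS
            if in_scope(h, [pattern]) and not in_scope(h, [STRICT])]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, scope_report(pat))
    print("over-matched by loose pattern:", leaked_hosts(LOOSE))
```

Add exclude patterns the same way Burp's "Exclude from scope" does, e.g. to keep a staging sub-domain out of the site map while the rest of the domain stays in scope.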

Tuning Site-map

Besides displaying all of the hosts browsed to in a Burp session, the Site map tab can be tuned to show only the hosts you have set as in scope. This is done by clicking on the bar just below Site map and selecting Show only in-scope items. The image below demonstrates where this option can be found.

This menu area also lets you tweak what is displayed; for example, it can be useful to view only requests that generated particular types of errors.

Spider


The spider tab can be used for discovering content on a site; however, I don't use it very often as it generates masses of traffic. Additionally, it can cause issues with the target application if not tuned correctly.

To use it correctly, I suggest you disable the auto-form submission and auto login 'features' to ensure minimal traffic generation. Doing so will prevent Burp from flooding the target site with form submissions from its default fake user, Peter Wiener.

Scanner

Only available in the pro version

The scanner tab is very useful as it picks up on 'low hanging fruit' vulnerabilities within an application. However like all of the other tools within the suite it can be tuned to work better. By default the options for it are pretty good but with tuning it can be great!

Pairing Intruder with Scanner

Only available in the pro version

To tune the scanner there is a little known trick that will allow you to pinpoint scanning. This can be achieved by trapping a request that has parameters you want to scan then, right clicking on it and sending it to intruder. Once the request is in intruder manually select the areas in which you want to scan then select Actively scan insertion points. This will send the scanner off against only the points in which you've selected instead of randomly scanning points in the app/target.

This can be very useful for pinpointing vulnerabilities in applications that might otherwise be missed.

Repeater

The repeater tool is arguably the most useful and powerful section within the burp suite tool set. It allows requests to be passed to it and modified then resent to the server. During a test I will spend a lot of time in here playing with requests and modifying different parameters to see their responses.


Specifically, it has two main uses. The first is free manipulation of requests, allowing you to target specific parameters and functions within an application. The second, while not a feature or possibly not the intended use, is as a clipboard/archive of interesting requests for you to go back and look at. Imagine you're looking at an application which shows signs of processing certain characters differently: you can right-click and send the request to Repeater to look at later, where you can manipulate it whenever you like.

Intruder

The intruder tool has many functions; however, in this post I am only going to discuss a few of them. Mainly it can be used for fuzzing, error checking and brute-forcing.

In order to utilise intruder, select an interesting request either from the proxy intercept or another you've previously saved in repeater. Right click and select send to intruder. When the request is within intruder select the positions tab to select your inputs, this will look similar to the image below.

The payload positions are up to you to set; however, Burp will auto-select what it thinks are parameters. You can clear this using the Clear button, then choose your own by selecting the parameter and clicking Add §. There are four attack types available in Intruder, and the subsections below explain what each does.

Sniper

The sniper attack takes one wordlist as input and iterates over each parameter, one at a time. If you have multiple insertion points, it will enumerate the first parameter with all the payloads from the wordlist supplied, then move on to the next, and so on. It is best used when you want to fuzz either single or multiple parameters with the same wordlist.

Battering Ram

Like the sniper attack, the battering ram uses a single wordlist however it will iterate over multiple parameters with the same payload for all the parameters. This can be useful when you're looking at how different parameters react to certain payloads.

Pitchfork

The pitchfork attack type runs through multiple parameters at the same time using different payloads for each parameter. This takes a single or multiple wordlists but will iterate through the words in the list split across selected parameters. An example of this is shown:

Cluster Bomb

The cluster bomb attack type takes multiple wordlists and is useful when you have multiple parameters. It runs through all possible combinations of payloads from the wordlists across the parameters: it enumerates one parameter with all the payloads from its respective wordlist while the other parameters hold the first payload from their respective wordlists.

This can be very useful for when you are brute-forcing logins or other parameters/forms requiring two or more inputs.
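As an added example, not code from either post, here is a small Python model of how the four attack types combine marked positions with wordlists; the base values and wordlists are constructed. Its practical use is request_counts, which shows how many requests each mode would send before you run it against an in-scope target.

```python
from itertools import product


def sniper(base_values, wordlist):
    """Sniper: one payload set. Each position is fuzzed in turn with every
    payload while the other positions keep their base (unmodified) value."""
    runs = []
    for i in range(len(base_values)):
        for payload in wordlist:
            values = list(base_values)
            values[i] = payload
            runs.append(tuple(values))
    return runs


def battering_ram(base_values, wordlist):
    """Battering ram: one payload set, the same payload in every position."""
    return [tuple(payload for _ in base_values) for payload in wordlist]


def pitchfork(base_values, wordlists):
    """Pitchfork: one payload set per position, advanced in lock-step, so the
    run stops when the shortest list is exhausted."""
    if len(wordlists) != len(base_values):
        raise ValueError("pitchfork needs one wordlist per position")
    return list(zip(*wordlists))


def cluster_bomb(base_values, wordlists):
    """Cluster bomb: one payload set per position, every combination."""
    if len(wordlists) != len(base_values):
        raise ValueError("cluster bomb needs one wordlist per position")
    return list(product(*wordlists))


def request_counts(base_values, wordlists):
    """Requests each attack type would send for these positions and lists;
    the single-list modes use the first wordlist only."""
    return {
        "sniper": len(sniper(base_values, wordlists[0])),
        "battering_ram": len(battering_ram(base_values, wordlists[0])),
        "pitchfork": len(pitchfork(base_values, wordlists)),
        "cluster_bomb": len(cluster_bomb(base_values, wordlists)),
    }


# Constructed example: a form with two marked positions and two short lists.
BASE = ("user0", "pass0")
USERS = ["alice", "bob"]
PASSWORDS = ["pw1", "pw2", "pw3"]

if __name__ == "__main__":
    for name, runs in (("sniper", sniper(BASE, USERS)),
                       ("battering ram", battering_ram(BASE, USERS)),
                       ("pitchfork", pitchfork(BASE, [USERS, PASSWORDS])),
                       ("cluster bomb", cluster_bomb(BASE, [USERS, PASSWORDS]))):
        print(f"{name}: {len(runs)} requests -> {runs}")
```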

Brute Forcing Basic Authentication

A scenario where Intruder can be very useful is brute-forcing an HTTP basic authentication login mechanism. To do this, first issue a base request with any values as the username and password, and send this to Intruder. I've included an example below.

Notice the last header, Authorization: Basic YWRtaW46YWRtaW4=: this is the login value admin:admin in base64. To attack this we're going to use some of Burp's more advanced Intruder settings.

Mainly, we'll use the custom iterator function, which allows you to split payloads up by a certain character or set of characters of your choosing. In this example I'll be demonstrating a brute-force using a wordlist, which in other words is a dictionary attack as opposed to a pure brute-force attack.

Using a custom iterator allows you to generate your own custom payload string consisting of several substrings. For each substring you can specify a separator, which is basically a suffix. Intruder calls these substrings “positions”.

Setting up the attack, the first thing to do is select the base64 string in the Authorization: Basic header and change the attack type to sniper. Next go to the Payload tab and select the Custom iterator option from Payload type menu.

Next, select position 1 from the Position menu and load your list of usernames here. Put a colon (:) in the Separator for position 1 text box.

Then change the position to 2 and, in position 2, load the values you want to use for password guessing, just as you did for position 1.

After you’ve set your two positions you need to tell Intruder to encode the payload string using Base64 encoding. To do this, go to the Payload processing section and click the Add button. Select the Payload encoding option and then Base64.

By default Burp Intruder will URL-encode selected characters. I recommend that you remove the = symbol from that set, as it is used by base64 for padding and encoding it can introduce issues later on.

When this is done simply select start attack, burp will now run through the usernames and passwords you've provided.

Decoder


As with all of the tools within Burp Suite, each has a useful function. The decoder tool does what the name says: it decodes a selection of character sets and encoding types:

  • Plain Text
  • URL Encoding
  • HTML
  • Base64
  • ASCII Hex
  • Hex
  • Octal
  • Binary
  • Gzip

Data can also be encoded into each of these using the decoder tool. This is particularly useful when you encounter parameters and data within requests that are encoded. By default Burp will attempt to auto-detect the encoding; however, you can also manually select which type of encoding to decode as. Decoder can also be used to take checksums of strings using a variety of hashing functions, which are located in the hash drop-down menu.
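An added Python example (not the author's code) covering two points above: decode_basic_auth decodes the Authorization header from the brute-forcing section and returns None when the base64 padding has been URL-encoded to %3D, which is the failure that section warns about; smart_decode peels off URL-encoding, gzip, ASCII hex and base64 layers in the spirit of Decoder's auto-detect. Sample values are constructed, apart from the admin:admin header quoted in the post.

```python
import base64
import binascii
import gzip
import re
from urllib.parse import unquote


def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <base64>' value into (user, password).
    Returns None when the value is not well-formed; a padding '=' that has
    been URL-encoded to %3D is the classic way this happens."""
    m = re.fullmatch(r"\s*Basic\s+(\S+)\s*", header_value, re.IGNORECASE)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


def smart_decode(value, max_rounds=5):
    """Peel encodings off a value one layer at a time: gzip, URL-encoding,
    ASCII hex, base64. Returns the final bytes and the layers removed.
    Heuristic, as in Burp: a plain string that merely looks like hex or
    base64 will be decoded as well."""
    data = value.encode() if isinstance(value, str) else value
    layers = []
    for _ in range(max_rounds):
        text = data.decode("utf-8", "replace")
        if data[:2] == b"\x1f\x8b":                     # gzip magic bytes
            data = gzip.decompress(data)
            layers.append("gzip")
        elif re.search(r"%[0-9A-Fa-f]{2}", text):       # %xx sequences
            data = unquote(text).encode()
            layers.append("url")
        elif len(data) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", data):
            data = bytes.fromhex(text)
            layers.append("ascii-hex")
        elif len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
            try:
                data = base64.b64decode(data, validate=True)
                layers.append("base64")
            except binascii.Error:
                break
        else:
            break
    return data, layers


def gzip_base64_sample():
    """Constructed value: a gzip-compressed body that was then base64-encoded."""
    return base64.b64encode(gzip.compress(b"token=abc123")).decode()


if __name__ == "__main__":
    print(decode_basic_auth("Basic YWRtaW46YWRtaW4="))
    print(decode_basic_auth("Basic YWRtaW46YWRtaW4%3D"))   # padding URL-encoded
    print(smart_decode("YWRtaW46YWRtaW4%3D"))
    print(smart_decode(gzip_base64_sample()))
```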

Sequencer

The sequencer tool has many functions, but its main use is checking the entropy of tokens and cookies. You send it a request that issues a token; it then replays that request hundreds or thousands of times to check the randomness of the generated values. This is very useful for testing the randomness of cookie or CSRF token generation, mainly when testing authentication and authorization, but it can also be used for testing UUID and GUID values.
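As an added example (not from the original post), a Python per-position entropy check in the spirit of Sequencer's character-level analysis, run over two constructed token samples: a prefix-plus-counter token and a hash-derived one. The threshold of 1.0 bits per position is an assumption chosen for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy, in bits, of an observed symbol distribution."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def per_position_entropy(tokens):
    """Entropy at each character position across the sample. A constant or
    slowly counting position scores near 0 bits; a random hex position
    approaches 4 bits as the sample grows."""
    width = min(len(t) for t in tokens)
    return [shannon_entropy([t[i] for t in tokens]) for i in range(width)]


def weak_positions(tokens, threshold_bits=1.0):
    """Positions that contribute less than threshold_bits of entropy."""
    return [i for i, h in enumerate(per_position_entropy(tokens))
            if h < threshold_bits]


def estimated_bits(tokens):
    """Sum of per-position entropies: an upper bound on effective entropy,
    since correlations between positions are not accounted for."""
    return sum(per_position_entropy(tokens))


# Constructed samples standing in for captured session tokens.
SAMPLE_SIZE = 64
# Predictable: a fixed prefix plus a counter, e.g. "sess00000017".
SEQUENTIAL = [f"sess{i:08d}" for i in range(SAMPLE_SIZE)]
# Unpredictable-looking: 16 hex chars derived from a hash of the index
# (a stand-in for a properly generated random token, not a recommendation).
HASHED = [hashlib.sha256(str(i).encode()).hexdigest()[:16]
          for i in range(SAMPLE_SIZE)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("hashed", HASHED)):
        print(f"{name}: ~{estimated_bits(sample):.1f} bits, "
              f"weak positions {weak_positions(sample)}")
```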

Comparer

Comparer is essentially a diff tool that lets you check the differences between two or more requests, either by words or by bytes. This is useful when an application reacts differently to certain characters or words being used, and it can help identify more information about injection-type vulnerabilities. To use it, simply right-click on a request and select Send to Comparer, then select a second request and do the same. Navigate to the Comparer tab and your requests should be there. Select Bytes or Words, and this will show a comparison of the requests you've sent and highlight the differences.

Extender

Finally, the Extender tab is where add-ons/plugins for Burp are located. This is where extensions can be installed and added. Additionally, the paths to environment files such as Jython and JRuby can be set within this tab, which allows the use of third-party extensions built by developers and approved by PortSwigger. Also located within this tab is information on all of the APIs that Burp Suite exposes, allowing you to write your own extension. For more information on creating an extension, check out PortSwigger's site here.


Inbuilt Documentation

If you want to learn more about certain aspects of Burp Suite that you're unsure of, the application has a very comprehensive inbuilt help function. This is located in the Help tab in the top menu bar.


Did you enjoy this? Check out the other #ltr101 posts here or consider buying my book.
