[02] Burp Suite Tutorial: Listening for HTTP Traffic, Setting the Target Site Map and Understanding the Message Editor

Koay Yong Cett
6 min read · Dec 6, 2020

Burp is usually described as an intercepting proxy:

  • This means that Burp sits between the user’s web browser and the application’s web server.
  • It intercepts or captures all the traffic flowing between them → this type of behaviour is commonly referred to as a proxy service.
  • Penetration testers use intercepting proxies to capture the traffic flowing between a web browser and a web application for the purpose of analysis and manipulation.
  • For instance, a tester can pause any HTTP request, which allows parameter tampering before the request is sent on to the web server.
  • It allows the tester to intercept both HTTP requests and HTTP responses. This lets the tester observe the behaviour of the web application under different conditions; sometimes that behaviour is not what the original developer expected.

In order to see Burp Suite in action, we need to configure our Firefox browser’s (or any browser you prefer) network settings to point to our running instance of Burp. This allows Burp to capture all traffic flowing between your browser and the target web application.

Getting Ready

We will configure the Firefox browser to allow Burp to listen to all HTTP traffic flowing between the browser and the OWASP BWA VM. This allows the proxy service within Burp to capture traffic for testing purposes.

How to do it [Listening for HTTP traffic]

Steps to go through to listen to all HTTP traffic using Burp:

  1. Open the Firefox browser and go to Options:
  2. In the General tab, scroll down to the Network Proxy section and click Settings.
  3. In Connection Settings, select Manual proxy configuration and enter the IP address 127.0.0.1 with port 8080. In addition, tick the Use this proxy server for FTP and HTTPS checkbox:
  4. Make sure the No proxy for textbox is blank and click OK:
  5. With the OWASP BWA VM running in the background, use Firefox to browse to the URL specific to your machine (that is, the IP address shown in the OWASP BWA VM) and click reload to see whether the traffic is captured in Burp:
  6. If you don’t see any traffic in your browser, check whether Proxy Intercept is holding up the request; this is the case when the button labelled Intercept is on (depressed), as shown in the following screenshot. Click the Proxy|Intercept button to disable interception.
  7. If everything is working properly, you will see the traffic in your Target|Site map tab. Your IP address may differ from mine, and your Site map may contain more items. → Congratulations! Burp is now listening to all your browser traffic.

How it works:

The Burp proxy service is listening on 127.0.0.1, port 8080. Either of these settings can be changed to listen on an alternative IP address or port number. For learning purposes, we will use the default settings.

Burp is also an ethical hacking tool!

Getting to know the tools:

  • Setting the Target Site Map
  • Understanding Message Editor
  • Repeating with Repeater
  • Decoding with Decoder
  • Intruding with Intruder

Introduction:

This part gives an overview of the most commonly used tools within Burp Suite, with some hands-on recipes using OWASP Mutillidae II to get acquainted with Proxy, Repeater, Decoder and Intruder.

Setting the Target Site Map:

Now that we have traffic flowing between your browser, Burp and the OWASP BWA virtual machine, let’s set the scope of our test. For the scope, we will use OWASP Mutillidae II, which is available in the OWASP BWA VM, as our target application.

From our initial proxy setup between the browser, Burp and the web server, we should now have some URLs, folders and files shown in the Target|Site map tab. You may find this too much information to deal with; setting the scope for our project will help us focus on our target.

How to do it [Set Target Site Map]:

Follow these steps to set the Target Site Map:

  1. Search for the folder mutillidae, right-click it and choose Add to scope. If it is not found, try clicking the link on the main page of the OWASP website:
  2. Upon adding the folder mutillidae to your scope, you may be presented with a Proxy history logging dialog box, as below. You can choose to stop collecting messages that are out of scope by clicking Yes, or you can have the Proxy HTTP history table continue collecting any messages passing through Burp, even those that fall outside our scope, by clicking No. For our testing purposes, we will select Yes:
  3. Navigate to the Target|Scope tab; you should now see the full URL for OWASP Mutillidae shown under Include in scope:
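A small Python model of the scope decision just configured, written as an added example (not Burp's own code): URLs are matched against the prefixes the Target|Scope tab lists, and the history filter mirrors the Yes/No choice in the Proxy history logging dialog. It goes a little beyond the steps above by also honouring an Exclude list, which the same tab offers; the host address, scope entries and history entries are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Split a URL into (scheme, host, port, path); host lower-cased, default port filled in."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    return u.scheme.lower(), (u.hostname or "").lower(), port, u.path or "/"

def covers(prefix, url):
    """True when url lies under prefix. The path must match at a segment boundary,
    so a prefix of /mutillidae/ covers /mutillidae/index.php but not /mutillidae2/."""
    ps, ph, pp, ppath = normalize(prefix)
    ts, th, tp, tpath = normalize(url)
    base = ppath.rstrip("/")
    return (ps, ph, pp) == (ts, th, tp) and (tpath == base or tpath.startswith(base + "/"))

def in_scope(url, scope):
    """Scope decision: matched by some 'include' prefix and by no 'exclude' prefix."""
    included = any(covers(p, url) for p in scope.get("include", []))
    excluded = any(covers(p, url) for p in scope.get("exclude", []))
    return included and not excluded

def filter_history(history, scope, log_out_of_scope=False):
    """Mimic the Proxy history logging choice: answering Yes (log_out_of_scope=False)
    keeps only in-scope messages in the HTTP history table; No keeps everything."""
    return [e for e in history if log_out_of_scope or in_scope(e["url"], scope)]

# Constructed scope and proxy history; 192.168.56.101 stands in for the OWASP BWA VM address.
SCOPE = {"include": ["http://192.168.56.101/mutillidae/"],
         "exclude": ["http://192.168.56.101/mutillidae/images/"]}
HISTORY = [
    {"url": "http://192.168.56.101/mutillidae/index.php?page=login.php", "status": 200},
    {"url": "http://192.168.56.101:80/mutillidae/", "status": 200},            # explicit default port
    {"url": "http://192.168.56.101/mutillidae/images/logo.png", "status": 200},  # excluded prefix
    {"url": "http://192.168.56.101/mutillidae2/index.php", "status": 404},      # segment boundary
    {"url": "http://192.168.56.101/dvwa/login.php", "status": 200},             # another BWA app
    {"url": "https://192.168.56.101/mutillidae/", "status": 200},               # other scheme/port
]

if __name__ == "__main__":
    for entry in filter_history(HISTORY, SCOPE):
        print("in scope:", entry["url"])
```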

How it works:

The Message Editor displays detailed information about any HTTP message flowing through the Proxy listener. After setting up the Proxy to capture HTTP traffic, you can select any single message to reveal the Message Editor. Each editor contains the request and response sides of the message, provided the message was properly proxied through Burp:

Understanding the Message Editor:

On almost every tool and tab within Burp that displays an HTTP message, you will see an editor identifying the request and response, commonly known as the Message Editor. It allows HTTP requests and responses to be viewed and edited, with specialized views for each.

Within the Message Editor, there are multiple sub-tabs.

The sub-tabs for a request message include the following:

  • Raw
  • Params (requests that contain parameters or cookies)
  • Headers
  • Hex

The sub-tabs for a response message include the following:

  • Raw
  • Headers
  • Hex
  • HTML (sometimes)
  • Render (sometimes)

How to do it [Explore the Message Editor]:

Let’s explore the multiple tabs available in the Message Editor for each request and response that are captured in Burp.

  1. Observe the Target|Site map tab and notice the Message Editor section:
  2. When viewing a request, note that the sub-tabs available include Raw, Headers and Hex at a minimum. In the case of a request containing parameters or cookies, the Params sub-tab is also available:
  3. The other side of the message is the Response tab, containing the Raw, Headers and Hex sub-tabs, and sometimes HTML and Render. These are the various formats provided for the HTTP response to the request. If the content is HTML, the Render tab appears: it displays the HTML as it would be presented in a browser, but without any JavaScript executed:
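To make the Headers and Params sub-tabs concrete, here is an added Python example (not Burp's code) that takes a raw request as the Proxy captures it and rebuilds those views, tagging each parameter with where it came from (URL, body or cookie), and decides from a response's Content-Type whether the HTML and Render tabs would appear. The request and response are constructed samples with a made-up host, session ID and credentials.

```python
from urllib.parse import urlsplit, parse_qsl
# Constructed sample messages (host, session id and credentials are made up): the kind of
# exchange the Proxy captures when the Mutillidae login form is submitted.
SAMPLE_REQUEST = (
    "POST /mutillidae/index.php?page=login.php HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "Cookie: PHPSESSID=abc123; showhints=1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n\r\n"
    "username=admin&password=secret"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    "<html><body>Login</body></html>"
)

def split_message(raw):
    """Headers view: split a raw message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in h.split(":", 1)) for h in header_lines if ":" in h]
    return start_line, headers, body

def request_params(raw):
    """Params view: every parameter as (where, name, value); body params only for URL-encoded forms."""
    start_line, headers, body = split_message(raw)
    method, target, _version = start_line.split(" ", 2)
    hdrs = {n.lower(): v for n, v in headers}
    params = [("url", k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if method in ("POST", "PUT", "PATCH") and hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for cookie in hdrs.get("cookie", "").split(";"):
        if "=" in cookie:
            name, value = cookie.strip().split("=", 1)
            params.append(("cookie", name, value))
    return params

def response_tabs(raw):
    """Sub-tabs Burp shows for a response: HTML and Render appear only for an HTML body."""
    _, headers, _ = split_message(raw)
    ctype = {n.lower(): v for n, v in headers}.get("content-type", "")
    tabs = ["Raw", "Headers", "Hex"]
    if ctype.split(";")[0].strip().lower() == "text/html":
        tabs += ["HTML", "Render"]
    return tabs

if __name__ == "__main__":
    for where, name, value in request_params(SAMPLE_REQUEST):
        print(f"{where:6} {name} = {value}")
    print("response sub-tabs:", response_tabs(SAMPLE_RESPONSE))
```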

Thanks for reading and please look into the Burp Official site for more information 😃


Koay Yong Cett

A Bachelor of CS student majoring in Network Security (UniSZA). Every story I share is based on my personal opinion. Thank you. I am doing my internship now.