Intercepting HTTP traffic with Burp Proxy – The Daily Swig

In this tutorial, you’ll use a live, deliberately vulnerable website to learn how to intercept and modify HTTP requests with Burp Proxy.

Intercepting a request

Burp Proxy lets you intercept HTTP requests and responses sent between your browser and the target server. This enables you to study how the website behaves when you perform different actions.

Step 1: Launch Burp’s embedded browser

Go to the Proxy > Intercept tab and click Open Browser. This launches Burp’s embedded Chromium browser, which is preconfigured to work with Burp right out of the box.

Position the windows so that you can see both Burp and the browser.

Opening Burp Suite's embedded browser

Step 2: Intercept a request

In Burp, notice that the Intercept is on button is selected.

Intercept is on

Using the embedded browser, try to visit https://portswigger.net and observe that the site doesn’t load. Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.

Viewing an intercepted request in Burp Proxy

The request is held here so that you can study it, and even modify it, before forwarding it to the target server.

Step 3: Forward the request

Click the Forward button several times to send the intercepted request, and any subsequent ones, until the page loads in the browser.

Step 4: Switch off interception

Due to the number of requests browsers typically send, you often won’t want to intercept every single one of them. Click the Intercept is on button so that it now says Intercept is off.

Proxy Intercept is off

Go back to the embedded browser and confirm that you can now interact with the site as normal.

Step 5: View the HTTP history

In Burp, go to the Proxy > HTTP history tab. Here, you can see the history of all HTTP traffic that has passed through Burp Proxy, even while interception was switched off.

Click on any entry in the history to view the raw HTTP request, along with the corresponding response from the server.

Viewing the HTTP history in Burp Proxy

This lets you explore the website as normal and study the interactions between your browser and the server afterwards, which is more convenient in many cases.


Modifying requests in Burp Proxy

In this section, you’ll learn how to modify an intercepted request in Burp Proxy. This enables you to manipulate the request in ways that the website isn’t expecting, so that you can see how it responds. Using one of our deliberately vulnerable websites, known as “labs”, you’ll see how this can help you identify and exploit real vulnerabilities.

Web Security Academy

To follow along, you’ll need an account on portswigger.net. If you don’t have one already, registration is free and it grants you full access to the Web Security Academy.

Step 1: Access the vulnerable website in the embedded browser

In Burp, go to the Proxy > Intercept tab and make sure interception is switched off.

Launch the embedded browser and use it to access the following URL, logging in if prompted:

https://portswigger.net/users?returnurl=/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

When the page loads, click Access the lab to launch your own instance of a fake shopping website. This may take a few seconds to load.

Lab home page

Step 2: Log in to your shopping account

On the shopping website, click My account and log in using the following credentials:

Username: wiener

Password: peter

Notice that you have just $100 of store credit.

Step 3: Find something to buy

Click Home to go back to the home page. Select the option to view the product details for the Lightweight “l33t” leather jacket.

Step 4: Study the add to cart function

In Burp, go to the Proxy > Intercept tab and switch interception back on. In the browser, add the leather jacket to your cart to intercept the resulting POST /cart request.

Study the add to cart function

Note

You may initially see a different request on the Proxy > Intercept tab if your browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above.

Study the intercepted request and notice that there is a parameter in the body called price, which matches the price of the item in cents.

Step 5: Modify the request

Change the value of the price parameter to 1 and click Forward to send the modified request to the server.

Changing the price parameter

Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.

Step 6: Exploit the vulnerability

In the embedded browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added for just one cent.

Note

There is no way to modify the price via the web interface. You were only able to make this change thanks to Burp Proxy.

Click the Place order button to purchase the jacket for an extremely reasonable price.

Congratulations, you’ve just solved your first Web Security Academy lab! You’ve also learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy.
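The lab above works because the server trusts a price that the client sends. The following is an added example, not code from the tutorial or from PortSwigger’s lab, that shows the two halves of that story: a small parser for a raw POST /cart request of the kind shown in the Intercept tab (including the Content-Length check Burp quietly maintains for you when you edit a body), a handler that trusts the client-supplied price parameter, and a hardened handler that ignores it and uses a server-side catalogue. The host, cookie, product IDs, the productId/redir/quantity field names, and the jacket’s catalogue price are all assumptions made for this example; only the price parameter and the $100 credit come from the tutorial.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue: productId -> (name, price in cents).
# Product IDs and prices are assumptions for this example.
CATALOGUE = {
    "1": ("Lightweight \"l33t\" leather jacket", 133700),
    "2": ("Example mug", 1499),
}

STORE_CREDIT_CENTS = 10000  # the $100 of credit the tutorial account starts with


def build_request(body: str) -> str:
    """Serialise a POST /cart request like the one shown in Burp's Intercept tab.
    Content-Length is computed from the body, which is what Burp does for you
    when you edit the body of an intercepted request. Host and cookie are
    placeholders."""
    return (
        "POST /cart HTTP/1.1\r\n"
        "Host: lab.example\r\n"
        "Cookie: session=PLACEHOLDER_SESSION\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and the
    URL-encoded form fields in its body, rejecting a stale Content-Length."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    actual = len(body.encode())
    if declared != actual:
        raise ValueError(f"Content-Length {declared} does not match body length {actual}")
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


def vulnerable_add_to_cart(form: dict, credit: int) -> dict:
    """The flaw the lab demonstrates: the price comes from the client."""
    total = int(form["price"]) * int(form.get("quantity", "1"))
    if total > credit:
        return {"ok": False, "reason": "insufficient credit"}
    return {"ok": True, "charged": total}


def hardened_add_to_cart(form: dict, credit: int) -> dict:
    """Ignore any client-sent price; look the product up server-side and
    validate the quantity so a negative value cannot produce a refund."""
    product = CATALOGUE.get(form.get("productId"))
    if product is None:
        return {"ok": False, "reason": "unknown product"}
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        return {"ok": False, "reason": "bad quantity"}
    if quantity < 1:
        return {"ok": False, "reason": "bad quantity"}
    total = product[1] * quantity
    if total > credit:
        return {"ok": False, "reason": "insufficient credit"}
    return {"ok": True, "charged": total}


def compare(body: str) -> tuple:
    """Run the same request body through both handlers with the tutorial's credit."""
    form = parse_request(build_request(body))["form"]
    return (vulnerable_add_to_cart(form, STORE_CREDIT_CENTS),
            hardened_add_to_cart(form, STORE_CREDIT_CENTS))


if __name__ == "__main__":
    original = "productId=1&redir=PRODUCT&quantity=1&price=133700"
    tampered = "productId=1&redir=PRODUCT&quantity=1&price=1"
    print("original:", compare(original))
    print("tampered:", compare(tampered))
```

With the unmodified body both handlers refuse the jacket because it costs more than the available credit. With the price changed to 1, as in Step 5, the vulnerable handler charges one cent while the hardened handler still refuses; the hardened handler also rejects a negative quantity, which the vulnerable one would turn into a credit.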

Next step – Reissuing requests with Burp Repeater


In this tutorial

  1. Initial Installation
  2. Intercepting HTTP traffic with Burp Proxy
  3. Manually reissuing requests with Burp Repeater
  4. Running your first scan

Source of this news: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
