How to modify the requests — Burp Suite to the rescue

mati-qa
5 min read · Sep 19, 2023

Sometimes, it is necessary to go beyond the functionality provided by the UI, for example, to test whether the server is properly validating the submitted values rather than relying on the client. Instead of using the standard API call, you can manipulate the requests and responses directly, which can be more fun and gives you more flexibility.

Burp Suite is an awesome tool that is widely used for security testing. It has a Community Edition, which contains only the basic features, but it is free and sufficient for our needs. Here you can find more information about it and download it. The tool is available for most platforms, such as Windows, macOS, and Linux. The installation process is very easy: simply run the installer and click “Next” until the installation is complete. Once the installation is complete, you can try to run the tool. The following image shows the Community Edition start-up screen:

Here, we can observe the first limitation of the Community Edition: only temporary projects are allowed. So, we can simply click “Next” to see the next screen.

We are allowed to select the configuration, but as we are newbies, we will use the default one. We could also disable the extensions, as we will not use them, but we can also leave them as they are. So, let’s hit the “Start Burp” button. This action should open the Burp dashboard screen (as shown below).

We can see many things here: many tabs, the Event log area, Issue activity, and advisories. Most of these things are not important for us (at the moment). We will focus on the Proxy tab’s functionality. You can also check the Event log for information about the proxy service starting. So, let’s click the Proxy tab (third from the left) and then the Open browser button.

This will open a Chromium browser with the proxy configuration applied. Of course, you can configure your own browser to use the same proxy, but this is the easiest way to start. As you can see, the Proxy tab has its own tabs below. The first is called Intercept, which we will use later. The second is HTTP History, followed by WebSockets History and Proxy Settings. We will not go into the details of each of these, but instead focus on the first two. Let’s switch to the HTTP History tab and use the open browser to open the page we want to test.

As you can see, the HTTP History tab shows all the requests that were made while you were using the browser. This is mostly the same information that is displayed in the Network tab of the browser’s developer tools. If you select a request from the history list, you will see the request and response details below.

Now, the best part: switch back to the Intercept tab and enable interception by clicking the “Intercept is off” button.

At first, nothing will happen, except that the button name will change. The button should now be displayed with the label “Intercept is on.” So, go back to the browser, click on any button, and observe Burp Suite.

So, the outgoing request should be intercepted and held by Burp Suite until you decide what to do (as shown in the screenshot above). What you can do now:

  • Forward: Forward the request without any interaction.
  • Forward after you change it: You can easily change anything you want in the Raw view or Hex view, and then click Forward.
  • Drop: Drop the request.
  • Actions: This allows you to do much more than we will discuss here. Have a look at the Actions menu.

In fact, we will use one action here. Since we are dealing with the request, it would also be great to be able to interact with the response for the modified request. So, before we click the Forward button (after our modification), we need to click the Actions menu and select the option “Do intercept” -> “Response to the request.”

This will also allow you to intercept the response. However, you need to carefully follow the appearing requests in the Intercept tab, as you can easily miss the response you are waiting for.
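To show what "the server is properly validating the value" looks like from the other side, here is an added example (not from the original post): a minimal handler that parses a raw HTTP request of the kind you edit in Burp's Raw view and re-checks, server-side, the constraints the form enforced. The `/order` route, the `sku`/`qty` fields, the quantity limit and the price list are assumptions made for the example.

```python
"""Added example: re-validate a form submission server-side, so that a request
edited in Burp (quantity changed, extra fields added) is rejected or ignored."""
from urllib.parse import parse_qs

MAX_QTY = 10                # assumed limit the form enforces in the UI
CATALOG = {"sku-1": 1999}   # assumed server-side price list, in cents


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request (as shown in Burp's Raw view) into
    method, path, a lower-cased header dict, and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def handle_order(raw: str):
    """Return (status, body). Every check the UI did is repeated here;
    the price is taken from the catalog, never from the client."""
    method, path, headers, body = parse_raw_request(raw)
    if method != "POST" or path != "/order":
        return 404, "not found"
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return 415, "unsupported media type"
    form = parse_qs(body, keep_blank_values=True)
    sku = form.get("sku", [""])[0]
    qty_raw = form.get("qty", [""])[0]
    if sku not in CATALOG:
        return 400, "unknown sku"
    if not qty_raw.isdigit() or not 1 <= int(qty_raw) <= MAX_QTY:
        return 400, "qty out of range"
    total = CATALOG[sku] * int(qty_raw)   # a client-sent "price" field is ignored
    return 200, f"total={total}"


# Constructed samples: the request the UI sends, and the same request after
# editing the quantity in Burp's Intercept tab before clicking Forward.
ORIGINAL = ("POST /order HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "sku=sku-1&qty=2")
TAMPERED = ORIGINAL.replace("qty=2", "qty=-5")

if __name__ == "__main__":
    print(handle_order(ORIGINAL))   # (200, 'total=3998')
    print(handle_order(TAMPERED))   # (400, 'qty out of range')
```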

That’s it. As you can see, it’s very easy to interact with the stuff happening behind the scenes in the browser. Burp Suite is a really powerful tool, and I have only shown you a small percentage of its possibilities. In most cases, this is enough to perform basic tests. So, have fun and experiment with the tool! ;)
