Burp Web Penetration Testing Guide

Introduction

When it comes to testing the security of web applications, you'd have a hard time finding a set of tools better than Burp Suite from Portswigger web security. It allows you to intercept and monitor web traffic along with detailed information about the requests and responses to and from a server.

There are way too many features in Burp Suite to cover in just one guide, so this one will be broken down into four parts. This first part will cover setting up Burp Suite and using it as a proxy for Firefox. The second one will cover how to gather information and use the Burp Suite proxy. The third part goes into a realistic testing scenario using information gathered through the Burp Suite proxy. The fourth guide will cover many of the other features that Burp Suite has to offer.

In this guide, you will practice using Burp Suite on a self-hosted instance of WordPress. If you need help setting it up, check out our Debian guide.

Burp Suite comes installed by default on Kali Linux, so you don't need to worry about installing it. In fact, it's one of the applications in the favorites list on a Kali live CD.

Open it up and click through the opening menus. Just use the defaults. There is a certain depth of configuration that Burp Suite can get into, but it isn't necessary for this guide or basic usage.

Setting Up Firefox

Burp Suite contains an intercepting proxy. In order to use Burp Suite, you must configure a browser to pass its traffic through the Burp Suite proxy. This isn't too hard to do with Firefox, which is the default browser on Kali Linux.

Open up Firefox and click on the menu button to open the Firefox settings menu. In the menu, click on "Preferences." This will open the "Preferences" tab in Firefox. On the far left of the tab is another menu listing. Click on the last option, "Advanced." At the top of the "Advanced" tab is a new menu. Click the "Network" option in the center. In the "Network" section, click the top button labeled "Settings..." That will open Firefox's proxy settings.

Configure Firefox to use the Burp Suite proxy

There are a number of options built into Firefox for handling proxies. For this guide, select the "Manual Proxy Configuration:" radio button. This will open a series of fields that allow you to manually enter the IP address and port number of your proxy for each of a number of protocols. By default, Burp Suite listens on port 8080, and since you're running it on your own machine, enter 127.0.0.1 as the IP. Your main concern is going to be HTTP, but you can check the box marked "Use this proxy server for all protocols" if you're feeling lazy.

Below the other manual configuration options is a box that allows you to enter exceptions for the proxy. Firefox pre-fills this field with both the name localhost and the IP 127.0.0.1. Either delete or modify them, since you're going to be monitoring traffic between your browser and a locally hosted WordPress install, and any host listed here bypasses the proxy entirely.
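The manual proxy settings above, and the exceptions-box pitfall, as an added Python example (not from the original guide, and not part of Burp Suite or Firefox): it renders the equivalent Firefox user.js preferences and checks whether a given exceptions list would let a host bypass the proxy. The preference names are Firefox's own; the matching in bypasses_proxy is a simplified version of Firefox's rules, and the host/port values are Burp's defaults.

```python
"""Added example (not from the original guide): generate a Firefox user.js
that applies the manual proxy settings described above, and check whether
the proxy-exceptions list would let traffic to the local WordPress host
bypass Burp."""

BURP_HOST = "127.0.0.1"   # Burp's default listener address
BURP_PORT = 8080          # Burp's default listener port


def proxy_prefs(host=BURP_HOST, port=BURP_PORT, no_proxies_on=""):
    """Firefox preferences equivalent to 'Manual proxy configuration'
    with 'Use this proxy server for all protocols' checked."""
    return {
        "network.proxy.type": 1,                 # 1 = manual configuration
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": port,
        "network.proxy.share_proxy_settings": True,
        # The 'No proxy for' box; empty so localhost traffic reaches Burp.
        "network.proxy.no_proxies_on": no_proxies_on,
        # Newer Firefox releases bypass the proxy for localhost regardless
        # of the exceptions box unless this pref is set.
        "network.proxy.allow_hijacking_localhost": True,
    }


def render_user_js(prefs):
    """Serialise prefs as user.js lines: user_pref("name", value);"""
    lines = []
    for name, value in prefs.items():
        if isinstance(value, bool):          # bool before int: True is an int
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = '"%s"' % value.replace('"', '\\"')
        lines.append('user_pref("%s", %s);' % (name, literal))
    return "\n".join(lines) + "\n"


def bypasses_proxy(target_host, no_proxies_on):
    """True if target_host matches an entry in the exceptions list
    (simplified Firefox semantics: exact host or domain-suffix match)."""
    for entry in (e.strip().lstrip(".") for e in no_proxies_on.split(",")):
        if entry and (target_host == entry or target_host.endswith("." + entry)):
            return True
    return False
```

With Firefox's pre-filled "localhost, 127.0.0.1" list, bypasses_proxy("127.0.0.1", ...) returns True, which is exactly why the guide tells you to clear that box.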

With Firefox configured, you can proceed to configure Burp and start the proxy.

Configuring The Proxy

The proxy should be configured by default, but just take a second to double-check it. If you want to change the settings in the future, you would do so by following the same method.

Configure the Burp Suite proxy

In your Burp Suite window, click on "Proxy" on the top row of tabs, then "Options" on the lower row. The top section of the screen should say "Proxy Listeners" and contain a box with the localhost IP and port 8080. To the left of it should be a checked box in the "Running" column. If that's what you see, you are ready to start capturing traffic with Burp Suite.

Closing Thoughts

At this point you have Burp Suite running as a proxy for Firefox, and you're ready to start using it to capture traffic going from Firefox to your locally hosted WordPress install.

In the next guide, you'll capture that information and learn how to read and break it down into usable pieces. The amount of information that Burp Suite can gather is pretty amazing, and it opens up a world of new possibilities for testing out your web applications.