Getting Started with Burp - Part 1: Fast Proxy Switcher and the CA Certificate

Well, here we are. I recently needed a presentation for the December 2018 OWASP Sioux Falls chapter meeting, and I thought to myself, "Self, you should talk about interception proxies, specifically ZAP an Burp." If you aren't familiar with interception proxies, they are tools that are designed to intercept, analyze, and manipulate web requests and responses. These tools allow the user to be a man-in-the-middle between the browser and the web server. These posts are going to be a bit "to-the-point," as they are intended to be give instructional guidance. This is the first post in the series, so pour yourself a nice drink, put on your favorite hacking music, and jump on in.

Note: these posts reference an instance of JuiceShop that is set up on the free tier of service at Heroku. The site not maintained and it may or may not be available when you want to test it. If you happen to find that the site is down, you can set up your own JuiceShop instance in Heroku for free. I have a post from August 2018 detailing how to do this, and you can find it at https://blog.sodaksec.com/2018/08/setting-up-juiceshop-in-heroku.html. I recommend taking the time to set this up, as it is an excellent learning tool and you can safely use it to sharpen your pen testing skills.

The Fast Proxy Switcher
Since we are dealing with an interception proxy, we first need a way to intercept the web traffic. We could do this by manually changing the proxy settings in the browser, but that can be tedious and time consuming. Rather than opening multiple windows so that we can enable and disable the proxy settings in the browser, we would prefer a shortcut that will allow us to do this with just one or two clicks; you need a fast proxy switcher.

There are a few good proxy switchers out there that you can use. I recommend using either Foxy Proxy or SwitchyOmega. Both are good tools, but Foxy Proxy's Chrome plugin is a bit out of date and it doesn't appear that it is being maintained. With that said, I still use it and so far it has worked fine for me. You can download these from the following URLs:


Once you have the proxy switcher installed, you can add multiple proxies for later use. This is helpful if you have more than one interception proxy tool that you like to use and you want to quickly switch between them.
  1. Click the Foxy Proxy icon at the top of the browser, just to the right of the address bar and choose Options.

  2. In Foxy Proxy, click the Add New Proxy button.


  3. In the new proxy window in the General tab, enter the Proxy Name.



  4. In the same window under the Proxy Details tab, enter the local host address (127.0.0.1) and the port that you wish to use. By default, Burp uses port 8080.

  5. Once you have your proxy configure, click the Save button at the bottom. You will now be able to enable/disable proxies using the proxy option at the top of the screen.

Once you have the Proxy Switcher set up and configured, you are now ready to use Burp. To intercept traffic from your browser, you must first switch to the Burp settings that you recreated previously. From there, it is just a matter of starting the Burp Suite tool and browsing to the website that you want to test - but wait, something is wrong. I keep getting SSL errors in the browser!

The Portswigger CA Cert

This section assumes that you have either downloaded the stand-alone Burp JAR file or that you have installed the Burp suite on your system. You will want to use either the community edition or the professional edition; the enterprise suite is a different animal and is not suitable for these tutorials. This post also assumed that you have installed the Foxy Proxy plugin and that you have configured it to work with Burp. If you have not downloaded Burp yet, you can download the community edition at https://portswigger.net/burp/communitydownload. You can find installation and setup guidance at https://support.portswigger.net/customer/portal/articles/1783038-Installing_Launching%20Burp.html, as well as full documentation for how to use the various components of the Burp suite.

This post also assumes that you have installed the Foxy Proxy plugin and that you have configured it to work with Burp. Instructions for installing and configuring Foxy Proxy can be found in the steps above.
  1. Start Burp (community or standard edition) and then change Foxy Proxy to use Burp.

  2. With Burp running and your browser running through it, open https://burp. In the top-right corner, click the CA Certificate button to download the certificate to your computer.

  3. Install the CA Certificate into your favorite browser. You can find instructions for installing the certificate into your browser of choice at https://support.portswigger.net/customer/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser. This will prevent you from getting SSL errors when testing web pages with Burp.
You should now be ready to continue on to the next post!

Comments

Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

OWASP ZAP Tutorial - Part 2: Crawling

OWASP ZAP Tutorial - Part 3: Scanning