Getting Started with Burp - Part 3: The Proxy Tab
Welcome to part three of this series. In this post, we will discuss the Proxy tab and how it is used. Using the Proxy tab in Burp, you can manually intercept and alter HTTP requests and responses. This can be useful if you suspect that there may be an issue with a page and you want to tinker with it. Repeater, which we will look at next, can also do this but it is a bit more involved. If you are looking for a quick and dirty way to test a parameter, this is the place to start.
- Open Burp and enable proxy settings for it in Foxy Proxy.
- In the browser, go to https://sf-owasp-juiceshop.herokuapp.com/#/search.
- In Burp, go to the Proxy tab and make sure that the intercept option is set to “on.”
- In the Proxy tab click the “Options” sub-tab.
- Scroll down to Intercept Server Responses and check the box labeled “Intercept responses based on the following rules."
- In the same section, check all of the options that are listed in the box.
- In the browser, click on the product called “Melon Bike” (about half-way down). Look at the request in Burp. Has the content loaded?
- Forward the individual requests in the Burp tab by clicking the Forward button in the Intercept sub-tab and watch the behavior of the popup windows.
- When no more requests are being stopped by Burp, the page should be fully loaded. Add a product review and submit it. Go back to Burp and look at the request headers.
- Change the author name in the request data. Be sure to keep the quotes. Forward the request.
- Look at the window. Did the name change? Why or why not?
- Close the product review and reopen it. Is the author name the same as it was in step 11? What does this tell us about how the application works?
- What other things could an attacker potentially do using the Proxy tab?
- Try a few other items. Try removing the quotes, adding an extra quote, or providing other “unexpected” data and note how the application responds.