Getting Started with Burp - Part 3: The Proxy Tab

-
Welcome to part three of this series. In this post, we will discuss the Proxy tab and how it is used. Using the Proxy tab in Burp, you can manually intercept and alter HTTP requests and responses. This can be useful if you suspect that there may be an issue with a page and you want to tinker with it. Repeater, which we will look at next, can also do this but it is a bit more involved. If you are looking for a quick and dirty way to test a parameter, this is the place to start.
  1. Open Burp and enable proxy settings for it in Foxy Proxy.
      
  2. In the browser, go to https://sf-owasp-juiceshop.herokuapp.com/#/search.
      
  3. In Burp, go to the Proxy tab and make sure that the intercept option is set to “on.”
  4. In the Proxy tab click the “Options” sub-tab.
      
  5. Scroll down to Intercept Server Responses and check the box labeled “Intercept responses based on the following rules."
      
  6. In the same section, check all of the options that are listed in the box.


      
  7. In the browser, click on the product called “Melon Bike” (about half-way down). Look at the request in Burp. Has the content loaded?
      
  8. Forward the individual requests in the Burp tab by clicking the Forward button in the Intercept sub-tab and watch the behavior of the popup windows.
      
  9. When no more requests are being stopped by Burp, the page should be fully loaded. Add a product review and submit it. Go back to Burp and look at the request headers.
      
  10. Change the author name in the request data. Be sure to keep the quotes. Forward the request.


      
  11. Look at the window. Did the name change? Why or why not?
      
  12. Close the product review and reopen it. Is the author name the same as it was in step 11? What does this tell us about how the application works?
      
  13. What other things could an attacker potentially do using the Proxy tab?

  14. Try a few other items. Try removing the quotes, adding an extra quote, or providing other “unexpected” data and note how the application responds.

Comments

  1. Jimmy CarterDecember 22, 2021 at 10:04 PM

    It is a proficient article that you have shared here. I got some different kind of information from your article which I will be sharing with my friends who need this info. Thankful to you for sharing an article like this. captcha proxies

    ReplyDelete
  2. MorganApril 6, 2022 at 9:26 AM

    These security products and solutions offer a lot of value for the price. Regardless of which subscription plan is right for you, you can expect a good deal. Top Best Cybersecurity Certifications

    ReplyDelete

Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 2: Crawling

-
Image
If you completed part one of this series, you have now successfully intercepted an HTTP request and response with OWASP ZAP. Don't you feel proud and empowered? I knew you would. But guess what? We're not done yet... not by a damn site. Now it's time to learn how to  crawl  a web application with ZAP. Now I know what you're thinking to your self. Your thinking, "Pablo, why do I need to crawl the site? Can't I just do an outright scan? Won't that crawl the site first anyway?" Well, the answer to your question is "yes," you can just scan the site, which usually starts with a crawl. But here is the deal, maybe you don't want to be noticed, especially if you are doing a test where stealth is important. Have you ever worked on a blue team and had your email inbox explode with alerts because some jackhole decided to scan your company's website? If so, then you understand why running a full scan might not be desirable (you may also wa
Read more

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

-
Image
So you want to use OWASP's Zed Attack Proxy to intercept web requests and responses, but you don't know where to start. ZAP isn't quite as pretty as Burp and there isn't even a proxy tab that you can use to intercept traffic and monkey with the parameters! What is the deal!? OK, OK, OK, just take a chill pill there my friend. Although ZAP is a little different from Burp, I think you will find that it is just as useful, and in some cases perhaps more so. Let's jump in with a little exercise that will help you figure out the basics of this often overlooked gem. Before going any further, I am going to take a moment to warn you about testing web applications without permission; don't do it. Testing a site that is not yours is what a friend of mine has referred to as a "non-extradition country career choice" (thanks Adrien de Beupre). Equador is a lovely country, but you probably don't want to live there. Manually Intercepting HTTP Requests and
Read more

OWASP ZAP Tutorial - Part 3: Scanning

-
Image
Good day, eh. Welcome to Part 3. In this post, we will spend a little time walking through how to perform active scanning with ZAP. I'm gonna level with you, this is probably the easiest part of workin with ZAP, but it is also the most perilous. Web scanners have taken down sites, and if the scope isn't configured properly you could find yourself winning an extended stay at Club Fed (located in beautiful Leavenworth, Kansas). As always, don't scan stuff that isn't yours or that you don't have permission to scan. Got it? Good. Let's move forward. As you may or may not know, OWASP ZAP can perform two different levels of scanning: passive scanning and active scanning. Our tutorial will focus on active scanning, but I think it is worthwhile to have a brief discussion about passive scanning. Passive scanning is the scanning that takes place when ZAP is interacting with a web application through any other process other than an active scan. What this means is that
Read more