I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from THM rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Part 1 (Outline)
This room covers the foundations of using the Burp Suite web application framework. Nothing else to do here, so let’s move on to part 2.
Part 2 (What is Burp Suite?)
Burp Suite is a framework written in Java that provides a great package of tools for penetration testing of web and mobile apps. It does this by providing the ability to capture and manipulate all traffic between the attacker and a web server.
There are different editions of Burp Suite available, but in this room we will work with Burp Suite Community. This is free to use for any non-commercial purpose. Burp Suite Professional and Burp Suite Enterprise (which runs on a server and provides continuous scanning) offer more powerful features, but require paid licenses.
Questions
Which edition of Burp Suite will we be using in this module?
Answer: burp suite community
Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?
Answer: burp suite enterprise
Burp Suite is frequently used when attacking web applications and __???__ applications.
Answer: mobile
Part 3 (Features of Burp Suite Community)
Burp Suite Community is free and therefore has fewer features than Burp’s paid editions. There are still many great tools available:
- Proxy: allows us to intercept and modify requests/responses when interacting with web applications.
- Repeater: allows us to capture, modify, then resend the same request numerous times.
- Intruder: allows us to spray an endpoint with requests. This is often used for bruteforce attacks or to fuzz endpoints.
- Decoder: allows us to decode captured information, or encode a payload prior to sending it to the target.
- Comparer: allows us to compare two pieces of data at either word or byte level.
- Sequencer: allows us to assess the randomness of tokens such as session cookie values or other supposedly random generated data. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.
In addition to these features, it is very easy to write extensions to add functionality to Burp. These can be written in Java, Python or Ruby. The Burp Suite Extender module can quickly and easily load extensions into the framework, as well as providing a marketplace to download third-party modules (referred to as the “BApp Store”). Whilst many of these extensions require a professional license to download and add in, there are still a fair number that can be integrated with Burp Community.
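To make the Sequencer bullet concrete, here is an added example (my own code, not Burp’s or the room’s) of the simplest randomness check of that kind: estimate how many bits of entropy a sample of tokens carries by summing the Shannon entropy of each character position. The two token generators are constructed for the demo; the "weak" one is a hex counter behind a fixed prefix, which looks opaque but is trivially predictable. The check assumes character positions are independent, which overestimates entropy for real generators, and it cannot detect a generator whose output is uniform-looking but deterministic (an MD5 of a counter, say). Sequencer runs far more tests over thousands of samples for exactly that reason.

```python
"""Naive token-randomness estimate in the spirit of Burp Sequencer.

Added example, not Burp's code. Sums per-position Shannon entropy across
a sample of equal-length tokens (assumed independent positions).
"""
import math
import secrets
from collections import Counter


def position_entropy(tokens, pos):
    """Shannon entropy in bits of the symbol found at one character position."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def estimate_entropy_bits(tokens):
    """Sum of per-position entropies; all tokens must share one length."""
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError("tokens must all have the same length")
    return sum(position_entropy(tokens, i) for i in range(lengths.pop()))


def weak_tokens(n):
    """Constructed weak generator: fixed prefix plus an incrementing counter, in hex."""
    base = 0x1234567890AB0000
    return ["%016x" % (base + i) for i in range(n)]


def strong_tokens(n):
    """Constructed strong generator: 16 hex chars from the OS CSPRNG, same length as above."""
    return [secrets.token_hex(8) for _ in range(n)]


def is_predictable(tokens, threshold_bits=32):
    """Flag a sample whose estimated entropy is below a (hypothetical) minimum for a session token."""
    return estimate_entropy_bits(tokens) < threshold_bits


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(200)), ("strong", strong_tokens(200))):
        bits = estimate_entropy_bits(sample)
        print(f"{name}: ~{bits:.1f} bits over 16 chars, predictable={is_predictable(sample)}")
```

With 200 samples the weak tokens score under 8 bits (only the last two hex digits ever change) while the CSPRNG tokens score close to the 64-bit maximum. Treat a low score as a reason to dig deeper, never a high score as proof of safety.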
Questions
Which Burp Suite feature allows us to intercept requests between ourselves and the target?
Answer: proxy
Which Burp tool would we use if we wanted to bruteforce a login form?
Answer: intruder
Part 4 (Installation)
PortSwigger have made installing Burp Suite extremely easy on Linux, macOS, and Windows, providing dedicated installers for all three. As a Java application, Burp can also be downloaded as a JAR archive and run on effectively anything that will support a Java runtime environment.
Burp Suite comes pre-packaged with Kali Linux, so you should not need to install it there. If, for some reason, Burp is missing from your Kali installation, you can easily install it from the Kali apt repositories.
For other systems, we can download installers from the Burp Suite Downloads page.
Questions
If you have chosen not to use the AttackBox, make sure that you have a copy of Burp Suite installed before proceeding.
Answer: No answer needed
Part 5 (The Dashboard)
After opening Burp Suite Community and starting a new project (Community only offers temporary projects) you are met by the Burp Dashboard.
In short, the Dashboard interface is split into four quadrants:
- The Tasks menu allows us to define background tasks that Burp Suite will run whilst we use the application.
- The Event log tells us what Burp Suite is doing (e.g. starting the Proxy), as well as information about any connections that we are making through Burp.
- The Issue Activity section is exclusive to Burp Pro. It won’t give us anything using Burp Community, but in Burp Professional it would list all of the vulnerabilities found by the automated scanner.
- The Advisory section gives more information about the vulnerabilities found, as well as references and suggested remediations. These could then be exported into a report.
Questions
Open Burp Suite and have a look around the dashboard. Make sure that you are comfortable with it before moving on.
Answer: No answer needed
Part 6 (Navigation)
Navigating around the Burp Suite GUI by default is done entirely using the top menu bars. These allow you to switch between modules. If the selected module has more than one sub-tab, then these can be selected using a second menu bar which appears directly below the original bar (the bottom row of the image above).
In addition to the menu bar, Burp Suite also has keyboard shortcuts that allow quick navigation to key tabs. By default, these are:
Shortcuts:
- Ctrl + Shift + D: Switch to the Dashboard
- Ctrl + Shift + T: Switch to the Target tab
- Ctrl + Shift + P: Switch to the Proxy tab
- Ctrl + Shift + I: Switch to the Intruder tab
- Ctrl + Shift + R: Switch to the Repeater tab
Questions
Get comfortable navigating around the top menu bars.
Answer: No answer needed
Part 7 (Options)
There are two types of settings available for configuring Burp Suite.
- Global settings can be found in the User options tab along the top menu bar.
- Project-specific settings can be found in the Project options tab.
The options provided in the User options tab will apply every time we open Burp Suite. In contrast, the Project options will only apply to the current project. Given that we can’t save projects in Burp Community, this means that our project options will reset every time we close Burp.
I won’t go through the different settings here. Read the description at https://tryhackme.com/room/burpsuitebasics for more info.
Questions
Change the Burp Suite theme to dark mode
Answer: No answer needed
In which Project options sub-tab can you find reference to a “Cookie jar”?
Answer: Sessions
In which User options sub-tab can you change the Burp Suite update behaviour?
Answer: Misc
What is the name of the section within the User options “Misc” sub-tab which allows you to change the Burp Suite keybindings?
Answer: hotkeys
If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?
Answer: Aye
There are many more configuration options available. Take the time to read through them. In the next section, we will cover the Burp Proxy — a much more hands-on aspect of the room.
Answer: No answer needed
Task 8 (Introduction to Burp Proxy)
Burp Proxy is the most important tool in the Burp Suite toolbox. It allows us to capture requests and responses between our system and the target. In addition, we can manipulate the requests before sending them on towards the target.
For example, if we make a request to https://tryhackme.com through the Burp Proxy, our request will be captured and won’t be allowed to continue to the TryHackMe servers until we explicitly allow it through. We can choose to do the same with the response from the server, although this isn’t active by default. When the proxy is active and you refresh your browser you will capture a request:
With the proxy active, a request was made to the TryHackMe website. At this point, the browser making the request will hang, and the request will appear in the Proxy tab giving us the view shown in the screenshot above. We can then choose to forward or drop the request (potentially after editing it). We can also do various other things here, such as sending the request to one of the other Burp modules, copying it as a cURL command, saving it to a file, and many others.
When we have finished working with the Proxy, we can click the “Intercept is on” button to disable the Intercept, which will allow requests to pass through the proxy without being stopped.
It is also possible to send the request to other tools in the framework by right-clicking them and choosing “Send to…”. For example, we could take a previous HTTP request that has already been proxied to the target and send it to Repeater.
Finally, there are also Proxy specific options, which we can view in the “Options” sub-tab. These options give us a lot of control over how the proxy operates, so it is an excellent idea to familiarize yourself with these.
For example, the proxy will not intercept server responses by default unless we explicitly ask it to on a per-request basis. We can override the default setting by selecting the “Intercept responses based on the following rules” checkbox and picking one or more rules. The “Or | Request | Was Intercepted” rule is good for catching responses to all requests that were intercepted by the proxy:
Questions
Which button would we choose to send an intercepted request to the target in Burp Proxy?
Answer: forward
[Research] What is the default key-bind for this?
Answer: Ctrl+F
Task 9 (Connecting through the proxy)
There are two ways to proxy our traffic through Burp Suite.
- We could use the embedded browser.
- We can configure our local web browser to proxy our traffic through Burp; this is more common and so will be the focus of this task.
The Burp Proxy works by starting a proxy listener on 127.0.0.1:8080 (by default; you can confirm or change this under Proxy -> Options -> Proxy Listeners). As implied by the fact that this is a “proxy”, we need to send all of our browser traffic through this port before we can start intercepting it with Burp. We can do this by altering our browser settings or, more commonly, by using a Firefox browser extension called FoxyProxy. FoxyProxy allows us to save proxy profiles, meaning we can quickly and easily switch to our “Burp Suite” profile in a matter of clicks, then disable the proxy just as easily.
If you are using your own machine, you can install FoxyProxy Basic from the Firefox add-ons site. Read more about setting it up in TryHackMe’s task description.
After getting up and running you can switch over to Burp Suite and make sure the intercept is on.
Now, try accessing the homepage for http://MACHINE_IP/ in Firefox. Your browser should hang, and your proxy will populate with the request headers. Congratulations, you just intercepted your first request!
Questions
Read through the options in the right-click menu.
There is one particularly useful option that allows you to intercept and modify the response to your request. What is this option?
Answer: response to this request
[Bonus Question — Optional] Try installing FoxyProxy standard and have a look at the pattern matching features.
Answer: No answer needed
Task 10 (Proxying HTTPS)
If you have decided to use your own system instead of the AttackBox, you will run into the following problem: when viewing https://www.google.com, for example, Firefox shows the error “Software is Preventing Firefox From Safely Connecting to This Site”. This is expected: Burp terminates the TLS connection itself and re-signs each site’s certificate with its own per-installation CA, which your browser does not trust yet. The fix is to export Burp’s CA certificate (browse to http://burp/cert with the proxy enabled, or use Proxy -> Options -> Import / export CA certificate) and import it into Firefox under Settings -> Privacy & Security -> Certificates -> View Certificates -> Authorities, trusting it to identify websites. Do this in a dedicated testing browser profile rather than your everyday one: anyone who obtains that CA’s private key can intercept TLS traffic from any browser that trusts it. The task description on TryHackMe walks through the same steps.
Questions
If you are not using the AttackBox, configure Firefox (or your browser of choice) to accept the Portswigger CA certificate for TLS communication through the Burp Proxy.
Answer: No answer needed
Task 11 (The Burp Suite Browser)
If you decide not to use Firefox as a browser (which has been setup with a proxy during the last tasks), it is possible to use the Burp Suite Browser. This is a built-in Chromium browser that is pre-configured to use the proxy without any of the modifications we just had to do. This is not as commonly used as the process detailed in the previous few tasks. People tend to stick with their own browser as it gives them a lot more customisability; however, both are perfectly valid choices.
We can start the Burp Browser with the “Open Browser” button in the proxy tab:
If we are running on Linux as the root user (as we are with the AttackBox), Burp Suite is unable to create a sandbox environment in which to start the Burp Browser.
There are two simple solutions to this:
- The smart option: We could create a new user and run Burp Suite under a low-privilege account.
- The easy option: We could go to Project options -> Misc -> Embedded Browser and check the “Allow the embedded browser to run without a sandbox” option. Checking this option will allow the browser to start, but be aware that it is disabled by default for security reasons: if we get compromised through the browser, then an attacker will have access to our entire machine.
Questions
Using the in-built browser, make a request to http://MACHINE_IP/ and capture it in the proxy.
Answer: No answer needed
Task 12 (Scoping and Targeting)
Now we come to one of the most important parts of using the Burp Proxy: scoping.
It can get extremely tedious having Burp capturing all of our traffic. When it logs everything (including traffic to sites we aren’t targeting), it muddies up logs we may later wish to send to clients. In short, allowing Burp to capture everything can quickly become a massive pain.
Setting a scope for the project allows us to define what gets proxied and logged. The easiest way to do this is by switching over to the “Target” tab, right-clicking our target from our list on the left, then choosing “Add To Scope”. Burp will then ask us whether we want to stop logging anything which isn’t in scope — most of the time we want to choose “yes” here.
The Scope sub-tab allows us to control what we are targeting by either Including or Excluding domains / IPs. This is a very powerful section, so it’s well worth taking the time to get accustomed to using it.
We just chose to disable logging for out-of-scope traffic, but the proxy will still be intercepting everything. To turn this off, we need to go into the Proxy Options sub-tab and select “And | URL | Is in target scope” from the Intercept Client Requests section:
With this option selected, the proxy will completely ignore anything that isn’t in the scope, vastly cleaning up the traffic coming through Burp.
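To show what “in scope” actually means once you move past the right-click “Add To Scope” shortcut, here is an added example (my own code, not Burp’s) that models Burp’s advanced scope control: each rule has an optional protocol, a host regex, an optional port and an optional file (path) regex, a URL is in scope when at least one include rule matches and no exclude rule does, and exclude always wins. The target 10.10.108.173 and the /ticket/ path come from the room; the /logout exclude and the other hosts are constructed for the demo, and the exclude illustrates a real-world habit of keeping a crawl or Intruder run from logging you out.

```python
"""Scope matcher modelled on Burp's Target -> Scope advanced scope control.

Added example, not Burp's own code. Rule fields mirror the advanced scope
table (protocol, host regex, port, file regex); semantics are include-any,
exclude-wins, which is also what "And URL Is in target scope" applies.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    host: str                    # regex matched against the host, e.g. r"^10\.10\.108\.173$"
    protocol: str = "any"        # "any", "http" or "https"
    port: Optional[int] = None   # None means any port
    file: str = ""               # regex matched against the path; "" means any path

    def matches(self, url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if self.protocol != "any" and scheme != self.protocol:
            return False
        host = (parts.hostname or "").lower()
        if not re.search(self.host, host, re.IGNORECASE):
            return False
        port = parts.port or (443 if scheme == "https" else 80)
        if self.port is not None and port != self.port:
            return False
        if self.file and not re.search(self.file, parts.path or "/"):
            return False
        return True


def in_scope(url, include, exclude=()):
    """Burp semantics: matched by some include rule and by no exclude rule."""
    if any(rule.matches(url) for rule in exclude):
        return False
    return any(rule.matches(url) for rule in include)


# Room target on any port and protocol; constructed exclude for a hypothetical logout endpoint.
INCLUDE = [ScopeRule(host=r"^10\.10\.108\.173$")]
EXCLUDE = [ScopeRule(host=r"^10\.10\.108\.173$", file=r"^/logout")]


def filter_proxy_history(urls, include=INCLUDE, exclude=EXCLUDE):
    """What restricting interception to scope does: only in-scope URLs get through."""
    return [u for u in urls if in_scope(u, include, exclude)]


if __name__ == "__main__":
    history = [                         # constructed sample of what a browser emits
        "http://10.10.108.173/",
        "http://10.10.108.173/ticket/",
        "https://detectportal.firefox.com/success.txt",
        "http://10.10.108.173/logout",
    ]
    for u in history:
        print(f"{'IN ' if in_scope(u, INCLUDE, EXCLUDE) else 'OUT'} {u}")
```

Note the anchored host regex: Burp’s host field is a regex too, so an unanchored `10.10.108.173` would also match a host such as `10.10.108.1738`, and an unescaped dot matches any character. Anchor and escape the patterns you add by hand.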
Questions
Add http://10.10.108.173/ to your scope and change the Proxy settings to only intercept traffic to in-scope targets. See the difference between the amount of traffic getting caught by the proxy before and after limiting the scope.
Answer: No answer needed
Task 13 (Site Map and Issue Definitions)
Control of the scope may be the most useful aspect of the Target tab, but it’s by no means the only use for this section of Burp.
There are three sub-tabs under Target:
- Site map allows us to map out the apps we are targeting in a tree structure. Every page that we visit will show up here, allowing us to automatically generate a site map for the target simply by browsing around the web app.
- Scope: We have already seen the Scope sub-tab — it allows us to control Burp’s target scope for the project.
- Issue Definitions: Whilst we don’t have access to the Burp Suite vulnerability scanner in Burp Community, we do still have access to a list of all the vulnerabilities it looks for. The Issue Definitions section gives us a huge list of web vulnerabilities (complete with descriptions and references).
Questions
Take a look around the site on http://10.10.108.173/ — we will be using this a lot throughout the module. Visit every page linked to from the homepage, then check your sitemap — one endpoint should stand out as being very unusual! Visit this in your browser (or use the “Response” section of the site map entry for that endpoint). What is the flag you receive?
Click around on the site while keeping the Site map sub-tab open. A URL made up of a long string of numbers and letters should appear. Then look at its response (or visit the URL in the browser).
Answer: THM{NmNlZTliNGE1MWU1ZTQzMzgzNmFiNWVk}
Look through the Issue Definitions list. What is the typical severity of a Vulnerable JavaScript dependency?
Look at the Issue Definitions sub-tab. Vulnerable JavaScript dependency is listed as low severity.
Answer: low
Task 14 (Example Attack)
Having looked at how to set up and configure our proxy, let’s go through a simplified real-world example. We will start by taking a look at the support form at http://<target ip>/ticket/:
In a real-world web app pentest, we would test this for a variety of things: one of which would be Cross-Site Scripting (or XSS). If you have not yet encountered XSS, it can be thought of as injecting a client-side script (usually in Javascript) into a webpage in such a way that it executes. There are various kinds of XSS — the type that we are using here is referred to as “Reflected” XSS as it only affects the person making the web request.
Questions
Try typing <script>alert("Succ3ssful XSS")</script> into the “Contact Email” field. You should find that there is a client-side filter in place which prevents you from adding any special characters that aren’t allowed in email addresses:
Answer: No answer needed
Fortunately for us, client-side filters are absurdly easy to bypass. There are a variety of ways we could disable the script or just prevent it from loading in the first place. Let’s focus on simply bypassing the filter for now. First, make sure that your Burp Proxy is active and that the intercept is on.
Answer: No answer needed
Now, enter some legitimate data into the support form. For example: “pentester@example.thm” as an email address, and “Test Attack” as a query. Submit the form — the request should be intercepted by the proxy.
Answer: No answer needed
With the request captured in the proxy, we can now change the email field to be our very simple payload from above: <script>alert("Succ3ssful XSS")</script>. After pasting in the payload, we need to select it, then URL encode it with the Ctrl + U shortcut to make it safe to send.
Answer: No answer needed
Finally, press the “Forward” button to send the request. You should find that you get an alert box from the site indicating a successful XSS attack!
Answer: No answer needed
Congratulations, you bypassed the filter! Don’t expect it to be quite so easy in real life, but this should hopefully give you an idea of the kind of situation in which Burp Proxy can be useful.
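To show why the bypass works and what the fix looks like, here is an added example (my own code, not the room’s). The email regex, the form handler and the page templates are constructed stand-ins for the site at http://MACHINE_IP/ticket/; only the payload and the field names come from the task. It walks through the same steps as above: the browser-side check rejects the payload, the same payload is form-encoded into the POST body as it would be after editing the intercepted request and pressing Ctrl+U (Python’s `urlencode` encodes every reserved character, a superset of Burp’s “key characters”, but the server decodes both to the same value), a reflecting handler puts it back into the page unescaped, and the hardened handler escapes on output and repeats the validation on the server, where the attacker cannot edit it.

```python
"""Client-side filter bypass and the server-side fix for the support-form XSS.

Added example, not the target site's code. Everything except the payload and
field names is a constructed stand-in for http://MACHINE_IP/ticket/.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

PAYLOAD = '<script>alert("Succ3ssful XSS")</script>'

# Stand-in for the JavaScript the form runs before submitting (constructed, not the site's).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def client_side_filter_allows(email):
    """The browser-side check. It runs on the attacker's machine, so it is advisory only."""
    return EMAIL_RE.fullmatch(email) is not None


def build_post_body(fields):
    """Form-encode the fields the way the edited, URL-encoded request carries them to the server."""
    return urlencode(fields)


def _email_from(post_body):
    """What the server sees after decoding the body: the raw payload, filter or no filter."""
    return parse_qs(post_body, keep_blank_values=True).get("email", [""])[0]


def render_ticket_vulnerable(post_body):
    """Reflects the submitted email into the page verbatim: reflected XSS."""
    return f"<p>We will reply to {_email_from(post_body)}</p>"


def render_ticket_escaped(post_body):
    """Minimal fix: HTML-escape on output, so the payload is shown as text, not run."""
    return f"<p>We will reply to {html.escape(_email_from(post_body), quote=True)}</p>"


def render_ticket_fixed(post_body):
    """Defence in depth: the same validation the browser did, now enforced server-side, plus escaping."""
    email = _email_from(post_body)
    if not client_side_filter_allows(email):
        return "<p>Invalid email address</p>"
    return f"<p>We will reply to {html.escape(email, quote=True)}</p>"


if __name__ == "__main__":
    body = build_post_body({"email": PAYLOAD, "query": "Test Attack"})
    print("browser filter allows payload:", client_side_filter_allows(PAYLOAD))
    print("POST body:", body)
    print("vulnerable:", render_ticket_vulnerable(body))
    print("escaped:   ", render_ticket_escaped(body))
    print("fixed:     ", render_ticket_fixed(body))
```

The takeaway matches the room’s warning: the browser filter never ran on the request Burp forwarded, so the only controls that count are the ones on the server, and output encoding is the one that actually stops the script from executing.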
Answer: No answer needed
Task 15 (Room Conclusion)
We have now reached the end of the Burp Basics room.
This room has hopefully given you a good grasp of the Burp Suite interface and configuration options, as well as giving you a working knowledge of the Burp Proxy.
Questions
I understand the fundamentals of using Burp Suite!
Answer: Yes, we do!