TryHackMe: Burp Suite: The Basics – Walkthrough

September 8, 2023 Jasper
Hi! In this walkthrough we will cover the Burp Suite: The Basics room on THM.
Burp Suite is a comprehensive web application security testing tool used for identifying vulnerabilities, analyzing traffic, and performing penetration tests. Burp Suite is popular due to its user-friendly interface, extensive features, and adaptability for both beginners and advanced security professionals.
Burp Suite Basics Banner

Room URL: https://tryhackme.com/room/burpsuitebasics

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THM's rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.


Part 1: Outline

This room provides a foundational understanding of Burp Suite, focusing on:

  1. Introduction to Burp Suite.
  2. Overview of its tools.
  3. Guidance on installing Burp Suite.
  4. Navigating and configuring the framework.

The core focus is on Burp Proxy, emphasizing theoretical content to build a strong base for practical applications in future modules. Users are encouraged to actively read and experiment with the tool for better understanding and preparation.

Questions

Let us start!

Answer: No answer needed


Part 2: What is Burp Suite?

Burp Suite is a framework written in Java that provides a great package of tools for penetration testing of web and mobile apps. It does this by providing the ability to capture and manipulate all traffic between the attacker and a web server.

There are different editions of Burp Suite available, but in this room we will work with Burp Suite Community. This is free to use for any non-commercial use. Burp Suite Professional and Enterprise (which provides continuous scanning) provide more powerful features, but require expensive licenses.

Questions

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

The Enterprise edition runs on a server and provides constant scanning.

Answer: burp suite enterprise

Burp Suite is frequently used when attacking web applications and ___ applications.

Burp Suite can be used both for web applications and mobile applications.

Answer: mobile


Part 3: Features of Burp Suite Community

Burp Suite Community is free and therefore has fewer features than Burp’s premium products. But there are still many great tools available:

  • Proxy: allows us to intercept and modify requests/responses when interacting with web applications.
  • Repeater: allows us to capture, modify, then resend the same request numerous times.
  • Intruder: allows us to spray an endpoint with requests. This is often used for brute-force attacks or to fuzz endpoints.
  • Decoder: allows us to decode captured information, or encode a payload prior to sending it to the target.
  • Comparer: allows us to compare two pieces of data at either word or byte level.
  • Sequencer: allows us to assess the randomness of tokens such as session cookie values or other supposedly random generated data. If the algorithm is not generating secure random values, then this could open up some devastating avenues for attack.

In addition to these features, it is very easy to write extensions to add functionality to Burp. These can be written in Java, Python or Ruby. The Burp Suite Extender module can quickly and easily load extensions into the framework, as well as providing a marketplace to download third-party modules (referred to as the “BApp Store”). Whilst many of these extensions require a professional license to download and add in, there are still a fair number that can be integrated with Burp Community.

Questions

Which Burp Suite feature allows us to intercept requests between ourselves and the target?

The Burp Proxy feature in Burp Suite allows us to intercept requests between ourselves and the target. It acts as an intermediary, enabling users to view, modify, and analyze HTTP/S traffic before it reaches the target server or comes back to the client.

Answer: proxy

Which Burp tool would we use to brute-force a login form?

Burp Suite Intruder allows us to spray an endpoint with requests. This is often used for brute-force attacks or to fuzz endpoints.

Answer: intruder


Part 4: Installation

PortSwigger have made installing Burp Suite extremely easy on Linux, macOS, and Windows, providing dedicated installers for all three. As a Java application, Burp can also be downloaded as a JAR archive and run on effectively anything that will support a Java runtime environment.

Burp Suite comes pre-packaged with Kali Linux, so you should not need to install it there. If, for some reason, Burp is missing from your Kali installation, you can easily install it from the Kali apt repositories.

For other systems, we can download installers from the Burp Suite Downloads page.

Questions

If you have chosen not to use the AttackBox, make sure that you have a copy of Burp Suite installed before proceeding.

Answer: No answer needed


Part 5: The Dashboard

After opening Burp Suite Community and opening a new project you are met by the Burp Dashboard:

Burp Suite Dashboard

In short, the Dashboard interface is split into four quadrants:

  1. The Tasks menu allows us to define background tasks that Burp Suite will run whilst we use the application.
  2. The Event log tells us what Burp Suite is doing (e.g. starting the Proxy), as well as information about any connections that we are making through Burp.
  3. The Issue Activity section is exclusive to Burp Pro. It won’t give us anything using Burp Community, but in Burp Professional it would list all of the vulnerabilities found by the automated scanner.
  4. The Advisory section gives more information about the vulnerabilities found, as well as references and suggested remediations. These could then be exported into a report.

Questions

What menu provides information about the actions performed by Burp Suite, such as starting the proxy, and details about connections made through Burp?

The Event log tells us what Burp Suite is doing (e.g. starting the Proxy), as well as information about any connections that we are making through Burp.

Answer: Event log


Part 6: Navigation

Navigating around the Burp Suite GUI by default is done entirely using the top menu bars. These allow you to switch between modules. If the selected module has more than one sub-tab, then these can be selected using a second menu bar which appears directly below the original bar (the bottom row of the image above).

In addition to the menu bar, Burp Suite also has keyboard shortcuts that allow quick navigation to key tabs. By default, these are:

Shortcuts:

  • Ctrl + Shift + D: Switch to the Dashboard
  • Ctrl + Shift + T: Switch to the Target tab
  • Ctrl + Shift + P: Switch to the Proxy tab
  • Ctrl + Shift + I: Switch to the Intruder tab
  • Ctrl + Shift + R: Switch to the Repeater tab

Questions

Which tab will Ctrl + Shift + P switch us to?

Ctrl + Shift + P switches us to the Proxy tab.

Answer: Proxy tab


Part 7: Options

Burp Suite offers two types of settings:

  1. Global Settings (User Settings): Affect the entire installation and persist across sessions.
  2. Project Settings: Specific to the current project and apply only during the session. Note that project settings are not saved in the Community Edition.

Accessing Settings:

  • Use the Settings button in the top navigation bar to open the settings window.
  • The settings menu includes:
    • Search: Find specific settings using keywords.
    • Type Filter: Switch between User and Project settings.
    • Categories: Browse settings by category.

Key Features:

  • Tools like the Proxy module provide direct shortcuts to their specific settings.
  • The search functionality enables quick access to specific configuration options.

Familiarize yourself with these configurable options before proceeding to exercises on configuring Burp Suite.

Questions

In which category can you find a reference to a “Cookie jar”?

Take a look at the sessions sub-tab:

Cookie Jar settings

Answer: Sessions

In which base category can you find the “Updates” sub-category, which controls the Burp Suite update behaviour?

The update behaviour settings can be found in the Suite base category.

Burp Suite update behaviour

Answer: Suite

What is the name of the sub-category which allows you to change the keybindings for shortcuts in Burp Suite?

Keybindings are changed in the Hotkeys sub-category:

Burp Suite hotkeys settings

Answer: hotkeys

If we have uploaded Client-Side TLS certificates, can we override these on a per-project basis (yea/nay)?

Yes, we can. If you search for TLS in the settings you will see the following Client TLS certificates section, which includes a switch to override the options on a per-project basis.

TLS Options Burp Suite

Answer: yea


Task 8: Introduction to Burp Proxy

The Burp Proxy is a core tool in Burp Suite that captures and manipulates traffic between the user and the target web server. Here’s a summary:

Key Features:

  1. Intercepting Requests:
    • Requests are held back for actions like forwarding, dropping, editing, or sending to other modules.
    • Use the Intercept is on button to enable or disable interception.
  2. Control and Analysis:
    • Enables full control over web traffic for testing purposes.
    • Logs and captures HTTP/S and WebSocket traffic for review and analysis in HTTP history and WebSockets history tabs.
  3. Proxy Settings:
    • Response Interception: Allows interception of server responses based on specific rules.
    • Match and Replace: Uses regex to modify requests and responses dynamically, such as altering user agents or cookies.
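To make the Match and Replace behaviour concrete, here is an added example (not code from the room or from PortSwigger) that applies rules of the same shape, a target, a regex and a replacement, to the header lines of a constructed raw request; the request, the rules and the hostname example.thm are all assumptions for the demo, and only request-header rules are modelled.

```python
import re

# Constructed raw HTTP request, standing in for one captured by the Proxy.
SAMPLE_REQUEST = (
    "GET /ticket/ HTTP/1.1\r\n"
    "Host: example.thm\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Rules in the shape of Burp's Match and Replace entries: (type, match regex,
# replacement). Only the "request header" type is handled in this demo.
RULES = [
    ("request header", r"^User-Agent: .*$", "User-Agent: BurpTest/1.0"),
    ("request header", r"^(Cookie: .*)theme=dark", r"\1theme=light"),
]


def split_request(raw):
    """Split a raw request into (request line, list of header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def apply_rules(raw, rules):
    """Run every header rule over every header line; return the rewritten request."""
    request_line, headers, body = split_request(raw)
    for kind, pattern, replacement in rules:
        if kind != "request header":
            continue
        regex = re.compile(pattern)
        headers = [regex.sub(replacement, h) for h in headers]
    return "\r\n".join([request_line, *headers]) + "\r\n\r\n" + body


def header(raw, name):
    """Return the value of the first header called `name`, or None if absent."""
    _, headers, _ = split_request(raw)
    for h in headers:
        key, _, value = h.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None
```

A rule that matches nothing leaves the request untouched, so checking the rewritten headers (as the assertions do) is the quickest way to confirm a regex is anchored the way you intended.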

Questions

Click me to proceed to the next task.

Answer: No answer needed


Task 9: Connecting through the proxy (FoxyProxy)

Questions

Click me to proceed to the next task.

Answer: No answer needed


Task 10: Site Map and Issue Definitions

The Target tab in Burp Suite offers several key features for controlling and analyzing the scope of web application testing:

  1. Site Map:
    • Displays the structure of the web application as a tree.
    • Automatically generates a site map by browsing the application, useful for mapping APIs and identifying pages.
    • In Burp Suite Professional, it supports automated crawling to explore links and map the entire site.
  2. Issue Definitions:
    • Provides a list of vulnerabilities that Burp Suite scans for, along with descriptions and references.
    • Although Burp Suite Community lacks full scanning functionality, this section is valuable for manual testing and reporting.
  3. Scope Settings:
    • Controls which domains or IPs are included in the test scope.
    • Helps focus testing on specific targets and exclude irrelevant traffic.

Challenge:

Browse the site at http://MACHINE_IP/ and visit all pages linked on the homepage. Check the site map for an unusual endpoint that stands out.

Questions

What is the flag you receive after visiting the unusual endpoint?

Click around on the site while having your Site map sub-tab open. A URL made up of a bunch of numbers and letters should pop up. Then look at the response (or visit the URL in the browser).

Finding the flag in the sitemap

Answer: THM{NmNlZTliNGE1MWU1ZTQzMzgzNmFiNWVk}

Answer: No answer needed


Task 11: The Burp Suite Browser

Burp Suite includes a built-in Chromium browser, which is pre-configured to use the proxy without requiring modifications to your regular web browser. Here’s a breakdown:

  1. Starting the Burp Browser:
    • Click the Open Browser button in the Proxy tab to launch the Chromium browser. Any requests made will automatically go through the proxy.
      Open browser button
    • Settings for Burp Browser: there are various settings in both project options and user options to customize the Burp Browser as needed.
  2. Linux Users (Root Access Issue):
    • On Linux (like in the AttackBox), running Burp Suite as root may prevent the Burp Browser from starting due to sandboxing issues.
    • Smart Option: Run Burp Suite under a low-privilege user account.
    • Easy Option: Go to Settings > Tools > Burp’s browser and enable the option Allow Burp’s browser to run without a sandbox.
      • Note: This option is disabled by default for security reasons. Enabling it may pose security risks, so it should be used cautiously, especially outside a controlled environment.

Questions

Click me to proceed to the next task.

Answer: No answer needed


Task 12: Scoping and Targeting

Scoping in Burp Suite is crucial for focusing on specific web applications and avoiding the overload of unnecessary traffic. Here’s a summary of how it works:

  1. Setting the Scope:
    • In the Target tab, right-click on the desired target and select Add To Scope.
    • You’ll be prompted to stop logging traffic that isn’t in scope—usually, you’ll choose yes.
  2. Checking the Scope:
    • The Scope settings sub-tab in the Target tab allows you to define and control your target scope by including or excluding specific domains or IPs.
  3. Limiting Intercepted Traffic:
    • Even with logging disabled for out-of-scope traffic, the proxy still intercepts everything by default.
    • To prevent this, go to the Proxy settings sub-tab and enable And URL Is in target scope under the “Intercept Client Requests” section.
    • This ensures the proxy only intercepts traffic within the defined scope, offering a cleaner traffic view in Burp Suite.

Questions

Add http://MACHINE_IP/ to your scope and change the Proxy settings to only intercept traffic to in-scope targets. See the difference between the amount of traffic getting caught by the proxy before and after limiting the scope.

Just play around with this. Limiting the scope helps make your day a lot easier.

Answer: No answer needed


Task 13: Proxying HTTPS

Note: The AttackBox is already configured to solve the problem posed in this task. If you use the AttackBox and don’t wish to read through the information here, you can skip to the next task.

When intercepting HTTP traffic, you may encounter errors on sites with TLS enabled, such as receiving a message indicating that the PortSwigger Certificate Authority (CA) is not trusted. To resolve this, you need to add the PortSwigger CA certificate to your browser’s trusted list. Here’s how to do it:

  1. Download the CA Certificate:
    • With Burp Proxy activated, navigate to http://burp/cert to download the cacert.der file. Save it on your machine.
  2. Access Firefox Certificate Settings:
    • Type about:preferences in the Firefox URL bar and press Enter.
    • Search for “certificates” and click on View Certificates.
  3. Import the CA Certificate:
    • In the Certificate Manager window, click Import and select the cacert.der file you downloaded.
  4. Set Trust for the Certificate:
    • In the trust settings window, check the box Trust this CA to identify websites and click OK.

After completing these steps, your browser will trust the PortSwigger CA certificate, allowing you to visit TLS-enabled sites through Burp Suite Proxy without encountering certificate errors.

Questions

If you are not using the AttackBox, configure Firefox (or your browser of choice) to accept the PortSwigger CA certificate for TLS communication through the Burp Proxy.

Answer: No answer needed


Task 14: Example Attack

In a simplified real-world web application penetration test, we can start by testing the support form at http://MACHINE_IP/ticket/. One common vulnerability to test for is Cross-Site Scripting (XSS), specifically Reflected XSS.

Reflected XSS occurs when a malicious script is injected into a webpage, but it only affects the person making the request. The injected JavaScript is reflected back to the user by the server and executed in their browser, potentially allowing attackers to steal cookies, session tokens, or perform actions on behalf of the user.

To test for reflected XSS, you would typically inject a JavaScript payload into the support form and check if it gets reflected back in the response. If the script executes in the browser, it indicates a vulnerability.

Questions

There are no questions here to answer, but be sure to read about the example attack on THM. Generally the process is as follows:

The goal is to bypass a client-side filter on the “Contact Email” field, which is preventing the injection of special characters like <script> tags. Here’s a step-by-step guide to bypassing this filter and triggering a Reflected XSS attack:

  1. Start by ensuring your Burp Proxy is active and the intercept is on.
  2. Submit legitimate data in the support form. For instance:
    • Email: pentester@example.thm
    • Query: Test Attack
  3. Intercept the request: Once you submit the form, Burp Proxy will capture the request.
  4. Modify the request:
    • Change the email field to your XSS payload: <script>alert("Succ3ssful XSS")</script>.
  5. URL encode the payload: Select the payload and press Ctrl + U to URL encode it, ensuring it can be safely sent through the form.
  6. Forward the request: Press the “Forward” button in Burp Proxy to send the modified request to the server.
  7. Check the result: If successful, the website should display an alert box indicating that the XSS payload was executed, confirming the vulnerability.

This method demonstrates how easily client-side filters can be bypassed by modifying the request directly in the Burp Proxy.
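The lesson for the defending side is that the client-side filter never sees the request Burp forwards, so the fix has to live on the server. The added example below (my own code, not the room's application) builds the form body with the walkthrough's payload URL-encoded, decodes it server-side, and contrasts a handler that reflects the email raw with one that HTML-encodes it. The field names, the form URL handling and the encode-everything behaviour of url_encode_field are assumptions; Burp's Ctrl + U encodes only key characters.

```python
import html
from urllib.parse import quote, parse_qs

# The payload from the walkthrough, used here as a constructed form field value.
PAYLOAD = '<script>alert("Succ3ssful XSS")</script>'


def url_encode_field(value):
    """URL-encode a field value; every reserved character is encoded (assumption)."""
    return quote(value, safe="")


def build_form_body(email, query):
    """Build the application/x-www-form-urlencoded body the browser would send."""
    return f"email={url_encode_field(email)}&query={url_encode_field(query)}"


def parse_form_body(body):
    """Decode the body as the server does; a client-side filter has no say here."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def vulnerable_response(body):
    """Reflect the submitted email into the page unescaped (the flaw the task shows)."""
    fields = parse_form_body(body)
    return f"<p>Thanks, we will reply to {fields['email']}</p>"


def hardened_response(body):
    """Same page with output encoding, so the payload is rendered as plain text."""
    fields = parse_form_body(body)
    safe_email = html.escape(fields["email"], quote=True)
    return f"<p>Thanks, we will reply to {safe_email}</p>"


def reflects_payload(response_html, payload):
    """True if the raw payload survived into the HTML, i.e. the browser would run it."""
    return payload in response_html
```

Run both handlers over the same body to see that URL encoding changes nothing about what the server receives; only the output encoding in hardened_response decides whether the script tag reaches the browser intact.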

Click me to proceed to the next task.

Answer: No answer needed


Task 15 (Room Conclusion)

Congratulations on completing the Burp Suite: The Basics room on TryHackMe! You now have a solid foundation in Burp Suite, including the interface, configuration options, and the Burp Proxy. These skills are crucial for your journey into web and mobile application penetration testing.

To continue improving, it’s a great idea to practice and experiment with Burp Suite. Explore its features, tweak different settings, and familiarize yourself with all the available tools. The more you use Burp Suite, the better you’ll become at identifying and exploiting vulnerabilities in web applications.

We have now reached the end of this walkthrough of the Burp Suite: The Basics room.
This room has hopefully given you a good grasp of the Burp Suite interface and configuration options, as well as given you a working knowledge of the Burp Proxy.

Questions

I understand the fundamentals of using Burp Suite!

Answer: No answer needed


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
