How to use Burp Suite to intercept and modify request/response in penetration testing

Burp Suite is a powerful web testing tool with a wide range of features

Phạm Ngọc Sơn (PNS), senior QA of Safewhere team, had a quick introduction about using Burp Suite on Linux to do penetration testing

Burp Suite is a powerful web testing tool with a wide range of features. One of its most useful feature is the ability to act as an intercepting proxy server which in turn allows us to intercept web traffic and modify a web request before it goes to the remote web server, and modify a response before it comes to browser.

You can use Burp Suite to view and modify:

  • Form data and hidden fields of requests/responses.
  • AJAX requests.
  • Headers including cookies sent from/to a browser.
  • Remove client side JavaScript.

Burp Suite on kali Linux

In this post, I will introduce how to use Burp Suite on Kali Linux. First, fire up Burp Suite, and browse to Proxy –> Options:

image alt text
image alt text

As you can see, the proxy server is running on port 8080 where I need to route all traffic of my browser through it. In Iceweasel on Kali Linux, this is found in Edit –> Preferences –> Network –> Settings:

image alt text

After setting the proxy, Burp will show an alert that it captured a request whenever a request is made:

image alt text

Now let’s move to a functional example in which I modified a request:

image alt text

After making a request to a site, I changed the __RequestVerificationToken parameter for checking CSRF attack and clicked on the Forward button to submit the modified request. The result from the web application meant it is doing CSRF check correctly:

image alt text

Intercepting the response is easy too:

image alt text

Pham Ngoc Son-