Fundamentals

First touch with BurpSuite

Easy
30 min

The BurpSuite program exposes many different functions and settings, but don't let this discourage you. Using BurpSuite is learned quickly, and you will often find that you only need a handful of its features in daily work. Next, we will go through some of the core functionality that the BurpSuite program provides and the idea the tool is built on: the browser talks to the web server through BurpSuite, so every HTTP message can be seen, held, edited and replayed.

Recording HTTP Messages

Start by going to the Proxy page and click the Open Browser button. This opens BurpSuite's embedded Chromium browser, which is preconfigured to route its traffic through BurpSuite's proxy listener (127.0.0.1:8080 by default), so no manual proxy or certificate setup is needed. Once the browser has opened, go back to the BurpSuite program and make sure that interception of HTTP requests on the Proxy page is turned on (the button reads "Intercept is on"). Then return to the browser and try navigating to the address https://www.hakatemia.fi/.

You will notice that the browser appears to hang while loading the page. Go back to the BurpSuite program. On the Proxy page, you should now see the HTTP request the browser just sent.

The Proxy is in Intercept mode, which means that every message sent by the browser is held and displayed to the user before it reaches the server. We can edit the request, discard it with the Drop button, or pass it on to the server with the Forward button. Note that the browser keeps waiting until you do one of these.

We can also turn interception off. With interception off, the Proxy no longer holds messages; instead it records each message in the Proxy HTTP history and forwards it automatically. Turn interception off by pressing the Intercept is on button (it then reads "Intercept is off").

Note that https://www.hakatemia.fi has now finished loading in the browser.

Next, go to the Target page. On the left side (the Site map) you can see a list of all the hosts the browser has made requests to.

Defining the Target

Notice that opening the Hakatemia website has caused requests to several different hosts. This is because the Hakatemia website uses resources that are served from other sites.

These resources can be, for example, images, videos, style sheets, JavaScript libraries, etc.

Because websites usually depend on many resources loaded from other addresses, it is more practical to restrict the focus of the BurpSuite program to the websites we are actually testing. Otherwise it is easy to end up inspecting, or worse, sending test traffic to, a third party that has not authorised any testing.

Focus the BurpSuite program on the desired target by right-clicking the address https://www.hakatemia.fi in the list on the left side of the page and selecting Add to scope. BurpSuite will then ask whether you want to stop logging traffic to out-of-scope hosts; answer Yes.

Now we have defined the target: the BurpSuite program will no longer record traffic to other hosts in its history. Next, we want the Target page to show only the Hakatemia website. Press the Filter bar, select the Show only in-scope items checkbox, and press the Apply button to save the filter settings.

Expand the tree that the BurpSuite program has recorded for the website www.hakatemia.fi by pressing the arrow icon on the left side of the list entry.
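To make the scope idea concrete, here is a small scope filter written for this page (added example, not part of the original course material or of BurpSuite itself). It takes a constructed list of URLs of the kind a page load leaves in the Proxy history and keeps only those whose scheme and whole host name match the scope, the same decision BurpSuite makes when "Show only in-scope items" is enabled. It also shows why the match must be on the full host name: a naive substring check would accept a look-alike host that merely contains the target name. The host names other than www.hakatemia.fi are made up for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: URLs of the kind that loading https://www.hakatemia.fi/
# might leave in the Proxy history. The third-party hosts are illustrative.
CAPTURED_URLS = [
    "https://www.hakatemia.fi/",
    "https://www.hakatemia.fi/static/app.js",
    "https://www.hakatemia.fi/images/logo.png",
    "https://fonts.googleapis.com/css2?family=Inter",
    "https://cdn.example.net/lib/jquery.min.js",
    "http://www.hakatemia.fi/",
    "https://www.hakatemia.fi.evil.example/phish.html",
]


def naive_in_scope(url, scope_host):
    """The tempting but wrong check: does the URL *contain* the host name?

    Accepts 'www.hakatemia.fi.evil.example' because the string contains
    'www.hakatemia.fi'. Shown only to contrast with host_in_scope below.
    """
    return scope_host in url


def host_in_scope(url, scope_hosts, schemes=("https",)):
    """Return True if the URL's scheme and full host name match the scope.

    scope_hosts is the set of host names added with 'Add to scope'; schemes
    restricts which protocols count (Add to scope on an https:// entry only
    covers https by default, so http://www.hakatemia.fi/ is out of scope).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in schemes and host in {h.lower() for h in scope_hosts}


def filter_in_scope(urls, scope_hosts, schemes=("https",)):
    """Equivalent of the 'Show only in-scope items' filter on the Target page."""
    return [u for u in urls if host_in_scope(u, scope_hosts, schemes)]


if __name__ == "__main__":
    for url in filter_in_scope(CAPTURED_URLS, ["www.hakatemia.fi"]):
        print(url)
```

Run the script and only the three https://www.hakatemia.fi/ entries are printed; the font and CDN hosts, the plain-http variant and the look-alike host all drop out. If you do want both http and https traffic to the target in scope, pass `schemes=("http", "https")`, which corresponds to adding both protocol entries in BurpSuite's scope settings.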

Repeater

One of the most commonly used tools in the BurpSuite program is the Repeater. With it, we can easily modify an HTTP request, send it again and again, and see how the web server responds to each variation.

You can send an HTTP request to the Repeater page by right-clicking an HTTP request recorded by the BurpSuite program (for example in the Proxy history or the Target site map) and selecting Send to Repeater.

After this, go to the Repeater page. You will see the selected request on the left side and an empty response view on the right side. Press the Send button. This instructs the BurpSuite program to send that HTTP request to the website and show the response.

Next, try modifying the HTTP request by editing the resource path after the GET method on the first line, setting the path to /test, and press Send again.

Note that the requested page does not exist on the website https://www.hakatemia.fi, and the web server returned an HTTP response with status 404 Not Found. The status line at the top of the response view is the first thing to check after every Send.
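What Repeater edits is plain text in the HTTP wire format, and the same round trip can be done from a script. The following Python example is added for this page (it is not part of the original course material and is not BurpSuite code). It parses a constructed request of the kind shown in Repeater's left pane, changes the path to /test exactly as done above, reads the status code from a raw response, and, when run as a script, sends the modified request through BurpSuite's proxy listener so it also appears in the Proxy history. The listener address 127.0.0.1:8080 is BurpSuite's default and is assumed here; the sample request headers are made up.

```python
import http.client
import ssl

# Constructed sample of a request as it appears in Repeater (illustrative,
# not a capture from the original page).
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.hakatemia.fi\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, version, headers, body


def set_path(raw, new_path):
    """Return the request with its request-target replaced, as when editing
    the first line in Repeater. Headers and body are left untouched."""
    method, _, version, headers, body = parse_request(raw)
    head = "\r\n".join(
        [f"{method} {new_path} {version}"] + [f"{n}: {v}" for n, v in headers]
    )
    return head + "\r\n\r\n" + body


def status_code(raw_response):
    """Read the numeric status from a raw response's status line, e.g. 404."""
    status_line = raw_response.split("\r\n", 1)[0]
    return int(status_line.split(" ", 2)[1])


def send_via_burp(raw, proxy_host="127.0.0.1", proxy_port=8080):
    """Send the raw request through BurpSuite's proxy listener (assumed default
    address) and return (status, body). The TLS connection is tunnelled with
    CONNECT to the host named in the Host header. Certificate verification is
    disabled because BurpSuite terminates TLS with its own CA, which Python
    does not trust; for real use, load BurpSuite's exported CA certificate
    with ctx.load_verify_locations() instead of disabling verification."""
    method, path, _, headers, body = parse_request(raw)
    target = dict(headers)["Host"]
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, context=ctx)
    conn.set_tunnel(target, 443)
    conn.request(method, path, body=body or None, headers=dict(headers))
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


if __name__ == "__main__":
    modified = set_path(RAW_REQUEST, "/test")
    print(modified)
    status, _ = send_via_burp(modified)
    print("status:", status)
```

With BurpSuite running and interception off, running the script prints the edited request, then the status the server returned for /test; the request also shows up in the Proxy history, where you can right-click it and send it to Repeater like any browser-made request. If interception is on, the script blocks until you press Forward, exactly as the browser did earlier.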

Final Words

We have now gone through how to use the BurpSuite proxy to capture browser-made HTTP requests, how to limit the scope to the website under test, and how to modify and replay requests with the Repeater.

We strongly recommend experimenting boldly with the tool's other features and seeking out more information about what it can do.
