How to use Burp Suite to intercept and modify request/response in penetration testing


Posted by RITVN on December 24, 2017


Phạm Ngọc Sơn (PNS), senior QA of the Safewhere team, gave a quick introduction to using Burp Suite on Linux for penetration testing.

Burp Suite is a powerful web testing tool with a wide range of features. One of its most useful features is the ability to act as an intercepting proxy server, which lets us capture web traffic, modify a request before it reaches the remote web server, and modify a response before it reaches the browser.

You can use Burp Suite to view and modify:

  • Form data and hidden fields of requests/responses.

  • AJAX requests.

  • Headers, including cookies sent from/to the browser.

  • Client-side JavaScript, which can also be removed from a response.

Burp Suite on Kali Linux

In this post, I will show how to use Burp Suite on Kali Linux. First, start Burp Suite and browse to Proxy –> Options.


As you can see, the proxy listener is running on 127.0.0.1 port 8080, so all of my browser's traffic needs to be routed through it. In Iceweasel on Kali Linux, the proxy setting is found under Edit –> Preferences –> Network –> Settings.


After setting the proxy, Burp shows an alert each time the browser makes a request, indicating that it has captured that request.


Now let's move to a working example in which I modified a request.


After making a request to a site, I changed the __RequestVerificationToken parameter to check the application's CSRF protection and clicked the Forward button to submit the modified request. The application's response showed that it performs the CSRF check correctly.

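To show what the server side of that check should do with the tampered request Burp forwards, here is an added example (not from the original post, and a simplified model rather than ASP.NET's real __RequestVerificationToken scheme): the cookie carries a random nonce, the form field carries an HMAC binding that nonce to the session, and any request where the two no longer match is rejected.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-application key; a constructed value for this example only.
SECRET = b"constructed-demo-secret"
TOKEN_NAME = "__RequestVerificationToken"


def issue_token(session_id):
    """Return (cookie_token, form_token) for a session.

    The cookie token is a random nonce; the form token is an HMAC over
    session id + nonce, so the pair can only be produced by the server.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce, mac


def verify_token(session_id, cookie_token, form_token):
    """True only if the form token is the HMAC of this session's cookie nonce."""
    if not cookie_token or not form_token:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{cookie_token}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, form_token)


def handle_post(session_id, cookies, body):
    """Simulate the app's POST handler; return an HTTP status code."""
    form = parse_qs(body)
    form_token = form.get(TOKEN_NAME, [""])[0]
    if not verify_token(session_id, cookies.get(TOKEN_NAME), form_token):
        return 403  # reject: token missing, tampered, or from another session
    return 200


if __name__ == "__main__":
    nonce, mac = issue_token("sess-1")
    cookies = {TOKEN_NAME: nonce}
    # Untouched request, as the browser sent it.
    print(handle_post("sess-1", cookies, f"name=x&{TOKEN_NAME}={mac}"))
    # Same request after the form token was edited in the proxy.
    print(handle_post("sess-1", cookies, f"name=x&{TOKEN_NAME}=tampered"))
```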

Intercepting the response is just as easy.

