Phạm Ngọc Sơn (PNS), senior QA of Safewhere team, had a quick introduction about using Burp Suite on Linux to do penetration testing
Burp Suite is a powerful web testing tool with a wide range of features. One of its most useful feature is the ability to act as an intercepting proxy server which in turn allows us to intercept web traffic and modify a web request before it goes to the remote web server, and modify a response before it comes to browser.
You can use Burp Suite to view and modify:
Form data and hidden fields of requests/responses.
Headers including cookies sent from/to a browser.
In this post, I will introduce how to use Burp Suite on Kali Linux. First, fire up Burp Suite, and browse to Proxy –> Options:
As you can see, the proxy server is running on 127.0.0.1 port 8080 where I need to route all traffic of my browser through it. In Iceweasel on Kali Linux, this is found in Edit –> Preferences –> Network –> Settings:
After setting the proxy, Burp will show an alert that it captured a request whenever a request is made:
Now let’s move to a functional example in which I modified a request:
After making a request to a site, I changed the __RequestVerificationToken parameter for checking CSRF attack and clicked on the Forward button to submit the modified request. The result from the web application meant it is doing CSRF check correctly:
Intercepting the response is easy too:
Would you like to work with the coolest IT guys in Vietnam? Apply to one of the following jobs:
Job requires a high level of technical skills and experience within Microsoft technologies and offers high salary, exciting projects, and constant challenges in terms of technology and design.Tell me more
Want to have fun developing innovative Xamarin products? We are developing a number of exciting games and social applications of our own as well as supporting third party clients.Tell me more
Job requires both good English as well as the ability to understand complex technical subjects and systems. You will mainly be writing SEO articles and guidelines for our many products.Tell me more
Knowing Ionic framework or NodeJs is a plus, but is not mandatory.
2 Senior Developer positions in an Offshore Development Center team. You will work directly with a Danish Project Manager at our Vietnam office. The initial project is for a multinational French company.Tell me more
1 Senior QA/Test Engineer in an Offshore Development Center team. You will work directly with a Danish Project Manager at our Vietnam office. The initial project is for a multinational French company.Tell me more