How to configure burp suite for web application penetration testing

0 Comment blog

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite allows you to combine manual and automated techniques to enumerate, analyses, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
BurpSuite allow us to forward all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. We will configure burp suite with firefox or Iceweasel in Kali Linux or Backtrack.

Let’s get started into the steps of configuring Burp Suite:

1. Open Firefox or Iceweasel and Click on Edit then Preference
1

2. Preference Window will be open Now go to Advance → Network → Setting  2

3. Select Manual Proxy then write localhost or 127.0.0.1 in HTTP Proxy area and port should be 8080. Use this proxy server for all protocols by checking the box. Clear the No Proxy field then Finally Click OK.
3

4. Now open burp suite
    A. GUI Method
         Application → Kali Linux → Web Application → Web Vulnerability Scanners → burpsuite
4
B. Open Terminal and type burpsuite.jar and Press Enter
5
  1. If you are running burpsuite first time in your Kali Linux you will see this window Click on I Accept.

6

6. Burp Suit has been opened. Now Click on Proxy Tab then Click on Option Subtab and watch carefully local host interface running box should be check in Proxy Listeners.
7

7. Scroll down in the same tab (Proxy Tab → Option subtab)
Intercept Client Requests
    → Select URL Match type and keep Clicking UP button till URL Match type reach at the top.
    → Check Box ‘Intercept requests based on the following rules.’
8
  1. As we can see URL match type now at the top. Now select ‘File Extension’ and click on Edit.

9

9. Edit Window will be open. Here we will add ‘jpeg’ file extension. You can add or remove file extension as per your need. So, Write code and click on OK.
10
10. Scroll Down in the same tab (Proxy Tab → Option subtab)
Intercept Client Responses
       → Check Box ‘Intercept Responses based on the following rules.’
       → Select URL Match type and keep Clicking UP button till URL Match type reach at the top.

11

  1. Click on Add – we are going to add a new rule.

12

12. We will Add file extension match type according to below details:
      Boolean Operator : And
      Match type : File Extension
      Match relationship : Does not match
      Match condition: (^gif$|^jpg$|^png$|^css$|^js$|^ico$|^jpeg$)

13

  1. Select ‘File extension’  and keep Clicking UP button till ‘File extension’ reach at the 2nd top.

14

  1. We have organized it.

15

15. Now Open Your Firefox or Iceweasel and write www.google.com in the web address area. You may see a message ‘This Connection is Untrusted’ if you’re using Google over HTTPS.
You can add an exception everytime this happens when you’re using a proxy, but that can be irritating. We can also set Firefox or Iceweasel to trust the burp certificate so that we don’t get this error.The Pro version of burp allows us to get the certificate easily, but in the free version we have to do little work. You can browse any https enable website for doing this. After opening https enable website Click on ‘I Understand the Risks

16

16. Click on Add Exception…

17

17. Click on View

18

  1. Click on Details Tab, Select PortSwigger CA then Click on Export.

19

  1. Choose Your Save location, (must remember the location where you are saving your certificate.) Click on Save.

20

  1. Open Your Browser Click on Edit then Click on Preferences.

21

  1. Click on Advance Tab then Click on Encryption Subtab and Click on View Certificates.

22

  1. Click on Authorities Tab then Click on Import.

23

23. Find the location where you saved your PortSwiggerCA. If you are unable to view saved file from the location, change your file type as ‘All File’. Select your PortSwiggerCA and Open It.
24

  1. A new window will appear, Check box ‘Trust this CA to identity websites’ then Click on OK.

25

  1. If you will scroll down your Certificates Name You will Notice your Added Certificate there. Click OK. Now, you should be able to navigate to any SSL site in burp without being prompted to trust the certificate.

26

26. Here we want to make is to disable Google Safebrowsing. Safebrowsing is enabled for a reason but it can cause unwanted traffic during tests so we will disable it. Go to Security Tab and uncheck two boxes ‘Block Reported Attack sites’ and ‘Block Reported web forgeries’ Click Close
27

That’s it 🙂

You May Also Like

Leave a comment

Your email address will not be published. Required fields are marked *