A quick example
Before I dig deeper into the functionality of each section, it is best to start with a simple example, so that you can quickly see how the tool is used in practice. Not just talking, but doing!
This is going to be an oversimplified example, so I will not go into too much detail; I want you to understand the big picture. Later in this chapter, you will learn the nitty-gritty details of each function:
- Start Burp and open your browser in Kali Linux (Firefox is already configured to use Burp as its proxy; I will show you how to set that up later).
- Browse to the Mutillidae home page. The page does not load, and that's normal: Burp's Proxy has intercepted the request and is waiting for you to take action.
- Switch to Burp, and you will see the request in the Proxy/Intercept tab. At this point, you can edit the request, but I will just send it on to the server using the Forward button.
- When you click Forward, Burp sends the request to the web server. If you have enabled response interception in the Options tab, the server's response will stop in Intercept as well.
- By default, responses are not intercepted. To change that, go to the Proxy's Options tab, find the Intercept Server Responses section, and enable Intercept responses based on the following rules; then adjust the request and response rules to suit you.
These are the settings I use for request and response interception in Burp on a daily basis (Burp's defaults differ, most notably in that response interception is off).
- What's next? Let the response go back to the client by clicking Forward, then switch interception off by clicking the Intercept is on button (it toggles to Intercept is off). Burp still records every request and response in the Proxy's HTTP history, but pages now load without stopping, and you no longer get the chance to inspect or change their contents on the way through.
- Now I'll go back to the Mutillidae website, try to log in, and manually browse a couple of pages, so that Burp starts to learn the structure of the site. Back in Burp, click the Target tab, and you should see something similar to the following.
- Burp has recorded every host my browser talked to, including the browser's own background traffic, and that's normal, because I have not set the scope yet. To do so, right-click the Mutillidae server's IP address in the site map and select Add to scope.
- I'm not done yet; the site map still shows all the noise. To show only the scope in the site map tree, click the filter bar above the site map (it reads Filter: Hiding not found items; ...), and in the menu that appears, select the Show only in-scope items checkbox.
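To make the scope and site map filtering concrete, here is an added example of my own (it is not Burp's code) that emulates what Add to scope and Show only in-scope items do: it takes a constructed list of URLs like those that land in the site map after a short browse (the target plus the browser's background requests), applies include and exclude scope rules keyed on host and directory prefix, the way Burp's target scope works, and builds the filtered site map tree. The host 10.0.0.5, the Mutillidae paths and the third-party hosts are constructed sample data, not captured traffic.

```python
"""Emulate Burp's target scope and the 'Show only in-scope items' filter.

Added example for this tutorial; it is not Burp Suite's code. The captured
URLs below are constructed sample data, not a real proxy history.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class ScopeRule:
    """One scope entry: a host (or IP) plus an optional directory prefix.

    'Add to scope' on a host node gives host + '/' (the whole host); on a
    folder node it gives that folder as the prefix.
    """
    host: str
    path_prefix: str = "/"
    scheme: Optional[str] = None  # None matches both http and https

    def matches(self, url: str) -> bool:
        parts = urlparse(url)
        if self.scheme and parts.scheme.lower() != self.scheme:
            return False
        if (parts.hostname or "").lower() != self.host.lower():
            return False
        # Directory-prefix match: '/mutillidae/' covers '/mutillidae' and
        # '/mutillidae/index.php' but not '/mutillidaex/'. Query strings
        # are ignored, as in Burp's site map tree.
        prefix = self.path_prefix if self.path_prefix.endswith("/") else self.path_prefix + "/"
        path = parts.path or "/"
        return (path + "/").startswith(prefix)


class TargetScope:
    """Include rules define the scope; exclude rules punch holes in it."""

    def __init__(self, include: Iterable[ScopeRule], exclude: Iterable[ScopeRule] = ()):
        self.include = list(include)
        self.exclude = list(exclude)

    def in_scope(self, url: str) -> bool:
        if any(rule.matches(url) for rule in self.exclude):
            return False
        return any(rule.matches(url) for rule in self.include)


def site_map(urls: Iterable[str], scope: Optional[TargetScope] = None) -> Dict[str, List[str]]:
    """Group captured URLs by host, like the Target > Site map tree.

    With a scope given, this is the 'Show only in-scope items' view.
    """
    tree: Dict[str, Set[str]] = {}
    for url in urls:
        if scope is not None and not scope.in_scope(url):
            continue
        parts = urlparse(url)
        root = f"{parts.scheme}://{parts.netloc}"
        tree.setdefault(root, set()).add(parts.path or "/")
    return {root: sorted(paths) for root, paths in sorted(tree.items())}


# Constructed sample of what lands in the site map after a short browse:
# the target (hypothetical address 10.0.0.5) plus the browser's own
# background traffic.
CAPTURED_URLS = [
    "http://10.0.0.5/mutillidae/",
    "http://10.0.0.5/mutillidae/index.php?page=login.php",
    "http://10.0.0.5/mutillidae/index.php?page=user-info.php",
    "http://10.0.0.5/mutillidae/styles/global-styles.css",
    "http://10.0.0.5/mutillidae/set-up-database.php",
    "http://10.0.0.5/phpmyadmin/",
    "http://detectportal.firefox.com/success.txt",
    "https://ocsp.digicert.com/",
]

# Scope = the Mutillidae folder only; the database-reset page is excluded
# so that a later active scan cannot hit it.
SCOPE = TargetScope(
    include=[ScopeRule("10.0.0.5", "/mutillidae/")],
    exclude=[ScopeRule("10.0.0.5", "/mutillidae/set-up-database.php")],
)


def in_scope_map() -> Dict[str, List[str]]:
    """The site map as seen with 'Show only in-scope items' ticked."""
    return site_map(CAPTURED_URLS, SCOPE)


if __name__ == "__main__":
    print("Unfiltered site map:", site_map(CAPTURED_URLS))
    print("In-scope only:", in_scope_map())
```

Two things the real scope does that this sketch leaves out: Burp also matches on port (so http://10.0.0.5:8080 is a separate scope entry), and its advanced mode takes regular expressions for host, port, and file. The exclude rule is the part worth copying into your own habits: add destructive endpoints (database resets, logout, account deletion) to the exclusion list before you spider or actively scan.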
Alright! That completes the basic tutorial. Here's what a pen tester can do after finishing the preceding steps:
- Spider the web application branch
- Discover hidden content
- Inspect the web request/response of each page
- Passively scan the web application
- Actively scan the web application
- Perform some manual tests using the Intruder and Repeater tabs
- Verify the reported vulnerabilities and weed out false positives
- Generate a report
If you have purchased Burp Pro, you can start it from a Terminal window with the following command (-Xmx2G caps the JVM heap at 2 GB; raise it for large projects):
java -jar -Xmx2G /[path]/[burp.jar]