BSCE - DrAlzahraniProjects/csusb_fall2024_cse6550_team4 GitHub Wiki
Installation
Follow these steps to install Burp Suite Community Edition for web security testing:
Download Burp Suite:
- Visit the Burp Suite Downloads page and select the appropriate version for your operating system (Windows, macOS, or Linux).
- For Windows: Download the .exe installer.
- For macOS: Download the .dmg file.
- For Linux: Download the appropriate .tar or .deb file.
Install Burp Suite:
- Follow the standard installation prompts for your OS.
- Windows: Double-click the .exe installer and follow the on-screen instructions.
- macOS: Open the .dmg file and drag the Burp Suite icon into your Applications folder.
- Linux: Extract the .tar file, or install the .deb file with the package manager:
sudo dpkg -i burpsuite_community_version.deb
Configuration
After installation, you need to configure Burp Suite to use its features effectively.
- Set up the Proxy: to intercept traffic, you need to configure the proxy settings in Burp Suite.
Go to the “Proxy” tab, then click on the sub-tab “Options/Proxy Settings”.
- You should see an entry in the table with a ticked checkbox in the Running column and “127.0.0.1:8080” in the Interface column.
By default, Burp Suite listens on port 8080.
- You can make the listener use a different port by clicking the “Edit” button and changing its port number.
Setting up Proxy Configuration
- Launch Burp Suite.
- Go to the Proxy tab and select Options.
- Ensure the proxy listener is enabled on the default port (usually 8080).
- Configure your browser to use Burp as a proxy: in your browser's network settings, set the HTTP proxy to 127.0.0.1 and port 8080.
Interface: 127.0.0.1:8080 (Running)
- Go to the Proxy > Intercept tab and click the “Intercept is off” button so it toggles to “Intercept is on”. This toggle lets you intercept any request or response and modify it before forwarding it.
Configuring browser
To use Burp Suite as a proxy, you need to configure your browser. The process varies depending on the browser you’re using; in this example, I’ll use Firefox. However, you can refer to the Burp Suite documentation here on how to configure other browsers.
- Open Firefox, open the menu in the top right corner, go to Settings, and search for the word proxy. Click on the icon to open the proxy settings.
- Select Manual proxy configuration.
- Set the HTTP Proxy to 127.0.0.1 and the Port to 8080 (or the port you configured).
- Enable the option to Use this proxy server for all protocols.
- Other browsers: Follow similar steps for Chrome, Edge, or Safari, referring to the Burp Suite documentation for specific configurations.
Setting up a proxy server for Firefox
SSL Certificate Installation
To intercept HTTPS traffic, you need to install the Burp SSL certificate:
- Open your browser and navigate to http://burpsuite.
- Click on the CA Certificate link to download the Burp CA certificate.
- Install the certificate in your browser’s trusted root authorities.
- Firefox: Go to Settings → Privacy & Security → View Certificates → Authorities → Import.
- Chrome: Go to Settings → Privacy and Security → Security → Manage Certificates → Import.
- Once installed, your browser will trust SSL connections made by Burp Suite without showing security warnings.
To configure your host computer, open the relevant configuration options and select ‘Manual proxy configuration’. Enter the same HTTP Proxy and Port number as entered in Burp Suite, then click ‘OK’ to save the settings.
The browser is now set up to use Burp Suite as a proxy listening on port 8080. Next, you need to install Burp’s CA certificate.
Go to http://burp/ or http://127.0.0.1:8080 in Firefox. Click on ‘CA Certificate’ in the top menu bar to download it.
Download Burp’s CA cert
Downloaded Burp Certificate
The CA cert must be installed in your browser as a trusted root so that the browser trusts the SSL connections made to Burp Suite. In Firefox, open Options from the side menu, type Certificates in the search field, then click “View Certificates” > Authorities > Import.
Once Burp’s CA cert is installed, you should have no problem using Burp Suite as an interceptor. In Firefox, try browsing to https://google.com/; you will not see any security warning.
In Burp Suite, when the interceptor is turned on, you will see all the requests made by the browser. You can analyze the requests and make any modifications. When you’re satisfied, click on the Forward button to send the message.
You can also click on the HTTP History tab to view the request history.
Implementation
Burp Suite provides various features for web application testing. Here are some essential functionalities:
Intercepting Requests:
- Ensure the Proxy is active and your browser is configured.
- Use the browser to navigate to a web application.
- Burp will intercept the requests, allowing you to analyze and modify them before they reach the server.
Spidering a Website:
- Navigate to the Target tab.
- Right-click on the target site and select Spider this host.
- Burp will start crawling the website to discover additional endpoints.
Scanning for Vulnerabilities:
- Go to the Scanner tab.
- Right-click on the target and select Scan.
- Review the findings for potential vulnerabilities.
Usage
Once Burp Suite is configured, use the tools to generate useful reports and test your web application.
Generating reports
- In Burp Suite, after scanning or intercepting traffic, navigate to the Target tab.
- Right-click the relevant scan results or intercepted requests.
- Select Save Item or Generate Report to export findings in various formats like HTML, XML, or CSV.
Example project test case
1. Test Objective: Test for SQL Injection vulnerabilities in the login form of a sample web application.
2. Steps:
- Open Burp Suite and configure the proxy as mentioned earlier.
- Navigate to the login page of the target web application in the browser.
- Intercept the login request and modify the input fields to test for SQL injection (e.g., entering ' OR '1'='1 in the username field).
- Forward the request.
3. Expected Results: The web application should return an error message or log in without proper credentials if it is vulnerable to SQL injection.
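The two outcomes listed under Expected Results come from how the login query is built. The Python script below is an added example (not part of this wiki or of Burp Suite) that runs the test case's payload against a constructed in-memory SQLite user table: a login that concatenates form input into SQL beside the parameterized version that defenders should ship. Table, user and password values are constructed for the example.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the probe used in the test case above


def make_db():
    """Constructed sample user table (plain-text password only to keep it short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, so form input becomes SQL.
    Returns True/False for the login decision, or an 'error: ...' string when
    the database rejects the query (the error-message outcome of the test case)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return db.execute(query).fetchone()[0] > 0
    except sqlite3.Error as exc:
        return f"error: {exc}"


def login_safe(db, username, password):
    """Parameterized query: the driver passes input as data, never as SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the payload is entered in both fields to make
    # the WHERE clause always true: ... OR '1'='1' AND password = '' OR '1'='1'
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))    # True: logged in
    print("vulnerable:", login_vulnerable(db, "'", "x"))            # error: ...
    print("safe:      ", login_safe(db, PAYLOAD, PAYLOAD))          # False
    print("safe:      ", login_safe(db, "alice", "correct horse"))  # True
```

A stray quote on its own produces the "error message" outcome, while the full payload in both fields produces the "logs in without proper credentials" outcome; the parameterized login gives neither.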
Troubleshooting
Here are solutions for common problems:
Installation Issues
- Error: Missing dependencies on Linux. Solution: Run:
sudo apt --fix-broken install
- Proxy Issues. Solution:
  - Ensure the proxy settings in your browser match Burp Suite (127.0.0.1:8080).
  - Verify Burp’s proxy listener is active in Proxy > Options.
  - Check whether a firewall is blocking the connection.
- SSL Errors. Solution: Confirm that the Burp CA certificate is installed in your browser. Re-download and re-install the certificate if necessary.
- Performance Issues. Solution:
  - Increase the JVM heap size in the Burp startup configuration (for example, -Xmx2G).
  - Close unnecessary applications to free up resources.
- Intercepting Issues. Solution:
  - Ensure that Burp Suite’s Intercept is set to on.
  - Confirm your browser is configured to use Burp as the proxy.
  - Check for firewall or network issues that might block proxy communication.
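As an added example (not from this wiki or from PortSwigger), the Python script below checks the proxy and CA-certificate steps from the Configuration and SSL Certificate Installation sections from the command line, and maps what goes wrong to the Proxy Issues, SSL Errors and Intercepting Issues entries above. It assumes the default listener 127.0.0.1:8080 and that Burp serves its CA certificate at http://burp/cert, a URL that only resolves when the request goes through the proxy.

```python
import socket
import ssl
import urllib.error
import urllib.request

# Assumptions (not from the wiki): Burp listens at 127.0.0.1:8080 as configured above,
# and serves its CA certificate at http://burp/cert, a name that resolves only via the proxy.
BURP_CERT_URL = "http://burp/cert"

def burp_opener(proxy_host="127.0.0.1", proxy_port=8080, cafile=None):
    """urllib opener that sends HTTP and HTTPS through Burp, trusting `cafile` if given."""
    proxy = f"http://{proxy_host}:{proxy_port}"
    ctx = ssl.create_default_context(cafile=cafile)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )

def fetch_burp_ca(pem_path, proxy_host="127.0.0.1", proxy_port=8080):
    """Download Burp's CA certificate (DER) through the proxy and save it as PEM."""
    with burp_opener(proxy_host, proxy_port).open(BURP_CERT_URL, timeout=5) as resp:
        der = resp.read()
    with open(pem_path, "w") as out:
        out.write(ssl.DER_cert_to_PEM_cert(der))
    return pem_path

def diagnose(url, proxy_host="127.0.0.1", proxy_port=8080, cafile=None, timeout=5):
    """Send one request through Burp and classify the outcome, matching the entries above:
      "ok"                - Burp answered (request forwarded, or Burp's own error page)
      "ca-not-trusted"    - SSL Errors: the Burp CA is not in this client's trust store
      "held-or-timed-out" - Intercepting Issues: Intercept is on, or a firewall drops it
      "proxy-unreachable" - Proxy Issues: nothing is listening on proxy_host:proxy_port
    """
    opener = burp_opener(proxy_host, proxy_port, cafile)
    try:
        with opener.open(url, timeout=timeout) as resp:
            resp.read()
        return "ok"
    except urllib.error.HTTPError:
        return "ok"  # an HTTP error status still proves the listener is working
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "ca-not-trusted"
        if isinstance(exc.reason, socket.timeout):
            return "held-or-timed-out"
        return "proxy-unreachable"
    except socket.timeout:
        return "held-or-timed-out"  # body read stalled after the headers arrived
```

With Burp running and Intercept off, diagnose("https://example.com") reports ca-not-trusted until you run fetch_burp_ca("burp-ca.pem") and pass cafile="burp-ca.pem", after which it reports ok; with nothing listening on the port it reports proxy-unreachable.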
Resources
- Official Burp Suite Documentation: https://portswigger.net/burp/documentation
- Burp Suite Community Forum: https://community.portswigger.net/
- Burp Suite Tutorials: https://portswigger.net/web-security