SAD Lab Exp7 07

The document outlines an experiment conducted at Don Bosco Institute of Technology to demonstrate the use of Burp Proxy for testing web applications. It details the objectives, prerequisites, and steps for using Burp Suite to intercept and manipulate HTTP traffic, emphasizing its importance in web security testing. The experiment aims to equip students with practical skills in identifying and exploiting vulnerabilities in web applications.

Don Bosco Institute of Technology, Kurla (W), Mumbai – 400070

Department of Information Technology


Secure Application Development Lab

Roll no.: 07 Date: / /2023

Name: Shreejeet Bhabal

Experiment No. 7

Aim: Demonstrate Burp proxy to test web applications.

Objectives: The objective of this experiment is to

● Understand data validation and authentication for web applications.

Outcomes: After study of this experiment, the student will be able to

● Use Burp Proxy to test web applications.

Prerequisite: Knowledge of vulnerabilities.

Requirements: PC with Internet access, Burp Suite

Brief Theory:
Burp Suite is the most widely used toolbox for web security testing. Penetration testers and security
engineers use it to find and exploit security flaws, and it is designed for point-and-click use.
Understanding how systems are attacked is essential for everyone working in security, whether they
are developers or security professionals. Burp Suite is a platform and a set of graphical tools that work
together to perform security testing of web applications. It supports the whole testing process, from
the initial mapping and analysis of an application's attack surface through to the discovery and
exploitation of security flaws.

What is Burp Suite?


Burp Suite is a proxy program that enables us to track, examine, and alter requests made by our
browser before they are forwarded to the remote server.

Burp Suite is a prominent web application security solution. It gives us the ability to manually test for
vulnerabilities, intercept HTTP messages, and change a message's body and headers.

It is the most widely used tool among web application security experts and bug bounty hunters. It is a
better option than free substitutes like OWASP ZAP because of how simple it is to use. The
Community edition of Burp Suite is available for free, whereas the Professional edition and the
Enterprise edition require payment.

Why is Burp Suite Used in Cybersecurity


Burp Suite is a comprehensive framework that may be used to carry out several activities, including:

● Web crawling.
● Web application testing, both manually and automatically.
● Analysis of web applications.
● Vulnerability detection

Burp Suite also has the advantage of shipping with its own built-in browser, preconfigured to send its traffic through the proxy.

Laboratory Exercise
1. Follow the step-by-step process available at the following URL:

https://docs.google.com/document/d/1Raxt0Lts2uaiQkjMgTH8uKJ5lWuef5oP/edit?usp=sharing&ouid=105710360085268780210&rtpof=true&sd=true

2. Add the screenshot of your output.

Steps to learn how to intercept, review, and manipulate HTTP traffic using Burp Proxy

Steps to Download and Install Burp Suite:

Step 1: Download the Community version and install it
URL: https://portswigger.net/burp/releases/professional-community-2022-8-4?requestededition=community&requestedplatform=

Step 2: Run the installer and launch Burp Suite



• Select “Temporary Project in Memory”
• Use “Burp Default” configuration
• Click on Start Burp

Step 3: Start exploring Burp Suite



If you're completely new to Burp Suite, follow the rest of this tutorial for an interactive, guided tour
of the core features.
• Steps for intercepting HTTP traffic with Burp Proxy

Intercept HTTP traffic with Burp Proxy


In this tutorial, you'll use a live, deliberately vulnerable website to learn how to intercept requests
with Burp Proxy.

Intercepting a request
Burp Proxy lets you intercept HTTP requests and responses sent between Burp's browser and the
target server. This enables you to study how the website behaves when you perform different actions.
Step 1: Launch Burp's browser
Go to the Proxy > Intercept tab.

Click the Intercept is off button, so it toggles to Intercept is on.

Click Open Browser. This launches Burp's browser, which is preconfigured to work with Burp right
out of the box.
Position the windows so that you can see both Burp and Burp's browser.

Step 2: Intercept a request

Using Burp's browser, try to visit https://portswigger.net and observe that the site doesn't load.
Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach
the server. You can see this intercepted request on the Proxy > Intercept tab.

The request is held here so that you can study it, and even modify it, before forwarding it to the
target server.

Step 3: Forward the request


Click the Forward button several times to send the intercepted request, and any subsequent ones,
until the page loads in Burp's browser.

Step 4: Switch off interception


Due to the number of requests browsers typically send, you often won't want to intercept every single
one of them. Click the Intercept is on button so that it now says Intercept is off. Go back to the
browser and confirm that you can now interact with the site as normal.

Step 5: View the HTTP history


In Burp, go to the Proxy > HTTP history tab. Here, you can see the history of all HTTP traffic that
has passed through Burp Proxy, even while interception was switched off.
Click on any entry in the history to view the raw HTTP request, along with the corresponding response
from the server.

the server afterward, which is more convenient in many cases.

Modifying HTTP requests with Burp Proxy


In this part, you'll learn how to modify an intercepted request in Burp Proxy. This enables you to
manipulate the request in ways that the website isn't expecting in order to see how it responds. Using
one of our deliberately vulnerable websites, known as "labs", you'll see how this can help you identify
and exploit real vulnerabilities.

Step 1: Access the vulnerable website in Burp's browser


In Burp, go to the Proxy > Intercept tab and make sure interception is switched off.
Launch Burp's browser and use it to visit the following URL:
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-clientside-controls

Step 2: Log in to your shopping account



Step 3: Find something to buy

Click Home to go back to the home page. Select the option to view the product details for the
Lightweight "l33t" leather jacket.

Step 4: Study the add to cart function

In Burp, go to the Proxy > Intercept tab and switch interception on. In the browser, add the leather
jacket to your cart to intercept the resulting POST /cart request.

You may initially see a different request on the Proxy > Intercept tab if the browser is doing
something else in the background. In this case, just click Forward until you see the POST /cart request
as shown in the screenshot above.

Study the intercepted request and notice that there is a parameter in the body called price, which
matches the price of the item in cents.

Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.

Step 6: Exploit the vulnerability


In Burp's browser, click the basket icon in the upper-right corner to view your cart. Notice that the
jacket has been added for just one cent.

Note: There is no way to modify the price via the web interface. You were only able to make this
change thanks to Burp Proxy.
Click the Place order button to purchase the jacket for an extremely reasonable price.

Congratulations, you've also learned how to intercept, review, and manipulate HTTP traffic using
Burp Proxy.
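As an added example (not from the lab handout or from PortSwigger), the server-side logic behind the flaw just exploited: a cart handler that trusts the `price` parameter from the intercepted POST /cart request, its hardened counterpart that looks the price up server-side, and a check that flags requests whose client-supplied price disagrees with the catalogue. The body format, the parameter names other than `price`, and the catalogue values are constructed for illustration.

```python
"""Added example: why the server must never trust the price field that
Burp Proxy let us edit in the POST /cart request.

Constructed for illustration: the form-body layout, the parameter names
other than `price`, and the catalogue prices (all in cents)."""
from urllib.parse import parse_qs

# Constructed server-side catalogue: product id -> price in cents.
CATALOGUE = {"1": 133700}

# A POST /cart body as the browser sends it (constructed), and the same
# body after the price was edited in Burp Proxy before forwarding.
ORIGINAL_BODY = "productId=1&redir=PRODUCT&quantity=1&price=133700"
TAMPERED_BODY = "productId=1&redir=PRODUCT&quantity=1&price=1"


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_to_cart_vulnerable(body: str) -> int:
    """Logic flaw: the line total is whatever price the client claimed."""
    form = parse_body(body)
    return int(form["price"]) * int(form["quantity"])


def add_to_cart_hardened(body: str) -> int:
    """Fix: ignore any client-supplied price and look it up server-side."""
    form = parse_body(body)
    product_id = form.get("productId")
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    quantity = int(form.get("quantity", "0"))
    if quantity < 1:
        raise ValueError("quantity must be positive")
    return CATALOGUE[product_id] * quantity


def price_mismatch(body: str) -> bool:
    """Detection aid: a request whose price disagrees with the catalogue is
    what a proxy-modified request looks like in the server's logs."""
    form = parse_body(body)
    expected = CATALOGUE.get(form.get("productId"))
    return "price" in form and expected is not None and int(form["price"]) != expected


if __name__ == "__main__":
    print(add_to_cart_vulnerable(TAMPERED_BODY))  # 1 cent: the lab's outcome
    print(add_to_cart_hardened(TAMPERED_BODY))    # 133700: tampering ignored
    print(price_mismatch(TAMPERED_BODY))          # True
```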

Conclusion: In this experiment, we learned how to intercept, review, and manipulate HTTP traffic using
Burp Proxy.

References:


01. https://docs.google.com/document/d/1Raxt0Lts2uaiQkjMgTH8uKJ5lWuef5oP/edit
