Man in the Middle with Burp Suite

Have you ever wondered what happens when you surf the web?

This blog will discuss using Burp Suite (https://portswigger.net/burp) for a variety of network analysis tasks, such as:

  1. Analyze HTTP requests and responses
  2. Perform parameter tampering and modify HTTP headers such as User-Agent
  3. Look at and possibly modify web cookies

There are two versions of Burp Suite: the free Community Edition and the paid Enterprise Edition. The free Community Edition is pre-installed on Kali.

One of the major differences between the two editions is that nothing can be saved in the Community Edition.

This blog will walk through how to set up Burp Suite and set up Mozilla Firefox to use Burp Suite as a proxy. We will go through an example where we intercept, analyze, and modify a search request made to DuckDuckGo using Burp Suite. More specifically, we will search for the word “baseball” and will receive results for “football”.

Setting Up

Burp Suite

Start up Burp Suite. If you receive a warning message about Java, you can usually ignore it. If Burp Suite doesn’t work correctly, you will have to update your Java version to the one recommended in the message.

Since projects cannot be saved in the Burp Suite Community Edition, only the “Temporary project” option is available.
The “Burp defaults” can be used to start up. Click on “Start Burp”.
Once Burp Suite loads up, click on “Proxy”.
Then click on “Options”.

You should get a screen similar to the one below. Make note of the port number 8080 as you will need this later on.

Click on “Import/export CA certificate” to export the CA certificate as a PKCS#12 keystore.
Enter a password and save the CA certificate as a new file, for example certificate.p12.

Scrolling down the options will show what types of network packets are intercepted. In the screenshot shown below, files ending with extensions such as gif, jpg, png, css, and js are not intercepted. The default works well in most cases.


Mozilla Firefox

Now that Burp Suite is running, the next step is to set up Mozilla Firefox. Go to Settings/Preferences and click on “View Certificates”.

Note: There is an option to use Burp Suite's built-in web browser. Setting up a different browser is shown here for flexibility.

Click on “Your Certificates” and then “Import”.
Look for the location where the CA certificate was stored and then open it. Enter the corresponding password.
This screen (or similar) should then appear, showing that the CA certificate was successfully imported into Mozilla Firefox.

This allows Burp Suite to act as a MITM even for encrypted HTTPS connections.

The next step is to set up Mozilla Firefox to use Burp Suite as a proxy.

Go back to Settings and click on “Network Settings”.

Remember the port number from earlier?

Select “Manual proxy configuration” and then enter that port number. The IP address is 127.0.0.1. Check the box “Also use this proxy for FTP and HTTPS”.

You are now set up and can start using Mozilla Firefox with Burp Suite as the proxy (aka MITM).

Running

Go back to Burp Suite → Proxy → Intercept and make sure that “Intercept is on” as shown below. In Mozilla Firefox, enter the URL “http://duckduckgo.com”.

You will notice that nothing is loading. On the Burp Suite screen, you will see that the HTTP request has been intercepted. If you want to see the response, click on Action → Intercept Response. You can drop that packet or forward the packet to the real webserver.


Since the HTTP request has been intercepted, you will notice that all the HTTP headers are available. You can edit any of the fields in lines 1-10. If a web cookie is present, it will also be listed here. For POST requests, the POST data will be at the end — in the case above, it would be at line 9.

Since Burp Suite acts as a proxy or MITM, Mozilla Firefox will show the following error message.

Click on “Advanced” and “Accept”.
On the webpage, search for “baseball”.

Burp Suite will intercept the following packet.

Change “baseball” to “football” and then forward the packet.

What do you see in the DuckDuckGo search results? Is it baseball or football? What happened?
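
What the edit in the Intercept tab amounts to at the HTTP level, as an added example (not from the original post and not Burp Suite's own code): the parameter is rewritten in the request text before it is forwarded, so the server only ever receives the new value. The sample requests are constructed and `rewrite_param` is a hypothetical helper; it goes beyond the GET search above by also handling a form POST body, where Content-Length has to be recomputed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample requests, shaped like those shown in the Intercept tab.
SAMPLE_GET = (
    "GET /?q=baseball&ia=web HTTP/1.1\r\n"
    "Host: duckduckgo.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
SAMPLE_POST = (
    "POST /search HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 10\r\n"
    "\r\n"
    "q=baseball"
)


def _swap(encoded, name, value):
    """Set every occurrence of `name` in a urlencoded string to `value`."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, value if k == name else v) for k, v in pairs])


def rewrite_param(raw, name, value):
    """Return the request with parameter `name` set to `value`, in the
    query string and, for form POSTs, in the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    target = urlunsplit(url._replace(query=_swap(url.query, name, value)))
    lines[0] = f"{method} {target} {version}"
    ctype = "content-type: application/x-www-form-urlencoded"
    is_form = any(l.lower().startswith(ctype) for l in lines[1:])
    if body and is_form:
        body = _swap(body, name, value)
        # The body changed, so the declared length must match the new bytes.
        length = f"Content-Length: {len(body.encode())}"
        lines = [length if l.lower().startswith("content-length:") else l
                 for l in lines]
    return "\r\n".join(lines) + "\r\n\r\n" + body
```

Nothing in the forwarded request records the original value, which is why a server has to validate every parameter it receives rather than trust what the browser sent.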

Other Uses

We have shown how Burp Suite can be used to analyze HTTP packets and perform simple parameter tampering. Burp Suite can also be used for other cases such as password cracking given a wordlist and for crawling a website.

This post was not affiliated, associated, authorized, endorsed by, or in any way officially connected with PortSwigger. The Burp Suite name and marks are registered trademarks of PortSwigger and are only used for informational purposes.

Published by DECT