Burp is a Java-based application that can be downloaded from the PortSwigger website. There is a limited-use free version, along with paid versions available. For this write-up, I’ll be using the free version. You can also use Kali Linux as Burp is already installed. In Kali, you can launch Burp by selecting the icon in the dock:
Starting Burp Suite
You may receive a warning about the installed version of Java – this is ok to ignore. You may also be informed of an update for Burp, this is also safe to ignore for now but it’s usually best to keep your software up to date (so upgrade at a later time). The next screen is used for configuring your Burp projects. With the free version of Burp, you can only create “Temporary Projects”.
After selecting “Next”, the following screen allows you to load configuration information for Burp – we’ll just use the defaults. You’re now ready to start Burp by clicking “Start Burp”
You should now see Burp’s primary user interface:
Configuring Your Browser
By default, Burp will start as a proxy listening on the localhost with port 8080. You can verify this information under Proxy -> Options:
In order to send traffic through Burp, you need to configure your browser to use it. In Kali, open the FireFox web browser and go to the configuration page. At the bottom of this page is the option for network settings – selecting this will open a “Connection Settings” dialog. Here you can specify proxy information such as IP address and port. You can also check the box to use this proxy for all protocols. Finally, make sure that there is no value entered in the “No Proxy For” text box. Your configuration should look similar to the following:
Before we can begin intercepting traffic, it’s helpful to add the Burp CA Certificate to our browser. This allows for a more seamless integration when working with sites that use HTTP. In a browser tab, enter the following URL:
You may have to accept the self-signed certificate to proceed to the page. You should see the following:
Click on the “CA Certificate” link in the upper right-hand corner. This will download the Burp certificate, the default location will be to the downloads folder.
After the certificate has been downloaded, you need to import it into your browser. Go back to the browser settings page and select “Privacy & Security” and then “View Certificates”.
From the dialog that opens, select “Import”:
Then select the certificate from the file system that you just downloaded. This will bring up another dialog, select “Trust this CA to identify websites”:
Click “OK” and now you’re all set!
Testing That it All Works
The reason we installed the previous certificate is so that we can browse to sites that use HTTPS without being consistently warned about invalid/self-signed certificates. In a browser tab, visit a website and you should see your traffic begin to populate in the “Target” tab.
There is one last item though – whenever Burp wants to draw your attention to a tab it will highlight that tab in orange. When you first start Burp, it is set to intercept all requests – which means you have the ability to modify the request from your browser before it is sent to the server. You likely won’t want this functionaliy right away, so navigate to Proxy -> Intercept and turn intercept off.
With Burp setup, you can now begin exploring other features that Burp has to offer, such as the ability to create a sitemap, tamper with request data and setup intruder attacks. Check back here often as I’ll continue to post more information about using Burp!