Installing Burp Suite Application Proxy

christina mitchell
2 min read · Feb 20, 2019

This is a prerequisite to the onsite training I give at conferences. We will download the Burp Suite package and verify its SHA-256 checksum, then install a CA certificate so we can inspect HTTPS traffic.

Download and verify

Navigate to https://portswigger.net/burp/communitydownload and download the Community Edition.

View the shasum by clicking the text “show shasums”.

In your terminal, navigate to the directory the package was downloaded to and run the shasum command; the digest it prints should match the one shown on the download page. Here’s an example for Mac:

$ shasum -a 256 /Users/{your name}/Downloads/{burp suite package name here}

Follow the default install directions. Once the application opens, it will ask if you want to save as a temporary project. Press Next to continue.

Proxy HTTP

I strongly recommend proxying your traffic through Firefox. Its proxy settings are separate from the operating system’s, so the capture excludes OS traffic and is less noisy, and it does not produce false negatives. Chrome has an additional built-in protection for a type of XSS called “Reflected”, which we’ll learn about.

  1. Navigate to the preferences menu in Firefox and locate the Network Settings.
  2. Select the following:
  • Manual proxy configuration: HTTP proxy 127.0.0.1, port 8080
  • Check the Use this proxy server for all protocols box.
  • Clear the contents of the No proxy for box.

Verify that proxying is occurring for HTTP:

  1. Ensure Burp Suite is open.
  2. Verify that it is proxying traffic: Proxy tab > Intercept tab > intercept on.
  3. Navigate to an HTTP page like http://example.com

The Proxy > Intercept tab turns orange. It’s now intercepting traffic! Feel free to forward the traffic along or turn the intercept off to forward the remainder of the traffic.

Proxy HTTPS

Browsers use CA certificates to verify a server’s identity. We will install the PortSwigger CA certificate in Firefox so that Burp can “man in the middle” our HTTPS traffic.

  1. Ensure Burp Suite is open.
  2. Verify that it is proxying traffic: Proxy tab > Intercept tab > intercept on.
  3. Navigate to http://burp in your proxied browser (Firefox).
  4. Click CA certificate on the top right to download the cert.
  5. In Firefox, navigate to the Certificate Manager and click View Certificates.
  6. Click Import and select the CA certificate you downloaded.
  7. Navigate to https://example.com/. You should now see HTTPS traffic inside your proxy.
