How to intercept web traffic using Burpsuite

Understanding how the web works and use burpsuite to intercept web traffic

Introduction

In starting out as a web application tester, hacker or bug bounty hunter, it is important to master the use of Burpsuite (or OWASP zap). This tool makes it easy to analyze and see what is being sent between a web browser and a server or what is being sent between a Postman application and an API endpoint.

Burpsuite/OWASP Zap is a major application when it comes to Web application hacking/testing. They are both powerful tools that make it easy to interact with a web application beyond what a normal user will do and see.

This article is to explain how to set up either Burpsuite (OWASP Zap) to intercept traffic between a browser or Postman and a web server or API endpoint.

Downloading the Tools

The tools can be downloaded using the following web links:

i. Burpsuite Burpsuite is a tool used for web application penetration testing, it has both a community and professional version, the professional application allows you to perform more tasks such as installing extensions, and having pre-saved settings to use when testing. But if you don't want to buy the professional version, the community version is enough to learn and do some basic tetsing on applications,and it is enough to pratice what is being explained in this article.

ii. OWASP Zap OWASP Zap is a very good tool that can be used as well for testing web applications. it was developed by the OWASP Foundation and it is a open source tool. it is freee and powerful as well.

The tools are easy to download and install using the link above.

How the Web works

An understanding of how the web works will make it easy to understand what Burpsuite / OWASP zap is doing when it intercepts the traffic sent by a browser.

There is two major part that comprises of the internet, which is the client and the server.

The client is a device that allows the user to connect to the internet such as web accessing softwares e.g browsers, mobile applications.

The server are computers that stores webpages, or applications. The client device tries to access the webpages and applications that is on the server.

Simply put the client makes use of requests and responses to get informations from the server.

For example: if a client device wants to naviagate to a webpage such as hashnode.com, the client software sends a request to the server, the server then returns with the response containing the webpage that was requested, which is then rendered by the browser.

The request and response send is called HTTP/HTTPS traffic.

Two circles representing client and server. An arrow labelled request is going from client to server, and an arrow labelled responses is going from server to client

How burpsuite work with intercepting traffic

In testing a website, it is important to be able to analyse what is being sent between the client (browser) and the server. This helps us to be able to analyse the request and also the response to see if the response is the right response or it is returning too much details.

Burpsuite makes use of proxy that allows to intercept the request sent from a browser and can also inspect the response to the request.

This article will address how to setup the proxy between the browser and burpsuite.

Setting up proxy in Burpsuite:

  1. Go to the proxy setting tab and set the proxy to 127.0.0.1:8080 (set to an ip, same ip will be used in the browser, using the localhost address is fine). Ensure that the port is not a port used by another service such as 80 or 443.

    it is possible to add more incase you need to attach more proxy to listen on, for example, for postman connection to burpsuite.

  2. Setting up proxy client on the device browser or on postman, the proxy client is the device from which we want burpsuite to intercept traffic.

    Go to the browser setting and navigate to the prefences and to the proxy tab

    In mozilla firefox:

    In chrome, navigate to

    we will use the same IP address and port [127.0.0.1:8080] used in the burpsuite proxy listener setting here. That is any IP:port used in the proxy listener must be inputed into the browser proxy configuration.

    we have to always turn it to manual when we want burpsuite to intercept the traffic of what is sent in the browser.

  3. Adding Burpsuite certificate to the browser.

    Burpsuite certificate makes it easy for burpsute to be able to intercept all kind of traffic including HTTPs, that is it make burpsuite to be trusted and allow it to intercept traffic sent from the browser.

    (This step is not necessary for postman)

    Navigate to burp on the browser you choose to connect to burpsuite. Click on the CA certicate and it downloads the certificate. Add the certificate to the broswer certificates.

  4. In mozilla firefox: navigate to the settings/preference, go to the privacy & security tab, click on view certificates, import the CA certificate tha was downloaded and check the two boxes.

    (The step is similar in other browsers)

    Foxyproxy extension can help with easily switching between proxy in the browser, it makes it easy to turn it on when you need to intercept traffic and turn it off when you simply need to surf the web only.

    After adding the extension to your browser, set the proxy client by clicking on add new proxy and set it to the IP:port on the burpsuite listener.

    Once that is done, select the new created proxy in the extension tab in the broswer and set interception to ON in burpsuite, and thats all!

    Yay!! you are able to intercept the request sent from the browser.

    Same process applies in postman, it just requires adding the proxy client IP:Port to the proxy setting.

Conclusion:

Burpsuite is a very important tool in a Web tester / Bug bounty hunter tool box and knowing how to set up can be a huge advantage.

This article goes into the step by step of hw to setup burp suite to be able to intercept traffic and what is being sent from the browser/postman to the server and also to be able to see the response body from the server.

The process of connecting burpsuite to postman is the same as what is done for browser, it is just to simply add the proxy to the postman setting.

Reference:

understanding how the web works