Best Practices While Using Burp Suite

If you are interested in web application security testing, you have almost certainly heard of Burp Suite. It is the most popular collection of web application security testing tools and is used by application security testers across the world.

In this series of posts I will share some best practices to follow when using Burp Suite, whether on practice targets or on live projects. I would also request experienced application security testers to share their own learnings and tips here.

Here is the first one…

Best Practice #1: When working with Burp Suite, create a dedicated browser profile for generating the requests and responses to the application under test, and point only that profile at Burp Suite.

Rationale: Burp Suite intercepts requests and responses from a browser through the browser's proxy settings. To let Burp Suite see the browser's traffic, we perform two tasks:

Task 1: On the Proxy tab in Burp Suite (the Options sub-tab in older versions, Proxy settings in newer ones), confirm that the default listener 127.0.0.1:8080 is present in the Proxy Listeners section and that its Running box is checked.

Task 2: In the browser of your choice (Chrome/Firefox/Edge), configure the proxy settings manually so that they match the listener in Burp Suite.

For example, in Firefox:

·        Type “about:preferences” in the address bar and hit Enter.

·        On the “General” tab, scroll down to Network Settings.

·        Click “Settings…”.

·        In the “Connection Settings” pop-up, select “Manual proxy configuration”, then type “127.0.0.1” in the HTTP Proxy field and “8080” in the Port field.

·        Select “Use this proxy server for all protocols”.

·        Click OK to save and close the connection settings.

If you change the proxy settings this way in your default Firefox profile, every HTTP request and response from Firefox will pass through Burp Suite. With Intercept on, you must manually forward each request, even when you are simply browsing the Internet for your regular tasks. It also interferes with browser extensions, whose own requests (update checks, sync, telemetry) now go through the proxy too. The result is unnecessary traffic in Burp Suite that clutters the Proxy history and Site map and makes the real test traffic harder to follow.

Therefore, before changing proxy settings, as a best practice, create a separate browser profile that is used exclusively with Burp Suite. The separation also keeps Burp's CA certificate, which you will import so that HTTPS traffic can be intercepted, out of the profile you use for everyday browsing.

To do the same, perform the below steps:

·        In Firefox, type “about:profiles” and hit enter.

·        Click on “Create a New Profile” button

·        In the “Create Profile Wizard” pop-up, click “Next”.

·        Provide an appropriate profile name in the “Enter new profile name” field and click “Finish”.

Now, on the “About Profiles” page, click the “Launch profile in new browser” button under the newly created profile.

Once the browser opens, perform the proxy settings steps described above in this profile. All traffic generated from this profile will then be intercepted by Burp Suite, while your default profile continues to talk to the Internet directly. Note that HTTPS sites will show certificate warnings in the new profile until you import Burp's CA certificate (download it from http://burpsuite while proxied through Burp) into that profile's certificate store.

Please note: the same approach works in Chrome as well, with one difference. Chrome and Edge use the operating system's proxy settings rather than their own, so for those browsers either launch the separate profile with a command-line proxy flag or use an extension such as FoxyProxy. FoxyProxy (available for both Firefox and Chrome) lets you switch between multiple proxy configurations with a single click, which is convenient when juggling several profiles and listeners.
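The whole procedure above (Task 1's listener check, Task 2's proxy settings, and the dedicated profile) as a script. This is an added example and not part of the original post. It assumes Burp's default listener 127.0.0.1:8080; the profile directory, the CHROME_BIN variable and the function names are illustrative choices of mine. Firefox reads user_pref() lines from a user.js file in the profile directory at startup, which sets the same preferences as the Connection Settings dialog; Chrome is given the proxy on the command line because it keeps no proxy settings of its own.

```shell
#!/bin/sh
# Added example, not from the original post: create a dedicated browser
# profile that talks only to Burp Suite, leaving the default profile alone.
# Assumptions: Burp listens on 127.0.0.1:8080 (its default listener); the
# profile directories and CHROME_BIN below are illustrative, not fixed paths.
set -e

BURP_HOST="${BURP_HOST:-127.0.0.1}"
BURP_PORT="${BURP_PORT:-8080}"

# Write a user.js into a Firefox profile directory. Firefox applies every
# user_pref() line at startup, equivalent to Settings > Network Settings >
# "Manual proxy configuration" + "Use this proxy server for all protocols".
# Prints the path of the generated file.
write_burp_userjs() {
    # $1 = profile directory, $2 = proxy host, $3 = proxy port
    mkdir -p "$1"
    cat > "$1/user.js" <<EOF
// Generated for Burp Suite: route all traffic through $2:$3
// network.proxy.type 1 = manual proxy configuration
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$2");
user_pref("network.proxy.http_port", $3);
user_pref("network.proxy.ssl", "$2");
user_pref("network.proxy.ssl_port", $3);
// same as ticking "Use this proxy server for all protocols"
user_pref("network.proxy.share_proxy_settings", true);
// empty bypass list: nothing goes around Burp, not even localhost targets
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
    printf '%s\n' "$1/user.js"
}

# Read one preference's value back out of a generated user.js (a sanity
# check before launching; also lets the generator be tested without a browser).
read_pref() {
    # $1 = user.js path, $2 = preference name
    sed -n "s/^user_pref(\"$2\", \([^)]*\));.*/\1/p" "$1"
}

# Check that Burp's listener accepts connections; requests from the new
# profile simply fail until Burp is running. Uses bash's /dev/tcp so nc is
# not required (plain sh has no network primitive).
burp_listener_up() {
    # $1 = host, $2 = port
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Firefox: --no-remote keeps this instance separate from any running Firefox,
# so it does not simply open a new window in the default profile.
launch_firefox_via_burp() {
    # $1 = profile directory
    write_burp_userjs "$1" "$BURP_HOST" "$BURP_PORT" >/dev/null
    firefox --no-remote --profile "$1" &
}

# Chrome/Edge use the OS proxy settings, so the proxy is passed per launch.
# --user-data-dir is Chrome's equivalent of a separate profile; "<-loopback>"
# in the bypass list stops Chrome from skipping the proxy for localhost.
launch_chrome_via_burp() {
    # $1 = profile (user data) directory
    "${CHROME_BIN:-google-chrome}" \
        --user-data-dir="$1" \
        --proxy-server="http://${BURP_HOST}:${BURP_PORT}" \
        --proxy-bypass-list="<-loopback>" &
}

main() {
    # Usage: burp_profile.sh firefox|chrome /path/to/profile-dir
    if ! burp_listener_up "$BURP_HOST" "$BURP_PORT"; then
        echo "Burp listener ${BURP_HOST}:${BURP_PORT} not reachable; start Burp first" >&2
        return 1
    fi
    case "$1" in
        firefox) launch_firefox_via_burp "$2" ;;
        chrome)  launch_chrome_via_burp "$2" ;;
        *) echo "usage: $0 firefox|chrome PROFILE_DIR" >&2; return 2 ;;
    esac
}

# Run only when invoked with arguments, so the file can also be sourced and
# its functions reused.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because user.js is re-read on every start and overrides whatever the settings dialog wrote to prefs.js, the generated file also pins the proxy configuration: the testing profile cannot silently drift back to a direct connection. For Chrome the flags apply per launch, which is what you want for a throwaway testing profile.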


More articles by Avinash Kumar
