Tutorial #1: How to view the raw HTTP traffic, parameter and data via proxy for web applications

Ba Yin Min
4 min read · Sep 11, 2021


This is a very basic setup used during penetration testing. Sometimes developers may also want to view the HTTP requests and data that their application is sending, for debugging purposes. There are many ways to do it, ranging from browser extensions to more dedicated proxy tools. In this blog, I will go through how we can achieve this using the free BurpSuite community version. BurpSuite is irrefutably the number one pentesting tool for HTTP-based applications, so it is good to know how it works.

For setting up proxy in iOS simulator, you can read it here instead.

Requirements

These are what we will need:

  • Java should be installed on your machine. JRE will do. JDK can also be used.
  • BurpSuite community version from https://portswigger.net/burp/communitydownload. There are installer versions for Windows, MacOS etc., or just a JAR file. I like the .jar file because it is portable and runs on any platform.
  • Browser (obviously): Chrome or Firefox. I prefer Firefox as it uses its own separate proxy setting. Chrome uses the system proxy setting, which tends to interfere with other tasks on my machine.

Viewing web application or web API traffic

The steps are as follows:

  • configure proxy in the BurpSuite
  • configure proxy in the browser
  • install Burp CA certificate in your browser
  • view the traffic

configure proxy in the BurpSuite:

Launch Burp with the java command. If you use the installer, you can just double-click Burp to launch it, which is the easier approach and avoids quirky Java-related errors.

The basic command is java -jar <then your burp file>. Due to some errors, the command I currently use is java --illegal-access=permit -jar <burp filename>. It is probably easier to just use the installer version to avoid typing commands.

After Burp is launched, it will ask whether to use a Temporary project or a New Project File on disk. I think the community version will not allow us to save the project to disk, so just use Temporary Project here. Afterwards, click through the default settings on the other pages and Burp will start as in the screenshot below. Choose the Proxy tab and configure the Proxy Listener setting under the Options tab in the second menu row as shown.

After launching Burp, the proxy can be configured at Proxy > Options

BurpSuite automatically configures the proxy on port 8080 if the port is free, so no additional configuration is needed. But sometimes you may have to set “Bind to address” to “All Interfaces” to get the traffic. There is some nuance to this (the listener then accepts connections from other machines on the network, not just your own), but it is out of scope for this article. If you can confirm that the “tick” is present under the Running column, the proxy is working.

configure proxy in the browser:

Next, launch your Firefox browser and go to Settings. We can find the proxy setting through the search function as shown below.

Find proxy setting in the browser
Configure the browser proxy to redirect traffic to Burp’s listening IP address and port, which are 127.0.0.1 and 8080 respectively. Also tick HTTPS as shown so that HTTPS traffic also flows through Burp.

We can check whether the traffic is being redirected correctly to our proxy by visiting http://burp in the proxied browser. If you can see the Burp landing page, it is working correctly.

Confirming the proxy setup is working as well as downloading CA Certificate

install Burp CA certificate in your browser:

For the initial setup, we need to install the CA certificate; this step does not have to be repeated in subsequent usage. After downloading cacert.der in the previous step, we need to install the certificate into the browser.

Go to Certificate Manager > Authorities > Import > Import cacert.der > Trust what is needed and click OK

Every browser has some kind of Certificate Manager which lets you manage which certificates to trust for which purpose. For Burp, or a proxy in general, to be able to decrypt HTTPS traffic, it has to be set up in what is called a Man-in-the-Middle attack (MitM) configuration. To do this, the proxy’s certificate (Burp’s CA certificate) needs to be imported under Authorities, that is, as a certificate authority that your browser trusts. MitM is a separate topic which I may write about in detail when I have time.

view the traffic:

After the certificate has been imported, we can do a test run of viewing the traffic. For this, try to visit any HTTPS website in your browser, e.g. I am visiting https://www.bing.com in the Firefox browser. Burp should start to intercept the traffic.

When visiting the Bing page in the browser, we can see the Proxy and Intercept tabs light up, and the plain traffic can be seen as above
We can let the traffic through by turning intercept off; all the traffic that the browser sends and receives will then flow through the proxy as clear-text traffic. Do check it in the HTTP history tab

Well, we have reached our final goal: viewing the HTTP request format and data that your application is dealing with. This will allow us to debug the application at the HTTP request level. Intercepting mobile application traffic is similar, but the configuration needs to be made on the mobile phone itself. This will be a topic for another day.
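To make the request format seen in HTTP history concrete, here is an added example (not part of the original post) that splits a raw request, as copied out of Burp, into its request line, headers, cookies, query parameters and body parameters. The sample request, host name and values are constructed; repeated header or parameter names keep only the last value.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the shape Burp's HTTP history shows (not captured traffic).
RAW_REQUEST = (
    b"POST /api/login?next=%2Fdashboard&lang=en HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=alice&password=s3cr%21t"
)

def parse_raw_request(raw: bytes) -> dict:
    # Headers and body are separated by the first empty line (CRLF CRLF).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    url = urlsplit(target)  # works for "/path?x=1" and for absolute proxy-style URLs
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        body_params = dict(parse_qsl(body.decode("utf-8"), keep_blank_values=True))
    elif ctype == "application/json" and body:
        body_params = json.loads(body)
    else:
        body_params = {}  # other content types are left undecoded
    cookies = dict(
        pair.strip().split("=", 1)
        for pair in headers.get("cookie", "").split(";") if "=" in pair
    )
    declared = headers.get("content-length")
    return {
        "method": method, "path": url.path, "version": version,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": headers, "cookies": cookies, "body": body_params,
        # A mismatch here usually means the request was truncated or edited by hand.
        "length_ok": declared is None or int(declared) == len(body),
    }

if __name__ == "__main__":
    for key, value in parse_raw_request(RAW_REQUEST).items():
        print(f"{key}: {value}")
```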

For setting up proxy in iOS simulator, you can read it here instead.
