Burp Suite is a powerful web application auditor with a huge range of features, from simple to advanced. One of its core features is an intercepting proxy server. This allows us to pass our web traffic through burp suite, allowing us to view and modify both our browsers request before it goes to the remote web server, and the web server’s response before it returns to our browser.

A couple common request modifications:

  • Add data to form submissions, modify hidden fields.
  • View and modify browser AJAX data
  • View and edit headers including cookies

And a couple of common response modifications:

  • Remove client side JavaScript (usually validations or other limitations)
  • Add or remove cookies sent to the browser

First, fire up Burp Suite, and browse to Proxy –> Options:

Burp Suite Proxy

Notice that the proxy server is active on 127.0.0.1 port 8080. Now we’ll need to set the browser to use that proxy. In Iceweasel this is found in Edit –> Preferences –> Network –> Settings:

Iceweasel Proxy

After setting the proxy, attempt to make a request, and Burp will provide an alert that it caught an outbound request:

Burp Caught Request

Functionality of ‘forward’ and ‘drop’ is self explanatory. Clicking ‘Intercept is on’ will both pass the request, and automatically pass future requests, whilst the ‘Action’ brings up a host of other useful options (one of which is allowing the response to be intercepted).

Now let’s move to a functional example:

Modify Request

I make a request to whatismyuseragent.com – notice that I’ve changed the User-Agent Header. I’ll also select that the response should be intercepted:

Intercept Response

Pressing ‘Forward’ then passes my modified request to the webserver. After a short pause, Burp pops up again with the response:

Modify Response

Let’s modify the IP address in the web page being returned to the browser, before again hitting ‘Forward’, this time passing the modified response to the browser:

Browser Display

We’ve successfully provided a modified User-Agent header to the server, and then modified the content further within the response. As we saw, the full request and response can be modified – both headers and data.