SPIKE and BURP for real world computer security usage (Part 4)

by Don Parker [Published on 6 Sept. 2006 / Last Updated on 6 Sept. 2006]

In previous articles we covered the SPIKE HTTP proxy, and how to use it. Well there are many different HTTP proxies out there, and the BURP HTTP proxy is one of the better ones. Choosing an HTTP proxy to use is often a matter of preference.

If you would like to read the other parts in this article series please go to:

The BURP HTTP proxy

Over the course of the past several articles on HTTP proxies I have attempted to convey the sheer versatility that these tools bring to you as a computer security professional. They are perfectly suited, and really were designed for such things as protocol debugging, protocol bending, and application level attacks amongst a wide variety of other uses. Due to these wide array of usages, the HTTP proxy is a tool that you really should learn how to use.

Not all HTTP proxies are the same though. Most of them have the same level of functionality, but have a different look and feel to them. You will also, at times, get differing results when using various HTTP proxies. Due to this it is always good to be comfortable in using a couple of them. One of the other HTTP proxies that I would definitely recommend is the BURP proxy suite. This HTTP proxy will be the focus of the article. As you will soon see, there is indeed a tremendous amount of functionality built into this tool. One caveat though. You will need to install a JRE (Java runtime environment) but you can get one for free from SUN.

Let’s install BURP

Well now that you have the appropriate links seen in the above paragraph, we are good to go and install BURP. It really is pretty easy. Once you have downloaded the JRE from SUN you are ready to download BURP itself. Please ensure that you download the BURP suite, and not the standalone proxy. Once the file is finished downloading please uncompress it, and install it at the root of C drive ie: c:\ Then open up a DOS prompt and navigate to the root of C drive. Now simply “cd” to the “burpsuite_v1.01.jar” directory as noted in the screenshot below.

Figure 1

Now that you are in the Burp directory it is always a good idea to read the “readme.txt” file that is there. To save you some time, all you have to do now is configure your preferred web client to use a proxy with an address of on port 8080. This will allow the BURP proxy to intercept any web requests and returning stimulus. This is where the proxy part of HTTP proxy comes in. Now that your web client is configured you are ready to invoke the proxy itself. You do this by simply typing in what you see in the below noted screenshot. Once done it will take a few seconds for the GUI to come up.

Figure 2

You should now be seeing the below noted screenshot of the BURP HTTP proxy GUI.

Figure 3

Well congratulations, you have now successfully installed the BURP HTTP proxy suite. As you can see, there was not all that much to it. That said, it can be confusing if you have never done it before. On that note, let’s get to using BURP!

Onwards and upwards!

You will see in the screenshot above that the “intercept on” tab is highlighted in the GUI. We are now ready to surf to our first web page using our web client. Just make sure that you configured it to use a proxy! On that note I surfed over to the Google home page. Seen in the below noted screenshot is that BURP intercepted the request for Google’s home page. It is at this point that you would modify any of the fields before allowing this HTTP GET request to move on to Google itself.

Figure 4

Noted in the screenshot above is the information that is sent from our web client to the web server. It is all of the parts of the HTTP protocol that are used to communicate between web clients and web servers. Think of the web client and web server as two separate people if you like. What these two people use to speak is HTTP. That is, in essence, what protocols are ie: a language used to communicate between two entities or more.

You will have also seen in the screenshot above a tab called “spider”. Please click on this tab and you will see what is shown in the screenshot below. What this tab does is “spider” all the information that is sent to the web client from the web server. All of the various links sent are organized in the “spider results” tab as you can see. From there you can begin to “drill down” into them.

Figure 5

Should you prefer the information seen here in a table format then simply click on the “table” tab to have it displayed as such.

Figure 6

Personally I prefer the tree display as I find it more intuitive, and it just seems to flow the information better in that format. Now from there you can simply expand one of the links to reveal the contents of that link and the information that it sent. From here you simply begin to explore each link shown, and in turn “drill down” further. This will allow you to see exactly what was sent to your web client.

The intruder

One of the most potent parts of the BURP HTTP proxy is the “intruder”. You will see this tab to over from the “proxy” tab. Once clicked on, it will reveal more tabs and options. This is the meat of the BURP proxy as it relates to attacking web applications, or stress testing them. At this point you really do need to have a very good grasp of HTTP, SQL, and other topics to make use of a tool such as “intruder”.

Figure 7

Going over how to use “intruder” is beyond the scope of the article, and by extension this article series. Web application security, as I have mentioned before, is an enormous world and honestly a rather complex one. Don’t be intimidated into not learning it by the apparent complexity of it. All you really need to do is choose one topic and begin learning it. For example, you decide to learn how SQL injection works. Well you begin by reading up on it and then, once confident, begin practicing it via BURP.

Wrapping it all up

Over the course of the previous articles that I have written on HTTP proxies, several things should now be readily apparent to you. The first and foremost being that an HTTP proxy is a powerful tool in the hands of a skilled individual. Secondly, an HTTP proxy is also a wonderful way to further explore the HTTP protocol itself. Much like packet crafting will help you cement lessons learned about TCP/IP, the proxy will also do the same for HTTP. Another aspect is that the HTTP proxy is the gateway to a very neat area of computer security. That being the murky and very interesting realm of web application security. I for one highly encourage you to further pursue your studies in this area. It can be a greatly rewarding one. Remember, knowledge will part the waters of ignorance. I sincerely hope you enjoyed this series on HTTP proxies, and as always welcome your feedback. Till next time!

If you would like to read the other parts in this article series please go to:

See Also

The Author — Don Parker

Don Parker specializes in matters of intrusion detection, and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security.