Setting up Burpsuite for your web penetration testing
In this article we will learn how to set up Burpsuite for web penetration testing. We will configure it to work with the two most common web browsers, “Mozilla Firefox” and “Google Chrome”. Sorry, this tutorial is limited to just these two browsers; if you use another browser, feel free to Google it (How to set up burpsuite with “your favorite browser”). Before we continue, I would like to talk briefly about Burpsuite.
What is BurpSuite?
Burpsuite is like the Swiss army knife of web penetration testing. It is mostly used to intercept and modify requests before they reach the server, and it can also intercept responses. It can be used for other things as well, such as decoding hashes, spidering a website, etc. It can be used to discover and exploit various vulnerabilities such as SQL injection, XSS, CSRF, SSRF, and some other cool vulnerabilities. This wonderful tool was developed by Portswigger. It comes pre-installed on Kali Linux and other operating systems intended for penetration testing; other Linux users can download and install it from their website, and Windows users can also download and install it manually from the Burpsuite website. Enough of the long talk, let’s get started with setting up.
N.B: The version of the Firefox browser used in this tutorial is “64.0.2” and Chrome is “71.0.3578.98”, which are the latest at the time of writing this post. The positions of some settings in your browser might be different from mine, so if you have any difficulty locating anything, kindly Google it.
Setting up on Mozilla Firefox:
To use Burpsuite with Firefox you need a proxy. There are tons of tutorials out there that teach how to set up the proxy for Burpsuite, but from experience, switching between the proxy and the default Firefox settings can be stressful, so for this tutorial we will use a Mozilla add-on called “foxyproxy”. Feel free to Google it and install the add-on in your browser.
1. After installing “foxyproxy”, you should see it at the top right corner of your browser. Click on the icon and click on “options”.
2. Click on “Add”.
3. Fill in the form. In my case I used Burpsuite as the title, but you can use anything for yours; fill in the rest as I did in mine and “save”.
4. Now fire up Burpsuite and wait until it is done loading, then switch to the “Proxy” tab and go to the “Options” tab. Note that your browser has to be using the proxy you just created: click on the foxyproxy add-on and switch to the “burp” proxy. In the “Options” tab in Burpsuite, it should now be listening on that proxy automatically. If it is not, click on “Add”, set “Bind to port” to 8080 and “Bind to address” to “Loopback only 127.0.0.1”, tick the running box and click on “Okay”.
5. The next thing to do is to export the Burpsuite certificate we will be using. Still in the same tab, click on “Import/export CA certificate”, click on “Certificate in DER format” and save.
6. The next thing is to import this certificate into our browser. Click on the “Options” tab in your browser and click on “Privacy and Settings”.
7. Scroll to the bottom of the page and click on “View certificates”.
8. Click on the “Authorities” tab, click on “Import” and go to the location where you saved the certificate.
9. After browsing to and selecting the certificate, tick the checkbox that says “Trust this CA to identify websites” before clicking on “OK”.
On Google Chrome:
1. Go to the “settings” tab.
2. Scroll to the bottom of the page and click on “Advanced”, which will drop down other options.
3. Locate “open proxy settings”, which will pop up the system internet proxy settings, and click on “LAN settings”.
4. Tick “Use a proxy server for your LAN”, fill the input fields as “Address”: 127.0.0.1 and “Port”: 8080, and save it.
5. The next thing to do is to import the Burpsuite certificate into Google Chrome: click on “Trusted Root Certificate Authorities”, click on “Import” and import the certificate.
N.B: You can also install “foxyproxy” on Google Chrome.
That’s all for now, Thanks.