☑️Web Proxy
Intercepting Requests
In Burpsuite, intercept is on by default under the Proxy menu. After intercepting a request, we can test for various web vulnerabilities, such as:
SQL injections
Command injections
Upload bypass
Authentication bypass
XSS
XXE
Error handling
Deserialization
Burpsuite has options to do URL encoding on our parameters when we intercept
Intercepting Responses
Sometimes we might need to intercept responses before they reach the browser. In Burp, we can enable response interception by going to (Proxy>Options) and enabling Intercept Response under Intercept Server Responses:

Automatic Modification
Let us start with an example of automatic request modification. We can choose to match any text within our requests, either in the request header or request body, and then replace them with different text.
User Agents
For the sake of demonstration, let's replace our User-Agent with HackTheBox Agent 1.0, which may be handy in cases where we may be dealing with filters that block certain User-Agents.
We can go to (Proxy>Options>Match and Replace) and click on Add in Burp. As the below screenshot shows, we will set the following options:

Type: Request header
Since the change we want to make will be in the request header and not in its body.
Match: ^User-Agent.*$
The regex pattern that matches the entire line with User-Agent in it.
Replace: User-Agent: HackTheBox Agent 1.0
This is the value that will replace the line we matched above.
Regex match: True
We don't know the exact User-Agent string we want to replace, so we'll use regex to match any value that matches the pattern we specified above.
Body

Repeating Requests
We can repeat requests with Burpsuite, which is really helpful when we have to send multiple requests that look the same with slight adjustments. For example, if we want to test for SQLi, we can send different queries to test.
To start, we can view the HTTP requests history in Burp at (Proxy>HTTP History):

If we click on any request in the history, its details will be shown:

Once we locate the request we want to repeat, we can press [CTRL+R] in Burp to send it to the Repeater tab, and then we can either navigate to the Repeater tab or press [CTRL+SHIFT+R] to go to it directly. Once in Repeater, we can click on Send to send the request:

Tip: We can also right-click on the request and select Change Request Method to change the HTTP method between POST/GET without having to rewrite the entire request.
Encoding/Decoding
It is essential to ensure that our request data is URL-encoded and our request headers are correctly set. Otherwise, we may get a server error in the response. This is why encoding and decoding data becomes essential as we modify and repeat web requests. Some of the key characters we need to encode are:
Spaces: May indicate the end of request data if not encoded
&: Otherwise interpreted as a parameter delimiter
#: Otherwise interpreted as a fragment identifier
On Burpsuite, we can go to (Convert Selection>URL>URL encode key characters), or select the text and press [CTRL+U].
The following are some of the other types of encoders supported by Burp:
HTML
Unicode
Base64
ASCII hex
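An added example (not part of the original notes) showing what the three key characters listed above do to a request when left unencoded, with an encoder for them. The /search path, the parameter names and the sample values are constructed, and server_view is a simplified model of a lenient server-side parser.

```python
from urllib.parse import urlsplit, parse_qsl

# The three characters listed above, plus '%' so a literal percent sign is
# not later mistaken for an escape (assumption, not Burp's exact list).
KEY_CHARS = " &#%"


def encode_key_chars(value: str) -> str:
    """Percent-encode only the key characters; everything else stays readable."""
    return "".join(f"%{ord(c):02X}" if c in KEY_CHARS else c for c in value)


def build_request_line(value: str, encode: bool) -> str:
    """Place the value in the q parameter of a constructed GET request line."""
    q = encode_key_chars(value) if encode else value
    return f"GET /search?q={q}&page=2 HTTP/1.1"


def server_view(request_line: str) -> dict:
    """Simplified model of a lenient server: the request target is the second
    space-separated token, which is then split into query and fragment."""
    tokens = request_line.split(" ")
    target = urlsplit(tokens[1])
    return {
        "well_formed": len(tokens) == 3,  # method, target, version
        "params": dict(parse_qsl(target.query, keep_blank_values=True)),
        "fragment": target.fragment,
    }


if __name__ == "__main__":
    for value in ["a b", "a&b", "a#b", "tom & jerry #1"]:  # constructed samples
        for encode in (False, True):
            line = build_request_line(value, encode)
            print(f"{line!r}\n    -> {server_view(line)}")
```

Unencoded, the space cuts the request target short, the & creates an extra parameter, and the # moves the rest of the query (including page=2) into the fragment; encoded, the server recovers the full value of q.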
Proxy Tools
Proxy Chains
One very useful tool in Linux is proxychains, which routes all traffic coming from any command-line tool to any proxy we specify. Proxychains adds a proxy to any command-line tool and is hence the simplest and easiest method to route web traffic of command-line tools through our web proxies.
To use proxychains, we first have to edit /etc/proxychains.conf, comment out the final line and add the following line at the end of it:
Now we can prepend proxychains to any command and tool:
Metasploit
In Metasploit, we can configure a proxy with the command:
If Burp is running as the proxy, then running a module, for example:
will be intercepted by Burp, and we can see the request.