TryHackMe: Web Fundamentals

author: Nathan Acks
date: 2022-01-06

Burp Suite: The Basics

Useful Burp Suite shortcuts:

Options

Burp Suite settings:

Introduction to the Burp Proxy

Even when the proxy is not set to intercept traffic, it will log traffic; check the “HTTP history” and “WebSockets history” Proxy sub-tabs. Any of these logged requests can be modified or replayed.

Server responses can be intercepted per request (though this obviously needs to be set when forwarding a request through the Proxy). Automatic rules can also be set in Proxy > Options > Intercept Server Responses.

The Burp Suite Browser

The Burp Suite embedded browser is a fully up-to-date version of Chromium with a custom user agent string that matches the current version of Google Chrome. The Burp Suite proxy is already set up and active, and a Burp Suite TLS certificate is installed.

So, basically no need for FoxyProxy or any Firefox modifications!

Scoping and Targeting

Sites can be added to the project scope under Target > Scope.

You can also add them by right-clicking on a site in Target > Site map. When you do this, you’ll be prompted to turn off logging outside of the scope. If you want to change this (or forget to set it), then you can still do so in Logger by clicking on the “Capture filter” bar and then checking “Capture only in-scope items (Suite scope)”.

You can further restrict the Proxy to only intercept in-scope requests under Proxy > Options > Intercept Client Requests by turning on “And URL Is in target scope”.

All of these settings are project-specific.
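
As an added example (not from the original notes or from Burp's own documentation): a Python sketch that builds the scope section of a Burp project-options JSON file from a list of authorized URL prefixes, with host patterns escaped and anchored so look-alike hosts stay out of scope. The JSON key names are an assumption based on the layout of an exported project-options file in advanced scope mode, so compare them with an export from your own Burp version; the `.test` hosts and all function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def scope_rule(url_prefix):
    """Build one anchored advanced-scope rule from an http(s) URL prefix."""
    parts = urlsplit(url_prefix)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return {
        "enabled": True,
        "protocol": parts.scheme,
        # Escape and anchor the host so "shop.example.test" does not also
        # match "shop.example.test.other.test" or "shopXexample.test".
        "host": "^" + re.escape(parts.hostname) + "$",
        "port": "^" + str(port) + "$",
        "file": "^" + re.escape(parts.path or "/") + ".*",
    }

def project_options(include, exclude=()):
    """Assumed layout of the Target > Scope part of a project-options file."""
    return {"target": {"scope": {
        "advanced_mode": True,
        "include": [scope_rule(u) for u in include],
        "exclude": [scope_rule(u) for u in exclude],
    }}}

def _matches(rule, url):
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    return bool(rule["enabled"] and rule["protocol"] == parts.scheme
                and re.search(rule["host"], parts.hostname or "")
                and re.search(rule["port"], str(port))
                and re.search(rule["file"], parts.path or "/"))

def in_scope(options, url):
    """Local approximation of scope matching: exclude rules win over include."""
    scope = options["target"]["scope"]
    if any(_matches(r, url) for r in scope["exclude"]):
        return False
    return any(_matches(r, url) for r in scope["include"])

if __name__ == "__main__":
    # Constructed sample targets (reserved .test names), not from the page.
    opts = project_options(["https://shop.example.test/"],
                           exclude=["https://shop.example.test/logout"])
    print(json.dumps(opts, indent=2))
```

Running `in_scope` over a list of sample URLs before starting a test is a quick way to confirm that the rules cover only the hosts and paths you are authorized to touch.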

Site Map and Issue Definitions

Target > Issue definitions provides a list of the issues used by the vulnerability scanner built into the paid version of Burp Suite. For the Community Edition (i.e., what comes with Kali Linux), it’s basically just a massive reference.