You’ll notice all of the proxy settings available here, but there are a few we want to focus on to get started. First, look at the Proxy Listeners section and make sure that the checkbox under the “Running” column is selected and that the interface reads 127.0.0.1:8080 (loopback only, so nothing else on the network can use your proxy).
Next, make sure that the checkboxes for “Intercept requests based on the following rules” and “Intercept Responses based on the following rules” are checked in the following sections.
Left-click the FoxyProxy icon next to the address bar to open the configuration screen.
Next, head over to the “General” tab at the top and fill in the details. It’s best to call the proxy something you recognize, like “BurpSuite”.
Go ahead and click OK and now we can start using our proxy.
Once you save, you may see a notice that you haven’t enabled any whitelisted URL patterns. This is one of the features in FoxyProxy that lets you use multiple proxy services based on specific URL patterns. We won’t get into that in this guide, so for now just ignore the message and click “Yes”.
You’ll now see your newly added proxy in the list. Make sure the “Enabled” column is checked and click Close.
Now, remember that icon from earlier next to the address bar? If you right-click it, you’ll be able to select “Use proxy BurpSuite for all URLs”. Make sure Burp is running and visit any website you like. We’ll go to Google for now, so just type http://www.google.com into the address bar and click Go. If it appears that Firefox is taking forever to connect, it’s likely because Burp is holding the request; if not, you may have to enable intercepting in Burp, so let’s go over that now.
Go to BurpSuite and select “Proxy” on the top row of tabs, and “Intercept” in the second row of tabs, both highlighted orange here.
You will notice that my request to Google has been captured by BurpSuite. If you don’t see this, make sure that the button reads “Intercept is on”, as circled in orange. If it’s set to “Intercept is off”, your traffic is still going through Burp, but you’re not stopping and inspecting each request.
Moving forward, you can click the “Forward” button and look at each request and response as it comes through. You will see a blank white screen if there are no more requests or responses to pass.
If we head back to the browser, you may see a certificate warning like this one if you’re using Google over HTTPS.
You can add an exception every time this happens while you’re using a proxy, but that gets annoying quickly. Instead, we can set Firefox to trust the Burp CA certificate so that we don’t get this error at all.
The Professional version of Burp lets us obtain the certificate pretty easily, but in the free version we have to do a little work.
Since we’re already on a page using HTTPS, we can click “Add Exception…”. If you navigated away from the page, simply visit any HTTPS-enabled website and go from there.
Next you’ll see the add exception screen which will allow us to view the certificate. Go ahead and click the View… button.
Here, you’ll see the certificate your browser is warning you about. Since we know the PortSwigger CA is our own Burp instance, we can go ahead and install it into Firefox, but to do that we’ll first need to export the certificate and note where it is saved. Some important things to note here:
- Make sure you select “PortSwigger CA” under the details of the certificate viewer before clicking Export.
- Make sure you save it as the X.509 (.crt, .pem) file type.
- Click Save, and note the location.
We have to make sure this certificate is installed in Firefox. Accomplishing this is as easy as going into the options of Firefox and selecting “View Certificates” under “Advanced” in the Firefox Options pane.
On the next screen we just want to select import.
Select the certificate you exported earlier from the noted location and click OK. You will be prompted to select the type of trust for the certificate. You’ll want to select “Trust this CA to identify websites”
If done correctly, you should be able to find the “PortSwigger CA” certificate under the “Authorities” tab.
Now you should be able to browse to any HTTPS site through Burp without being prompted to trust the certificate.
The next tweak we want to make is to disable Google Safe Browsing. Safe Browsing is obviously enabled for a reason, but its reputation lookups generate unwanted traffic in the proxy history during tests, so we will disable it. Go to:
- Firefox button > Options > Options (or Tools > Options) > Security
and uncheck both “Block reported attack sites” and “Block reported web forgeries”.
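The proxy listener check, the Firefox proxy settings, the CA import and the Safe Browsing tweak above are all repeatable without clicking through the dialogs, which is useful once you keep a dedicated testing profile. The script below is an added example written for this guide, not code from the original post or from PortSwigger. It assumes the current Firefox about:config preference names for manual proxying and Safe Browsing, that NSS `certutil` is available to edit a profile’s certificate database (the same store the “View Certificates” dialog shows), and uses placeholder profile and certificate paths.

```python
"""Scriptable equivalent of the Firefox/Burp setup steps in the guide.

Added example. Assumptions: the user_pref names are the Firefox about:config
keys for manual proxying and Safe Browsing; certutil is the NSS command-line
tool; all paths below are placeholders.
"""
import ipaddress
import socket


def listener_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if something accepts TCP connections on host:port.

    Confirms Burp's proxy listener (127.0.0.1:8080 in the guide) is actually
    running before the browser is pointed at it; a browser that hangs on every
    page is otherwise indistinguishable from a paused intercept.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_loopback(host: str) -> bool:
    """True when the proxy address only accepts this machine's traffic.

    Binding Burp to a non-loopback interface exposes the proxy, and the
    trusted CA behind it, to everyone on the network.
    """
    return ipaddress.ip_address(host).is_loopback


def firefox_user_js(proxy_host: str, proxy_port: int,
                    disable_safebrowsing: bool = True) -> str:
    """Build a user.js for a dedicated testing profile.

    Mirrors the GUI steps: route HTTP and HTTPS through the Burp listener and,
    optionally, turn off Safe Browsing so its reputation lookups do not show up
    as extra traffic in the proxy history.
    """
    if not is_loopback(proxy_host):
        raise ValueError(f"proxy {proxy_host} is not a loopback address")
    prefs = [
        ("network.proxy.type", 1),  # 1 = manual proxy configuration
        ("network.proxy.http", proxy_host),
        ("network.proxy.http_port", proxy_port),
        ("network.proxy.ssl", proxy_host),
        ("network.proxy.ssl_port", proxy_port),
    ]
    if disable_safebrowsing:
        prefs += [
            ("browser.safebrowsing.malware.enabled", False),   # "Block reported attack sites"
            ("browser.safebrowsing.phishing.enabled", False),  # "Block reported web forgeries"
        ]
    lines = []
    for name, value in prefs:
        if isinstance(value, bool):            # bool before int: True is an int subclass
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = '"%s"' % value.replace('"', '\\"')
        lines.append(f'user_pref("{name}", {literal});')
    return "\n".join(lines) + "\n"


def certutil_import_argv(profile_dir: str, pem_path: str,
                         nickname: str = "PortSwigger CA") -> list:
    """argv for importing the exported CA into a profile's cert database.

    Trust flag "C,," marks the certificate as a trusted CA for TLS server
    identification only, the same scope as the "Trust this CA to identify
    websites" checkbox in the GUI import.
    """
    return ["certutil", "-A", "-d", f"sql:{profile_dir}", "-n", nickname,
            "-t", "C,,", "-i", pem_path]


if __name__ == "__main__":
    print(firefox_user_js("127.0.0.1", 8080))
    # placeholder paths; substitute your own profile directory and exported .pem
    print(" ".join(certutil_import_argv("/path/to/profile", "/path/to/portswigger-ca.pem")))
    print("Burp listener up:", listener_reachable("127.0.0.1", 8080))
```

Drop the generated `user.js` into the testing profile’s directory before starting Firefox, and keep that profile separate from the one you browse with day to day so the Burp CA is never trusted by your normal browser.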
I certainly hope this guide has been helpful in getting you up and running easily with BurpSuite. We’ll be posting some additional tidbits in the near future on using Burp effectively.