Security Testing with Demo using the BurpSuite Proxy Interceptor
Security testing:
Security testing checks that systems and data are protected from unauthorized access and attacks by discovering the vulnerabilities, threats and risks in a software application.
The main goal is to keep the application secure and to protect private information from hackers and other unauthorized individuals.
Key Objectives of Security Testing:
- Identify security weaknesses in the system.
- Secure all software applications against unauthorized access and data breaches.
- Keep data accessible and secure while maintaining its integrity.
- Verify adherence to security rules and guidelines.
Types of Security Testing
1. Vulnerability Scanning: Automated scanning for known vulnerabilities.
2. Penetration Testing: A controlled, authorized simulated attack that evaluates the security of a computer system. The security professionals who perform penetration tests use the same tactics as real attackers to identify system weaknesses and show their potential business impact.
3. Security Auditing: Reviewing the code and architecture for vulnerabilities.
4. Risk Assessment: Finding and assessing potential security threats.
5. Ethical Hacking: Intentionally exploiting vulnerabilities to improve security.
Start with setup:
Step 1: Go to the PortSwigger website, log in with your email ID, and then download Burp Suite for your OS.
[Screenshot: Burp Suite download page]
After entering your email and clicking Download, select your preferred edition (Professional / Community) and download it.
Burp Suite comes in two editions:
- Burp Suite Community Edition (free) and
- Burp Suite Professional (paid version)
***Note: I just tried security testing with “Community edition”***
Step 2: Install Burp Suite for your OS
Go to your Downloads folder, double-click the Burp Suite installer (.exe) file, follow the installer prompts, and install it.
Step 3: Create a project in Burp Suite
After a successful installation, you need to create a new project.
Once installed, Burp Suite opens with the project screen shown above.
Click “Next” and then “Start Burp”. After the project is created, the project page loads and the new project is displayed as shown below.
The Burp Suite UI has the following tools, among others:
- Intruder
- Proxy
- Target
- Sequencer
- Decoder
Intruder
Intruder is another tool available in Burp Suite. With it you can vary request fields such as the username and password and observe how the application handles the values the client sends, i.e. what logic is coming from the client side.
Proxy
Proxy is the main tool. It runs as an interceptor between the browser/API client and the server. Inside Proxy there is the “Intercept” toggle button (on/off).
[Screenshot: Interceptor under Proxy]
Repeater
Repeater works in a similar way to Intruder. If you want to change the request payload, or any request you are sending, you can modify the data and then send the request on to the server.
It is bi-directional: the responses coming back from the server to the client can also be modified.
Decoder
Decoder decodes (and encodes) data such as URL-encoded values, HTML-encoded values and query strings.
Extender
Extender lets you add extensions that extend the functionality of Burp Suite. These extensions can:
- Modify how Burp Suite processes data
- Perform additional testing tasks
- Automate custom security scans
- Integrate with other tools
Step 4: Configure the proxy on your system.
Proxy -> Options || the proxy listener runs on port 8080
To verify this, open Burp Suite → click Proxy → click Proxy settings.
Example: proxy listener port: 8080
To set a proxy listener in the browser:
Chrome:
- Go to the browser -> click Preferences -> set the proxy to localhost:8080, or
- Go to the browser -> click “Settings” -> type “proxy” in the settings search bar -> click “Open your computer’s proxy settings”.
[Screenshot: Computer’s proxy settings]
- Click “Set up”.
[Screenshot: Edit proxy server]
- Enable “Use proxy server”. Once enabled, enter http://localhost as the proxy IP address and 8080 as the port value, then click Save.
- ***Note: The proxy setup steps vary by browser.***
Step 5: Download the CA certificate
In Burp Suite -> click Proxy -> click “Open browser” -> launch the URL.
Once the URL opens in this browser, the UI looks like the one below.
[Screenshot: Burp Suite certificate page]
Click “CA Certificate” in the top-right corner and download the certificate.
Note: If you are unable to open this URL, the proxy port is not set to 8080. Make sure the proxy listener in Burp Suite is running on port 8080.
Step 6: Import the downloaded certificate into the browser
Open your browser -> Settings -> Privacy and Security -> scroll down to the “Security” section and click it -> scroll down to “Manage certificates” and click it -> click “Manage imported certificates from Windows”.
[Screenshot: Manage imported certificates from Windows]
Click “Authorities” -> click “Import” -> select the CA certificate you downloaded in Step 5 and import it -> click “Finish”. The CA certificate import is now complete.
Step 7: Start Security testing with a sample website
[Sample website link]
- Open a new tab in the browser with the sample website link.
- Click “Access the lab” and log in with your email.
After clicking “Access the lab”, you are redirected to this page.
Note: If you are not registered, you need to create an account first.
After logging in, launch the application again: click “Access the lab” and log in with your e-mail and password. It redirects to the shopping application. This application has its own dummy username and password.
[dummy Username/Password: wiener/peter]
[Screenshot: Home page of the sample website (after login)]
3. Here, click “My Account”. It asks for your username and password (not the email and password you created; use the dummy username and password owned by this application). Paste your email ID and update it.
After logging in with the dummy user account, your account is credited with $100.
[Screenshot: After login with the dummy account]
4. Then click “Home” -> view the details of any product.
[Screenshot: Product details]
Here the price is $4.23. I tried to modify this price through the Interceptor using Burp Suite.
5. Before clicking “Add to cart”, go to Burp Suite and turn the Interceptor on. Then go back to the website and click “Add to cart”.
[Screenshot: The page keeps loading once the Interceptor is on in Burp Suite]
Burp Suite UI || after the Interceptor is on || For example, below is the actual request body carrying the price of this product: “productId=2&redir=PRODUCT&quantity=1&price=423”. If you change it to “productId=2&redir=PRODUCT&quantity=1&price=023”, the product price changes.
You can see the request above once you click the “…../.net/cart” POST request in the “Intercept” tab of Burp Suite. Modify the price value for that product and click “Forward”.
[Screenshot: Click Forward]
After clicking Forward, turn the Interceptor off.
You can see that the page is updated and the product is added to your cart. Go to your cart: the total is only $0.03.
[Screenshot: The product price has changed and the product has been added to the cart]
Now click “Place order”.
[Screenshot: Order placed successfully with the modified price]
Your account has been debited by only $0.03, but the product’s price is $4.23. This is the biggest security issue in this application: the server trusts the price value sent by the client.
Because the server performs whatever request it receives, modifying the data lets you place the order at the modified price.
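To make the flaw concrete from the server's side, here is an added example (not code from the post or from the lab application) that parses the “Add to cart” body shown above and contrasts a handler that charges the client-supplied price with one that ignores it and looks the price up in a server-side catalogue. The catalogue and the tampered body are constructed for the example; prices are in cents, matching price=423 for $4.23.

```python
# Added example, not from the original post or the lab application.
# Models the cart POST body from the post and shows why the price must be
# taken from server-side data rather than from the request.
from urllib.parse import parse_qs

# Constructed server-side catalogue (product id -> price in cents).
# Product 2 at 423 cents ($4.23) matches the post's example.
CATALOGUE = {"2": 423}

# Request body exactly as shown in the post, and a constructed tampered body
# that produces the $0.03 charge the post describes.
ORIGINAL = "productId=2&redir=PRODUCT&quantity=1&price=423"
TAMPERED = "productId=2&redir=PRODUCT&quantity=1&price=3"


def parse_cart_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_cart_total(body: str) -> int:
    """The flawed behaviour: charge whatever price the client sent."""
    form = parse_cart_body(body)
    return int(form["quantity"]) * int(form["price"])


def hardened_cart_total(body: str) -> int:
    """Ignore any client-supplied price; use the catalogue price instead."""
    form = parse_cart_body(body)
    product_id = form.get("productId")
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if quantity < 1:
        raise ValueError("quantity must be a positive integer")
    # The "price" field is simply never read.
    return quantity * CATALOGUE[product_id]


if __name__ == "__main__":
    print(vulnerable_cart_total(TAMPERED))  # 3 cents: the $0.03 order from the post
    print(hardened_cart_total(TAMPERED))    # 423 cents: client price ignored
```

The same pattern applies to any value the client should not control (totals, discounts, roles): derive it on the server and treat the request field, if it exists at all, as untrusted input.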
This is a dummy application, but you can use the same flow to test your own application.
This concludes the sample “Security testing with the Proxy Interceptor in Burp Suite”.
About The Author:
Rathi is an expert in automating Web, API, and mobile apps as a test automation engineer. Her areas of experience include planning, creating, and executing test strategies, test case development, test procedures as well as software quality assurance testing throughout the software development life cycle.
About CodeStax.Ai
At CodeStax.Ai, we stand at the nexus of innovation and enterprise solutions, offering technology partnerships that empower businesses to drive efficiency, innovation, and growth, harnessing the transformative power of no-code platforms and advanced AI integrations.
But the real magic? It’s our tech tribe behind the scenes. If you’ve got a knack for innovation and a passion for redefining the norm, we’ve got the perfect tech playground for you. CodeStax.Ai offers more than a job — it’s a journey into the very heart of what’s next. Join us, and be part of the revolution that’s redefining the enterprise tech landscape.