I get asked a lot about what tooling I’m using these days for web app pentesting, and why I’m not using Kali for everything. Seriously, stop telling me to use Kali. I like it, it’s just fine, but I’m not ever going to use it as my daily driver, and sometimes I just want to be able to look at some API calls intelligently from my main OS.
Say what you want about Ubuntu, it’s certainly no Arch Linux, but for what I do (which, these days, is mostly development) it’s stable, easy to use, and gives me enough control to not complain very much. And hey, it’s not Windows. So, anyway, I’ve put together a little guide to help you get started pentesting from Ubuntu with Burp Suite.
Head over to Portswigger and get the download for Burp Suite Community Edition. You’ll get what is possibly the largest bash script I’ve ever seen in my life. So, in your terminal, migrate to whichever folder it downloaded to and run the following:
chmod +x burpsuite_community_linux_v<your version here>.sh
./burpsuite_community_linux_v<your version here>.sh
That’ll take a moment to run, and when it’s done you’ll have the latest version of Burp Suite installed. I know, it’s surprising.
Open up the program (either by running BurpSuiteCommunity in your terminal or hitting the super/windows key and searching for it). You’ll see a pretty little splash screen, and then this:
Hit next again…
Alright, now we’re in business. Next, you’ll want to set a few of the Proxy options so you can actually use the damn thing. Go to the proxy tab:
Click on the options tab. Here, you can set up the listeners that will essentially allow you to do a Man in the Middle attack on yourself, so you can view/modify/replay traffic in real time. Modify the current entry to allow invisible proxying, and create a new entry on port 8443 for HTTPS traffic, as seen below:
Remember to check off “Force use of TLS” when you create the listener for HTTPS:
Bonus: if you never want to do this again, click the Burp menu (top left of main window) >> User Options >> Save user options and name the file something like burp.json. Now, you can load this template when you start a new project.
Setting up your browser
To make use of Burp, we need some source of traffic. Let’s set up Firefox to be our testing browser. Open up Firefox and go to the preferences page. At the bottom, you’ll see Network Settings:
Click on the Settings button beside that section, and you’ll see a window with proxy options pop up:
Enter the loopback address for each, since Burp Suite is running locally, and make sure you use the correct port numbers. If you’ve been following this guide exactly, they will be 8080 for HTTP and 8443 for HTTPS.
Ok, now you have the means to direct the traffic to Burp Suite. Next, you need to force your browser, which really just wants to be secure, to trust Burp. So, in your browser, navigate to http://burp (exactly). You’ll see this nifty little screen:
Hidden in the top right corner is what we’re after. Click the ‘CA Certificate’ link and save it:
That is the certificate that Burp Suite uses when signing HTTPS traffic. If you were only going to proxy HTTP traffic (good luck), you wouldn’t really need this, but that’s not the world we live in. Next, you’ll need to import this certificate into Firefox’s trusted certificate store. Go back to Preferences, and click on the Privacy & Security tab:
Near the bottom, click on ‘View Certificates’. You’ll see a window listing all of the certificates you currently trust. At the bottom, click Import:
Navigate to the folder where you saved the certificate from earlier and import it. Firefox will ask how you want to use it:
We don’t really need this to identify anything but websites, so for the sake of ‘scurity, just check off the first box. Older versions of Firefox had more options, but I can’t recall what they were and I’m too lazy to look it up. Use your best judgement, security professional.
Looking at some traffic
Now, we could go back to Burp and click on the proxy tab while navigating around the web all willy-nilly and capture everything going to and fro. But what about this project you’re working on where you really just need to see traffic from a certain domain or subdomain?
Easy. Go to the Target tab:
We’re highly advanced, here, so click on the ‘Use advanced scope control’ checkbox. Really, it’s just easier to use I think:
So, say we want to look at Twitter traffic and only want to view traffic from subdomains (like api.twitter.com). You would set a new target scope like so:
Going back to the proxy tab, you may have to change the filters in the HTTP history to ensure you only see items from your scope. Click on the Filter bar right above the traffic history and make sure ‘Show only in-scope items’ is checked off:
Navigate to Twitter, log in, and click around on stuff. You can now see only the traffic coming from Twitter subdomains (the Repeater tab is shown below):
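To make the scope rules and the ‘Show only in-scope items’ filter less magical, here is a small added example (my own code, not part of Burp) that mimics how advanced scope control decides what is in scope: each rule is a set of regexes for protocol, host, port and file; a request is in scope when any include rule matches and no exclude rule does. The HTTP history entries are constructed sample URLs, and the file field is matched against the path only, which is a simplification of what Burp does.

```python
import re
from urllib.parse import urlsplit


class ScopeRule:
    """One row of Burp's advanced scope table. Any field left as None means "any"."""

    def __init__(self, host, protocol=None, port=None, file=None):
        self.protocol = re.compile(protocol) if protocol else None
        self.host = re.compile(host)          # anchor with ^ and $ like Burp's UI does
        self.port = re.compile(port) if port else None
        self.file = re.compile(file) if file else None

    def matches(self, url):
        u = urlsplit(url)
        port = str(u.port or (443 if u.scheme == "https" else 80))
        path = u.path or "/"  # simplification: Burp's "file" field also sees more than the path
        return (
            (self.protocol is None or self.protocol.search(u.scheme) is not None)
            and self.host.search(u.hostname or "") is not None
            and (self.port is None or self.port.search(port) is not None)
            and (self.file is None or self.file.search(path) is not None)
        )


def in_scope(url, include, exclude):
    """Burp semantics: some include rule matches and no exclude rule matches."""
    return any(r.matches(url) for r in include) and not any(r.matches(url) for r in exclude)


def filter_history(history, include, exclude):
    """What Proxy > HTTP history shows with 'Show only in-scope items' checked."""
    return [entry for entry in history if in_scope(entry["url"], include, exclude)]


# Constructed sample of an HTTP history, not real captured traffic.
HISTORY = [
    {"method": "GET", "url": "https://twitter.com/home"},                       # apex, not a subdomain
    {"method": "POST", "url": "https://api.twitter.com/1.1/statuses/update.json"},
    {"method": "GET", "url": "https://abs.twimg.com/responsive-web/main.js"},    # other domain
    {"method": "POST", "url": "https://api.twitter.com/1.1/account/logout.json"},  # excluded below
    {"method": "GET", "url": "http://api.twitter.com/health"},                   # plain HTTP
]
# "Include subdomains" as Burp writes it, restricted to HTTPS; keep logout out of scope
# so clicking around in Repeater/Intruder never kills the session.
INCLUDE = [ScopeRule(host=r"^.*\.twitter\.com$", protocol=r"^https$")]
EXCLUDE = [ScopeRule(host=r"^.*\.twitter\.com$", file=r"logout")]

if __name__ == "__main__":
    for entry in filter_history(HISTORY, INCLUDE, EXCLUDE):
        print(entry["method"], entry["url"])
```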
You’ll notice that I’ve magically switched to dark mode; check this article out to be a big copycat and do the same.
Wrapping it up
That’s pretty much it, you should be good to go. So what’s next? Anything you want, really. I use Burp to pentest (obviously), assist with API development, and diagnose weird website issues. If you haven’t worked it into your web app pentesting workflow, do it now!