Intercept HTTP requests with Burp Proxy

Hiruni Dahanayake
UCSC ISACA Student Group
Nov 13, 2022

Intercepting a request means halting the request before it completes the round-trip to the server and back. Instead, the user can inspect and edit the request before allowing it to be sent to the server.

Download Burp Suite from here. The tutorial will be based on the Community Edition, although you can install the Professional Version for a fee.

Open Burp Suite Community Edition and select ‘Temporary project’ in the startup wizard. Click Next.

In the next window, continue with Burp Defaults and click on Start Burp. Once it is launched, select Proxy from the menu and click on the Intercept tab.

To turn on interception, click on the “Intercept is off” button. Burp will then display the change in interception status.

Next, click on ‘Open Browser’. This will open a window of the default browser. Type in the URL portswigger.net. The intercepted HTTP request body will be displayed in the Burp window for you to edit as you wish. Clicking on the ‘Forward’ button will forward the request to the server, and clicking on the ‘Drop’ button will drop the request. The ‘Action’ button is for other operations that can be done on the request.

Note that until the request is forwarded to the server, nothing will load in the browser, which will show a requesting status indefinitely. Once you click Forward, the webpage will load in the browser window (turn off intercept to observe how the requests will no longer be displayed, and the browser will load the requested web page without further prompts).

You may not see the requested page after clicking on ‘Forward’, instead being shown a different request on the intercept tab. This happens when the browser runs other tasks in the background. In this situation keep clicking on the Forward button until the requested page loads. A history of the messages intercepted can be viewed by clicking on the HTTP history tab.

HTTP history

This entire list of intercepted messages represents only a few of the requests made for a single search query for a product on an online shopping platform.

Some of the messages are for images. The effect of forwarding individual requests can be observed more clearly considering the same site as an example, where I have clicked on a link leading to Samsung products.

Partly loaded page

After forwarding a few requests, the above page loaded, with only a single image. As more requests were forwarded, each image was loaded onto the page one by one.

Page with more images loaded

This allows us to clearly identify the requests that were responsible for the respective images. It shows how a page is loaded as a result of several requests made to the server.

How is the proxy set up?

Burp Suite creates a listener on port 8080 of the loopback interface. What does that mean? A loopback interface is a virtual network interface that the device uses to communicate with itself. The created listener waits (“listens”) for inbound requests on that port, and Burp, the service that set up the listener, receives whatever arrives there. 127.0.0.1:8080 is used as the proxy server. Type it in the browser search bar to view a welcome message by Burp Suite.

Customization

Request interception can be customized in the rules section which can be found under the ‘Options’ tab. You can add new rules to intercept only a specific type of request, defined according to several criteria.

Add new rule window

To add a new rule, click on the ‘Add’ button and type www.google.com as the Match condition. Search or click on a link in the browser. If no requests are made to the given domain in fetching the requested data, the page will load without Burp Proxy intercepting any messages and without any manual forwarding of requests.

You may notice that there is a similar option to set up rules for response interception as well, which can be turned on or off at any time.
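To make the loopback listener and the domain-based interception rule concrete, here is an added Python sketch (not Burp's code and not part of the original tutorial). It binds a stand-in listener to 127.0.0.1, points an HTTP client at it as a proxy, and records what arrives; the function names, the `.example` hosts and the exact-host rule are assumptions made for illustration.

```python
import socket
import threading
import urllib.request

def listener(server, rule_host, seen):
    """Stand-in for the proxy listener: accept one request and record it."""
    conn, _ = server.accept()
    with conn:
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the end of the headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            raw += chunk
        lines = raw.decode("latin-1").split("\r\n")
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        host = headers.get("Host", "")
        # Interception rule (assumed shape): hold only requests to rule_host.
        held = host == rule_host
        seen.append({"request_line": lines[0], "host": host, "held": held})
        # A real proxy would now forward upstream; this sketch answers itself.
        body = b"held for review" if held else b"passed straight through"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                     b"Connection: close\r\n\r\n%s" % (len(body), body))

def send_via_proxy(url, rule_host):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # loopback only; port 0 picks any free port
    server.listen(1)
    server.settimeout(5)
    port = server.getsockname()[1]
    seen = []
    t = threading.Thread(target=listener, args=(server, rule_host, seen))
    t.start()
    proxy = urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{port}"})
    opener = urllib.request.build_opener(proxy)
    with opener.open(url, timeout=5) as resp:
        body = resp.read().decode()
    t.join()
    server.close()
    return seen[0], body

if __name__ == "__main__":
    # Constructed sample URLs; nothing leaves the machine.
    for url in ("http://shop.example/search?q=phone", "http://cdn.example/logo.png"):
        print(send_via_proxy(url, rule_host="shop.example"))
```

The recorded request line carries the full URL rather than just the path, which is how a client addresses a proxy, and only the request whose Host matches the rule is marked as held.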

There are more features in Burp Proxy alone, with Burp Suite offering an enormous array of testing tools. Play around with the options available, to become more familiar with the interface and fully utilize the tool.
