Quick Answer: To block HTTP/HTTPS traffic using Burp Suiteyou need to install Burp, configure the browser to use a proxy 127.0.0.1:8080then install the certificate Burp CA into the browser. When the feature is enabled Interceptevery request from the browser will go through Burp before reaching the server, allowing you to view and edit data.

When working with Web Securityobserving and editing HTTP requests is an extremely important skill. This is how security experts detect vulnerabilities such as SQL Injection, XSS, Authentication Bypass or debug API.

One of the most popular tools today is Burp Suite – web security testing toolkit by PortSwigger develop.

In this article, AnonyViet will guide you how to set up Burp Suite to:

• Block all web traffic from browsers
• Analyze HTTP request/response
• Decrypt HTTPS traffic with TLS Certificate

What is Burp Suite?

Burp Suite (often referred to as Burp) is a graphical tool that helps test Web application security.

It works like one intermediary proxy (MITM – Man in the Middle) between browser and server. When the request goes through Burp, you can:

• View all HTTP requests
• Edit parameters
• Header analysis
• Replay request
• API security testing

Burp Suite has many versions:

• Community Edition – free of charge
• Professional – for pentester
• Enterprise – large-scale security testing

This article uses version Community Edition.

What we will do

To block traffic with Burp Suite, you will take 3 main steps:

1. Download and install Burp Suite
2. Configure the browser to use Burp’s proxy
3. Install a TLS certificate to block HTTPS

Step 1: Download and install Burp Suite

You can download Burp Suite Community at PortSwigger’s official site:

https://portswigger.net/burp/communitydownload

Note:

• Burp Suite requests Java Runtime
• Supports Windows, Linux and macOS

After installing and opening Burp Suite, you will see the project initialization interface:

If you don’t want to save the project:

• Press Next
• Then choose Start Burp

The main interface of Burp Suite will appear:

Step 2: Configure Proxy for the browser

In order for Burp to block requests, the browser must send traffic through Burp’s proxy.

In this example I use Firefox.

Open settings:

about:preferences#general

Scroll down to the section Network Settings and press Settings.

Set up the proxy as follows:

• Manual proxy configuration
• HTTP Proxy: 127.0.0.1
• Port: 8080
• Tick Use this proxy for all protocols

Then press OK.

Now all browser traffic will go through Burp.

Check out Burp’s Proxy Listener

Open Burp Suite:

Make sure the Proxy Listener is:

• Host: 127.0.0.1
• Port: 8080
• Status: Running

Test blocking HTTP traffic

Access the simple HTTP page:

http://neverssl.com

Burp will block the request and display it in the tab Intercept.

You can:

• See header
• Edit parameters
• Forward requests
• Drop requests

Why does HTTPS fail TLS?

When accessing an HTTPS site like:

https://google.com

You will see a TLS error.

Reason:

• HTTPS encrypts data using TLS
• Burp is in the middle (MITM)
• The browser does not trust Burp’s certificate

Therefore we need to install Burp’s CA certificate.

Step 3: Install Burp CA certificate to block HTTPS

Open a browser and access:

http://burp/

Press CA Certificate.

Save the certificate file.

Next open:

about:preferences

Search Certificates.

Select:

• View Certificates
• Authorities
• Import

Select the Burp certificate file you just downloaded.

Tick ​​both options:

• Trust this CA to identify websites
• Trust this CA to identify email users

Press OK.

You can now block HTTPS without TLS errors.

How Burp Suite blocks requests

Open:

Proxy → Intercept

When turned on Intercept is ON:

• Request stops at Burp
• You can edit the data
• Then press Forward

For example, when logging into a website:

You will see:

• HTTP headers
• Cookies
• POST data
• Tokens

Edit request parameters

Switch tabs Params.

Here you can:

• Edit value
• Add parameters
• Delete parameters

This is how the pentester checks the server’s logic.

View full request history

To see all requests:

Proxy → HTTP History

You will see:

• List of requests
• Status code
• Domain
• Method (GET/POST)

Very useful when analyzing APIs or debugging web apps.

Actual use-case in Vietnam

Burp Suite is often used to:

• Analyze mobile app API
• Debug website requests
• Reverse engineer web service
• Web security testing

Many classmates Bug Bounty or Web Pentest all start with Burp.

If you are new to web security, you should combine it with a practice platform such as:

• TryHackMe
• PortSwigger Web Security Academy

Common errors when using Burp Suite

1. Cannot block requests

The cause is usually due to:

• Proxy is not configured correctly
• Wrong port
• Listener is not running

2. HTTPS fails TLS

The Burp CA certificate has not been installed in the browser.

3. Website does not load

Because Intercept is on but you have not forwarded the request yet.

FAQ – Frequently asked questions

Is Burp Suite free?

Have. Burp Suite Community Edition is free but some advanced features are only available in the Professional version.

Is Burp Suite used for hacking?

Burp Suite is a legitimate security testing tool. It is used by pentesters and security experts to detect vulnerabilities.

Is Java needed to run Burp Suite?

New versions have integrated runtime, but some older versions still require Java.

Which browser should I use with Burp?

Firefox is often used because it is easy to configure proxies and certificates.

Burp Suite setup checklist

• Install Burp Suite Community
• Proxy configuration 127.0.0.1:8080
• Check Proxy Listener
• Download Burp CA certificate
• Import into Firefox
• Turn on Intercept
• Analyze request/response

Conclude

Burp Suite is an extremely important tool in the field Web Security. Knowing how to intercept and analyze HTTP/HTTPS traffic helps you understand how web applications work and detect security issues.

If you are studying Pentest, Bug Bounty or API analysis, mastery of Burp Suite is an almost mandatory skill.

In the next articles, AnonyViet will provide further instructions on:

• Repeater
• Intruder
• Burp automation
• Exploit real web vulnerabilities

Reference source

• PortSwigger Web Security Academy
• TryHackMe
• Burp Suite Official Document

Many of you who work on web servers or work in the security field have probably heard of a software that helps us check Web security called Burp Suite, right? Today I will guide you through the simplest Active Burp Suite Pro that ensures no malicious code.

What is Burp Suite?

Burp Suite is known as a software that integrates features in testing the security of web applications. These features will test and evaluate the security level of elements of your website or today's modern websites.

With Burp Suite, you can use it to evaluate the following security criteria: Conduct authentication mechanism checks (Authentication), check user version issues (Version) or list and evaluate evaluate the input parameters of the web application (Input).

Burp Suite not only supports the manual security assessment process, but also provides functions that allow scanning for SSL security vulnerabilities and a number of other vulnerabilities. The two versions of Burp Suite distributed by PortSwigger Ltd are Burp Suite Free and Burp Suite Pro (also known as Burp Pro). Although the free version will have limited features, with the paid version you can exploit the full capabilities of Burp Suite at an affordable price.

AnonyViet has many quite detailed articles about Burp Suiteyou should read it all to understand how to use it.

Why should you use Burp Suite?

• All free: Although there are two versions that exist in parallel, the Burp Suite Free version and the Burp Suite Pro version, the free version gives us most of the necessary functions such as proxy server, web spider, intruder and repeater.
• Convenient: Instead of having to turn on many tools at once, Burp Suite will help you and support you in security testing
• Easy to use: With the development of Java, Burp Suite has a simple and neat user interface.

Compare Burp Free and Burp Pro

Burp Free

• Inspect and modify traffic between browser and Target using Proxy
• Target information collection and functionality
• Resend each package individually
• Many utilities analyze and decode data

Burp Pro

• Has all the functions of Burp Free
• Automatically scan for security vulnerabilities
• Exploit complex security vulnerabilities
• Allow Save process and continue
• Analyze web data
• Receive regular updates and security patches

Active Burp Suite Pro 2024 Instructions

Currently the latest version is Burp Suite 2022.3.9, I have packaged into a compressed file all the tools to Active License for Burp Suite Pro in the link below, you need to follow the steps below:

Download Burp Suite Pro 2024

(Includes Burp Suite Pro installation file from PortSwigger Ltd)

Note that if you want to download it yourself, you can download it here:

• You need to install it JDK (Java Developer Kit) and Java to be able to install Burp Suite Pro. It is mandatory to have these two things, otherwise the active file will not run!
• Download files Burp Suite Pro latest edition here.

Latest Active Burp Suite:

1. Go to the Java Setup folder, install 2 files inside.
2. Open the burploader.jar file to Get Key
3. Open the burp.bat file to run Burp Suite

See detailed image below:

Step 1: You unzip the Zip file just arrived into the folder

Step 2: Run file burp.bat. After running, Burp Suite's setup will appear

Step 3: Click Accept

Step 4: Run File burploader.jar

Step 5: Change the “License to ” section. I will leave the License to Anonymousviet

Step 6: Copy the License section to the setup section and click Next

Step 7: You choose Manual Activation

Step 8: You choose Copy Request and paste it into Activation Request

Step 9: Copy the Activation Response section and Paste into Setup and click next

Note: If it reports Activation Failed then try again from step 8

Step 10: Click Finish

Step 11: Run file burp.vbs to open Burp Suite Pro.

Remember to right click on the file burp.vbs to correct the file path burp.bat.

How to fix error to run burp suite using java 17+ please provide the following jvm arguments

For new versions of Burp Suite, even though Java 17 and Java 18 are installed, they still get the error “run burp suite using java 17+ please provide the following jvm arguments”, do the following:

Step 1: Open the folder containing the Burpsite file and File Loader

Step 2: Open CMD in the above directory and type the command:

Change burploader.jar and burpsuite_pro_v2022.3.9.jar matches the file name in the directory

java -noverify -javaagent:burploader.jar -jar --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED burpsuite_pro_v2022.3.9.jar

Or create files start.bat with the content below, then run the file start.bat is to be.

java -noverify -javaagent:burploader.jar -jar --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED burpsuite_pro_v2022.3.9.jar

So I have completed instructions on how to setup and activate Burp Suite Pro in the simplest way. Does anyone else's installation fail continuously?🤣 Please leave a comment below so I can answer you as well as support you! Wish everyone have a good day <3

SQL injection (SQLi) remains one of the most common web vulnerabilities today. But how to learn how to exploit it legally? It’s simple, you just need to download and configure Burp Suite Community Editionand create and set up an account in PortSwigger Labs.

To exploit SQL Injection, you should first Download Burp Suite Pro to practice.

Plan

Task: Find Lab “SQL injection attack, list database contents on non-Oracle database”. I chose this Lab because it shows all the steps of basic SQLi and helps you understand Burp Suite tools.

In short: find the Admin login

Necessary steps:

1. Find and confirm Entry Point in web request
2. Learn type SQL comments Valid
3. Find Row number in current table
4. Find Columns that return STRING
5. Find which Table is in the database of this web application
6. Find the Target Table (Table with admin credentials)
7. Specify the Column name of the Table
8. Get content

Basic SQL Injection with Burp Suite

1. Find and confirm the Entry Point in the web request

When you visit the page, you will see a normal landing page. Our goal is to explore this page and look for parameters that are related to the database.

Here we obviously have two options: filters like ‘All’, ‘Clothing’… and My Account are at the top right.

Let’s focus on filters.

Clicking “All” will not invoke any filters.

So select the “Gifts” filter to get a valid response.

Now power up Burp and access its Proxy’s HTTP history. Make sure you have Intercept turned off. If not, it will still work but everything will be much slower… you can try it yourself.

Burp intercepted a Request to the Lab Application. Now we need to edit it. We send this Request to Repeater in Burp by right clicking on Request Body and selecting “Send to Repeater”.

Then go to the Repeater tab in Burp and find Request. You can edit it now.

Web servers only understand URL characters and only some human readable content. So enable automatic URL encoder in Burp by clicking Request body in Repeater and select URL-encode as you type. Now, whenever we enter characters that are not understood by the Web server will be encoded as URL and most of the human readable characters will be preserved.

The easiest way to find entry points in SQLi is to insert Bad Characters. Here is the basic list:

‘
%27
“
%22
#
%23
;
%3B
)
Wildcard (*)

Start testing them from top to bottom by including them in the “category” parameter. Eg:

?category='

Immediately after trying the first character ‘, an error occurred. This is a good sign because it means that the server did not filter the request. The symbol we sent caused an error in SQL.

You can automate this process with Burp Intruder.

We already have the entry point, which is the value of the “category” parameter after the = sign.

Now, we need to learn how to control this entry point as it can break valid SQL request.

The control is done using the appropriate comment. Depending on the SQL type, there are different comments. So the best way is to try all of them but most databases are MSSQL or MySQL.

The double dash (-) comment doesn’t generate an error, so it’s valid and we can enter valid statements before it.

3. Find the number of rows in the table

To exploit a vulnerable database, you first need to find a way to pass commands to it. Note that direct commands have no effect.

‘ SELECT * FROM information_schema.tables —

The application returns SQL query results in its responses, so a UNION Injection attack can be used.

To perform the UNION attack, you need to determine the number of active table columns.

Number of columns: each SQL table has a certain number of columns. To make the UNION attack work, the request after the UNION keyword needs to contain the same amount of columns as the active table has.

Working table: not an official SQL term but I like to use it because it fits the way SQL works on the web. The active table is the one used by the application to provide expected responses to user requests.

Therefore, the number of columns can be determined using: ORDER BY. By incrementing the number after it, we can determine the exact number of columns.

You will notice that ‘ORDER BY 1 -‘ produces no error but ‘ORDER BY 1 0—’ the number of columns is greater than 1 but less than 10.

Tried 2 results with no errors but the 3rd one failed. There are no more than 3 columns: there are exactly 2 columns in the active table.

4. Find columns that return STRING

Now, we know the number of columns, but we need to know which columns should provide the response. Only columns with data type CHAR and the like can return human readable information.

This can be checked with a UNION SELECT query. It works by combining the results of multiple select statements. The first select statement provides information from the active table, but since we are locking down the first query, it provides nothing. After UNION is the next select statement. This statement is just an empty query but it gets the output along with the empty results from the latest query.

Enter a random string in each column:

‘ UNION SELECT ‘a’, ‘b’ —

The answer prints both a and b. So both columns are mineable.

Let’s use the first column for the response and nullify the second column with NULL.

What we need in response is the table name, which in normal conditions would be identified with:

SELECT table_name FROM information_schema.tables

information_schema is an important table in any SQL Database. It contains all the table names, columns and other cool stuff.

So we ask it to give us all the tables that can be stored in the DB so that we can manually choose the most suitable ones.

Integrating the select query above into the UNION SELECT statement yields:

The injected query will find multiple tables. Normally, you would select the Search field in Burp’s response to find keywords like admin, users, credentials, passwords…

The first keyword is Administrable_role_authorizations due to the word admin contained in it. Let’s see what the column names in this table are.

Nothing stands out… So let’s skip this table.

The next table is users_spkopw due to the word users Inside.

Query column names.

It’s better. Please output the contents of the columns in this table. This time, we’ll output the response in both UNION columns.

There are several logins, but admin is what we need. Now go to the login page and use them.

So that’s a success.