There is also an Enterprise Edition for sale, but it is more of a application scanner than a penetration testing tool. It will not be evaluated or described any more than that in this particular series.
You also want to make sure Java is installed on your machine because, well, Burp is made with Java.
After downloading all the required software, run the installers as you would any other application and launch the program. The first screen you see will look a little something like this:
If you bought professional you might see a popup to put in your license key at this time. Please do. I’ll wait.
If you want to save your project, click new project on disk. Otherwise click next and then “Start Burp” and you will be in the Dashboard.
So the thing about an HTTP proxy is you need to force your browser to use it. Every browser does things a little differently, but the best way to do it is use a browser extension like FoxyProxy for FireFox or SwitchyOmega for Chrome. I’ll go over both.
Go to https://addons.mozilla.org/ and search for FoxyProxy. The one you are looking for looks like this:
Once it is installed (you may need to restart your browser) you can open the options by clicking on the FoxyProxy icon in the browser toolbar and selecting “Options”.
To set up the proxy, click Add, give it a title, set 127.0.0.1 as the IP address, and 8080 as the port. This assumes you didn’t change the Burp defaults. If you did you can go to the Proxy tab in Burp, the Options tab under Proxy, and look at the settings under Proxy Listeners to find the right informaiton.
Once everything is set correctly. Save the configuration and turn on the proxy by clicking on the icon in the toolbar again and select use “for all URLs (ignore patterns)” I’ll go over patterns at some point becasue they are very helpful, but we have enough to do right now.
Now you might think you are done, but if you try to navigate to any HTTPS site, you will see an error saying the connection is not secure. Remember when I mentioned Burp is like a man-in-the-middle attack? Well you have just fallen victim to yourself. No worries though. Burp has a way to fix this that I explain below. If you are not interested in seeing how to set up Chrome’s SwitchyOmega, feel free to skip ahead.
To get started installing SwitchyOmega, go to the <a href=https://chrome.google.com/webstore/category/extensions> Chrome Web Store</a> and search for SwitchyOmega. It looks like this:
Add it to Chrome and give it the permissions it needs. Once it is installed you can go through the tutorial or skip it. Eventually you will need to add a New Profile, give it a name, change the protocol to HTTP, set the server to 127.0.0.1, and set the port to 8080. As with FireFox, if you changed the default Burp settings you can go to the Proxy tab in Burp, the Options tab under Proxy, and look at the settings under Proxy Listeners to find the right informaiton. Finally click apply changes and make sure the new profile is selected when you click on the icon in the Chrome toolbar.
As with FireFox, HTTPS sites will not work because Burp is intercepting the requests. The next section will explain how to fix that.
Burp has to use its own SSL certificate when attempting to proxy for sites using HTTPS because it has to strip away the encryption so it can read and display the data for you. Unfortunately, your browser doesn’t like receiving plaintext data when it asked for something encrypted, so you have to load Burp as a trusted Certificate Authority and install the applications certificate. Luckily this is simple.
First, go to the Proxy tab in Burp and then the Options tab in Proxy.
Then click “Import/Export CA Certificate”, select “Certificate in DER Format” from the export options, click next, choose where to save the file, click next, see that it worked, and close.
To install the recently exported certificate in FireFox, go to Options, search for “certificates”, and click “View Certificates”. Click on the Authorities tab and then Import. Find the certificate you exported before (you may need to change to “All Files (.)” in the explorer file type dropdown), open it, and click through with default settings to the end. When you have reached a success message you have made it! Now restart FireFox and when you browse to HTTPS sites, you should have no Insecure Connection warnings.
To install the certificates in Chrome, go to Settings, search for “Manage Certificates”, and click the highlighted section to open the Certificates dialog window. Make sure you select the “Trusted Root Certificate Authorities” tab and then click import. Find the proper certificate from burp (you may need to change to “All Files (.)” in the explorer file type dropdown), open it, and click through to the end of the wizard with default settings. You should get a popup saying the import was successful. Restart Chrome and once again, HTTPS will work without error warnings.
That was a lot of set up, but it will be worth it soon. In the next installment of Web Hacking with Burp Suite, I will show some examples of some basic tools provided with Burp. For now take a breath, and get ready to hack the web!
Ryne Hanson INFOSEC
blog pentesting web applications burp tutorial