Wednesday, September 16, 2009

BToD > Burp's Web Interface


Today's Burp Suite Tip of the Day is about the Burp Suite web interface. What makes it cool? I can only tell you what I think it works well for. Burp's 'Repeater' tool is awesome and in fact a HUGE time saver. Drawback? Well, the response to your request doesn't render in the browser. That is sort of not fantastic when you would like to prove to a customer via "visual stimulus" that XSS is possible, or something to that effect.

Oftentimes you will find something like XSS in a parameter during form submission. What happens when you would like to repeat this submission but the populated fields are not remembered? Technically speaking, you either use Repeater (which in our case isn't the optimum choice), or you fill out all the fields again and resubmit to test your code once more, or you try to submit as is (unpopulated forms) but take the request from proxy history and pull a "copy/paste". All of this seems much more complicated than simply using the Burp Suite web interface.

How do you access the interface? Well, when Burp Suite is up and running, go to the browser in which you are working, open a new tab and browse to http://burp ... seriously, it's that easy.

Your screen will look like so:


*Note: If your browser is not set to route traffic through Burp this will not work, because the `burp` hostname is answered by Burp's proxy listener itself rather than resolved through DNS. Of course, I am not sure you will run into that situation if you are using this.

The requests are listed sequentially from top to bottom, so if you would like to view the last request you made you have to scroll to the bottom.

Once you've found the request for re-submission just click on the link and the following screen will appear:


Once you click the link you can either choose to view the response or repeat the request. Since we are tinkering with our request, we will choose that option. Then the request is sent to Burp > Proxy:
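To make concrete what "repeat the request" actually replays (the whole captured submission, populated fields included, not a freshly loaded empty form), here is an added example that is not part of this post and not Burp's own code. It takes a raw request in the form shown in proxy history, parses it into method, path, headers and form fields, and re-sends it byte-for-byte against a throwaway local echo server so the script runs offline. The request text, the `/guestbook/post` path and the field names are constructed for the demo; the echo server stands in for whatever application you would normally be testing through the proxy.

```python
"""Parse a raw HTTP request (as seen in Burp's proxy history) and replay it.

Added example, not Burp's code.  The request, path and field values are
constructed; a local echo server stands in for the real application.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample: a populated form submission as proxy history would show it.
RAW_REQUEST = (
    "POST /guestbook/post HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "name=alice&comment=hello+world&page=2"
)


def parse_raw_request(raw):
    """Split a raw request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def form_fields(body):
    """Decode the populated fields so you can see exactly what gets replayed."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def replay(raw, host, port):
    """Re-send the captured request unchanged; return (status, response text)."""
    method, path, headers, body = parse_raw_request(raw)
    headers = dict(headers)
    # Recompute the length so an edited body never goes out with a stale header.
    headers["Content-Length"] = str(len(body.encode()))
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body.encode(), headers=headers)
    resp = conn.getresponse()
    data = resp.read().decode()
    conn.close()
    return resp.status, data


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for the target app: echoes the submitted fields back as text."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = form_fields(self.rfile.read(length).decode())
        out = "\n".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_echo_server():
    """Bind the echo server to a free loopback port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Replay the constructed request against the local echo server."""
    server = start_echo_server()
    try:
        return replay(RAW_REQUEST, "127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, text = demo()
    print(status)
    print(text)
```

The point of `form_fields` is the one the post makes: when you resubmit from history, every field the user (or you) populated the first time is carried along, so there is nothing to retype. If you want the response to render in a browser rather than in a script, that is exactly where Burp's web interface earns its keep; the script only shows what the replayed request contains.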


Well, it's not the best-known portion of Burp, but it is certainly effective and another time saver, which I think we all enjoy.

Happy Hacking!
cktricky
