
Burp Suite: HTTP Interception and Analysis

✍ admin 📅 10.06.2026 👁 25 views

What is Burp Suite?

Burp Suite by PortSwigger is the standard tool for web application testing. It acts as a proxy between the browser and the server, allowing you to intercept, analyze, and modify HTTP/HTTPS traffic.

Community Edition — free, sufficient for CTF. Professional — adds an automated scanner, Collaborator, and more.

Setup

1. Launch Burp Suite

Proxy → Options → verify the listener is on 127.0.0.1:8080.

2. Configure Your Browser

Firefox (recommended):
  • Settings → Network Settings → Manual proxy: 127.0.0.1:8080
  • Or use the FoxyProxy extension

Or use Burp's built-in browser: Proxy → Open Browser

3. Install the Certificate (for HTTPS)

  • Navigate to http://burpsuite or http://127.0.0.1:8080
  • Download the CA certificate
  • Import into the browser: Firefox → Settings → Certificates → Import

Proxy — Intercepting Requests

Intercept is ON — Burp intercepts every request.

What you can do:
  • Forward — pass the request along
  • Drop — discard the request
  • Action → Send to Repeater/Intruder — pass it to another module
  • Modify any field in the request before forwarding

HTTP History — a log of all requests. Very useful for analysis even without interception.

Repeater — Manual Testing

Repeater lets you send one request many times with modifications — ideal for manual testing.

Workflow:
  1. HTTP History → right-click a request → Send to Repeater
  2. Repeater tab → modify parameters
  3. Send → analyze Response
  4. Repeat

Example SQLi testing:

GET /user?id=1 HTTP/1.1
→ change to id=1'
→ id=1 OR 1=1--
→ id=1 UNION SELECT null,null--

Intruder — Automated Attacks

Intruder automates cycling through values in a request.

Marking Positions

GET /login?username=§admin§&password=§password§ HTTP/1.1

§ marks the position for substitution.

Attack Types

Sniper — one list, substitutes one position at a time. The most common.

Cluster Bomb — multiple lists, all combinations. For bruteforcing username+password.

Example: Brute-forcing a Login Form

  1. Send the login request to Intruder
  2. Positions → mark the password field: password=§§
  3. Payloads → load a password list
  4. Start Attack
  5. Sort by Length or Status — a different response = correct password

Note: Community Edition has rate limiting in Intruder. For faster brute-forcing, use ffuf or hydra.
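To make the difference between Sniper and Cluster Bomb concrete, here is an added Python example (not Burp's code and not part of the original article) that parses the § positions out of a raw request line and enumerates the requests each attack type would send; the request template and payload lists are constructed sample values.

```python
import itertools
import re
from typing import Iterator

# Burp marks an insertion point with a pair of section signs; the text
# between the pair is the base value that payloads replace.
MARKER = "\u00a7"
POSITION_RE = re.compile(f"{MARKER}(.*?){MARKER}")

# Constructed sample request with two marked positions (not real traffic).
TEMPLATE = (f"GET /login?username={MARKER}admin{MARKER}"
            f"&password={MARKER}password{MARKER} HTTP/1.1")


def base_values(template: str) -> list[str]:
    """Return the original value of every marked position, left to right."""
    return POSITION_RE.findall(template)


def render(template: str, values: list[str]) -> str:
    """Fill the marked positions, in order, with the given values."""
    it = iter(values)
    return POSITION_RE.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: list[str]) -> Iterator[str]:
    """Sniper: one list; each position is varied in turn while the other
    positions keep their base value. Sends positions x payloads requests."""
    base = base_values(template)
    for idx in range(len(base)):
        for payload in payloads:
            values = list(base)
            values[idx] = payload
            yield render(template, values)


def cluster_bomb(template: str, payload_sets: list[list[str]]) -> Iterator[str]:
    """Cluster Bomb: one list per position, every combination is sent.
    Request count is the product of the list sizes, which is why this
    attack type shows up in server logs as a much larger burst."""
    if len(payload_sets) != len(base_values(template)):
        raise ValueError("need exactly one payload list per marked position")
    for combo in itertools.product(*payload_sets):
        yield render(template, list(combo))


if __name__ == "__main__":
    print(len(list(sniper(TEMPLATE, ["a", "b"]))))                  # 4
    print(len(list(cluster_bomb(TEMPLATE, [["x", "y"], ["1", "2", "3"]]))))  # 6
```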

Decoder — Encoding/Decoding

Quick encoding/decoding right inside Burp:
  • Base64 encode/decode
  • URL encode/decode
  • HTML encode/decode
  • Hex
  • Hashing (MD5, SHA)

Scanner (Pro only)

Automatically scans the application for vulnerabilities: SQLi, XSS, XXE, SSRF, and more.

In Community Edition, passive scanning is available — traffic analysis without active requests.

Useful Tricks

Match and Replace

Proxy → Options → Match and Replace: automatically replaces parts of requests/responses.

Example: automatically change role=user to role=admin in all requests.

Scope

Target → Scope: limit Burp to the target host only to avoid intercepting noise.

Shortcuts

  • Ctrl+R — Send to Repeater
  • Ctrl+I — Send to Intruder
  • Ctrl+U — URL encode selection

Burp for CTF: Typical Flow

1. Enable Intercept
2. Register / log in / perform actions
3. Analyze HTTP History
4. Suspicious parameters → Send to Repeater → test manually
5. Found SQLi/XSS → Send to Repeater/Intruder for deeper analysis
6. Check cookies, hidden fields, headers