PortSwigger has an amazing and popular tool called Burp Suite. Generally I would write about it over on my Information Security blog, FFE4.org, but today I wanted to talk about it on the Quality Assurance blog. Although it’s a security tool, its purpose is to find holes and bugs in web applications. For that reason I think it has great potential to be introduced to QA teams. Specifically, the free/manual aspect of the tool is the most relevant to QA.
What it does…
Burp Suite has several features, but the one most relevant to QA testing is the Burp Proxy, which intercepts traffic and lets you modify the headers and fields being sent to and from the target.
Modifying headers allows a tester to fuzz a variable (introduce random or malformed data into it) and to alter header data in an attempt to bypass the web application’s security controls.
An example…
A while back I noticed some users were creating accounts on a site that wasn’t ready for traffic. It was a live site, but we had turned off registration (except for employees). I noticed non-employees with accounts on this site. Tracing the activity, I got both a public IP and an internal IP. It appeared to be an employee on a VPN, except this employee had an unusual internal IP and the real location of this individual was outside the country.
Digging further, I noticed they had an unusual field in the header:
X-Forwarded-For: 10.1.1.150
They were appending a fake internal IP in order to reach the registration page on our public site, because the application trusted that header as the client’s real address. It was clever, and it turns out Burp Suite has a tutorial on this specific security flaw.
A full list of tutorials and labs can be found on their site.
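To make the flaw concrete from the defender’s side, here is an added example (my own code, not from the original post or from PortSwigger). It contrasts an address check that believes X-Forwarded-For from anyone with one that only honors the header when the TCP peer is a known reverse proxy, and it scans some constructed access-log lines for the pattern described above: a public peer claiming an internal address. The internal range 10.0.0.0/8, the proxy address 192.0.2.10, the public client addresses and the log format are all assumptions made for this example; only 10.1.1.150 comes from the post.

```python
import ipaddress
import re
from typing import Iterable, List, Mapping, Tuple

# Constructed values for this example (assumptions, not from the original post):
# the internal range that registration is restricted to, and the address of the
# one reverse proxy that is allowed to set X-Forwarded-For.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def is_internal(ip: str) -> bool:
    """True if ip falls inside the employee/internal range."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def vulnerable_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The flaw from the post: X-Forwarded-For is believed no matter who sent it.

    A client that sets the header itself can claim any address, so anyone on the
    public internet can appear to be an internal employee."""
    xff = headers.get("X-Forwarded-For", "").strip()
    return xff.split(",")[0].strip() if xff else remote_addr


def hardened_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Honor X-Forwarded-For only when the TCP peer is a trusted proxy.

    With one proxy in front of the app, the proxy appends the true client as the
    rightmost entry; anything to the left of it was supplied by the client and is
    untrusted, so we take the last entry rather than the first."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr          # direct connection: header is client-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


def registration_allowed(remote_addr: str, headers: Mapping[str, str], hardened: bool = True) -> bool:
    """Employee-only registration gate, using either address resolver."""
    resolve = hardened_client_ip if hardened else vulnerable_client_ip
    return is_internal(resolve(remote_addr, headers))


# Detection side: scan access-log lines for a public peer that claims an internal
# address via X-Forwarded-For. The log format below is constructed for this example.
LOG_RE = re.compile(r'^(?P<peer>\S+) xff="(?P<xff>[^"]*)" (?P<req>.*)$')


def flag_spoofed_xff(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (peer, claimed_ip, request) for lines where a non-proxy peer presents
    an X-Forwarded-For value inside the internal range."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, xff, req = m.group("peer"), m.group("xff"), m.group("req")
        if not xff:
            continue
        try:
            peer_ip = ipaddress.ip_address(peer)
            claimed = xff.split(",")[0].strip()
            if peer_ip not in TRUSTED_PROXIES and is_internal(claimed):
                findings.append((peer, claimed, req))
        except ValueError:
            continue                # malformed address: skip rather than crash
    return findings


SAMPLE_LOG = [                      # constructed sample lines, not real traffic
    '203.0.113.5 xff="10.1.1.150" POST /register',
    '192.0.2.10 xff="10.1.1.150" POST /register',
    '198.51.100.7 xff="" GET /',
    '203.0.113.9 xff="not-an-ip" GET /register',
]

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "10.1.1.150"}
    print("vulnerable gate lets 203.0.113.5 in:", registration_allowed("203.0.113.5", spoof, hardened=False))
    print("hardened gate lets 203.0.113.5 in:  ", registration_allowed("203.0.113.5", spoof))
    for peer, claimed, req in flag_spoofed_xff(SAMPLE_LOG):
        print(f"ALERT peer={peer} claimed={claimed} {req}")
```

The design point is that the header itself is not the problem; trusting it from an arbitrary TCP peer is. If the application sits behind more than one proxy, the hardened resolver would need to strip one trusted hop per proxy from the right instead of taking a single entry, and the log scan would compare against the same proxy list.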
Using Burp
Just starting out, when you open Burp Suite, you’ll get a window like the one below. Simply click next:
Then click “Start Burp” on the next modal:
The default screen below may seem unfriendly and complex, but we’ll just use one aspect of Burp – Burp proxy.
Click on the Proxy tab, which will load the screen below:
Click on the orange button, “Open Browser”.
This spawns a Chromium browser run under the Burp Suite tool. As is, it does nothing other than act as your browser. But now I want you to go to a website you have permission to test (PortSwigger Academy has VMs you can play with to get used to the tool)… and click “Intercept is off” to toggle the intercept to on.
When you use the Burp browser to go to the site you have permission to test, you’ll notice the HTTP headers and fields being captured in Burp:
The browser will appear stuck; that’s because the traffic has been paused. Clicking Forward will move the HTTP traffic one more step in the exchange. Click Forward again and again until your test site loads completely.
All of these fields can be modified and other fields can be input. From here we can test values being passed back-and-forth.
Right-clicking any field will bring up a contextual menu. This menu offers to send the data to other aspects of the tool (such as Intruder and Repeater).
While this is a security-focused tool, its value for testing websites cannot be overstated. It creates a bridge from Software Quality Assurance into Website Security Testing.