
Intercept request and response with Burp Suite

When you’re testing a new feature, it’s quite common for the back end and the front end to reach the testing stage at different times. Testing the back end without a front end is a fairly easy task, but testing the front end without a back end can be challenging: you need a way to produce responses to front-end requests when the back end can’t answer them. The same question comes up when you need to substitute what the back end actually returns in its response.

When I worked on a Windows machine, I used Fiddler for these purposes. I do not know the current situation, but back then there was a free version of this wonderful tool. When I moved to Mac and later to Ubuntu, I kept looking for an application that could replace Fiddler. At a minimum, I needed the ability to substitute the browser’s request and the server’s response.

One option is Burp Suite. Of course, this application is much more than just spoofing server responses. It’s a powerful tool for security professionals. But I happened to have it installed and found it very handy for testing purposes.

Applications of this kind generally require your browser to be configured to use a proxy. And here lies the main advantage of Burp Suite over the others: it has a built-in Chromium browser that is already configured to work with Burp Suite.

The main disadvantage of Burp Suite is the difficulty of figuring out how to use it. But I will try to make your life easier and explain what you need to do in order to start substituting requests and responses.

Working with Burp Suite

First of all, of course, you need to install Burp Suite. The app has a Community edition that is completely free, and it is sufficient for basic tasks. If you need more, you can install the paid edition, which gives you access to all the functionality of this powerful product. So, here are the links:

Start Burp Suite

At first run it will ask you to accept Terms and Conditions.

You will then see a welcome screen that offers several options, but only one is available: Temporary project. All the other options are available only in the Professional edition. So that’s the first limitation: you will not be able to keep the results of your work or the settings you have made between sessions. This is not a problem, since the results of our work will be in the browser, and the settings are specific to each task. So choose the “Temporary project” option and move on.

On the next screen, select the “Use Burp defaults” option. You don’t have any configuration file yet. And finally, press the Start Burp button.

Catch all browser requests

Now you see the main window of Burp Suite. At the time of writing this post, it looks like this.

Burp Suite main window

At the top of this window you see many tabs, each of which deserves its own series of posts. But we only need one of them: the one called “Proxy”. The Proxy tab has its own set of four tabs. Today we will need almost all of them, except for “WebSockets history”.

To get started, you need to launch the built-in browser. Do this with the “Open Browser” button. The Chromium browser will open, and this is the browser we will use for our work.

Let’s use a site that was created for testing needs and open its “contact us” page: http://automationpractice.com/index.php?controller=contact. Fill out the form as you wish and submit it.

Now go to Burp Suite and navigate to the “HTTP history” tab. Find the line with the URL “/index.php?controller=contact”; it should be the last one. Click it. You will see the panes with the request, the response and the Inspector. In the request we can see all the information that was sent to the server and decide what we want to change next time. The response pane gives us the same possibility for the response.

In the request, all the data that we entered in the form is sent as form-data.

Requests history

Substitute the request

In order to change the data sent to the server, you need to change it in the request. To do this, you need to make sure the request is not sent on immediately. There is an intercept mode for this. But if we turn it on right now, then before every request is sent, the process will stop and wait to see whether we want to change something. Therefore, we will indicate that we only want to work with the request to “/index.php?controller=contact”.

This is done in several steps. First, right-click on the line with this request and select Add to scope from the menu. Burp Suite will ask whether you want to clear the list of requests and leave only those in scope. I usually don’t clear it, so that I don’t lose the history. Second, go to the Options tab. In the Intercept client requests section, in the conditions table, leave only one item checked, URL in the target scope, like this:

Requests options example

Now everything is set up. Go to the Intercept tab and click on the Intercept is off button. The button will change its color and text to indicate that Intercept mode is now enabled.

Now go back to the Chromium browser and open the same page again. Immediately after you open the page, Burp Suite will display the request that was intercepted when the page was loaded. So far we haven’t submitted anything in this request, so just press Forward.

Fill out the form on the site and submit it. Burp Suite will intercept the request, and we can change anything in the data that is sent to the server. For example, let’s change the contents of the name="from" field, which contains the email address we specified in the site’s form. After making changes to the request, press the Forward button and the modified request flies to the server.

Substitute the response

If we want to intercept only the server response, then go to the Options tab again. You need to disable request interception and enable response interception. Also, in the conditions of interception, you need to leave only the item “URL in the target scope”, like this:

Response options example

After you have set up response interception, check that Intercept mode is still active on the Intercept tab. Open the same page in the browser (remember that for the first request on this site we can press the Forward button, since it is just loading the page itself), fill out the form and submit it. This time Burp Suite catches the server response. After you make changes to it, click Forward. Now you can see the changes you made on the site’s page.
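To make it clearer what you are actually doing when you edit an intercepted message in the Intercept tab (both the request substitution described above and the response substitution in this section), here is a small added example in Python. It is not code from the post or from Burp Suite itself. It parses a raw HTTP message of the kind shown in Burp’s editor, swaps the value of the form field named “from”, rewrites part of a response body, recomputes Content-Length, and models the “URL in the target scope” condition. The sample request and response below are constructed for illustration, not captured from automationpractice.com, and the helper names are my own.

```python
# Added example, not part of the original post or of Burp Suite.
# Models what happens when an intercepted request or response is edited
# by hand: the message is re-serialized and Content-Length is recomputed.
from urllib.parse import urlencode, parse_qsl, urlsplit

CRLF = "\r\n"


def parse_http_message(raw: str):
    """Split a raw HTTP message into (start_line, headers dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return start_line, headers, body


def build_http_message(start_line: str, headers: dict, body: str) -> str:
    """Serialize a message, keeping header order and fixing Content-Length.

    The server reads exactly Content-Length bytes of body, so a stale value
    after a manual edit truncates the data or makes the server wait for more.
    Burp updates the header for you by default; this shows why it has to.
    """
    headers = dict(headers)
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = CRLF.join([start_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + CRLF + CRLF + body


def substitute_form_field(raw_request: str, field: str, new_value: str) -> str:
    """Replace one field of an application/x-www-form-urlencoded body."""
    start_line, headers, body = parse_http_message(raw_request)
    pairs = parse_qsl(body, keep_blank_values=True)
    pairs = [(k, new_value if k == field else v) for k, v in pairs]
    return build_http_message(start_line, headers, urlencode(pairs))


def substitute_response_body(raw_response: str, old: str, new: str) -> str:
    """Replace a fragment of the response body (e.g. a message the page shows)."""
    start_line, headers, body = parse_http_message(raw_response)
    return build_http_message(start_line, headers, body.replace(old, new))


def in_target_scope(url: str, scope_hosts, scope_path_prefix: str = "/") -> bool:
    """Model of the 'URL in the target scope' intercept condition (hypothetical
    simplification): host must be in scope and path must start with the prefix."""
    parts = urlsplit(url)
    return parts.hostname in scope_hosts and parts.path.startswith(scope_path_prefix)


# Constructed sample messages (not real captures).
SAMPLE_BODY = "id_contact=2&from=tester%40example.com&message=hello&submitMessage=Send"
SAMPLE_REQUEST = (
    "POST /index.php?controller=contact HTTP/1.1" + CRLF
    + "Host: automationpractice.com" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF
    + "Content-Length: " + str(len(SAMPLE_BODY)) + CRLF
    + CRLF
    + SAMPLE_BODY
)
RESPONSE_BODY = '<p class="alert alert-success">Your message has been sent.</p>'
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html; charset=utf-8" + CRLF
    + "Content-Length: " + str(len(RESPONSE_BODY)) + CRLF
    + CRLF
    + RESPONSE_BODY
)

if __name__ == "__main__":
    print(substitute_form_field(SAMPLE_REQUEST, "from", "qa@example.org"))
    print(substitute_response_body(SAMPLE_RESPONSE, "has been sent", "was NOT sent"))
```

Running the script prints the edited request and response; note that the rewritten Content-Length is 67 for the request body in the example, not the original 71, which is the kind of detail that is easy to miss when editing a message by hand in any proxy.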

Additional options

If the site you are testing actively uses web sockets, you can disable their interception on the same options tab in this section:

WebSockets section

And of course, you can intercept both the request and the response at the same time. Enable both of these interception options and use them.

Save the configuration

At the end of the work, you may want to save the settings you used. You can do this from the menu Project -> Project options -> Save project options. Later, when you open Burp Suite again, you can load the configuration from this options file.

By Eugene Okulik