Problem solve Get help with specific problems with your technologies, process and projects.

Debug and test Web applications using Burp Proxy

The Burp Proxy tool, part of the Burp Suite, has many useful features that test Web application security. Learn how to start using Burp Proxy.

What is “Burp Proxy”? Could it be used in a large enterprise setting or is it designed to be used for SMBs and...

consumers only?

Burp Proxy is the core component in both the free and professional editions of the Burp Suite, an integrated platform for debugging and security testing Web applications. It can certainly play a role at the enterprise level and is a useful tool for anyone wanting to see how Web applications work, both from a performance and security viewpoint. Penetration testers particularly will find this to be a useful tool, as it's been developed by a penetration tester, so it has many features suited to that kind of work.

Burp Proxy is an interactive HTTP and HTTPS proxy server acting as a man-in-the-middle between a browser and a Web server. This means it can intercept, inspect and modify the traffic passing between the two. This ability to modify browser requests allows testers to see how the application works and handles unexpected or malicious requests, such as SQL injection, cookie subversion, session hijacking, directory traversal and buffer overflows.

It has plenty of features. For example, you can manipulate binary data, such as pictures and videos, while they're being transferred. Requests and responses can be modified using filters based on various parameters, such as domain, IP address, cookies, body content and HTML page title to control which requests and responses are intercepted for manual testing, while the output includes automatic coloring of request and response syntax. All requests and modifications made are maintained in the history and can be logged to a file for further analysis or to provide an audit trail.

Burp Proxy is also tightly integrated with the other tools within the Burp Suite, so any request or response can be sent to another tool for further processing. Both Burp Suite editions contain a spider for mapping websites, which builds up a detailed site map by recording all of the requests made via Burp Proxy. The resulting site map can then be used to select individual items and send them to other Burp tools for analysis or as part of an attack. The fact that all of these tools work together speeds up both manual and automated testing.

Burp runs in both Linux and Windows and you can develop your own plug-ins to extend its functionality using the IBurpExtender interface. The Professional Edition is $275 per user, per year and includes additional tools such as an application vulnerability scanner and an intruder tool for performing customized attacks to find and exploit unusual vulnerabilities. If you are interested in trying Burp, start with the Free Edition available from the PortSwigger website above.

This was last published in August 2011

Dig Deeper on Web application and API security best practices