Skip to main content
Cross-site scripting using Burp Suite

Cross-site Scripting Using Burp Suite

What is Burp suite?

Burp Suite is an integrated platform for performing security testing of web applications. Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application, allowing you to intercept and modify all HTTP/S traffic passing in both directions.

Download Burp Suite Free Edition and install: https://portswigger.net/burp/freedownload/

Startup Wizard

The startup wizard is displayed when Burp launches. This allows us to choose what Burp project to open, and what project configuration to use.

Selecting a Project

To create or open a project choose from the following options:

  • Temporary project – This option is used when we don’t need to save any tasks performed for testing. All data is held in memory, and is lost when Burp exits.
  • New project on disk – In this you can specify a name for the project. This creates a new project that will store its data in a Burp project file, and data is saved as and when we perform testing. This file will hold all of the data and configuration for the project.
  • Open existing project – This option will list recently opened projects for quick selection. This reopens an existing project from a Burp project file.

Selecting a configuration

You can choose from the following options for the project configuration:

  • Use Burp defaults – This will open the project using Burp’s default options.
  • Use options saved with project – This is only available when reopening an existing project, and will open the project using the options that were saved in the project file.
  • Load from configuration file – This will open the project using the options contained in the selected Burp configuration file. This option will list recently opened projects for quick selection

How to setup Burp suite with Firefox Browser

To do any kind of testing with Burp, we need to configure browser to work with it. Burp functions as an HTTP proxy server, it sits between client and server, and all HTTP/S traffic from your browser passes through Burp.

We need to check for 2 things

Firstly, you need to confirm that Burp’s Proxy listener is active and running. Go to the Proxy tab, then the Options sub-tab, and look in the Proxy Listeners section. If it’s not listed try to add the same.

Setup Burp Suite

Secondly, you need to configure your browser to use the Burp Proxy listener as its HTTP proxy server.

Http Proxy should be 127.0.0.1/localhost and port should be 8080.

 Burp Proxy

When you run the application in Firefox, in Burp suite all the traffic will be captured in the Target tab.

Where we can see the page request and responses.

Burp Security

Now we will see how to check affected list of parameters and how to inject script from Burp suite.

  1. Go to the Proxy tab
  2. Make sure “Intercept in on”
  3. Using Firefox browser navigate to the page, which we want to test.
  4. When the page is loaded and is in edit mode, all affected parameters are listed with values in Burp suite proxy tab.

Burp suite proxy tab

I have injected script to one of the affected parameter value like as shown in the image.

When we forward the request we can see this affected parameter output in terms of popup in the application window, in our case its Firefox.

Application Window

If this blog was useful, don’t miss my next blog in which I will discuss on configuring the Burp suite for hosted web sites and injecting scripts.

 

 

Anand Suryavanshi

Anand Suryavanshi

Anand Suryavanshi works as Technical Lead with Trigent Software. He has over eight years’of experience in Microsoft DotNet Technologies and has worked extensively on migrating DotNet applications and performance tuning. His interests lie in learning new technologies, listening to musics and playing cricket.

Leave a Reply

Your email address will not be published. Required fields are marked *

ten + = 15