When building a mobile app, several situations call for engineers to monitor the app’s Application Programming Interface (API). One such situation is when engineers may want to test the app’s performance and vulnerabilities. Burp Suite is a software from PortSwigger that allows you to monitor an app’s API and to manipulate the requests that come in as well as the responses from the app.
Click the “Proxy” tab, then click the “Options” tab. About halfway down the page, you’ll find the “Match and Replace” settings. By default, Burp Suite comes with 12 pre-defined, yet disabled, rules, which can change the request and response headers. They’re an excellent starting point for learning how to create rules.
- Now, after closing the burp suite, you will notice that you can’t browse any websites because the proxy server is refusing connections. If you want to use Firefox browser to browse the website normally then go to preferences and under network and proxy, select “no proxy”. Whenever you want to use Burp, change it again to the manual proxy.
- Chrome browser proxy option. Now click on manual proxy enter the Proxy address and port number depending on the changes you have done in your burp suite proxy. If you have a default setting in your burp suite with localhost 8080 port then enter it and check to Use this proxy server for all protocols.
Burp Suite software must run in the same network as the app. This, however, does not mean that anyone can use Burp Suite to hack any device within the network, because the device to be monitored must install the certificate provided by Burp Suite, and its proxy should be configured as accorded in the manual guide.
To use Burp for API monitoring, you will need a laptop with Burp Suite installed in it (you can download it here, preferably the community version) and a device (Android or iOS) where the app is installed. You need to ensure that both use the same internet network.
Configuring Burp Suite
For the configuration, open Burp Suite and click “Next” until the following interface appears:
Click on the “Proxy” tab, then navigate to “Options” tab. Head to the section called “Proxy Listeners” and then click the “Add” button. A box called “Add a New Proxy Listener” will pop up and show you a tab labelled “Binding”.
In the box next to “Bind to Port”, type in a port number that is currently unused. Furthermore, for the “Bind to Address” section, choose “Specific Address” and select according to the network you are using. When all is done, click OK.
After the pop-up box closes, while still in the “Options” tab, scroll down until you find a section called “Intercept Client Requests” followed by a table of request interception rules. This is where you can add HTTP and HTTPS protocols.
Also read: Handling Multiple Datasources Using Repository Pattern
To add HTTP protocol, follow these steps:
- Click the “Add” button, and a box called “Add request interception rule” will pop up.
- For Boolean operator, choose “Or”
- For Match Type, choose “Protocol”
- For Match Relationship, choose “Is HTTP”
- Click OK
Follow the same steps to add HTTPS protocol, only this time selecting “Is HTTPS” for the Match Relationship.
After you have added the two protocols, view the table under “Intercept Client Requests” again. Make sure that only these two protocols are ticked and the other rules are unticked.
Installing certificate in the Android/iOS device
To install Burp Suite certificate in your device, thereby allowing it to be remotely monitored by Burp Suite, firstly, you need to open the device’s browser and type in the IP address of the laptop where your Burp Suite software is installed, followed by the port you had selected when configuring Burp Suite. Follow this format: [ip]:[port] (example: 192.168.8.100:8888).
After you click “Go”, a pop-up box will appear asking you to confirm that you have allowed it to open “Setting”. Select “Allow” and you will be directed to the PortSwigger CA configuration profile. Select “Install” to obtain the certificate.
After this, you will need to set the proxy configuration to manual. To do this, while still in your device’s Settings, go to Wifi and click on the “i” (information) button next to the network you’re using. Under HTTP Proxy section, choose “Configure Proxy” and select “Manual”. Then, click “Save”.
Additional procedure:
If you’re using iOS, the following steps should be taken:
- Still in your device’s “Settings” window, click on “General”.
- Select “About”
- Click on “Certificate Trust Settings”
- Activate PortSwigger CA
Note: do not forget to turn it off after you have completed the API testing.
Monitoring API and manipulating Requests/Responses
After you have completed the installation of the certificate in your device, you can start the monitoring and manipulation processes. Go back to the Burp Suite software and select the “Proxy” tab, followed by the “Intercept” tab. Make sure that the Intercept button is activated. Once you open the application, you can start the interception process. The following picture demonstrates what happens when you manipulate a request from an application when searching for the keyword kereta dorong via the iPhone.
This is an effective method if you are testing an application whose server/response is 500x, 400x, and so on. On the contrary, it will be challenging should you need to collaborate with the backend team and request for the server to be shut down temporarily. You can experiment with this tutorial and adjust it according to your needs.
Happy testing!
This article was originally published in Medium by our mobile engineer, Ashari Juang. Check our website to know more what Juang and team can do for your business!
Burp's upstream proxy settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server.
You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Rules are applied in sequence, and the first rule that matches the destination web server will be used. If no rule is matched, Burp defaults to direct, non-proxied connections.
Upstream proxy settings allow you to use a proxy, acting in-between Burp Suite and your connection to the internet.
To demonstrate this process we will be using two instances of Burp.
Burp instance 1 will act as a normal instance of Burp, used to perform testing.
Burp instance 2 will be configured to act as a proxy server.
Ensure that you have the correct details for the proxy server.
In this example we will set up Burp instance 2 to act as a proxy. We need to ensure that this instance of Burp is running on a free port. In this case we have used port 8085.
We can configure this in the 'Proxy Listener' section of the Proxy 'Options' tab.
Ensure the proxy listener is running.
Next we need to configure Burp instance 1 to use the proxy (Burp instance 2) to connect to the internet.
We can configure this in the 'Upstream Proxy Servers' section of the 'Options' / 'Connections' tab.
Click the 'Add' button to open the 'Add upstream proxy rule' dialog.
The 'Add upstream proxy rule' dialog allows you to create an upstream proxy rule.
Enter appropriate details in to the form.
In this example we can use a wildcard for the destination host.
The 'Proxy host' field should contain the host address of the proxy.
The 'Proxy port' field should contain the port used by the proxy.
What Is Burp Proxy
Click 'Ok'.
Burp Proxy Download
All traffic will now be routed through this proxy server.
How To Use Burp Proxy
Related articles:
Right-click on the RAR file and choose 'Open with WinRAR'. Double-click on the file you want to open and WinRAR will launch automatically. Open WinRAR and select the file/folder from the WinRAR file panel. Open RAR Files with WinRAR in the Following Windows Versions. Winrar chromebook.