I’ve been meaning to compile a bunch of Burp Suite tips for a while now. Stuff I’ve learned from others and things I’ve picked up along the way. This is the first installment of such helpful tips. I’ll be looking to pump out at least three posts in the short-term and then add more as I continue on down the line. I will begin this journey by touching on some of the configurations I make before I begin testing. With that said…

The first thing I like to do when making use of Burp actually involves the user agents (web browsers) I employ during testing. To prevent receiving errors related to invalid certificates in whatever browser you’re using, import Burp’s CA certificate. Taken straight from Portswigger’s website:

By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser.

Work through these instructions to browse TLS/SSL enabled sites without having to accept the certificates created by Burp for each unique site you visit. No need for me to work up any screens or instructions.

Require a fresh, non-cached response from the server.

You can force all responses to contain non-cached versions of the requested page by enabling two pre-built match-and-replace rules in Burp’s proxy options. I like doing this to ensure I am seeing the latest version of the file hosted by the server.

You can perform the same type of match-and-replace as used in the previous section to prevent your user agent from taking action on any provided XSS-related security headers. The only difference here is the addition of the ‘X-XSS-Protection’ header with a value of zero to ensure no browser defaults are still in play. Follow the path Proxy Tab -> Options Tab -> Match and Replace to make this config change.

You can also use this technique to introduce headers into requests to mark your activity. Your employer or one of their clients may request that you do this at some point.

Keeping your Proxy History Clean

The Proxy -> Options tab also lets you suppress logging of out-of-scope request/response information to the Proxy History tab.
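To make the effect of the three match-and-replace configurations concrete, here is an added Python illustration (example code written for this page, not Burp’s implementation and not from the original post) that applies equivalent header rules to raw HTTP messages: the two pre-built "require non-cached response" rules that drop the browser’s conditional request headers, the X-XSS-Protection rewrite to 0 on responses, and a marker header added to every request. The marker header name and the sample traffic are assumptions constructed for the example.

```python
import re

# Constructed stand-ins for the Burp Proxy match-and-replace rules the post
# describes (example code, not Burp's own implementation). Each rule is
# (regex matched against one header line, replacement, message type); an empty
# replacement deletes the header, just as an empty "Replace" does in Burp.
RULES = [
    # "Require non-cached response": strip the two conditional request headers
    # so the server cannot answer 304 Not Modified from the browser's cache.
    (r"^If-Modified-Since:.*$", "", "request"),
    (r"^If-None-Match:.*$", "", "request"),
    # Force the browser XSS auditor off so only the application's behaviour is seen.
    (r"^X-XSS-Protection:.*$", "X-XSS-Protection: 0", "response"),
]
# Headers added when absent: an activity marker on requests (name assumed;
# use whatever your client asks for) and the X-XSS-Protection value on responses.
ADD_IF_MISSING = {
    "request": "X-Pentest-Marker: example-engagement",
    "response": "X-XSS-Protection: 0",
}


def apply_rules(message: bytes, scope: str) -> bytes:
    """Rewrite the header block of one raw HTTP message (scope is "request"
    or "response") the way header-scoped match-and-replace rules would.
    The message body is left untouched."""
    head, sep, body = message.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, headers = lines[0], lines[1:]
    kept = []
    for line in headers:
        for pattern, replacement, rule_scope in RULES:
            if rule_scope == scope and re.match(pattern, line, re.IGNORECASE):
                line = replacement
                break
        if line:  # an emptied line is a deleted header
            kept.append(line)
    name = ADD_IF_MISSING[scope].split(":")[0].lower()
    if not any(h.lower().startswith(name + ":") for h in kept):
        kept.append(ADD_IF_MISSING[scope])
    return "\r\n".join([start_line] + kept).encode("iso-8859-1") + sep + body


# Constructed sample traffic showing what the proxy would forward.
SAMPLE_REQUEST = (b"GET /app.js HTTP/1.1\r\nHost: example.test\r\n"
                  b"If-None-Match: \"abc123\"\r\n"
                  b"If-Modified-Since: Tue, 01 Jan 2019 00:00:00 GMT\r\n"
                  b"Accept: */*\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"X-XSS-Protection: 1; mode=block\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(apply_rules(SAMPLE_REQUEST, "request").decode())
    print(apply_rules(SAMPLE_RESPONSE, "response").decode())
```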