Burp Suite is an integrated penetration testing tool with many testing components. It can intercept requests, capture packets, and so on, and is more powerful than Fiddler and Postman. Burp Suite does not need to be installed: once downloaded, it can be started directly from the command line. However, Burp Suite is written in Java and depends on the JRE at run time, so a Java runtime environment must be set up in advance.
The download package is available online.
Double-click the burp-loader-xxyyzz.jar file; the window shown in the figure below opens. Click the buttons in the red box in turn to enter the tool interface.
Second, set the browser proxy and configure the Burp listening port
2.1 Browser proxy configuration. Taking the Chrome browser as an example, open Settings / Advanced / System / Proxy settings, as shown in the figure:
Perform the following configuration:
2.2 Configure Burp Listening Port
Third, replay attack. After the proxy is configured, Burp Suite will intercept the interaction between the client and the server:
Intercept is on means interception is enabled; the corresponding Intercept is off means interception is disabled. After the proxy is set, the tool turns interception on by default, and requests initiated by the browser are intercepted by Burp Suite.
Forward: when a request is intercepted, click Forward to let it continue. If you click Drop, the request data is discarded.
The recommended setting is Intercept is off. The request to be tested is then found in the HTTP history for analysis. Taking the login request as an example, you can view the request and the server's response.
Right-click and select Send to Repeater.
After entering the Repeater interface, you can modify the parameters of the data packet to verify and analyze the request and response messages. Here, change the login name to wxxtest and click the Go button to get the response to the request.
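The Repeater step above (resend the captured login request, or resend it with the login name changed to wxxtest) is exactly what a server-side anti-replay check should reject. The following is an added Python example, not part of the original tutorial, showing such a check: the shared secret, the timestamp and nonce fields, and the login body are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret between client and server (assumption for this example).
SECRET = b"example-shared-secret"
MAX_SKEW = 300  # seconds; older requests are treated as stale replays


def sign(body: dict, ts: int, nonce: str) -> str:
    """HMAC over the canonical body, timestamp and nonce; any change breaks it."""
    canonical = json.dumps(body, sort_keys=True).encode()
    msg = canonical + b"|" + str(ts).encode() + b"|" + nonce.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side check that rejects stale, replayed, or modified requests."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = set()  # accepted nonces (a real server uses a store with TTL)

    def verify(self, body: dict, ts: int, nonce: str, sig: str) -> str:
        if abs(int(self._now()) - ts) > MAX_SKEW:
            return "stale"
        if nonce in self._seen:
            return "replayed"  # same request sent again, e.g. Repeater "Go"
        if not hmac.compare_digest(sign(body, ts, nonce), sig):
            return "tampered"  # body changed but signature not recomputed
        self._seen.add(nonce)
        return "ok"


def demo() -> dict:
    """Simulate the original login request and three Repeater-style resends."""
    fixed_now = 1_700_000_000
    guard = ReplayGuard(now=lambda: fixed_now)
    login = {"username": "alice", "password": "hunter2"}  # constructed login body
    ts, nonce = fixed_now, "nonce-0001"
    sig = sign(login, ts, nonce)
    results = {"first": guard.verify(login, ts, nonce, sig)}
    results["replay"] = guard.verify(login, ts, nonce, sig)
    modified = dict(login, username="wxxtest")  # login name edited in Repeater
    results["tampered"] = guard.verify(modified, ts, "nonce-0002", sig)
    old_ts, old_nonce = ts - 3600, "nonce-0003"
    results["stale"] = guard.verify(login, old_ts, old_nonce, sign(login, old_ts, old_nonce))
    return results


if __name__ == "__main__":
    print(demo())
```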