Friday, 12 July 2013

Data Manipulation - Intercepting HTTP Traffic using Burp Suite Proxy

"Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities." - http://www.portswigger.net/burp/


Open Burpsuite in BackTrack


Click on the Proxy tab. By default, the settings is set to listening on port 8080.


Next, go to your browser and set your proxy settings to 127.0.0.1:8080


In this example, we are going to use a weakly configured test website to demonstrate what Burp Suite Proxy can do.
On your browser, go to www.bayden.com/sandbox/shop/ and click enter. You will notice that the website is trying to load..


Now, on Burp Suite, you will see that the traffic has been intercepted. You can see the data it is withholding. Click Forward to allow the traffic to go through.


On your browser, you will notice that the website now has loaded properly. Check out the price for the laptop... it costs $1095. 
Let's try to change that shall we? Let's order 3 sets of it and click on Check Out.



On the Burp Suite Proxy, you will notice the HTTP traffic and what can we see here is the price of the laptop.


In the Params tab, you can see in a better format the cost of the laptop.


Let's change the price and put it to 65.00. Once changed, click forward.


And now you notice that you have successfully purchase 3 laptops for only $195.


------------------------------------------------------------------------------------------------------

Note: The site http://www.bayden.com/sandbox/shop/ is a site for testing, made available for those who wants to perform a POC (proof of concept) on this security issue.



Check out my previous blogpost on how to perform the same thing on Firefox and IE browser here: http://securityg33k.blogspot.sg/2013/07/5000-to-50-tamperingmanipulating-data.html

No comments:

Post a Comment