Introduction
In this lab, you will learn how to perform web application security testing using Burp Suite within a Kali Linux container in the LabEx VM environment. The focus is on setting up Burp Proxy to intercept web traffic, analyzing HTTP/HTTPS requests, testing for Cross-Site Scripting (XSS) vulnerabilities, and generating detailed reports. These hands-on steps will provide you with foundational skills for identifying and addressing security issues in web applications.
You will work directly in a Kali Linux container shell, which is automatically set up for you when you open the terminal. Through structured steps, you will configure tools, capture traffic, test for vulnerabilities, and document your findings. This lab is designed for beginners, guiding you through each process in a controlled environment to build practical cybersecurity skills.
Installing and Launching Burp Suite
In this first step, you will install and launch Burp Suite, a powerful tool for web application security testing, within the Kali Linux container in the LabEx VM environment. Burp Suite allows you to intercept and analyze web traffic, which is essential for identifying vulnerabilities in web applications.
When you open the terminal in the LabEx VM, you will be automatically connected to the Kali Linux container's shell. There is no need to manually start the container or enter the shell; the environment is already configured for you. Let's begin by ensuring the necessary tools are installed and ready to use.
Start by updating the package list to ensure you have the latest information on available software. In the terminal, type the following command and press Enter:
apt update
This command refreshes the package repository data. It may take a few seconds to complete, and you will see output indicating the progress of the update process.
Next, install Burp Suite Community Edition, which is available in the Kali Linux repositories. Type the following command and press Enter:
apt install -y burpsuite
This command installs Burp Suite without prompting for confirmation due to the -y flag. The installation might take a minute or two, and you will see output showing the download and installation progress.
Expected Output (partial, actual output may vary):
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
...
Setting up burpsuite (2023.10.3.7-0kali1) ...
Once the installation is complete, launch Burp Suite by typing the following command and pressing Enter:
burpsuite
This will open the Burp Suite graphical user interface (GUI). It may take a few seconds to load. When prompted, select the default "Temporary Project" option and click "Next" or "Start Burp" to proceed. You will see the main Burp Suite window appear.
Burp Suite is now running, and in the next steps, you will configure it to intercept web traffic. Keep the Burp Suite window open as you proceed. This step ensures that you have the primary tool ready for web security testing tasks.
Configuring Burp Proxy Settings
Now that Burp Suite is installed and running, the next step is to configure the Burp Proxy settings to intercept web traffic. The proxy acts as an intermediary between your browser and the internet, allowing you to capture and analyze HTTP/HTTPS requests and responses. This is a critical setup for web application security testing.
For beginners, understanding the role of a proxy is important. A proxy sits between your browser and the target website, intercepting all data exchanged. This lets you inspect the raw requests sent by your browser and the responses from the server, helping to identify potential security issues.
Since you are already in the Kali Linux container shell (automatically entered when you open the terminal), let's proceed with configuring the proxy settings directly in the Burp Suite GUI. Ensure that Burp Suite is still running from the previous step. If it is not, relaunch it by typing burpsuite in the terminal and pressing Enter.
In the Burp Suite window, navigate to the "Proxy" tab. This tab contains settings for configuring how Burp Suite intercepts traffic. Under the "Proxy Settings" section, ensure that the proxy is set to listen on 127.0.0.1:8080. This is the default configuration, meaning Burp Proxy will capture traffic on your local machine at port 8080.
If the settings are not set to 127.0.0.1:8080, adjust them manually by entering these values and click "Apply" if the option is available. Do not modify other settings at this stage.
To confirm that the proxy is active, run the following command in the terminal and press Enter:
netstat -tuln | grep 8080
Expected Output (actual output may vary):
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
This output shows that Burp Proxy is listening on port 8080. If netstat is not installed in the container, ss -tuln | grep 8080 reports the same information. If you do not see this output, ensure Burp Suite is running and the proxy settings are correctly configured.
You have now successfully set up Burp Proxy to intercept web traffic. Keep Burp Suite open with these settings as we move to the next step, where you will configure a browser to route traffic through this proxy. This configuration is essential for capturing and analyzing web interactions in subsequent tasks.
Setting Up Firefox to Use Burp Proxy
With Burp Proxy configured, the next step is to set up a web browser to route its traffic through the proxy. This allows Burp Suite to capture and display all HTTP/HTTPS requests and responses made by the browser. For this lab, you will use Firefox, which will be installed and configured within the Kali Linux container.
Since you are already in the Kali Linux container shell (automatically entered when opening the terminal), let's start by installing Firefox if it is not already available. Type the following command in the terminal and press Enter to install Firefox:
apt install -y firefox-esr
This command installs the Extended Support Release (ESR) version of Firefox, suitable for use in Kali Linux. The installation may take a few moments, and you will see output indicating the progress.
Expected Output (partial, actual output may vary):
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
...
Setting up firefox-esr (102.10.0esr-1~deb11u1) ...
Once Firefox is installed, launch it by typing the following command in the terminal and pressing Enter:
firefox &
The & symbol runs Firefox in the background, allowing you to continue using the terminal. A Firefox window will open in the graphical interface of the LabEx VM.
Now, configure Firefox to use Burp Proxy. Follow these detailed instructions within the Firefox browser window:
- Click on the menu icon (three horizontal lines) in the top-right corner of Firefox.
- Select "Settings" from the dropdown menu.
- Scroll down to the "Network Settings" section under the "General" tab and click on "Settings...".
- In the "Connection Settings" window, choose "Manual proxy configuration".
- Set the "HTTP Proxy" field to 127.0.0.1 and the "Port" to 8080.
- Check the box labeled "Also use this proxy for HTTPS".
- Leave other fields unchanged and click "OK" to save the settings.
This setup ensures that all web traffic from Firefox passes through Burp Proxy at 127.0.0.1:8080. To verify that everything is working, navigate to a simple website like http://example.com in Firefox by typing the URL into the address bar and pressing Enter.
Switch back to the Burp Suite window, go to the Proxy tab, and select the HTTP history sub-tab. You should see requests made to example.com listed there. If no requests appear, refresh the page in Firefox and confirm that the proxy settings are correct.
Expected Output in Burp Suite (visual, not terminal):
You will see entries in the HTTP history tab showing requests to example.com, with details like the host, method (e.g., GET), and URL path.
This step completes the browser setup to route traffic through Burp Proxy. Keep both Firefox and Burp Suite open as you move to the next step, where you will use this configuration to capture and analyze web traffic for security testing.
Capturing and Analyzing Web Traffic
Having configured Firefox to use Burp Proxy, you are now ready to capture and analyze web traffic. This step is crucial in web application security testing as it allows you to inspect the raw data exchanged between your browser and a website, helping to identify potential vulnerabilities or misconfigurations.
For beginners, capturing web traffic means recording the requests your browser sends to a website (like loading a page) and the responses the website sends back (like the page content). Burp Suite acts as a middleman, showing you this data in detail so you can examine headers, parameters, and content for security issues.
Since you are working in the Kali Linux container shell (automatically entered when opening the terminal), ensure that both Burp Suite and Firefox are still running from the previous steps. If Burp Suite is not running, relaunch it with burpsuite. If Firefox is not open, start it with firefox &.
In Firefox, navigate to a test website such as http://example.com by typing the URL into the address bar and pressing Enter. This action sends requests through Burp Proxy, which captures them for analysis.
Switch to the Burp Suite window and go to the Proxy tab, then select the HTTP history sub-tab. You will see a list of requests made by Firefox to the website. Each entry includes details such as the host, method (e.g., GET), and URL path.
Select any request related to http://example.com by clicking on it. This displays two panes: Request and Response. The Request pane shows the data sent from your browser, including headers and parameters. The Response pane shows the data returned by the website, such as HTML content or status codes.
Expected Output in Burp Suite (visual, not terminal):
In the HTTP history tab, you will see entries like:
- Host: example.com
- Method: GET
- Path: /
Clicking on an entry will show detailed request headers (like User-Agent) and response content (like HTML code for the page).
Take a moment to explore a few requests to understand the structure of web traffic. This skill of capturing and analyzing traffic is foundational for identifying security issues, which you will build upon in the next step. Keep Burp Suite and Firefox open with the current settings as you proceed to test for specific vulnerabilities.
Testing for XSS Vulnerabilities
With web traffic capture set up, you can now use Burp Suite to test for Cross-Site Scripting (XSS) vulnerabilities. XSS is a common web security issue where attackers inject malicious scripts into web pages that are then executed in a user's browser. This step focuses on identifying potential XSS flaws by submitting test inputs and analyzing responses.
For beginners, XSS occurs when a web application fails to sanitize user input, allowing harmful code (like JavaScript) to be injected and executed. There are different types of XSS, but here you will test for reflected XSS, where the malicious input is immediately reflected back in the server's response without being stored.
Since you are in the Kali Linux container shell (automatically entered when opening the terminal), ensure Burp Suite and Firefox are still running from the previous steps. If not, relaunch them with burpsuite and firefox & respectively.
In Firefox, navigate to a test website that accepts user input, such as a search box or form. For this lab, if no specific test site is provided in the LabEx VM, you can use a public test site like http://testphp.vulnweb.com if accessible. Type the URL into the Firefox address bar and press Enter.
Once the page loads, locate an input field, such as a search bar. Enter a simple test string like test<xss> into the field and submit the form. This input is harmless but helps check if the application reflects the input back without sanitizing it.
Switch to Burp Suite, go to the Proxy tab, and select the HTTP history sub-tab. Find the request corresponding to your form submission. Click on it to view the details. In the Request pane, look for the parameter where your input test<xss> was sent (it might be under a field like search or query).
Then, in the Response pane, search for your input string test<xss>. If you see the exact string reflected in the response without being escaped (e.g., not converted to test&lt;xss&gt;), the application might be vulnerable to reflected XSS.
Expected Output in Burp Suite (visual, not terminal):
In the Response pane, if you see test<xss> as-is in the HTML content, it indicates a potential vulnerability. If it appears as test&lt;xss&gt;, the angle brackets have been HTML-encoded, so the input has been sanitized, reducing the risk of XSS.
If you identify a potential vulnerability, right-click the request in the HTTP history tab and select Add to site map to organize it for reporting in the next step. This process of testing for XSS by submitting test data and analyzing responses builds your skills in vulnerability assessment. Keep Burp Suite and Firefox open as you move to the final step.
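The reflection check from this step, as an added example rather than code from the lab: given a captured request and a response body (both constructed here), it reports which query parameter carried test<xss> and classifies the reflection the way you judge it by eye in the Response pane. The two render functions are a constructed vulnerable handler beside its escaped counterpart, so you can see both outcomes.

```python
# Added example, not part of the LabEx lab: automate the manual check from the
# Burp Response pane, i.e. whether the probe test<xss> came back raw, HTML-escaped
# (test&lt;xss&gt;) or not at all. All requests and bodies below are constructed.
import html
from urllib.parse import parse_qs, urlsplit

PROBE = "test<xss>"

# Constructed captured request, in the shape Burp shows in its Request pane.
SAMPLE_REQUEST = (
    "GET /search.php?test=query&searchFor=test%3Cxss%3E HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

def probe_parameters(raw_request: str, probe: str = PROBE) -> list[str]:
    """Names of query parameters in the request line that carried the probe."""
    request_line = raw_request.splitlines()[0]      # "GET /path?query HTTP/1.1"
    target = request_line.split(" ")[1]
    query = parse_qs(urlsplit(target).query)        # percent-decodes the values
    return [name for name, values in query.items() if probe in values]

def classify_reflection(body: str, probe: str = PROBE) -> str:
    """'unescaped' = raw probe in the HTML (reflected XSS candidate),
    'escaped' = angle brackets entity-encoded, 'absent' = not reflected."""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=False) in body:     # test&lt;xss&gt;
        return "escaped"
    return "absent"

def render_search_vulnerable(user_input: str) -> str:
    """Constructed 'before' handler: interpolates the query into HTML unmodified."""
    return f"<p>Results for: {user_input}</p>"

def render_search_safe(user_input: str) -> str:
    """Constructed hardened handler: entity-encodes the query before interpolation."""
    return f"<p>Results for: {html.escape(user_input)}</p>"

if __name__ == "__main__":
    print("probe sent in parameter(s):", probe_parameters(SAMPLE_REQUEST))
    for label, page in (("vulnerable", render_search_vulnerable(PROBE)),
                        ("safe", render_search_safe(PROBE))):
        print(f"{label}: {classify_reflection(page)}  <- {page}")
```

Paste a real captured request line and response body from Burp into the two functions to reproduce the check on your own findings.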
Generating a Burp Suite Report
In this final step, you will generate a report in Burp Suite to document your findings from the web traffic analysis and XSS vulnerability testing. Creating a report is an essential part of security testing, as it compiles the issues you have identified and provides a structured way to review or share results.
For beginners, a Burp Suite report summarizes vulnerabilities or observations from your testing session. It includes details like the type of issue, affected URLs, and associated request/response data. This documentation is vital for tracking security flaws and planning remediation.
Since you are in the Kali Linux container shell (automatically entered when opening the terminal), ensure Burp Suite is still running. If not, relaunch it with burpsuite.
In the Burp Suite interface, navigate to the Target tab or Issues tab (depending on the version). This section lists any vulnerabilities Burp Suite automatically detected or issues you manually added. If you flagged a potential XSS issue in the previous step by adding it to the site map, it may appear here.
If no issues are listed, you can manually add one for practice. Go to the Proxy tab, select a request from the HTTP history where you tested for XSS (e.g., with input test<xss>), right-click it, and choose Report issue or Send to Issues. Select a type like Cross-site scripting (reflected) if available, add a brief description like Potential XSS in input field, and click OK.
To generate the report, in the Issues tab, click the Report button or find Generate Report in the menu. Follow these steps in the report wizard:
- Select the format as "HTML" for a readable format.
- Choose to include "All issues" or specific ones if you added any.
- When prompted for a save location, set the path to /root/xss_report.html within the Kali Linux container.
- Click "Next" or "Finish" to save the report.
After generating the report, confirm it was saved by typing the following command in the terminal and pressing Enter:
ls -l /root/xss_report.html
Expected Output (actual output may vary):
-rw-r--r-- 1 root root [size] [date] /root/xss_report.html
This output confirms the file xss_report.html exists in the /root directory. If the file is not there, repeat the report generation process and ensure the correct path is specified.
You have now successfully created a Burp Suite report documenting your testing results. This completes the lab, providing you with practical experience in web security testing using essential tools in a Kali Linux environment.
Summary
In this lab, you have learned the essentials of web application security testing using Burp Suite within a Kali Linux container in the LabEx VM environment. You started by installing and launching Burp Suite, then configured the Burp Proxy to intercept web traffic. By setting up Firefox to route traffic through the proxy, you captured and analyzed HTTP/HTTPS requests and responses. You also tested for XSS vulnerabilities by submitting test inputs and examining server responses. Finally, you generated a detailed report to document your findings. These steps have equipped you with practical skills for identifying and addressing web security issues using industry-standard tools.