Introduction
In this lab, you will learn the fundamentals of intercepting and modifying web traffic using Burp Suite, one of the most popular tools for web application security testing. The ability to intercept an HTTP request, change its contents before it reaches the server, and then observe the response is a foundational skill for discovering a wide range of vulnerabilities, such as parameter tampering and insecure direct object references.
You will use Burp Proxy to capture a request from your browser, modify a URL parameter on the fly, and forward it to a simple web application running locally. This hands-on exercise will demonstrate how a proxy can be used to manipulate the communication between a client and a server.
Enable Intercept Mode in the Proxy Tab
In this step, you will launch Burp Suite and enable its core feature for intercepting traffic. The Burp Proxy acts as a man-in-the-middle between your browser and the target web server, allowing you to view and alter all traffic that passes through it.
First, open the application launcher in the top-left corner of the desktop and start Burp Suite.
- Click "Temporary project" and then click "Next".
- Select "Use Burp defaults" and click "Start Burp".
Once Burp Suite is open, navigate to the Proxy tab. This is where you control the interception of HTTP traffic.
Inside the Proxy tab, you will see several sub-tabs. Make sure you are on the Intercept sub-tab. Here, you will find a button that toggles the interception on and off. By default, it might be off.
Click the button that says "Intercept is off" to enable it. The button's text will change to "Intercept is on", and it will appear pressed.
Now, Burp Proxy is actively waiting to capture the next HTTP request made by the pre-configured browser in this lab environment.
Intercept a Request from Your Browser
In this step, you will generate an HTTP request from the web browser and capture it in Burp Suite. Since intercept mode is on, Burp will hold the request, preventing it from reaching the server until you decide what to do with it.
Open the web browser provided in the lab environment. The browser is already configured to send its traffic through the Burp Proxy running on 127.0.0.1:8080.
In the browser's address bar, navigate to the simple web application that was started by the setup script. Type the following URL and press Enter:
http://127.0.0.1:5000/search?q=books
You will notice that the browser tab shows a loading icon, and the page does not load. This is expected behavior. It indicates that Burp Proxy has successfully intercepted the request and is waiting for your action.
Now, switch back to the Burp Suite window. In the Proxy -> Intercept tab, you will see the raw content of the HTTP request that your browser just sent.
GET /search?q=books HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
...
You have now successfully captured an HTTP request before it reached its destination.
Change a Parameter Value in the 'Raw' Request View
In this step, you will modify the intercepted HTTP request. This is the core of on-the-fly request tampering. You can change any part of the request, including the method, path, headers, or body. For this lab, you will change a URL parameter.
With the request displayed in the Proxy -> Intercept tab, ensure you are in the Raw view. This view shows the plain text of the request, making it easy to edit directly.
Locate the first line of the request:
GET /search?q=books HTTP/1.1
The q=books portion is a URL query parameter. The server-side application uses the value of q (currently books) to generate its response.
Now, edit this value directly in the text area. Click into the Raw view and change books to dvds.
The modified first line should now look like this:
GET /search?q=dvds HTTP/1.1
You have successfully altered the request data in transit. The browser is unaware of this change; it still thinks it requested the page with q=books. The server has not yet received any request.
Forward the Modified Request
In this step, you will release the modified request from Burp Proxy and allow it to continue to the web server.
After editing the request in the Intercept tab, you need to decide what to do with it. You have three main options via the buttons at the top of the view:
- Forward: Sends the request (in its current, possibly modified, state) to the server.
- Drop: Discards the request entirely. The browser will eventually time out.
- Action: Provides a menu of other actions, such as sending the request to other Burp tools.
To send your modified request to the server, click the Forward button.
After you forward the request, Burp will show the server's response in the same tab. You can forward this response back to the browser by clicking Forward again.
To avoid intercepting subsequent requests (like for a favicon), it's a good practice to turn off interception after you've finished with the request you care about. Click the "Intercept is on" button to toggle it back to "Intercept is off". This allows all other traffic to flow freely.
Observe the Server's Response to the Modified Request
In this step, you will observe the result of your action in both the browser and Burp Suite's history. This confirms that the server processed the modified data.
First, switch back to your web browser. The page, which was previously stuck loading, should now be fully loaded. Look at the content displayed on the page. It should read:
You searched for: dvds
This confirms that the server received and processed the modified parameter value (dvds), not the original one (books). You successfully tricked the server into displaying different content.
Next, go back to Burp Suite for a more detailed view. Click on the Proxy tab, and then the HTTP history sub-tab. This tab logs all requests and responses that have passed through the proxy. You should see an entry for GET /search?q=dvds. Click on it to see the full request you sent and the corresponding response the server returned, providing a complete record of the interaction.
This simple exercise demonstrates a powerful concept: never trust data coming from the client side. Anything the browser sends, including URL parameters, headers and form fields, can be altered in transit by an attacker using a proxy tool like Burp Suite, so the server must validate it on its own.
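To make the server-side lesson concrete, here is an added example (not the lab's own setup script) of a minimal stand-in for the /search endpoint used above. It parses the request line exactly as Burp displays it, treats the q parameter as untrusted regardless of what the browser "meant" to send, and only echoes it after an allowlist check and HTML escaping. The character allowlist and the 400/404 responses are assumptions made for this example.

```python
# Added example, not part of the lab: a stand-in for the lab's /search endpoint
# that shows why the server must validate the q parameter itself.
import re
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed policy for this example: q is 1-40 letters, digits, spaces or dashes.
Q_PATTERN = re.compile(r"^[A-Za-z0-9 \-]{1,40}$")

def parse_request_line(line: str):
    """Split a raw request line such as 'GET /search?q=dvds HTTP/1.1'
    into (method, path, query dict). Raises ValueError if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query, keep_blank_values=True)

def handle_search(line: str):
    """Return (status, body) for one request line. The server only sees the
    bytes that arrived, so a value edited in Burp is indistinguishable from
    one the browser typed; validate and escape it either way."""
    method, path, query = parse_request_line(line)
    if method != "GET" or path != "/search":
        return 404, "Not found"
    q_values = query.get("q", [])
    if len(q_values) != 1:            # missing or duplicated parameter
        return 400, "Exactly one q parameter is required"
    q = q_values[0]
    if not Q_PATTERN.fullmatch(q):    # reject anything outside the allowlist
        return 400, "Invalid search term"
    # escape() is defense in depth: the allowlist already excludes HTML metacharacters.
    return 200, f"You searched for: {escape(q)}"

class SearchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle_search(self.requestline)
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Same address the lab's web application listens on.
    HTTPServer(("127.0.0.1", 5000), SearchHandler).serve_forever()
```

Run it in place of the lab application and repeat the intercept-and-edit steps: q=dvds still produces "You searched for: dvds", but a tampered value such as q=<script> is rejected with a 400 instead of being reflected into the page.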
Summary
In this lab, you have learned the essential skill of modifying an HTTP request on the fly using Burp Proxy.
You successfully:
- Enabled intercept mode in Burp Proxy.
- Captured a live HTTP request from a browser.
- Modified a URL parameter in the raw request view.
- Forwarded the tampered request to the web server.
- Observed that the server's response was based on your modified data.
This technique is a fundamental building block for web application security testing, enabling you to probe for a wide variety of vulnerabilities by manipulating client-server communications.
