Modify an HTTP Response on the Fly in Burp Proxy

Beginner

Introduction

Burp Suite is a powerful platform for performing security testing of web applications. One of its core components is the Burp Proxy, which acts as a man-in-the-middle between your browser and the target web server. This allows you to intercept, inspect, and modify the raw traffic passing in both directions.

While intercepting requests is a common task, intercepting and modifying responses is equally important for security testing. It allows you to test how the client-side application handles unexpected or manipulated data from the server.

In this lab, you will learn how to configure Burp Proxy to intercept server responses and modify the HTML content of a web page before your browser renders it. The target is a simple local web server listening on http://127.0.0.1:8000.

Locate the Intercept Server Responses Settings

In this step, you will find the setting that lets Burp Proxy intercept responses from the web server. By default, Burp Proxy only intercepts outgoing requests from the browser; responses pass straight through to the browser.

First, you need to launch Burp Suite. You can find it in the application menu or by searching for it.

Once Burp Suite is open:

  1. Click the Proxy tab at the top of the window.
  2. Within the Proxy tab, click the Options sub-tab. (In recent Burp releases this sub-tab is called Proxy settings and opens the Settings dialog at Tools > Proxy; the sections described below are the same.)
  3. Scroll down until you find the section titled Intercept Server Responses.

This section contains the settings that control whether and how Burp Proxy intercepts incoming HTTP responses. You have now located the necessary configuration area for the next step.

Enable the 'Intercept responses based on the following rules' Checkbox

In this step, you will activate the response interception feature.

In the Intercept Server Responses section you located in the previous step, you will see a checkbox.

  1. Click the checkbox next to the label Intercept responses based on the following rules.

Once you check this box, Burp Proxy intercepts any server response that matches the enabled rules listed below it. Burp ships with a preloaded rule set, and the rule Request was intercepted is already enabled, which is exactly what this lab needs: Burp pauses a response only if it also paused the corresponding request. Responses to requests that were never held (for example images, stylesheets and scripts, which the default request interception rules let through) continue straight to the browser, so you only see the traffic you are actively inspecting. Note the consequence: with Intercept turned off, no requests are held, so no responses are held either.

Intercept a Request and Forward It

In this step, you will use Burp's built-in browser to make a request to our local web server and intercept it.

  1. Navigate to the Proxy > Intercept sub-tab.
  2. Ensure the button says Intercept is on. If it says "Intercept is off", click it to enable interception.
  3. Click the Open Browser button. A new Chromium browser window, pre-configured to use the Burp Proxy, will open.
  4. In the browser's address bar, type http://127.0.0.1:8000 and press Enter.

The browser will keep loading without showing the page because Burp is holding the HTTP request. Switch back to the Burp Suite window. In the Proxy > Intercept tab, you will see the raw HTTP request:

GET / HTTP/1.1
Host: 127.0.0.1:8000
... (other headers)

This is the request from your browser to the local server. Click the Forward button to release it to the server. Because response interception is enabled and this request was intercepted, Burp now waits for the server's response and holds that as well.

Modify the HTML Body in the Intercepted Response

In this step, you will edit the content of the HTTP response before it is sent to the browser.

Because you enabled response interception and forwarded the request in the previous step, the Proxy > Intercept tab now holds the server's response. It will look something like this:

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.10.6
Date: ...
Content-type: text/html
Content-Length: ...

<h1>Welcome to the Original Page!</h1><p>This is the content you will modify.</p>

The main text area is editable. This is where you can modify the response on the fly.

  1. In the response body text area, find the line <h1>Welcome to the Original Page!</h1>.
  2. Change the text to <h1>Welcome to the Modified Page!</h1>.
  3. You can also change the paragraph text if you wish, for example, to <p>This content has been changed by Burp Proxy.</p>.

You have now altered the server's response. Burp is still holding it, and nothing has reached the browser yet. Burp recalculates the Content-Length header for you when you forward the edited message. That matters: your edits made the body longer, and a browser that received the new body with the old Content-Length would read only the declared number of bytes and drop the rest of the page.

Forward the Modified Response and Observe the Change in the Browser

In this final step, you will send the modified response to the browser and see the result.

The modified response is still waiting in the Proxy > Intercept tab.

  1. Click the Forward button one last time. This will release the response and send your modified version to the browser.
  2. Switch back to the Burp Browser window that was previously loading.

The page will now finish loading, but instead of the original content, it will display the text you entered. You should see:

Welcome to the Modified Page! This content has been changed by Burp Proxy.

Congratulations! You have successfully intercepted an HTTP response, modified its content in transit, and observed the change in the browser. This demonstrates a fundamental capability for web application security testing. You can now turn intercept off by clicking the "Intercept is on" button.
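The following Python script is an added example for this lab; it is not part of Burp Suite and not the lab's server code. It reproduces in code what you just did by hand in the Intercept tab: it takes the raw response shown above (reconstructed here as bytes, with a made-up Date value), applies the two edits, and shows why the Content-Length header has to follow the body. Only Content-Length framing is handled; a chunked body would have to be de-chunked before editing.

```python
"""Rewrite an intercepted HTTP response the way Burp Proxy does when you
edit it in Proxy > Intercept: change the body, then keep the framing
header consistent so the browser renders the whole modified page.

Added example for the lab, not Burp code and not the lab server.
"""

CRLF = b"\r\n"

# Constructed sample: the body the lab's http.server returns, with the
# headers shown in the lab (the Date value is a made-up placeholder).
ORIGINAL_BODY = (b"<h1>Welcome to the Original Page!</h1>"
                 b"<p>This is the content you will modify.</p>")
ORIGINAL_RESPONSE = (
    b"HTTP/1.0 200 OK" + CRLF
    + b"Server: SimpleHTTP/0.6 Python/3.10.6" + CRLF
    + b"Date: Mon, 01 Jan 2024 00:00:00 GMT" + CRLF
    + b"Content-type: text/html" + CRLF
    + b"Content-Length: " + str(len(ORIGINAL_BODY)).encode() + CRLF
    + CRLF
    + ORIGINAL_BODY
)

# The two edits the lab makes by hand in the Intercept tab.
LAB_EDITS = [
    (b"Welcome to the Original Page!", b"Welcome to the Modified Page!"),
    (b"This is the content you will modify.",
     b"This content has been changed by Burp Proxy."),
]


def split_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    headers is a list of (name, value) byte pairs in their original order,
    so a rewritten response keeps the server's header layout."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def assemble_response(status_line, headers, body):
    """Inverse of split_response: serialise the parts back to raw bytes."""
    head = [status_line] + [name + b": " + value for name, value in headers]
    return CRLF.join(head) + CRLF + CRLF + body


def declared_length(headers):
    """Return the Content-Length value as an int, or None if absent."""
    for name, value in headers:
        if name.lower() == b"content-length":
            return int(value)
    return None


def framing_is_consistent(raw):
    """True when Content-Length matches the number of body bytes present."""
    _, headers, body = split_response(raw)
    length = declared_length(headers)
    return length is None or length == len(body)


def rewrite_response(raw, replacements, fix_length=True):
    """Apply byte-for-byte replacements to the body and, unless fix_length
    is False, update Content-Length to the new body size. fix_length=False
    reproduces the mistake of editing a body without touching the header."""
    status_line, headers, body = split_response(raw)
    if any(name.lower() == b"transfer-encoding" for name, _ in headers):
        raise NotImplementedError("de-chunk the body before editing it")
    for old, new in replacements:
        body = body.replace(old, new)
    if fix_length:
        headers = [
            (name, str(len(body)).encode()
             if name.lower() == b"content-length" else value)
            for name, value in headers
        ]
    return assemble_response(status_line, headers, body)


def body_of(raw):
    """Convenience accessor: just the body bytes of a raw response."""
    return split_response(raw)[2]


if __name__ == "__main__":
    modified = rewrite_response(ORIGINAL_RESPONSE, LAB_EDITS)
    print(modified.decode())
    naive = rewrite_response(ORIGINAL_RESPONSE, LAB_EDITS, fix_length=False)
    print("naive edit keeps framing consistent:", framing_is_consistent(naive))
```

Running the script prints the rewritten response with Content-Length raised from 81 to 89, and reports that the naive edit (body changed, header untouched) is inconsistent, which is the page truncation Burp spares you from when it updates the header on Forward. If you want to reproduce the lab's server outside the lab environment, put an index.html in an empty directory and run `python3 -m http.server 8000` there; it answers with the same HTTP/1.0 and SimpleHTTP headers shown above.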

Summary

In this lab, you gained hands-on experience with a key feature of Burp Suite. You have learned how to:

  • Configure Burp Proxy to intercept server responses, a feature that is disabled by default.
  • Follow the workflow of intercepting a request, forwarding it, and then catching the corresponding response.
  • Modify an HTTP response body in real-time before it reaches the browser.
  • Observe the direct impact of the response modification on the rendered web page.

This technique is fundamental in web security for testing how a web application's front-end code handles unexpected or malicious data from the server, potentially uncovering vulnerabilities like Cross-Site Scripting (XSS) or broken access control. Keep in mind what the modification proves: a change made in your own proxy reaches only your own browser. It becomes a real finding when the client-side behaviour you exposed is the only control protecting a server-side action, or when an attacker could cause the server (or a network position between server and victim) to deliver the same data.