Burp Suite Mobile App Testing


When building a mobile app, engineers often need to monitor the app's Application Programming Interface (API), for example to test the app's performance and look for vulnerabilities. Burp Suite is software from PortSwigger that lets you monitor an app's API traffic and manipulate both the requests the app sends and the responses it receives.

Burp Suite must run on the same network as the app. This does not mean that anyone on the network can use Burp Suite to intercept any device's traffic: the device being monitored must first install the certificate provided by Burp Suite, and its proxy must be configured as described in this guide.


To use Burp for API monitoring, you need a laptop with Burp Suite installed (download it from PortSwigger, preferably the Community edition) and an Android or iOS device with the app installed. Make sure both are on the same network.

Configuring Burp Suite

For the configuration, open Burp Suite and click 'Next' until the following interface appears:

Click on the 'Proxy' tab, then navigate to 'Options' tab. Head to the section called 'Proxy Listeners' and then click the 'Add' button. A box called 'Add a New Proxy Listener' will pop up and show you a tab labelled 'Binding'.


In the box next to 'Bind to Port', type in a port number that is currently unused. For 'Bind to Address', choose 'Specific Address' and select the laptop's address on the network your device uses. When all is done, click OK.

After the pop-up box closes, while still in the 'Options' tab, scroll down until you find a section called 'Intercept Client Requests', followed by a table of request interception rules. This is where you add rules for the HTTP and HTTPS protocols.


To add HTTP protocol, follow these steps:

  • Click the 'Add' button, and a box called 'Add request interception rule' will pop up.
  • For Boolean operator, choose 'Or'
  • For Match Type, choose 'Protocol'
  • For Match Relationship, choose 'Is HTTP'
  • Click OK

Follow the same steps to add HTTPS protocol, only this time selecting 'Is HTTPS' for the Match Relationship.


After you have added the two protocols, view the table under 'Intercept Client Requests' again. Make sure that only these two protocols are ticked and the other rules are unticked.
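Burp evaluates the rule table from top to bottom, combining each enabled rule's result with the result so far using that rule's Boolean operator. The following Python model is an added example (not code from the article or from PortSwigger) of that evaluation; it shows why leaving any extra rule ticked matters, using a constructed 'And URL is in target scope' rule that silently stops interception of everything outside the scope:

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Rule:
    enabled: bool      # the tick box in the table
    operator: str      # 'Or' or 'And'
    match_type: str    # 'Protocol' or 'URL'
    relationship: str  # 'Is HTTP', 'Is HTTPS', 'Is in target scope'


def rule_matches(rule, url, scope):
    """True if one rule matches the request URL (scope: hostnames in scope)."""
    parsed = urlparse(url)
    if rule.match_type == "Protocol":
        return parsed.scheme == {"Is HTTP": "http", "Is HTTPS": "https"}[rule.relationship]
    if rule.match_type == "URL" and rule.relationship == "Is in target scope":
        return parsed.hostname in scope
    raise ValueError(f"unsupported rule: {rule}")


def should_intercept(rules, url, scope=()):
    """Combine enabled rules top to bottom; the first rule's operator has nothing to combine with."""
    result = None
    for rule in rules:
        if not rule.enabled:
            continue
        matched = rule_matches(rule, url, scope)
        if result is None:
            result = matched
        elif rule.operator == "Or":
            result = result or matched
        else:  # 'And'
            result = result and matched
    return bool(result)


# The two rules the article adds, and nothing else ticked.
ARTICLE_RULES = [Rule(True, "Or", "Protocol", "Is HTTP"),
                 Rule(True, "Or", "Protocol", "Is HTTPS")]
# Same table with a leftover scope rule still ticked (constructed, not a Burp default).
LEFTOVER_RULES = ARTICLE_RULES + [Rule(True, "And", "URL", "Is in target scope")]

if __name__ == "__main__":
    # Constructed sample app traffic; 'kereta dorong' is the search term used later in the article.
    for url in ("https://api.example-shop.test/v1/search?q=kereta+dorong",
                "http://cdn.example-shop.test/img/logo.png"):
        print(url, should_intercept(ARTICLE_RULES, url),
              should_intercept(LEFTOVER_RULES, url, scope=("other.test",)))
```

With only the two protocol rules ticked every request is intercepted; with the leftover scope rule ticked, requests to hosts outside the target scope pass through uninspected.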

Installing certificate in the Android/iOS device

To install the Burp Suite certificate on your device, so that its traffic can be monitored by Burp Suite, first open the device's browser and enter the IP address of the laptop running Burp Suite, followed by the port you selected when configuring the listener. Use the format [ip]:[port] (example: 192.168.8.100:8888).

After you click 'Go', a pop-up box will appear asking you to confirm that you allow it to open 'Settings'. Select 'Allow' and you will be directed to the PortSwigger CA configuration profile. Select 'Install' to install the certificate.

After this, you will need to set the proxy configuration to manual. To do this, while still in your device's Settings, go to Wi-Fi and tap the 'i' (information) button next to the network you're using. Under the HTTP Proxy section, choose 'Configure Proxy', select 'Manual', enter the laptop's IP address and the listener port you chose above, then tap 'Save'.

Additional procedure:

If you're using iOS, the following steps should be taken:

  • Still in your device's 'Settings' window, click on 'General'.
  • Select 'About'
  • Click on 'Certificate Trust Settings'
  • Activate PortSwigger CA

Note: do not forget to turn this trust setting off again once you have completed the API testing.

Monitoring API and manipulating Requests/Responses

After the certificate is installed on your device, you can start the monitoring and manipulation process. Go back to Burp Suite, select the 'Proxy' tab and then the 'Intercept' tab, and make sure the Intercept button is switched on. Once you open the application on the device, its requests will be intercepted. The following picture demonstrates what happens when you manipulate a request from the application while searching for the keyword 'kereta dorong' on the iPhone.


This is an effective way to test how an application behaves when the server returns 5xx or 4xx (server or client error) responses. The alternative, coordinating with the backend team and asking for the server to be shut down temporarily, is far harder to arrange. You can experiment with this tutorial and adjust it according to your needs.


Happy testing!


This article was originally published on Medium by our mobile engineer, Ashari Juang. Check our website to learn more about what Juang and the team can do for your business!
