MASTG-TOOL-0077: Burp Suite
Burp Suite is an integrated platform for performing security testing of mobile and web applications.
Its tools work together seamlessly to support the entire testing process, from initial mapping and analysis of attack surfaces to finding and exploiting security vulnerabilities. Burp Proxy operates as a web proxy server for Burp Suite, which is positioned as a Machine-in-the-Middle (MITM) between the browser and web servers. Burp Suite allows you to intercept, inspect, and modify incoming and outgoing raw HTTP traffic.
Setting up Burp to proxy your traffic is pretty straightforward. We assume that both your device and host computer are connected to a Wi-Fi network that permits client-to-client traffic.
PortSwigger provides good tutorials on setting up both Android and iOS devices to work with Burp:
- Configuring an Android Device to Work With Burp.
- Installing Burp's CA certificate to an Android device.
- Configuring an iOS Device to Work With Burp.
- Installing Burp's CA certificate to an iOS device.
Please refer to Setting Up an Interception Proxy (Android) and Setting up an Interception Proxy (iOS) for more information.
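As an added example (not part of the MASTG page or PortSwigger's tutorials), the following POSIX shell functions point an Android device at a Burp Proxy listener over adb, read the setting back to verify it, and clear it again afterwards. It assumes adb is on the PATH, the device is authorised for debugging, and the host and port (constructed sample values in the comments) are those of a Burp listener reachable from the device's Wi-Fi network.

```shell
#!/bin/sh
# Added example, not code from the MASTG project or PortSwigger.
# Assumes adb is on PATH; override ADB to point at another binary.
ADB="${ADB:-adb}"

# Set the device-wide HTTP proxy in Android's 'global' settings namespace,
# e.g. burp_proxy_set 192.168.1.10 8080 (constructed sample values).
burp_proxy_set() {
    host="$1"; port="$2"
    "$ADB" shell settings put global http_proxy "$host:$port"
}

# Read back the current value (strip the CR that adb shell appends).
# "null" or ":0" means no proxy is configured.
burp_proxy_get() {
    "$ADB" shell settings get global http_proxy | tr -d '\r'
}

# Return 0 only if the device reports exactly the host:port we asked for.
burp_proxy_verify() {
    want="$1:$2"
    got="$(burp_proxy_get)"
    [ "$got" = "$want" ]
}

# ":0" is the common way to clear the global proxy again after testing.
burp_proxy_clear() {
    "$ADB" shell settings put global http_proxy :0
}
```

This only redirects apps that honour the system proxy; frameworks such as Xamarin and Flutter ignore it, which is why the techniques listed below cover them separately, and the Burp CA certificate still has to be installed on the device for HTTPS traffic to be readable.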
Techniques
- MASTG-TECH-0125: Intercepting Xamarin Traffic
- MASTG-TECH-0120: Intercepting HTTP Traffic Using an Interception Proxy
- MASTG-TECH-0121: Intercepting Non-HTTP Traffic Using an Interception Proxy
- MASTG-TECH-0063: Setting up an Interception Proxy
- MASTG-TECH-0064: Bypassing Certificate Pinning
- MASTG-TECH-0109: Intercepting Flutter HTTPS Traffic
- MASTG-TECH-0011: Setting Up an Interception Proxy
Tests
- MASTG-TEST-0054: Determining Whether Sensitive Data Is Shared with Third Parties
- MASTG-TEST-0065: Testing Data Encryption on the Network
- MASTG-TEST-0004: Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services
- MASTG-TEST-0019: Testing Data Encryption on the Network
- MASTG-TEST-0206: Undeclared PII in Network Traffic Capture