BURP SUITE
HTTP INTERCEPTION & WEB APPLICATION TESTING
MODULE 05 — PROXY · INTERCEPT · REPEATER · DECODER

OBJECTIVES

  • Browse target with intercept ON
  • Modify a request parameter
  • Send a request to Repeater
  • Find and modify a hidden field
  • Decode and tamper a cookie
  • Intercept a file upload request
  • Identify an IDOR vulnerability
  • Submit the pentest report
PHASE 1 — PROXY INTERCEPT
MISSION BRIEF
PENTEST ENGAGEMENT — AUTHORISED

BURP SUITE — HTTP INTERCEPTION

TARGET: 10.10.16.10 — webserver.apexlab.local

SCENARIO

Nikto identified several interesting paths on 10.10.16.10. Now use Burp Suite's proxy to intercept live HTTP traffic, inspect and manipulate requests, and probe for application-level vulnerabilities that automated scanners cannot find — hidden fields, IDOR, parameter tampering, and cookie manipulation.

TARGET PATHS OF INTEREST

Path            Notes
/login.php      Authentication form
/profile.php    User profile — ?id= parameter
/upload.php     File upload functionality
/admin/         403 — investigate bypass
/api/user       API endpoint

HOW TO USE THIS LAB

  • Open the Browser and navigate to pages on the target
  • When Intercept is ON in the Proxy, requests are captured for you to inspect and modify before forwarding
  • Use Send to Repeater to send a captured request to Repeater for repeated manual testing
  • Use the Decoder to decode/encode cookies and parameters
REFERENCE — BURP SUITE
CORE TOOLS
Proxy
Sits between browser and server. When Intercept is ON, every request is paused for you to inspect and modify before it reaches the server.
Repeater
Lets you manually resend modified HTTP requests. Essential for testing parameters, payloads, and auth bypass attempts.
Decoder
Encode/decode Base64, URL, HTML, Hex. Useful for analysing cookies, tokens, and encoded parameters.
PROXY WORKFLOW
1. Turn Intercept ON
2. Browse target in Browser
3. Request appears in Proxy
4. Inspect / modify request
5. Click Forward to send
6. Observe Response
COMMON TESTS
Parameter tampering
Change ?id=1 to ?id=2 to access another user's data (IDOR).
Hidden field manipulation
Forms often contain hidden fields like admin=false — change to admin=true.
Cookie manipulation
Decode cookie value, modify role/user field, re-encode and resend.
File upload bypass
Intercept upload request, change filename extension or Content-Type header.
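As an added example (not part of this lab or of Burp Suite itself), the cookie test described above in Python: an unsigned Base64 cookie is decoded, its role edited and re-encoded exactly as the Decoder workflow does, and the vulnerable check accepts it; an HMAC-signed variant of the same cookie rejects the edit. The cookie value, the secret and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: an unsigned Base64 cookie of the kind the Decoder tab
# reveals. Anyone holding it can decode, edit the role and re-encode it.
UNSIGNED_COOKIE = base64.b64encode(b'{"user": "alice", "role": "user"}').decode()

# Hypothetical server-side secret (placeholder; real deployments load it from config).
SERVER_SECRET = b"example-secret-not-for-production"


def decode_cookie(cookie: str) -> dict:
    """What the Decoder tab does: Base64 -> JSON, with no integrity check."""
    return json.loads(base64.b64decode(cookie))


def encode_cookie(payload: dict) -> str:
    """Re-encode a payload in the form the server expects."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


def tamper_role(cookie: str, new_role: str) -> str:
    """The lab's tamper step: decode, change the role field, re-encode."""
    data = decode_cookie(cookie)
    data["role"] = new_role
    return encode_cookie(data)


def vulnerable_role_check(cookie: str) -> str:
    """Trusts the cookie body blindly, so a tampered cookie grants admin."""
    return decode_cookie(cookie)["role"]


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Hardened form: append an HMAC-SHA256 tag over the encoded body."""
    body = encode_cookie(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verified_role_check(cookie: str, secret: bytes):
    """Return the role only if the tag matches; None means tampering detected."""
    if "." not in cookie:
        return None  # unsigned cookie: never trust it
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # body edited, or tag forged without the secret
    return decode_cookie(body)["role"]
```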
HTTP METHODS
GET — retrieve resource
POST — submit data
PUT — upload/replace resource
DELETE — delete resource
OPTIONS — list allowed methods
USEFUL HEADERS
X-Forwarded-For: 127.0.0.1
X-Original-URL: /admin/
Referer: http://trusted.site/
User-Agent: Mozilla/5.0...