Burp Proxy's intercept feature lets you intercept HTTP requests and responses sent between the browser and the target server. This enables you to study how the website behaves when you perform different actions.
The intercept feature lets you perform the following useful actions:
You can find the intercept feature on the Proxy > Intercept tab.
We recommend following the tutorial below to learn how to use Burp Proxy's intercept feature.
For more detailed information, please see the full documentation.
In this tutorial, you'll use Burp Proxy to intercept and modify a request to see how the server responds.
Open Burp's browser, and use it to access the following URL:
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls
Click Access the lab and log in to your PortSwigger account if prompted. This opens your own instance of a deliberately vulnerable shopping website.
Click My account and log in using the following credentials: wiener:peter.
Click Home, then view the details for the Lightweight "l33t" leather jacket.
In Burp, go to the Proxy > Intercept tab.
Make sure that Intercept is on.
In the browser, add the leather jacket to your cart.
In Burp, notice that the resulting POST /cart request is intercepted.
You may initially see a different request on the Proxy > Intercept tab if the browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request.
In the request body, change the value of the price parameter to 1.
Click Forward to send the modified request to the server.
Switch interception off again. Subsequent requests will now pass through Burp Proxy uninterrupted, so you can browse the site as normal. Any HTTP requests the browser makes will still be captured on the Proxy > HTTP history tab.
In Burp's browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has been added, but you have managed to change the price to just one cent and are able to complete the purchase.
There is no way to modify the price via the web interface. You were only able to make this change thanks to Burp Proxy.
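The following is an added example, not part of the original tutorial or the lab's code, showing why the modified request succeeded and how a server avoids it: a cart handler that takes the price from the POST /cart body, next to one that looks the price up server-side. The productId and quantity field names, the catalogue contents and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue: product id -> price in cents (assumed values).
CATALOG = {"1": 133700}

# Constructed request bodies: as the browser sent it, and as edited in the proxy.
ORIGINAL_BODY = "productId=1&quantity=1&price=133700"
TAMPERED_BODY = "productId=1&quantity=1&price=1"


def parse_cart_body(body: str) -> dict:
    """Parse a form-encoded POST /cart body into single-valued fields."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    # Reject duplicated parameters rather than silently picking one of them.
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("duplicate parameter")
    return {name: values[0] for name, values in fields.items()}


def add_to_cart_trusting(body: str) -> dict:
    """The flaw the tutorial exposes: the unit price comes from the request."""
    f = parse_cart_body(body)
    return {"productId": f["productId"], "quantity": int(f["quantity"]),
            "unit_price": int(f["price"])}


def add_to_cart_hardened(body: str) -> dict:
    """The price is looked up server-side; a client-supplied price is never used."""
    f = parse_cart_body(body)
    product_id = f.get("productId", "")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    quantity = f.get("quantity", "")
    if not (quantity.isascii() and quantity.isdigit() and 1 <= int(quantity) <= 99):
        raise ValueError("invalid quantity")
    unit_price = CATALOG[product_id]
    # A mismatching client price is a useful signal to log, not a value to honour.
    tampered = "price" in f and f["price"] != str(unit_price)
    return {"productId": product_id, "quantity": int(quantity),
            "unit_price": unit_price, "tamper_suspected": tampered}


if __name__ == "__main__":
    print(add_to_cart_trusting(TAMPERED_BODY))
    print(add_to_cart_hardened(TAMPERED_BODY))
```

The tamper_suspected flag gives the application something to log or alert on when a request carries a price that differs from the catalogue.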
You have now learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy's intercept feature. To learn more, refer to the links below:
If you want to test different inputs in the same request, you can send the request to Burp Repeater. This lets you edit and resend the same request as many times as you like, without having to intercept it each time. For more information, refer to Getting started with Burp Repeater.
You can also practice using Proxy intercept and other Burp Suite features with the deliberately vulnerable "lab" websites on our Web Security Academy.