Don’t have Burpsuite ? Dev-Tools got you.
Burpsuite is a widely used web application penetration testing tool, powered by PortSwigger. It is built on Java. Burp allows you to intercept traffic analyze requests, and many more things. It has three versions as Community edition, Professional edition, and Enterprise edition. Each version has different functionalities.
When it comes to web application testing this tool is a lifesaver. But what if you don’t have burpsuite in your machine. Maybe you are not home, and you don’t have your laptop. Or maybe, you are not a web application tester, but you do interact with web applications a bit. So it would be disturbing to install Java and download Burpsuite, just to do some simple stuff.
That’s where developer tools come in handy. These developer tools can make our life much easier. These tools do a range of things, from inspecting currently-loaded HTML, CSS, and JavaScript to showing which assets the page has requested and how long they took to load.
So let me walk you through how we can use dev-tools instead of burpsuite to do some simple things. I am using Firefox as my browser but you can use Chrome or Edge if you prefer (shortcuts that I mention may vary).
Opening the Developer console
Right click on the web page and select Inspect Element or press Ctrl+shift+c on your keyboard (in Firefox). This will open up your developer console.
As you can see there are a lot of features here. I will focus on some useful options which might help you.
Analyzing requests.
Burpsuite allows intercept and analyze the traffic sending from your browser to the server using the a proxy.
As you can see burp intercepted the request. However our main objective is to see what kind of a request is sent to the server. Instead of using burp you can use dev-tools to do the same thing.
Go to the Network tab in your console and refresh the page (Ctrl+r).
Here you can see all the requests that is being sent. The first request is the main request and other ones are assets of the webpage such as images, CSS files e.t.c. We can filter them by clicking on to filter options provided above.
So if you click on the first request on top, you will see some thing like you saw before in the burp interceptor.
This is the exact same request you saw before. You can see not only the request but also the response sent back from the server. Here there are lot information to look at.
- In the Cookies section, you have all the cookies sent.
- In the Request section, you have all the parameters sent.
- You have the response body in the Response section.
- You can also look at the timings of the requests in the Timing section.
Repeating requests.
Burp allows you to change the request contents and send the requests again and again with Repeater (Note: you can edit the content with the intercept too).
We can also so with dev-tools. You can right click on the request that you want to resend and select Resend.
After I resent the request, a new row popped up. You can clarify that these two requests are same, by clicking on the request.
Some times we have to edit the request that was sent before and send it back. By this manner we will be able to identify the differences in the two responses.
For that you can right click in the request and select Edit and Resend.
Here we can edit the request headers and send the request. For example we can edit the User-Agent header.
After sending the edited request you can click on the sent request and confirm that the User-Agent header is different from other requests.
Not only headers, you can edit cookies, parameters too.
So these are some very basic stuff you can do with dev-tools. One thing to mention is that dev-tools can’t replace burpsuite. Ever!! Because burp has got many more advanced features than intercepting traffic.
There are many more things you can do with developer tools. If you are interested in learning more about dev-tools check these out.
Thank you !!!
