Ch 4: Environmental Setup and Traffic Interception

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

Use a Unix-based system. Kali Linux is recommended – it ships with Burp Suite, Gobuster, DirBuster, Wfuzz, and other tools. macOS also works fine.

Burp is a web proxy that sits between your browser and the server, intercepting and allowing modification of every HTTP/HTTPS request and response.

• Community – free; intruder is rate-limited; no scanner; no session saving
• Professional – paid; full intruder speed; active scanner; session saving; match-and-replace rules

1. Open Firefox > Preferences > General > Network Settings
2. Select Manual proxy configuration
3. HTTP Proxy: `127.0.0.1`, Port: `8080`, check “Also use this proxy for HTTPS”

Required to intercept HTTPS without certificate errors:

1. With Burp running, browse to `http://burp/` in Firefox
2. Download CA Certificate (top-right link)
3. Firefox > Preferences > Privacy & Security > View Certificates > Authorities > Import
4. Select the file, check “Trust this CA to identify websites”
5. Restart Firefox

Burp > Proxy > Intercept > click until it reads Intercept is on. Browse to any HTTPS site to confirm requests appear.

Proxy – captures all requests/responses. Modify before forwarding. Right-click to send to any other module.

Intruder – automated payload injection. Use for: brute-forcing passwords, iterating IDs for IDOR, fuzzing parameters.

1. Send to Intruder > Positions tab: highlight value, click Add
2. Payloads tab: paste list
3. Start attack, sort results by status/length

Repeater – manually replay and modify individual requests. Most-used for exploitation and bypass testing. Right-click any request > Send to Repeater.

Decoder – encode/decode base64, URL, HTML, hex. Use “Smart decode” when unsure of encoding.

Comparer – diff two requests or responses side by side. Useful for comparing auth vs. unauth responses.

Copy as curl – right-click any request > Copy as curl command. Paste into a report as PoC.

Organized notes are how you avoid repeating work and missing chains:

• Per-target folder – subfolders per feature (auth, uploads, API, payments)
• Record every weird behavior even if not immediately exploitable – revisit during chaining
• For each vuln class you study: theory, impact, steps to exploit, sample PoC code
• Tools: Obsidian (Markdown + graph view), Sublime Text, XMind for mind maps
• Back up to external drive or cloud regularly