Pentesting · 4 min read · 20 Mar 2026

Intercepting HTTP requests with Burp Suite

How Burp Suite can be used to intercept and modify HTTP requests, demonstrated by finding a price manipulation vulnerability on a live ecommerce site.

Burp Suite is one of the most widely used tools in web application security testing. At its core, it acts as a proxy between your browser and the target server, allowing you to intercept, inspect, and modify HTTP requests before they reach their destination.

What makes Burp Suite powerful

When you browse a website normally, your browser sends requests and receives responses without any intervention. Burp Suite sits in the middle of that conversation. Every form submission, every API call, every cookie — you can see it all, modify it, and forward it on.

This capability is invaluable for security testing because it reveals how an application actually handles data on the wire, not just what the UI shows you.

Finding a price manipulation vulnerability

To demonstrate this in practice, we tested an ecommerce website's checkout flow. The site displayed a delivery fee of approximately Rp 200,000 (around $20 AUD) during checkout.

Using Burp Suite's intercept feature, we captured the checkout request and examined the parameters being sent to the server. Among them was the delivery price — sent as a client-side value rather than being calculated server-side.

When we changed that parameter from Rp 200,000 to Rp 20 (about $0.02 AUD) and forwarded the request, the server accepted the modified price without any validation.

Why this matters

This type of vulnerability — trusting client-side data for pricing — is more common than you'd expect. It highlights a fundamental security principle: never trust user input. Price calculations, discounts, and fees should always be validated and computed on the server side.

Key takeaways for developers

  • Server-side validation is non-negotiable. Any value that affects business logic (prices, quantities, discounts) must be validated on the backend.
  • Don't rely on hidden form fields for sensitive data. If it's in the request, it can be modified.
  • Use integrity checks for critical parameters — signed tokens or server-side session storage.
  • Regular security testing with tools like Burp Suite can catch these issues before attackers do.
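
The first and third takeaways combined, as an added example (not code from the tested site or from this post): the server computes the delivery fee, hands the client an HMAC-signed quote, and at checkout rejects any fee that fails the signature or no longer matches the server-side table. The fee table, key, field names and function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample data: the fee table and key are placeholders for this example.
DELIVERY_FEES_IDR = {"standard": 200_000, "express": 350_000}
QUOTE_KEY = b"constructed-demo-key"


def sign_quote(order_id: str, method: str, fee: int) -> str:
    """HMAC over the fields the client must not be able to change."""
    msg = f"{order_id}|{method}|{fee}".encode()
    return hmac.new(QUOTE_KEY, msg, hashlib.sha256).hexdigest()


def issue_quote(order_id: str, method: str) -> dict:
    """Server computes the fee and gives the client a signed copy of it."""
    fee = DELIVERY_FEES_IDR[method]
    return {"order_id": order_id, "method": method,
            "delivery_fee": fee, "sig": sign_quote(order_id, method, fee)}


def checkout(form: dict) -> dict:
    """Validate a submitted checkout form; every value in it is client-controlled."""
    method = form.get("method")
    if method not in DELIVERY_FEES_IDR:
        return {"ok": False, "reason": "unknown delivery method"}
    try:
        claimed = int(form.get("delivery_fee", ""))
    except (TypeError, ValueError):
        return {"ok": False, "reason": "malformed fee"}
    expected = sign_quote(str(form.get("order_id", "")), method, claimed)
    supplied = str(form.get("sig", ""))
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"ok": False, "reason": "fee does not match signed quote"}
    # A valid signature is not enough: charge the server-side value only.
    fee = DELIVERY_FEES_IDR[method]
    if claimed != fee:
        return {"ok": False, "reason": "quote is stale"}
    return {"ok": True, "charged_fee": fee}


if __name__ == "__main__":
    quote = issue_quote("ORD-1", "standard")
    print(checkout(quote))                           # untouched quote
    print(checkout(dict(quote, delivery_fee="20")))  # fee edited in transit
```

The amount charged always comes from `DELIVERY_FEES_IDR`; the submitted fee is only ever compared against it, never used.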

Note: This demonstration was conducted for educational purposes only. No actual transactions were completed.

Screenshots

Original checkout page showing the delivery fee

Intercepted request in Burp Suite showing modifiable parameters

Modified delivery price in the intercepted request

Server accepted the modified price — vulnerability confirmed
