SPRING 2026 · CTF WORKSHOP SERIES · PSU UNIVERSITY

Recon &
Web Proxies

Before any hacker attacks a system, they first gather information quietly. Using tools like web proxies, they can see and manipulate every request your browser sends without you noticing.

▶ Start Workshop Skip to Challenge →
SCROLL TO BEGIN
SECTION 02 · LEARNING OBJECTIVES

What You'll Learn

By the end of this workshop, you'll be able to perform reconnaissance, intercept live traffic, and manipulate HTTP requests like a pro.

01
Identify
Recognize reconnaissance techniques used in web security and understand how attackers map a target before touching it.
02
Intercept
Use Burp Suite as a web proxy to capture and analyze live HTTP requests flowing between browser and server.
03
Modify
Tamper with intercepted requests to test web application behavior and uncover hidden vulnerabilities.
SECTION 03 · CORE CONCEPTS

Core Concepts

Two foundational ideas underpin this entire workshop. Understand these deeply before moving on.

CONCEPT A
Reconnaissance (Recon)
The process of gathering information about a target before launching an attack. In web security, this includes identifying endpoints, parameters, technologies, and hidden functionalities.

What exactly are we looking for?

During recon, a security tester tries to build a complete picture of the target without triggering alarms. Think of it like a burglar walking past a house multiple times before deciding how to enter.

  • Endpoints - URLs the app responds to (e.g., /api/users, /admin/panel)
  • Parameters - Query strings or POST fields (?id=42, username=admin)
  • Technologies - What framework, server, or CMS is running (revealed by headers, cookies, HTML comments)
  • Hidden pages - Directories not linked publicly, often found via fuzzing tools like gobuster or ffuf

Passive vs Active Recon

Passive recon involves looking at publicly available info like Google, Shodan, or WHOIS without ever touching the target server.
Active recon means directly probing the target, which generates logs and can be detected.

CONCEPT B
Web Proxy
A middleman between the browser and the server that lets attackers or testers intercept, inspect, and modify HTTP/HTTPS requests and responses. Burp Suite is the industry-standard tool.

How does a proxy sit in the middle?

Normally: Browser → Server. With a proxy: Browser → Burp Suite → Server. The browser is configured to send all traffic through Burp running on 127.0.0.1:8080.

What can you actually do with it?

  • Read every HTTP request and response in plain text
  • Edit headers, cookies, POST body, URL parameters before forwarding
  • Replay requests as many times as you want
  • Automate fuzzing via the Intruder tool
  • Scan for vulnerabilities with the active scanner (Burp Pro)

What about HTTPS?

Burp Suite acts as a SSL/TLS terminator - it decrypts the traffic, lets you read or edit it, then re-encrypts before forwarding. This requires installing Burp's CA certificate in your browser so it trusts Burp as a valid authority.

Burp Suite - Proxy -> Intercept · Captured HTTP Request
1GET / HTTP/1.1
2Host: example.com
3User-Agent: Mozilla/5.0 (X11; Linux x86_64)
4Accept: text/html,application/xhtml+xml
5Accept-Language: en-US,en;q=0.5
6Accept-Encoding: gzip, deflate, br
7Connection: keep-alive
8Upgrade-Insecure-Requests: 1
9← This is what you see and can edit in Burp before forwarding
SECTION 04 · HOW IT WORKS

The 5-Step Process

Every web proxy engagement follows this repeatable workflow. Master it and you'll apply it to any target.

01
Perform Reconnaissance
MAP THE TARGET BEFORE YOU TOUCH IT
  • Identify website structure - page hierarchy, navigation, forms
  • Discover endpoints - URLs the app exposes (APIs, admin paths)
  • Collect information - tech stack, server headers, cookies

Browser DevTools

Press F12 -> Network tab. Every request and response is logged here. Look at headers for server software (Server: nginx/1.18), response codes, and cookies.

Gobuster / FFUF

These tools brute-force directories using wordlists. Example: gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Wappalyzer

A browser extension that fingerprints the tech stack automatically - reveals CMS, frameworks, analytics tools.

02
Configure Web Proxy
POINT YOUR BROWSER AT BURP
  • Install Burp Suite Community Edition (free) from portswigger.net
  • Set browser proxy to 127.0.0.1:8080 (Manual HTTP proxy)
  • Enable interception - navigate to Proxy -> Intercept -> Intercept is ON

In Firefox:

  • Settings -> Network Settings -> Manual proxy configuration
  • HTTP Proxy: 127.0.0.1, Port: 8080
  • Check "Use this proxy for all protocols"

Install Burp CA Certificate (for HTTPS):

  • With Burp running, browse to http://burp in Firefox
  • Click "CA Certificate" to download it
  • Firefox -> Settings -> View Certificates -> Import
  • Check "Trust this CA to identify websites"

Tip: Use Burp's built-in browser

Burp Pro/Community ships with a Chromium browser that's pre-configured. Go to Proxy -> Open Browser - no manual setup needed.

03
Intercept Requests
SEE EXACTLY WHAT THE BROWSER SENDS
  • Capture HTTP requests as they leave the browser
  • View all headers - User-Agent, Cookie, Referer, Authorization
  • View parameters - URL query strings and POST body data

HTTP Request Structure

  • Request line: POST /login HTTP/1.1 - method, path, version
  • Headers: Key-value pairs like Cookie: session=abc123
  • Body: For POST requests, the actual form data: username=admin&password=1234

Key headers to watch

  • Cookie - session tokens; tampering here can hijack sessions
  • Authorization - Bearer tokens for APIs
  • X-Forwarded-For - sometimes used for IP-based access control
  • Referer - some apps use this to verify you came from a legitimate page
04
Modify Requests
CHANGE THE REQUEST BEFORE THE SERVER SEES IT
  • Edit any parameter - change role=user to role=admin
  • Replay the modified request using Burp's Repeater tab

Parameter tampering

Change ?id=5 to ?id=1 to access another user's data (IDOR vulnerability). Change price=99.99 to price=0.01 in a shopping cart request.

Cookie manipulation

If a cookie contains isAdmin=false, change it to isAdmin=true. Many poorly built apps trust cookie values directly.

Header injection

Add X-Forwarded-For: 127.0.0.1 to trick an app into thinking you're on localhost.

Burp Repeater

Right-click any request -> Send to Repeater (Ctrl+R). Now you can edit and resend it endlessly without re-navigating in the browser.

05
Identify Weak Points
LOOK FOR WHERE THE APP BREAKS
  • Look for error messages that reveal backend info (stack traces, SQL errors)
  • Test inputs with payloads and observe application behavior safely in the lab
  • Check if privilege escalation is possible by changing roles or IDs

IDOR (Insecure Direct Object Reference)

Accessing resources you shouldn't by changing an ID. e.g., /api/orders/1337 revealing another user's order.

Broken Authentication

Weak session tokens, no rate limiting on login, or session tokens not invalidated on logout.

Missing Access Controls

A non-admin can hit /admin/deleteUser just by guessing the URL. The server doesn't verify your role.

Information Disclosure

Error pages exposing server paths, internal IPs, database structure, or stack traces.

SECTION 05 · LIVE DEMO
DEMO.
Intercept and modify a request to example.com
TOOL
Burp Suite
BROWSER
Chrome / Firefox
TARGET
http://example.com
Follow along on your laptop. We will run through this together.
SECTION 06 · TROUBLESHOOTING

Common Pitfalls

When something doesn't work, check these first - in order.

SYMPTOM
No traffic in Burp Suite
CAUSEBrowser proxy is not configured correctly
FIXSet proxy to 127.0.0.1:8080 in browser network settings
SYMPTOM
HTTPS websites do not load
CAUSEBurp CA certificate is not installed in the browser
FIXBrowse to http://burp, download and trust the CA cert
SYMPTOM
Requests not being intercepted
CAUSEIntercept option is toggled off in Burp
FIXClick "Intercept is OFF" to toggle it ON in Proxy tab
SYMPTOM
Modified request has no effect
CAUSEIncorrect parameter name or value format
FIXDouble-check parameter names and re-examine the original request
SECTION 07 · POP QUIZ

Test Your Knowledge

Answer these questions to confirm you've grasped the core concepts before tackling the challenge.

YOUR SCORE
0 / 5
QUESTION 01 / 05
What is the primary purpose of reconnaissance in web security?
QUESTION 02 / 05
Which default address and port does Burp Suite listen on when acting as a proxy?
QUESTION 03 / 05
Why do HTTPS sites fail to load when Burp Suite is configured as a proxy but the CA certificate has not been installed?
QUESTION 04 / 05
You intercept a login POST request and see the body: username=alice&password=hunter2. What Burp Suite feature would you use to replay this request repeatedly with different password values?
QUESTION 05 / 05
Which of the following best describes an IDOR (Insecure Direct Object Reference) vulnerability?
SECTION 08 · YOUR CHALLENGE

Now Do It Yourself

Apply everything you've learned. This is the hands-on task you need to complete to finish the workshop.

⏱ 15 - 20 MIN ◉ BEGINNER
THE TASK
Use Burp Suite to intercept a login request from a website and modify the username or a parameter before sending it to the server.
SUCCESS CRITERION
Submit a screenshot showing the intercepted request alongside the modified response from the server. The screenshot should clearly show the parameter you changed and how the server responded differently.
HINTS
01
Make sure "Intercept is ON" in the Proxy tab before you attempt to log in.
02
Look for POST requests when submitting login forms - GET requests put parameters in the URL.
03
Modify a parameter in the body before clicking Forward. Try changing the username value.
SECTION 09 · GO DEEPER

Further Resources

You've completed the workshop. Here's where to go next to level up your skills.

01

OWASP Web Security Testing Guide

Official, detailed methodologies for testing web application security, including reconnaissance techniques and proxy usage. The definitive reference for professional web pentesters.

02

Burp Suite Documentation

Official guide covering all Burp Suite features: proxy, intercept, repeater, intruder, scanner, and request analysis. Start here for any Burp-specific questions.

03

PortSwigger Web Security Academy

Free, interactive labs with real-world vulnerability scenarios - SQL injection, XSS, CSRF, IDOR, and more. Hands-down the best free platform to practice web security skills.

Questions?
If you have questions, contact the PSU CTF 2026 WhatsApp group.
ACM/CYBERTECH @ PSU · SPRING 2026