What is Burp Suite?
Burp Suite is an intercepting proxy for web application testing. It sits between your browser and the target, letting you see, modify, and replay every HTTP request.
Think of it as a man-in-the-middle attack on yourself. Every request your browser sends passes through Burp first, where you can:
- Read the full request and response
- Modify parameters, headers, cookies before they reach the server
- Replay requests with different values
- Automate attacks like password brute-forcing
Burp Suite is to web testing what Nmap is to network scanning. You’ll use it on nearly every web application engagement.
How the Proxy Works
Normally, your browser talks directly to the server. With Burp running, traffic flows through a middleman.
Setting It Up
Burp’s proxy listens on 127.0.0.1:8080 by default. Configure your browser to route traffic through it:
- Open browser settings → Network/Proxy settings
- Set HTTP and HTTPS proxy to 127.0.0.1, port 8080
- All traffic now flows through Burp
Burp also ships with its own built-in Chromium browser (click “Open Browser” in the Proxy tab) which is pre-configured. No setup needed.
Intercept Mode
When Intercept is on, Burp pauses every request and waits for you to:
- Forward - send the request as-is (or after modifying it)
- Drop - discard the request entirely
This is powerful for testing, but annoying when you’re just browsing. Turn Intercept off when you’re exploring, and turn it on when you want to catch a specific request.
If the page seems stuck loading, check if Intercept is on. This catches everyone at least once.
The Key Tools
Burp Suite has many features, but three matter most for penetration testing.
1. Proxy (HTTP History)
Even with Intercept off, Burp logs every request in the HTTP History tab.
Click any request to see:
- Left pane - the full HTTP request (method, headers, body)
- Right pane - the server’s response (status, headers, HTML/JSON)
This is your primary way of understanding how the application works. Watch what happens when you:
- Log in and log out
- Submit forms
- Navigate between pages
- Perform admin actions
The HTTP History is your map of the application. Every action the app takes is visible here.
2. Repeater
The Repeater lets you manually craft and resend requests.
Workflow:
- Find an interesting request in HTTP History
- Right-click → Send to Repeater (or Ctrl+R)
- Modify anything: URL, headers, body, cookies
- Click Send
- Read the response on the right
- Modify again, send again
This is your main tool for:
- Testing different parameter values
- Trying different HTTP methods
- Checking access control (change user IDs, tokens)
- Developing exploits incrementally
3. Intruder
The Intruder automates attacks by sending the same request many times with different values. It’s a brute-force engine.
Workflow:
- Find a login request in HTTP History
- Right-click → Send to Intruder (or Ctrl+I)
- Go to the Positions tab
- Click Clear to remove all markers
- Select the password value → click Add to mark it as the injection point
- Go to the Payloads tab
- Load a wordlist (paste values or load a file)
- Click Start Attack
Reading Intruder Results
Intruder fires one request per wordlist entry. The key is spotting the response that’s different.
Look for differences in:
- Status code - a 302 among 200s means a redirect (likely successful login)
- Response length - a different length means different content was returned
- Response time - significantly slower/faster could indicate different server-side processing
Sort by Status or Length. The outlier is usually your answer.
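The same "find the odd one out" reading of the Intruder results table, as an added example that is not part of the original article or of Burp itself. It runs over a constructed result set with the columns Burp shows (payload, status, length, time) and flags rows that deviate from the majority baseline in status, length, or response time.

```python
from collections import Counter
from statistics import median

# Constructed Intruder-style results, one row per payload; these are made-up
# example values, not a capture from any real target.
SAMPLE_RESULTS = [
    {"payload": "123456",   "status": 200, "length": 1543, "time": 118},
    {"payload": "password", "status": 200, "length": 1543, "time": 121},
    {"payload": "letmein",  "status": 200, "length": 1543, "time": 117},
    {"payload": "qwerty",   "status": 200, "length": 1543, "time": 845},
    {"payload": "summer24", "status": 302, "length": 212,  "time": 120},
    {"payload": "admin",    "status": 200, "length": 1543, "time": 119},
]


def find_outliers(results, time_factor=3.0):
    """Return rows whose status or length differs from the most common
    (status, length) pair, or whose time exceeds time_factor * median.
    Each hit carries the reasons it was flagged, mirroring the manual
    'sort by Status or Length and look for the outlier' step."""
    if not results:
        return []
    # Baseline = the (status, length) pair shared by the largest group of responses.
    (base_status, base_length), _ = Counter(
        (r["status"], r["length"]) for r in results
    ).most_common(1)[0]
    med_time = median(r["time"] for r in results)

    flagged = []
    for r in results:
        reasons = []
        if r["status"] != base_status:
            reasons.append(f"status {r['status']} vs baseline {base_status}")
        if r["length"] != base_length:
            reasons.append(f"length {r['length']} vs baseline {base_length}")
        if r["time"] > med_time * time_factor:
            reasons.append(f"time {r['time']}ms vs median {med_time:.0f}ms")
        if reasons:
            flagged.append({"payload": r["payload"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_outliers(SAMPLE_RESULTS):
        print(hit["payload"], "->", "; ".join(hit["reasons"]))
```

A slow-but-otherwise-identical response (here "qwerty") is surfaced separately from the status/length outlier, so a timing anomaly is not lost when you sort only by Status or Length.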
Useful Tips
Scope
Set a target scope in the Target tab so Burp only captures traffic for the target domain. This filters out noise from other sites.
Decoder
Burp has a built-in Decoder tab for encoding/decoding:
- Base64
- URL encoding
- HTML encoding
- Hex
Useful when working with encoded payloads, tokens, or obfuscated data.
Site Map
The Target → Site map tab builds a tree of all discovered paths. As you browse and test, it fills in automatically. Great for seeing the full structure at a glance.
Proxying curl
You can send curl requests through Burp for inspection:
```bash
curl http://10.10.10.50/api/v1/login --proxy 127.0.0.1:8080
```
The --proxy flag routes the request through Burp. Useful when you’re crafting API requests in the terminal but want to inspect them visually.
Community vs Pro
| Feature | Community (Free) | Pro (Paid) |
|---|---|---|
| Proxy | Full | Full |
| Repeater | Full | Full |
| Intruder | Throttled (slow) | Full speed |
| Scanner | No | Automated vuln scanning |
| Extensions | Limited | Full BApp Store |
The free Community Edition is enough for manual testing. Intruder is throttled (rate-limited) but still functional. Pro adds speed and automation.
Practice
The best way to learn Burp is to use it. Route all your traffic through it while working on any web box.
For structured Burp practice, PortSwigger’s Web Security Academy has free labs designed specifically to be solved with Burp Suite. They cover every web vulnerability type with hands-on challenges.
For hackable boxes that heavily involve web enumeration: