Burp Suite is the industry-standard tool for web application security testing. This beginner-friendly tutorial covers how to set up Burp Suite, intercept HTTP traffic, and use its core features for penetration testing.
What is Burp Suite?
Burp Suite is an integrated platform for performing security testing of web applications. It includes tools for intercepting traffic, scanning for vulnerabilities, and manipulating requests. The Community Edition is free, while the Professional Edition includes additional features like the vulnerability scanner.
Installing Burp Suite
Download Burp Suite from the official PortSwigger website. It is available for Windows, macOS, and Linux. Burp Suite requires Java, but the installer includes a bundled JRE.
Setting Up Your Browser
Burp Suite works as a proxy between your browser and the target application. You need to configure your browser to route traffic through Burp.
Default Proxy Settings
By default, Burp Suite listens on:
- Address: 127.0.0.1
- Port: 8080
Firefox Configuration (Recommended)
Firefox has its own proxy settings, independent of the operating system's, so only Firefox traffic is routed through Burp, which makes it ideal for testing:
- Open Firefox Settings
- Search for “proxy”
- Click “Settings” under Network Settings
- Select “Manual proxy configuration”
- Enter HTTP Proxy: 127.0.0.1, Port: 8080
- Check “Also use this proxy for HTTPS”
Alternatively, use the FoxyProxy extension for easy proxy switching.
Installing the Burp CA Certificate
To intercept HTTPS traffic, you must install Burp’s CA certificate:
- With Burp running and proxy configured, visit http://burp
- Click “CA Certificate” to download cacert.der
- In Firefox: Settings > Privacy & Security > Certificates > View Certificates
- Import the certificate and trust it for identifying websites
Burp generates a unique CA certificate for each installation, and any browser profile that trusts it will accept Burp's certificate for every HTTPS site it visits. Install it only in the browser or profile you use for testing, not in the operating system trust store.
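The same proxy and CA setup applies to scripts, not just browsers. The following added example (my code, not from this tutorial or from PortSwigger) converts the cacert.der that http://burp serves into the PEM form Python's ssl module needs, and builds a urllib opener that sends traffic through 127.0.0.1:8080 while trusting only the Burp CA inside that one opener. The file paths and the example.com URL are assumptions.

```python
"""Route a Python script through Burp and trust the Burp CA only within
that script's TLS context (added example, not PortSwigger code)."""
import ssl
import urllib.request
from pathlib import Path

# Burp's default listener from the tutorial; change it if you moved the proxy.
BURP_PROXY = "http://127.0.0.1:8080"


def der_to_pem(der_bytes: bytes) -> str:
    """Wrap the DER bytes of cacert.der as PEM text.

    ssl.create_default_context() only loads PEM trust anchors, so the
    DER file Burp exports has to be converted first."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def convert_burp_ca(der_path: str, pem_path: str) -> str:
    """Read cacert.der, write the PEM copy next to it, return the PEM text."""
    pem = der_to_pem(Path(der_path).read_bytes())
    Path(pem_path).write_text(pem)
    return pem


def burp_proxies(proxy_url: str = BURP_PROXY) -> dict:
    """Proxy map for urllib: both plain and TLS requests go to Burp's
    listener; Burp terminates TLS itself and re-encrypts to the server."""
    return {"http": proxy_url, "https": proxy_url}


def build_opener(pem_path: str, proxy_url: str = BURP_PROXY):
    """Opener whose TLS context trusts the Burp CA from pem_path and nothing
    else. Because the trust anchor lives in this context rather than the OS
    store, no other program on the machine ends up trusting Burp's CA."""
    ctx = ssl.create_default_context(cafile=pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(burp_proxies(proxy_url)),
        urllib.request.HTTPSHandler(context=ctx),
    )


if __name__ == "__main__":
    # Assumed paths: cacert.der is wherever you saved the download from http://burp.
    convert_burp_ca("cacert.der", "burp-ca.pem")
    opener = build_opener("burp-ca.pem")
    # Requests made through the opener now appear in Proxy > HTTP history.
    with opener.open("https://example.com/", timeout=10) as resp:
        print(resp.status, resp.headers.get("Content-Type"))
```

Run it with Burp listening and the request shows up in HTTP history like any browser request; with Burp stopped the connection is simply refused, and without the Burp CA the TLS handshake fails, which is the behaviour you want from a script that must never talk to the target unproxied.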
The Proxy Tab
The Proxy tab is where you intercept and modify HTTP/HTTPS traffic in real time.
Intercepting Requests
- Go to Proxy > Intercept
- Ensure “Intercept is on” is displayed
- Browse to a website in your configured browser
- The request will appear in Burp
Intercept Controls
- Forward: Send the request to the server
- Drop: Discard the request
- Intercept is on/off: Toggle interception
- Action: Send to other Burp tools
HTTP History
The HTTP history sub-tab shows all requests that have passed through the proxy, even when intercept is off. This is essential for reviewing application traffic.
Target Tab
The Target tab provides a site map of your target application.
Site Map
The site map shows a hierarchical view of all content discovered on target sites. As you browse, Burp automatically builds this map.
Scope
Define which hosts are in scope for your test. Right-click on a host and select “Add to scope”. This helps filter noise from other sites.
Repeater
Repeater allows you to manually modify and resend individual requests. This is perfect for testing vulnerabilities.
Using Repeater
- Right-click a request in Proxy or Target
- Select “Send to Repeater”
- Go to the Repeater tab
- Modify the request as needed
- Click “Send”
- Analyze the response
Repeater is invaluable for testing SQL injection, XSS, and other input-based vulnerabilities.
Intruder
Intruder is used for automated attacks like brute forcing, fuzzing, and parameter manipulation. In the Community Edition, Intruder attacks are rate-limited, so large payload lists run noticeably slower than in the Professional Edition.
Attack Types
- Sniper: Single payload set, one position at a time
- Battering Ram: Same payload in all positions simultaneously
- Pitchfork: One payload set per position, iterated in parallel (the first payload of each set together, then the second, and so on, stopping at the shortest set)
- Cluster Bomb: Different payload sets, all combinations
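The difference between the four attack types is easiest to see by generating the requests each one would send. The following added example (my code, not Burp's) reproduces that combinatorics for a template with § markers, the same markers Intruder uses, so you can count how many requests a configuration will produce before you click Start attack. The template string is constructed for the example.

```python
"""Reproduce how Intruder's four attack types combine payload positions
and payload sets (added example, not PortSwigger code)."""
import itertools
import re
from typing import Iterator, List

# Intruder marks a position as §default§; the text between the markers is
# the value the position currently has in the request.
POSITION = re.compile(r"§([^§]*)§")


def positions(template: str) -> List[str]:
    """Default values of every marked position, left to right."""
    return POSITION.findall(template)


def fill(template: str, values: List[str]) -> str:
    """Substitute one value per position, in order."""
    it = iter(values)
    return POSITION.sub(lambda _m: next(it), template)


def attack(template: str, attack_type: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """Yield every request the given attack type would generate.

    sniper         one payload set; each position in turn, others left at default
    battering_ram  one payload set; the same payload placed in every position
    pitchfork      one set per position; i-th payload of each set together,
                   stopping at the shortest set
    cluster_bomb   one set per position; every combination (Cartesian product)
    """
    defaults = positions(template)
    n = len(defaults)
    if attack_type in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError(f"{attack_type} uses exactly one payload set")
        payloads = payload_sets[0]
        if attack_type == "sniper":
            for i in range(n):
                for p in payloads:
                    yield fill(template, defaults[:i] + [p] + defaults[i + 1:])
        else:
            for p in payloads:
                yield fill(template, [p] * n)
    elif attack_type in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError(f"{attack_type} needs one payload set per position ({n})")
        if attack_type == "pitchfork":
            combos = zip(*payload_sets)            # stops at the shortest set
        else:
            combos = itertools.product(*payload_sets)
        for combo in combos:
            yield fill(template, list(combo))
    else:
        raise ValueError(f"unknown attack type {attack_type!r}")


def request_count(template: str, attack_type: str, payload_sets: List[List[str]]) -> int:
    """Number of requests the attack would send. Knowing this up front tells
    you how long a Community Edition run will take and how much load the
    target will see."""
    return sum(1 for _ in attack(template, attack_type, payload_sets))


if __name__ == "__main__":
    # Constructed request with two marked positions.
    TEMPLATE = "GET /search?q=§shoes§&page=§1§ HTTP/1.1\r\nHost: target.test\r\n\r\n"
    for mode, sets in [
        ("sniper", [["a", "b"]]),
        ("battering_ram", [["a", "b"]]),
        ("pitchfork", [["u1", "u2"], ["p1", "p2"]]),
        ("cluster_bomb", [["u1", "u2"], ["p1", "p2"]]),
    ]:
        print(f"{mode}: {request_count(TEMPLATE, mode, sets)} requests")
        for req in attack(TEMPLATE, mode, sets):
            print("   ", req.split("\r\n")[0])
```

With two positions and two payloads per set, Sniper and Battering Ram send 4 and 2 requests, Pitchfork sends 2, and Cluster Bomb sends 4; the product grows quickly, so a Cluster Bomb over three positions with 100 payloads each is a million requests.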
Setting Up an Attack
- Send a request to Intruder (right-click > Send to Intruder)
- Go to the Positions tab
- Click “Clear” to remove default markers
- Highlight the value you want to fuzz and click “Add”
- Go to the Payloads tab
- Select your payload type and add values
- Click “Start attack”
Common Use Cases
- Password brute forcing
- Username enumeration
- Fuzzing parameters for vulnerabilities
- Directory and file discovery
- Testing for IDOR vulnerabilities
Decoder
Decoder encodes and decodes data in various formats:
- URL encoding
- HTML encoding
- Base64
- Hex
- Hashing (MD5, SHA1, SHA256, etc.)
This is useful for decoding obfuscated parameters or encoding payloads to bypass filters.
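Decoder's smart decode peels encodings off a value one layer at a time, which is what you need when a parameter is, say, Base64 inside URL encoding. The following added example (my code, not PortSwigger's) does the same for URL, HTML-entity, hex and Base64 layers and records which layer was removed at each step; the sample values in the test are constructed. Detection is heuristic, as in Decoder: a short plain word can occasionally look like valid hex or Base64, so the result is a suggestion to check, not proof of the encoding.

```python
"""Peel nested encodings off a parameter value, one layer at a time,
recording each layer removed (added example, not PortSwigger code)."""
import base64
import binascii
import html
import re
import urllib.parse
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Only %XX counts as URL encoding here; '+' is left alone on purpose because
# it is also part of the Base64 alphabet.
URL_RE = re.compile(r"%[0-9a-fA-F]{2}")
ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def _printable(text: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_once(value: str) -> Optional[Tuple[str, str]]:
    """Try each decoder in order; return (layer name, decoded value), or
    None when the value looks like plain text already."""
    if URL_RE.search(value):
        out = urllib.parse.unquote(value)
        if out != value:
            return "url", out
    if ENTITY_RE.search(value):
        out = html.unescape(value)
        if out != value:
            return "html", out
    if len(value) >= 4 and HEX_RE.match(value):
        try:
            out = bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            out = None
        if out is not None and _printable(out):
            return "hex", out
    if len(value) >= 4 and len(value) % 4 == 0 and B64_RE.match(value):
        try:
            out = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            out = None
        if out is not None and _printable(out):
            return "base64", out
    return None


def decode_chain(value: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Decode repeatedly until nothing changes. Returns the (layer, value)
    steps applied, outermost first; the last value is the plaintext."""
    steps: List[Tuple[str, str]] = []
    for _ in range(max_layers):
        step = decode_once(value)
        if step is None:
            break
        steps.append(step)
        value = step[1]
    return steps


if __name__ == "__main__":
    # Constructed: Base64 of "id=42&role=viewer", then URL-encoded padding.
    for layer, val in decode_chain("aWQ9NDImcm9sZT12aWV3ZXI%3D"):
        print(f"{layer:>7}: {val}")
```

Reading the chain top to bottom is the same as clicking Decode as repeatedly in Decoder; the difference is that a script can run it over every parameter in HTTP history, which is how you notice encoded state that an application silently trusts.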
Comparer
Comparer performs a visual diff between two pieces of data. Use it to:
- Compare responses to identify differences
- Spot subtle changes that indicate vulnerabilities
- Analyze before/after states
Scanner (Professional Edition)
The Scanner automatically crawls and scans applications for vulnerabilities. While not available in the Community Edition, it is a powerful feature for professional testers.
Useful Keyboard Shortcuts
- Ctrl+R: Send to Repeater
- Ctrl+I: Send to Intruder
- Ctrl+F: Forward intercepted request
- Ctrl+D: Drop intercepted request
- Ctrl+T: Toggle intercept on/off
- Ctrl+Shift+T: New Repeater tab
Tips for Effective Testing
- Always set scope: Limit Burp to your target to reduce noise
- Use filters: Filter HTTP history by MIME type, status code, or search terms
- Save your project: Burp projects preserve all data between sessions
- Take notes: Use the comments feature to annotate interesting requests
- Learn the extensions: The BApp Store has many useful plugins
Summary
Burp Suite is essential for web application security testing. Start by mastering the Proxy and Repeater tools, then gradually explore Intruder for automated attacks. With practice, Burp Suite becomes an extension of your testing workflow.
