What is Burp Suite?
Burp Suite is the industry-standard toolkit for web application security testing. Created by PortSwigger, it's an integrated platform that allows security professionals to perform comprehensive security assessments of web applications.
Burp Suite acts as an intercepting proxy, sitting between your browser and the web application. This allows you to:
- Intercept and modify HTTP/HTTPS requests and responses in real-time
- Analyze application behavior and identify vulnerabilities
- Test for common web vulnerabilities like SQL injection, XSS, CSRF, and more
- Map application structure and enumerate hidden functionality
- Automate custom attacks with powerful tools like Intruder and Repeater
Web applications are the primary attack vector for modern cyber threats. Over 90% of applications have vulnerabilities, and web application attacks account for the majority of data breaches. Understanding how to test and secure web applications is essential for any security professional.
Burp Suite Editions
Burp Suite Community Edition (Free)
- Manual testing tools: Proxy, Repeater, Decoder, Comparer, Sequencer
- Limited Intruder functionality (throttled speed)
- No automated scanning
- Perfect for learning and manual testing
Burp Suite Professional ($399/year)
- All Community features plus automated vulnerability scanning
- Full-speed Intruder for automated attacks
- Advanced manual tools and extensions API
- Continuous scanning and issue tracking
- Essential for professional penetration testers
Download Burp Suite Community Edition from portswigger.net/burp/communitydownload to practice along with this training lab!
Core Tools Overview
1. Proxy
The heart of Burp Suite. The Proxy intercepts all traffic between your browser and target applications, allowing you to view and modify requests before they're sent.
- Intercept: Pause, inspect, and modify requests/responses in real-time
- HTTP History: View all captured traffic
- WebSockets History: Capture WebSocket messages
- Options: Configure proxy behavior, match/replace rules, and more
2. Repeater
Manually modify and resend individual HTTP requests to test how the application responds to different inputs. Essential for testing vulnerabilities.
- Edit requests and see responses immediately
- Great for testing SQL injection, XSS, authentication bypasses
- Compare multiple responses side-by-side
3. Intruder
Automate customized attacks by sending many variations of a request with different payloads. Perfect for fuzzing, brute-forcing, and parameter manipulation.
- Sniper, Battering Ram, Pitchfork, and Cluster Bomb attack types
- Built-in payload lists and generators
- Extract and analyze patterns in responses
- Note: Throttled in Community Edition
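To make the four attack types concrete, here is an added Python re-implementation of their payload-placement rules (example code, not Intruder's own), run on a constructed login request template with two marked positions and harmless sample payload sets:

```python
from itertools import product
from typing import Dict, List

# Burp marks payload positions with the section sign; the text between a pair
# of marks is the position's base value. Template and payload sets below are
# constructed for illustration (harmless sample values, not real credentials).
MARK = "\u00a7"
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: lab.example\r\n\r\n"
            f"user={MARK}alice{MARK}&pass={MARK}secret{MARK}")
SETS = [["a", "b"], ["x", "y", "z"]]   # one payload set per position

def fill(template: str, payloads: Dict[int, str]) -> str:
    """Substitute payloads by position index; untouched positions keep their base value."""
    parts = template.split(MARK)          # odd-indexed pieces are the marked positions
    out, pos = [], 0
    for i, part in enumerate(parts):
        if i % 2 == 1:
            out.append(payloads.get(pos, part))
            pos += 1
        else:
            out.append(part)
    return "".join(out)

def intruder(attack: str, template: str, sets: List[List[str]]) -> List[str]:
    """Generate the request variations each Intruder attack type would send."""
    n_pos = template.count(MARK) // 2
    if attack == "sniper":
        # One payload set, one position at a time; the rest keep their base values.
        return [fill(template, {pos: p}) for pos in range(n_pos) for p in sets[0]]
    if attack == "battering_ram":
        # One payload set, the same payload placed in every position at once.
        return [fill(template, {pos: p for pos in range(n_pos)}) for p in sets[0]]
    if attack == "pitchfork":
        # One set per position, advanced in lockstep; stops at the shortest set.
        return [fill(template, dict(enumerate(combo))) for combo in zip(*sets)]
    if attack == "cluster_bomb":
        # One set per position, every combination (Cartesian product).
        return [fill(template, dict(enumerate(combo))) for combo in product(*sets)]
    raise ValueError(f"unknown attack type: {attack}")

if __name__ == "__main__":
    for kind in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        reqs = intruder(kind, TEMPLATE, SETS)
        print(f"{kind}: {len(reqs)} requests, e.g. {reqs[0].splitlines()[-1]}")
```

Intruder additionally sends each variation and tabulates status code, response length and timing; this block only generates the variations, which is the part the attack-type names describe.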
4. Decoder
Encode and decode data using common schemes like Base64, URL encoding, HTML entities, and more. Essential for analyzing encoded payloads.
- Smart decode automatically detects encoding
- Hash generation (MD5, SHA-1, SHA-256, etc.)
- Hex editor for binary data
5. Comparer
Compare two pieces of data (requests, responses, or any text) to identify differences. Useful for finding subtle changes in application behavior.
- Word-level and byte-level comparison
- Highlight differences visually
- Compare responses to detect anomalies
Setting Up Browser Proxy
To use Burp Suite, you need to configure your browser to route traffic through Burp's proxy.
Default Proxy Settings
Browser Configuration Steps
- Firefox (Recommended):
- Preferences → Network Settings → Manual proxy configuration
- HTTP Proxy: 127.0.0.1, Port: 8080
- Check "Also use this proxy for HTTPS"
- Chrome/Edge:
- Use FoxyProxy extension for easy switching
- Or system proxy settings (applies to all apps)
- Install Burp CA Certificate:
- With proxy configured, visit http://burp and download "CA Certificate"
- Import in browser settings to avoid SSL warnings
Burp's CA certificate allows it to decrypt HTTPS traffic. This is necessary for testing but means Burp can see all your encrypted traffic. Only use Burp on test systems, and disable the proxy when not testing!
Intercepting and Modifying Requests
Basic Workflow
- Enable Intercept: Click "Intercept is on" in Proxy tab
- Browse Target Site: Navigate normally in your configured browser
- Request Appears: Burp pauses the request for your inspection
- Analyze/Modify: Edit any part of the request (headers, parameters, body)
- Forward or Drop: Send the modified request or discard it
- View Response: See how the application responds to your changes
Common Modifications
- Parameter Tampering: Change values like user IDs, prices, roles
- Adding Headers: Inject custom headers to test authentication
- Method Changes: Switch GET to POST or vice versa
- Removing Restrictions: Delete client-side validation parameters
- Injecting Payloads: Test for SQL injection, XSS, command injection
Right-click any request in Proxy → "Send to Repeater" for easier testing. Repeater lets you modify and resend requests multiple times without browsing through the site again.
HTTP Request/Response Structure
HTTP Request Format
Request Components:
- Request Line: Method (GET/POST/PUT/DELETE), Path, HTTP Version
- Headers: Metadata about the request (Host, User-Agent, Content-Type, Cookies, etc.)
- Body: Data sent with POST/PUT requests (form data, JSON, XML, etc.)
HTTP Response Format
Response Components:
- Status Line: HTTP version, status code (200, 404, 500, etc.), status text
- Headers: Response metadata (Content-Type, Set-Cookie, Cache-Control, etc.)
- Body: The actual content (HTML, JSON, images, etc.)
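As an added worked example (not part of the original page), a small Python parser that splits a raw HTTP/1.1 message into exactly the three components listed above and works for both requests and responses; the sample request and response it is run on are constructed, not captured traffic:

```python
from typing import Dict, NamedTuple, Tuple

class HttpMessage(NamedTuple):
    start_line: Tuple[str, str, str]  # request: (method, path, version); response: (version, code, reason)
    headers: Dict[str, str]           # names lower-cased, duplicates joined with ", "
    body: bytes

def parse_http(raw: bytes) -> HttpMessage:
    """Split a complete HTTP/1.1 request or response into start line, headers, body.
    Assumes CRLF line endings and a Content-Length-bounded (not chunked) body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed message: no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    first = lines[0].split(" ", 2)
    if len(first) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()           # header names are case-insensitive
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("truncated body: fewer bytes than Content-Length declares")
        body = body[:length]                 # discard anything past the declared length
    return HttpMessage((first[0], first[1], first[2]), headers, body)

# Constructed sample messages (not captured from any real site).
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=pw1"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /dashboard\r\n"
    b"Set-Cookie: session=def456; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
```

The Content-Length check is the practical point: when you lengthen a body in Proxy or Repeater, Burp updates that header for you, and a message whose header and body disagree is exactly what this parser rejects.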
Common Web Vulnerabilities to Test For
1. SQL Injection
Injecting malicious SQL code into input fields to manipulate database queries.
2. Cross-Site Scripting (XSS)
Injecting malicious JavaScript that executes in other users' browsers.
3. Authentication Bypass
Manipulating parameters or cookies to access unauthorized accounts or elevated privileges.
4. Insecure Direct Object References (IDOR)
Accessing resources by manipulating predictable identifiers.
5. Command Injection
Injecting OS commands into application inputs that execute system commands.
6. XML External Entity (XXE)
Exploiting XML parsers to read files or perform SSRF attacks.
For each vulnerability type, use Burp to: 1) Identify input points, 2) Craft test payloads, 3) Send via Repeater, 4) Analyze responses for anomalies, 5) Confirm the vulnerability, 6) Assess impact.
Legal and Ethical Considerations
Using Burp Suite or any security testing tool against systems you don't own or have explicit written permission to test is ILLEGAL and can result in criminal prosecution under laws like the Computer Fraud and Abuse Act (CFAA) in the US and similar laws worldwide.
Legal Testing Scenarios
- Your Own Applications: Testing apps you developed or own
- Authorized Penetration Tests: With signed contracts and scope agreements
- Bug Bounty Programs: Following the program's rules and scope
- Authorized CTF/Lab Environments: HackTheBox, TryHackMe, DVWA, WebGoat, etc.
- Educational Labs: Like this training environment
Best Practices
- Get Written Permission: Always obtain signed authorization before testing
- Define Scope: Know exactly what systems, IP ranges, and attack types are allowed
- Respect Boundaries: Stay within the defined scope - don't test adjacent systems
- Avoid Damage: Don't perform denial-of-service attacks or destructive actions
- Report Responsibly: Disclose findings to the system owner privately and professionally
- Keep Evidence: Document your authorization in case of misunderstandings
Recommended Practice Environments
- DVWA: Damn Vulnerable Web Application (intentionally vulnerable app)
- WebGoat: OWASP's deliberately insecure application
- Juice Shop: Modern vulnerable web application
- PortSwigger Academy: Free labs from Burp Suite creators
- HackTheBox: Realistic vulnerable machines (paid/free)
- TryHackMe: Guided learning paths with vulnerable labs
As security professionals, we have a responsibility to improve security, not exploit it for personal gain or malicious purposes. Always act ethically, respect privacy, and use your skills to make systems more secure.
Next Steps
Now that you understand the basics, it's time to get hands-on!
- Explore the Proxy Lab: Practice intercepting and modifying simulated HTTP requests
- Complete the Challenges: Test your knowledge with 10 auto-graded exercises
- Reference Tab: Quick reference for HTTP methods, headers, and status codes
- Download Burp Suite: Install the Community Edition and practice on legal targets
- PortSwigger Academy: Free advanced training at portswigger.net/web-security
Head to the Proxy Lab tab to start intercepting requests, or jump straight to Challenges to test your skills!
HTTP Methods
| Method | Purpose | Security Notes |
|---|---|---|
| GET | Retrieve data from server | Should be idempotent and safe (no side effects). Parameters in URL are logged. |
| POST | Submit data to server | Used for forms, file uploads. Body content not logged in URLs. |
| PUT | Update/replace resource | Often restricted to authenticated users. Test for IDOR vulnerabilities. |
| DELETE | Remove resource | Should require strong authorization. Test for privilege escalation. |
| PATCH | Partially update resource | Similar to PUT but for partial updates. Check access controls. |
| OPTIONS | Query supported methods | Can leak information about allowed operations. Check CORS headers. |
| HEAD | GET without response body | Returns only headers. Useful for testing without full download. |
Common HTTP Headers
HTTP Status Codes
| Code | Meaning | Security Implications |
|---|---|---|
| 200 OK | Request succeeded | Normal response. Analyze body for sensitive data leakage. |
| 301/302 Redirect | Resource moved | Check for open redirects, unvalidated redirects to external sites. |
| 400 Bad Request | Malformed request | Input validation triggered. Error messages may leak info. |
| 401 Unauthorized | Authentication required | Test for authentication bypass, weak credentials. |
| 403 Forbidden | Access denied | Authorization failed. Test for privilege escalation. |
| 404 Not Found | Resource doesn't exist | Enumerate valid vs invalid resources. Custom 404s may leak paths. |
| 500 Internal Error | Server error occurred | Often reveals stack traces, database errors, or sensitive info. |
| 503 Unavailable | Service temporarily down | Potential DoS vulnerability or maintenance window. |
Burp Suite Keyboard Shortcuts
Common Vulnerability Patterns
| Vulnerability | What to Look For | Test Payload |
|---|---|---|
| SQL Injection | User input in database queries | ' OR '1'='1' -- , 1' UNION SELECT NULL-- |
| XSS | Reflected/stored user input in HTML | <script>alert(1)</script>, <img src=x onerror=alert(1)> |
| IDOR | Numeric IDs in URLs/parameters | Increment/decrement ID values, try ID=1 (admin) |
| Authentication Bypass | Login forms, session cookies | admin:admin, SQL injection in username, cookie manipulation |
| CSRF | State-changing requests without tokens | Remove CSRF token, use token from different session |
| XXE | XML input processing | <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> |
| Command Injection | System commands with user input | ; ls -la, | whoami, `id`, $(cat /etc/passwd) |
| Path Traversal | File paths in parameters | ../../../etc/passwd, ..\..\windows\system32\config\sam |