logo

A Beginner’s Guide to Burp Suite

Cyfotok Admin

Thumbnail

A Beginner’s Guide to Burp Suite

TL;DR (If you’re in a hurry)

Burp Suite is a web security toolkit that sits between your browser and websites to let you observe and manipulate HTTP(S) traffic. Start with Burp’s built-in browser or point your browser to 

127.0.0.1:8080
, install Burp’s CA certificate to avoid TLS warnings, and explore Proxy → Repeater → Intruder in that order. Follow the quick numbered steps below to get useful results in 30 minutes.

Introduction — why Burp Suite and why now?

Imagine watching a cashier at a grocery store scan items without being able to check the price scanner. You'd want to see the scanner's output, maybe nudge a value to see what happens. Web apps are the scanner; Burp Suite is you leaning over the cashier — seeing the requests, the responses, and testing what happens when you change them.

In short: Burp helps you see and test what sits between your browser and the server. For developers, ops, and curious professionals, it’s an efficient way to find issues before attackers do.

What is Burp Suite? (Simple explanation)

Burp Suite is a desktop application (made by PortSwigger) that provides a collection of tools to test and manipulate web traffic:

  • Proxy — intercept and inspect browser → server traffic.
  • Repeater — modify a single request and re-send it repeatedly to observe responses. Great for testing inputs and tuning payloads.
  • Intruder — automated fuzzing/brute-forcing of parameters or inputs (Community edition has limits; Pro automates more).
  • Decoder, Comparer, Sequencer, Scanner (Pro) — utilities to decode, compare, and scan responses.

Burp comes as a Community (free) and Professional (paid) edition; the Pro edition adds automation, scanning, and many productivity features.

Getting started — step-by-step (what to do first)

1. Install Burp Suite (Community to try)

  • Download from PortSwigger (choose OS installer).
  • Launch Burp. The first time you'll see the Proxy and Intercept tabs. Burp provides its own browser preconfigured to work with the proxy — nice for beginners.

2. Check the proxy listener

By default Burp listens locally (e.g., 

127.0.0.1:8080
) — this is the address you point your browser to. If you're using an external browser, configure it to proxy via that address.

3. Install Burp’s CA certificate

To intercept HTTPS without browser warnings, import Burp’s CA certificate into your browser or use Burp’s embedded browser (recommended while learning).

4. Start intercepting

Turn Intercept ON in Proxy → Intercept, then browse. HTTP/HTTPS requests will pause so you can read and modify them.

The essential tools — what each one does (short)

Proxy (your eyes)

  • Intercept traffic, view headers, cookies, JSON and HTML.
  • Modify requests in-flight (e.g., change a 
    POST
    parameter to test validation).

Repeater (your laboratory)

  • Send a request, experiment with inputs, repeat quickly.
  • Ideal to test one idea repeatedly without involving the browser.

Intruder (your automation)

  • Use when you need many variations (e.g., fuzzing input fields, guessing IDs, password spraying).
  • Community edition can be slower / manual; Pro has faster, threaded options and payload sets.

Scanner (Pro only)

  • Automated vulnerability scanning and templated checks (not in Community).

Practical example — intercepting and testing a login form

  1. Open Burp → Proxy → Intercept → Intercept on.
  2. Point your browser to use 
    127.0.0.1:8080
    or open Burp's browser.
  3. Submit the login form in the browser. Burp pauses the request.
  4. Right-click → Send to Repeater. In Repeater, change the 
    username
    or 
    password
    field and click Send to observe server responses.
  5. If you suspect brute-force or enumeration, send the request to Intruder (careful — only against systems you own or are authorized to test).

Command-line tip (useful): point 

curl
through Burp to reproduce requests from terminal:

bash
# set proxy for the session (Linux/macOS)
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080

# example POST to a login endpoint
curl -v -X POST https://example.com/login \
  -d "username=alice&password=secret" \
  -H "Content-Type: application/x-www-form-urlencoded"

This sends the request through Burp so you can capture it and then move it to Repeater or Intruder.

Hands-on code: small Python request to test via Burp

python
# save as test_via_burp.py
import requests

proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

data = {"username": "alice", "password": "pass123"}
r = requests.post("https://example.com/login", data=data, proxies=proxies, verify=False)  # verify=False for demo only
print(r.status_code, r.headers.get("Content-Type"))
print(r.text[:400])

Note: 

verify=False
disables TLS verification — for real testing, import Burp's CA into your environment and remove 
verify=False
.

Practical tips & quick checklist (actionable steps you can do now)

  1. Install & use Burp’s embedded browser first. It saves time with proxy + certs.
  2. Set proxy to 
    127.0.0.1:8080
     (the default listener) if using an external browser. Verify the listener in Proxy Settings.
  3. Import the CA cert to avoid TLS errors — do this early.
  4. Practice with safe targets: use intentionally vulnerable labs (OWASP Juice Shop, PortSwigger Web Security Academy). Don’t test live targets without permission.
  5. Use Repeater for manual testing (tweak a request, observe; stepwise probing builds understanding).
  6. Be cautious with Intruder: it can generate lots of traffic. Use rate limits and explicit authorization.
  7. Use FoxyProxy or similar browser plugin to flip proxy settings quickly when you want to test only some browsing sessions.
  8. Document findings: take screenshots of requests/responses, save Repeater requests, and log the exact steps to reproduce.

Common beginner pitfalls (and how to avoid them)

  • TLS warnings everywhere. Fix: install Burp’s CA certificate or use Burp’s browser.
  • Proxy not receiving traffic. Fix: ensure browser is pointed to 127.0.0.1:8080 and listener is enabled.
  • Testing without permission. Fix: only test your systems or labs, get written authorization for anything else. (Legal + ethical requirement.)
  • Overwhelming the target with Intruder. Fix: throttle, use small payload lists and always respect rate limits.

Useful shortcuts & productivity hacks

  • Learn to send to Repeater/Intruder/Scanner from the right-click menu — it saves time.
  • Use match/replace rules (Proxy → Options) to automatically normalize or remove noisy headers (useful for repetitive testing).
  • Save project files and export issues if you plan to repeat tests later. Project files persist your proxy history, requests, and saved state.

Burp Community vs Professional — quick note

  • Community: excellent for learning, manual testing, and using Proxy/Repeater/Decoder.
  • Professional: adds automated scanner, faster Intruder, session handling, and many time-savers. Check PortSwigger docs and release notes to see new features and editions.

Conclusion — one action to take today

Pick a safe practice target (PortSwigger Web Security Academy or OWASP Juice Shop), install Burp Community, and follow steps 1–4 in Getting started above. Spend 30–60 minutes intercepting a simple form and experimenting in Repeater — you’ll learn more in an hour than reading a dozen posts.

Back to Posts