Every web application you use today, from banking portals to social media platforms, communicates through HTTP requests and responses. Understanding how to intercept, analyze, and manipulate this traffic is fundamental to web security testing. This Burp Suite tutorial walks you through the essential skills that penetration testers and bug bounty hunters use daily to find vulnerabilities before attackers do.
Burp Suite has become the industry standard for web application security testing, and for good reason. It sits between your browser and target applications, letting you see exactly what data flows back and forth. By the end of this guide, you will know how to set up Burp Suite, intercept traffic, modify requests, and use its core tools to test for common vulnerabilities.
What You Will Learn:
- Install and configure Burp Suite with your browser
- Intercept and modify HTTP/HTTPS traffic
- Use Repeater for manual vulnerability testing
- Understand Intruder for automated attacks
- Apply these skills ethically and legally
What Is Burp Suite and Why Learn It?
Burp Suite is an integrated platform for web application security testing developed by PortSwigger. Think of it as a Swiss Army knife for web security: it combines multiple tools into one interface, letting you intercept traffic, scan for vulnerabilities, and craft custom attacks against web applications.
The platform comes in three versions. The Community Edition is free and includes the core proxy, Repeater, Intruder (with rate limiting), and Decoder. The Professional Edition adds an automated vulnerability scanner, faster Intruder attacks, and additional features for around $449 per year. The Enterprise Edition targets organizations running large-scale automated scans.
For learning and most manual testing work, the Community Edition provides everything you need. Professional testers typically upgrade for the scanner and unrestricted Intruder speeds during client engagements.
Who Uses Burp Suite?
- Penetration testers: Use it during web application assessments to find and exploit vulnerabilities
- Bug bounty hunters: Rely on it to discover security flaws in programs from companies like Google, Microsoft, and thousands of others
- Security researchers: Analyze application behavior and develop proof-of-concept exploits
- Developers: Test their own applications for security issues before deployment
If you want to find vulnerabilities in web applications, Burp Suite is where you start. Our Web Attacks course covers the vulnerability classes you will be hunting for once you master the tools.
Burp Suite Tutorial: Installing and Setting Up Your Environment
Getting Burp Suite running requires a few configuration steps. The proxy needs to intercept your browser traffic, which means installing a certificate and configuring proxy settings. Here is the complete setup process.
Downloading Burp Suite
If you are running Kali Linux, Burp Suite Community Edition comes pre-installed. Launch it from the applications menu under "Web Application Analysis" or type burpsuite in your terminal.
For Windows or macOS, download the installer from the official PortSwigger download page. Run the installer and follow the prompts. Burp Suite requires Java, but the installer bundles its own JRE so you do not need to install Java separately.
First Launch Configuration
When you first open Burp Suite, you will see a project selection screen. For the Community Edition, choose "Temporary project" since persistent projects require the Professional version. Click "Next," then select "Use Burp defaults" for the configuration options. Click "Start Burp" to launch the main interface.
Configuring Your Browser with FoxyProxy
Burp Suite acts as a proxy server that your browser connects through. The easiest way to manage this is with the FoxyProxy browser extension, which lets you toggle proxy settings with one click.
- Install FoxyProxy for Firefox or Chrome from your browser's extension store
- Click the FoxyProxy icon and select "Options"
- Click "Add" to create a new proxy configuration
- Set the proxy IP to 127.0.0.1 and the port to 8080
- Name it "Burp Suite" and save
- Click the FoxyProxy icon and select your new Burp Suite profile to enable it
Installing the Burp CA Certificate
Modern websites use HTTPS encryption. For Burp Suite to intercept this traffic, your browser needs to trust Burp's certificate authority. Without this step, you will see certificate errors on every HTTPS site.
- With Burp running and FoxyProxy enabled, navigate to http://burpsuite in your browser
- Click "CA Certificate" in the top right corner to download the certificate
- In Firefox: Go to Settings, search for "Certificates," click "View Certificates," select the Authorities tab, and import the downloaded certificate. Check "Trust this CA to identify websites."
- In Chrome: Go to Settings, search for "Certificates," click "Manage certificates," go to the Authorities tab, and import the certificate
Security note: Only install the Burp certificate in a browser you use exclusively for security testing. Using your main browser with the Burp certificate installed could expose your traffic if someone else gains access to your Burp installation.
Common Setup Issues
If you cannot connect to websites after enabling the proxy, verify Burp Suite is actually running and that the Proxy tab shows "Intercept is on" or "Intercept is off" (both states allow traffic, just with different behaviors). Check that FoxyProxy is set to your Burp profile, not "Direct" or another proxy.
Certificate errors after installing the CA certificate usually mean the certificate was not imported into the correct store. In Firefox, make sure you imported it under "Authorities," not "Your Certificates." Restart your browser after importing.
Understanding the Burp Suite Interface
Burp Suite organizes its tools into tabs across the top of the window. Each tab provides different functionality, and understanding the layout helps you work efficiently.
Dashboard
The Dashboard shows running tasks and issue activity. In the Professional Edition, this displays vulnerability scan progress and findings. For Community Edition users, it primarily shows event logs and task status.
Target
The Target tab maintains a site map of all URLs you have visited or that Burp has discovered. It organizes content hierarchically by host, showing directories, files, and their HTTP responses. Use the Scope subtab to define which hosts you are testing, which keeps your work focused and prevents accidentally testing out-of-scope systems.
Proxy
This is where most of your work happens. The Proxy tab contains the HTTP history showing every request your browser makes, the WebSocket history for real-time communications, and the intercept functionality for catching requests before they reach the server.
Key Tool Tabs
- Repeater: Manually modify and resend individual requests, essential for testing specific parameters
- Intruder: Automate attacks by inserting payloads into request parameters, useful for fuzzing and brute force
- Decoder: Encode and decode data in various formats like Base64, URL encoding, and HTML entities
- Comparer: Diff two responses to spot subtle differences that indicate vulnerabilities
Keyboard shortcuts: Press Ctrl+Shift+R to send a request to Repeater, Ctrl+Shift+I for Intruder. These shortcuts save significant time when testing multiple parameters. View all shortcuts under Help in the menu bar.
How to Intercept and Modify HTTP Traffic
Intercepting traffic is the core skill in web security testing. It lets you see exactly what your browser sends and what the server returns, then modify either side to test how the application handles unexpected input.
Understanding HTTP Requests and Responses
Before diving into interception, understand what you are looking at. An HTTP request contains a method (GET, POST, PUT, DELETE), a path, headers with metadata like cookies and content types, and optionally a body with form data or JSON. The response includes a status code (200 OK, 404 Not Found, 500 Server Error), headers, and the body containing HTML, JSON, or other content.
Enabling and Using Intercept
Navigate to the Proxy tab and click "Intercept is off" to toggle it on. Now when you browse a website with FoxyProxy enabled, each request pauses in Burp Suite before reaching the server. You will see the raw HTTP request in the intercept window.
From here you have several options:
- Forward: Send the request to the server as-is or after your modifications
- Drop: Discard the request entirely, preventing it from reaching the server
- Action: Send the request to other tools like Repeater or Intruder
Modifying Requests
With a request intercepted, you can edit any part of it directly in the window. Change parameter values, modify headers, or alter the request body. Click Forward to send your modified request to the server.
For example, if a request includes quantity=1 in a shopping cart, you might change it to quantity=-1 or quantity=999999 to test how the application handles unexpected values. This type of testing reveals input validation flaws that attackers exploit.
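When you edit a body in the intercept window, Burp corrects the Content-Length header for you (the "Update Content-Length" option is on by default). The added example below, which is not from the original tutorial, shows the same edit done by hand on a constructed cart request so the dependency between body and header is visible; the request, host and parameters are made up.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed intercepted request, CRLF line endings as on the wire
RAW_REQUEST = (
    "POST /cart/add HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "item_id=42&quantity=1"
)

def parse_request(raw: str):
    """Split a raw request into its request line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:]]
    return lines[0], headers, body

def set_param(raw: str, name: str, value: str) -> str:
    """Return the request with one form parameter changed.

    Content-Length is recomputed because the server relies on it to know
    where the body ends; a stale value leaves the edited body truncated
    or the server waiting for bytes that never arrive.
    """
    request_line, headers, body = parse_request(raw)
    params = [(k, value if k == name else v)
              for k, v in parse_qsl(body, keep_blank_values=True)]
    new_body = urlencode(params)
    new_len = str(len(new_body.encode("utf-8")))
    headers = [(k, new_len if k.lower() == "content-length" else v)
               for k, v in headers]
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head + "\r\n\r\n" + new_body

def content_length(raw: str) -> int:
    """Read back the Content-Length header of a raw request."""
    _, headers, _ = parse_request(raw)
    return int({k.lower(): v for k, v in headers}["content-length"])
```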
Practice these techniques safely in our XSS Playground where you can experiment without risk.
Working with HTTP History
Every request passing through the proxy appears in the HTTP history, regardless of whether intercept was enabled. This log becomes your reference during testing. Right-click any request to send it to Repeater, Intruder, or other tools. Use the filter bar to show only requests to specific hosts or containing certain parameters.
Using Burp Repeater for Manual Testing
Repeater is where you spend most of your time during manual testing. It lets you modify a request, send it, view the response, then tweak and repeat. This cycle of hypothesis, test, and observation is how you discover vulnerabilities.
Sending Requests to Repeater
Find an interesting request in your HTTP history or intercept window. Right-click and select "Send to Repeater" or press Ctrl+Shift+R. Switch to the Repeater tab to see your request ready for modification.
The Repeater Workflow
The Repeater interface shows your request on the left and the server response on the right. Edit the request, click "Send," and analyze what comes back. Each modification creates a numbered tab, letting you compare responses across multiple tests.
Start by understanding normal behavior. Send the original request unchanged and note the response. Then systematically modify parameters to test for vulnerabilities:
- Add a single quote to test for SQL injection: id=1'
- Insert script tags to test for XSS: name=<script>alert(1)</script>
- Change numeric IDs to access other users' data: user_id=2 instead of user_id=1
- Remove or modify authentication tokens to test access controls
Reading Responses for Clues
Vulnerabilities often reveal themselves through response differences. A SQL injection might cause a database error message. An XSS vulnerability might reflect your input in the HTML. An access control flaw might return data you should not see.
Compare response lengths, status codes, and content. A significant difference from the baseline often indicates interesting behavior worth investigating further.
Try testing for SQL injection vulnerabilities in our SQL injection lab using the techniques you just learned.
Pro tip: Use Ctrl+U in Repeater to URL-encode selected text. This is essential when your payload contains special characters that would break the request format.
Introduction to Burp Intruder
While Repeater handles manual testing, Intruder automates attacks by sending many variations of a request with different payloads. It excels at tasks like brute forcing login pages, fuzzing parameters for vulnerabilities, and enumerating valid values.
How Intruder Works
Send a request to Intruder (right-click, "Send to Intruder" or Ctrl+Shift+I). In the Positions tab, Burp Suite highlights potential injection points with § markers (the section sign, which Burp uses to delimit each payload position). You define which parts of the request should receive payloads and what payloads to use.
Attack Types Explained
- Sniper: Places each payload into one position at a time, cycling through all positions. Good for testing individual parameters.
- Battering Ram: Places the same payload into all positions simultaneously. Useful when the same value needs to appear in multiple places.
- Pitchfork: Uses multiple payload sets in parallel, one per position. Position 1 gets payload set 1, position 2 gets payload set 2, stepping through together.
- Cluster Bomb: Tests all combinations of payloads across all positions. Position 1 gets every payload in set 1 combined with every payload in set 2 for position 2.
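To make the four attack types concrete, here is an added example (not code from the tutorial or from Burp itself) that expands a §-marked template into the exact set of requests each type would send. The template, host and payload values are constructed; note that Sniper and Battering Ram only ever use the first payload set, as in Burp.

```python
from itertools import product
from typing import Iterator, List

MARK = "§"  # Intruder's payload position marker (the section sign)

# Constructed template with two positions; the text between the markers is
# the value the original request carried.
TEMPLATE = "GET /search?q=§term§&lang=§en§ HTTP/1.1\r\nHost: example.test\r\n\r\n"
PAYLOAD_SETS = [["a", "b"], ["1", "2", "3"]]

def split_template(template: str):
    """Return (literal chunks, original position values)."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]

def render(literals: List[str], values: List[str]) -> str:
    """Interleave the literal text with the chosen value for each position."""
    out = [literals[0]]
    for literal, value in zip(literals[1:], values):
        out.append(value)
        out.append(literal)
    return "".join(out)

def attack(template: str, attack_type: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """Yield every request the named attack type would send."""
    literals, originals = split_template(template)
    n = len(originals)
    if attack_type == "sniper":
        # One position at a time; the others keep their original value.
        for pos in range(n):
            for payload in payload_sets[0]:
                values = list(originals)
                values[pos] = payload
                yield render(literals, values)
    elif attack_type == "battering_ram":
        # The same payload in every position at once.
        for payload in payload_sets[0]:
            yield render(literals, [payload] * n)
    elif attack_type == "pitchfork":
        # Set i feeds position i; stops when the shortest set runs out.
        for combo in zip(*payload_sets[:n]):
            yield render(literals, list(combo))
    elif attack_type == "cluster_bomb":
        # Cartesian product: every payload of set 1 with every payload of set 2.
        for combo in product(*payload_sets[:n]):
            yield render(literals, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack_type}")

def request_count(template: str, attack_type: str, payload_sets: List[List[str]]) -> int:
    """Number of requests the attack would send (what Intruder shows before you start)."""
    return sum(1 for _ in attack(template, attack_type, payload_sets))
```

The request counts are what matter when the Community Edition throttles you: Cluster Bomb grows multiplicatively with every extra position.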
Building Payload Lists
Switch to the Payloads tab to configure what values Intruder will inject. You can enter payloads manually, load them from a file, or use built-in generators for patterns like numbers or character variations.
For brute force attacks, you might load a wordlist of common passwords. For fuzzing, use special characters and injection strings. PortSwigger provides payload lists, and community resources like SecLists offer extensive collections for different attack scenarios.
Analyzing Results
After starting an attack, Intruder displays results in a table showing each request, its payload, status code, response length, and timing. Sort by length or status code to spot anomalies. A response significantly longer or shorter than others often indicates successful injection or an error worth investigating.
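The sort-and-eyeball step above scales poorly past a few hundred rows. As an added example (not from the tutorial), the following takes constructed Intruder-style result rows, derives a baseline from the majority status and the median length and time, and flags every row that departs from it, with the reason attached so you know what to look at first.

```python
from statistics import median, mode
from typing import List, Tuple

# Constructed result rows: (payload, status code, response length, time in ms)
RESULTS = [
    ("probe-1", 200, 1532, 110),
    ("probe-2", 200, 1532, 104),
    ("probe-3", 200, 1531, 99),    # one byte off: noise, not a finding
    ("probe-4", 500, 2210, 120),   # error page: status and length both differ
    ("probe-5", 200, 1532, 5100),  # same page, but 50x slower
    ("probe-6", 302, 0, 95),       # redirect with an empty body
]

def baseline(rows):
    """Majority status plus median length and time describe 'normal' responses."""
    return {
        "status": mode(r[1] for r in rows),
        "length": median(r[2] for r in rows),
        "time": median(r[3] for r in rows),
    }

def find_anomalies(rows, length_tolerance: float = 0.05, time_factor: float = 10.0
                   ) -> List[Tuple[str, List[str]]]:
    """Return (payload, reasons) for rows that differ from the baseline.

    length_tolerance is a fraction of the median length, so small dynamic
    content (timestamps, CSRF tokens) does not trigger a flag; time_factor
    is a multiple of the median time, catching slow responses.
    """
    base = baseline(rows)
    flagged = []
    for payload, status, length, ms in rows:
        reasons = []
        if status != base["status"]:
            reasons.append(f"status {status} vs baseline {base['status']}")
        if abs(length - base["length"]) > length_tolerance * base["length"]:
            reasons.append(f"length {length} vs baseline {base['length']:.0f}")
        if ms > time_factor * base["time"]:
            reasons.append(f"time {ms}ms vs baseline {base['time']:.0f}ms")
        if reasons:
            flagged.append((payload, reasons))
    return flagged

if __name__ == "__main__":
    for payload, reasons in find_anomalies(RESULTS):
        print(payload, "->", "; ".join(reasons))
```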
Test your Intruder skills against our authentication bypass lab where you can practice credential attacks safely.
Community Edition limitation: The free version throttles Intruder attacks to about one request per second. Professional Edition removes this limit, making Intruder practical for time-sensitive engagements. For learning, the throttled speed works fine.
Legal and Ethical Considerations
Critical warning: Using Burp Suite against systems without explicit authorization is illegal. Unauthorized access to computer systems is a criminal offense in virtually every jurisdiction, carrying penalties including fines and imprisonment. "I was just testing" is not a legal defense.
The techniques in this tutorial are powerful. They can find vulnerabilities that protect millions of users, or they can land you in prison if misused. The difference is authorization.
When You Can Legally Test
- Systems you own: Your own websites, applications, and infrastructure
- Authorized engagements: Penetration tests with written scope agreements
- Bug bounty programs: Companies that explicitly invite security testing, following their rules
- Practice labs: Intentionally vulnerable applications like DVWA, WebGoat, or HackerDNA labs
Bug Bounty Guidelines
If you test under bug bounty programs, read the rules carefully. Most programs specify which domains are in scope, what vulnerability types they accept, and what testing methods are prohibited. Violating program rules can get you banned or reported, even if you find valid vulnerabilities.
Document everything. Screenshot your findings, note timestamps, and keep records of your testing methodology. This protects you if questions arise about your activities.
Learn more about building an ethical security testing practice in our Ethical Hacking course.
Your Next Steps
You now have the foundation to use Burp Suite for web security testing. You can set up the proxy, intercept traffic, manually test with Repeater, and automate attacks with Intruder. These skills form the core workflow that professional penetration testers use daily.
The next step is practice. Install intentionally vulnerable applications like DVWA or WebGoat on a local machine, or use cloud-based labs that provide legal targets. The more requests you intercept and modify, the faster you develop intuition for spotting vulnerabilities.
For continued learning, the PortSwigger Web Security Academy offers free labs covering every major vulnerability class, integrated directly with Burp Suite.
Ready to practice what you learned? HackerDNA Labs provide hands-on challenges covering SQL injection, XSS, authentication flaws, and more. Each lab is a legal target where you can apply everything from this Burp Suite tutorial.