Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications.

Versions

Burp Suite Community Edition - Free version
Burp Suite Professional - Paid version with scanner
Burp Suite Enterprise - Automated scanning solution

Installation

# Download from https://portswigger.net/burp/communitydownload

# Java requirement
java -version

# Start Burp
java -jar burpsuite_community.jar

Proxy Setup

Browser Configuration

Firefox

Preferences → Network Settings → Manual proxy configuration
HTTP Proxy: 127.0.0.1
Port: 8080
Check "Also use this proxy for HTTPS"

FoxyProxy Extension

Install FoxyProxy
Add new proxy: 127.0.0.1:8080
Easy proxy switching

Certificate Installation

Browse to http://burp with proxy enabled
Download CA Certificate
Firefox: Settings → Privacy & Security → Certificates → Import
Trust certificate for identifying websites

Tools

Proxy

Intercept

Intercept is on/off - Toggle request interception
Forward - Send modified request
Drop - Discard request
Action - Additional options

HTTP History

View all captured requests/responses
Filter by status code, mime type, etc.
Send to other tools (Repeater, Intruder, etc.)

WebSockets History

Monitor WebSocket connections
Intercept WebSocket messages

Options

Proxy Listeners - Configure listening ports
Intercept Client Requests - Rules for interception
Intercept Server Responses - Response interception rules
Match and Replace - Automatic modifications

Repeater

Send - Execute request
Go - Execute (keyboard shortcut)
Cancel - Stop current request
< > - Navigate history

Useful Features:

Modify requests manually
Resend multiple times
Compare responses
Test for vulnerabilities

Intruder

Attack Types

Sniper - Single position, iterates through payloads
Battering Ram - Multiple positions, same payload
Pitchfork - Multiple positions, synchronized payloads
Cluster Bomb - Multiple positions, all combinations

Positions

Clear § - Remove payload markers
Add § - Mark payload position
Auto § - Automatically mark parameters

Payloads

Payload Sets - Configure payload lists
Payload Options - Add/load payloads
Payload Processing - Modify payloads before use
Payload Encoding - URL encoding options

Payload Types:

Simple list
Runtime file
Numbers (sequential/random)
Dates
Brute forcer
Null payloads
Character substitution
Case modification
Recursive grep

Examples

# Username enumeration
POST /login
username=§admin§&password=test

# Password brute force
POST /login
username=admin&password=§password§

# SQL injection
GET /page?id=§1§

# Parameter fuzzing
GET /api?param1=§value1§&param2=§value2§

Scanner (Professional Only)

Scan - Active scanning
Live Passive Crawl - Background scanning
Live Audit - Real-time testing

Scan Types:

Crawl and Audit
Crawl only
Audit selected items

Issue Activity:

View findings
False positives management
Issue details and remediation

Decoder

Encoding/Decoding:

URL
HTML
Base64
ASCII Hex
Hex
Octal
Binary
GZIP

Hashing:

SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
MD2
MD5

Comparer

Load data from:
- Paste
- File
- Request/response
Compare as:
- Words
- Bytes

Sequencer

Token Analysis:

Live capture
Manual load
Character-level analysis
Bit-level analysis
Randomness testing

Extender

BApp Store:

Additional tools and extensions
Community extensions
Custom extensions

Popular Extensions:

Autorize - Authorization testing
CSRF Token Tracker
JSON Web Tokens
SQLiPy - SQL injection
XSS Validator
Active Scan++
Backslash Powered Scanner
J2EEScan
.NET Beautifier
Additional Scanner Checks

Shortcuts

Ctrl+I - Send to Intruder
Ctrl+R - Send to Repeater
Ctrl+Shift+B - Base64 encode
Ctrl+Shift+U - URL encode
Ctrl+Z - Undo
Ctrl+Shift+Z - Redo
Ctrl+F - Find

Scope Configuration

Target → Scope → Add
- Include in scope: *.target.com
- Exclude from scope: *.google.com

Proxy → Options → Miscellaneous
- Show only in-scope items

Match and Replace

Proxy → Options → Match and Replace

Examples:
- Remove CSP headers
- Modify User-Agent
- Add custom headers
- Replace tokens

Session Handling

Project Options → Sessions → Session Handling Rules

Use cases:
- Automatic login
- Token refresh
- Cookie handling
- Custom macros

Collaborator

Use Cases:

Out-of-band interactions
Blind SSRF detection
Blind XSS
External service interactions

Burp menu → Burp Collaborator Client
- Generate payloads
- Poll for interactions
- View interaction details

Useful Workflows

Testing for SQL Injection

Intercept request
Send to Repeater
Add SQL payloads: ' OR '1'='1, ' --, '; DROP TABLE users--
Observe responses
Send to Intruder for automated testing

Finding XSS

Identify reflection points
Send to Intruder
Load XSS payloads
Check responses for unencoded payload
Verify in browser

Testing Authentication

Capture login request
Send to Intruder
Mark password field
Load password list
Analyze responses (status codes, length)

API Testing

Configure JSON/XML content type
Test parameter pollution
Test HTTP methods (PUT, DELETE, PATCH)
Test authentication bypass
Test rate limiting

Tips and Tricks

# Filter by MIME type in HTTP History
Proxy → HTTP History → Filter → MIME type

# Highlight interesting items
Right-click → Highlight → Choose color

# Compare requests/responses
Right-click → Send to Comparer

# Copy as curl command
Right-click → Copy as curl command

# Match/replace for testing
Remove security headers automatically

# Grep extraction
Extract tokens from responses

# Hot keys
Learn keyboard shortcuts for efficiency

Common Issues

Certificate Errors

Solution:
1. Install Burp CA certificate
2. Add security exception in browser
3. Disable SSL validation (testing only)

Invisible Proxy

Proxy → Options → Request Handling
- Support invisible proxying

HTTPS Interception

Proxy → Options → TLS Pass Through
- Add domains to bypass