Burp Suite

Web proxy for intercepting, modifying, and repeating HTTP requests.

Install: Download from portswigger.net/burp or run java -jar burpsuite.jar

Quick Start

1. Start Burp Suite

2. Proxy tab > Click Open Browser (pre-configured Chromium)

3. Browse target website - requests appear in Proxy > HTTP History

Proxy Setup

Pre-Configured Browser

Fastest method - click Open Browser in Proxy > Intercept tab.

Manual Firefox Setup

1. Install FoxyProxy

2. Add proxy: 127.0.0.1:8080

3. Install CA cert:

   • Browse to http://burp with proxy enabled

   • Click CA Certificate to download

   • Firefox: about:preferences#privacy > View Certificates > Authorities > Import

   • Check "Trust this CA to identify websites"

Change Proxy Port

Proxy > Proxy settings > Proxy listeners

Intercepting Requests

Enable/Disable Intercept

Proxy > Intercept tab > Click Intercept is on/off

Intercept Workflow

1. Enable intercept

2. Make request in browser

3. Request appears in Burp

4. Modify request as needed

5. Click Forward to send (or Drop to discard)

Intercept Responses

Proxy > Proxy settings > Response interception rules > Enable Intercept responses

Repeater

Send requests multiple times with modifications.

Usage

1. Find request in Proxy > HTTP History

2. Right-click > Send to Repeater (or Ctrl+R)

3. Go to Repeater tab (Ctrl+Shift+R)

4. Modify request

5. Click Send

6. View response

Tips

• Right-click > Change Request Method to toggle GET/POST

• Use Ctrl+U to URL-encode selected text

Intruder (Fuzzer)

Automate attacks with wordlists.

Setup

1. Send request to Intruder (Ctrl+I)

2. Positions tab: Select text, click Add § to mark injection points

3. Payloads tab: Load wordlist

Attack Types

Payload Options

Payload Processing

Add rules to modify payloads:

• Skip if matches regex - Filter payloads

• Add prefix/suffix - Append strings

• Encode - URL/Base64 encode

Filter Results

Settings > Grep - Match - Flag responses containing specific strings (e.g., 200 OK)

Note

⚠️ Free version limited to 1 request/second - Use ZAP Fuzzer or ffuf for speed

Match & Replace

Auto-modify requests/responses.

Setup

Proxy > Proxy settings > HTTP match and replace rules > Add

Common Uses

Decoder

Encode/decode data.

Access

Decoder tab or Burp Inspector (in Repeater/Proxy)

Supported Formats

• URL encoding

• Base64

• HTML entities

• Hex

• ASCII hex

• Gzip

Quick Encode

In Repeater: Select text > Right-click > Convert Selection > URL > URL-encode

Or: Select text > Ctrl+U

Scanner (Pro Only)

Target Scope

1. Target > Site map - View discovered paths

2. Right-click target > Add to scope

3. Target > Scope - View/edit scope

Crawl

Discover all pages/links:

1. Dashboard > New Scan

2. Select Crawl

3. Configure speed (Fastest/Normal)

4. Start scan

Passive Scan

Analyze responses without sending new requests:

• Right-click request > Do passive scan

• Finds: Missing headers, DOM XSS, info leaks

Active Scan

Full vulnerability scan:

• Right-click request > Do active scan

• Or: Dashboard > New Scan > Crawl and Audit

Tests: SQLi, XSS, Command Injection, Path Traversal, etc.

Reports

Target > Site map > Right-click target > Issue > Report issues for this host

Useful Extensions

Install from Extender > BApp Store

Keyboard Shortcuts

Proxy CLI Tools

With Proxychains

With cURL

With Metasploit

Tips

• Use Logger tab to see all traffic (including from scanner)

• Comparer tab for diff'ing responses

• Right-click requests to Copy as curl command

• Target > Site map shows full application structure

• Enable Unhide hidden form fields in Proxy > Proxy settings > Response modification rules