🔧 Burp Suite Essentials

Getting started with Burp Suite for web application penetration testing.

Initial Setup

Download Burp Suite from portswigger.net
Configure browser proxy: 127.0.0.1:8080
Install Burp's CA certificate for HTTPS interception
Use FoxyProxy browser extension for quick proxy toggling

Core Tools

Tool	Purpose	Key Use Case
Proxy	Intercept & modify HTTP/S traffic	Manipulate requests in real-time
Repeater	Resend modified requests	Testing payloads, fine-tuning attacks
Intruder	Automated payload delivery	Brute force, fuzzing, parameter enumeration
Scanner	Automated vulnerability scanning	Finding common vulns (Pro only)
Decoder	Encode/decode data	Base64, URL encoding, hex
Comparer	Diff two responses	Spotting differences in auth responses
Sequencer	Analyze token randomness	Session token entropy analysis

Proxy Workflow

1. Enable "Intercept" in Proxy tab
2. Browse target application in configured browser
3. Modify intercepted requests as needed
4. Forward or Drop requests
5. Review all traffic in "HTTP history"

Intruder Attack Types

Type	Description	Example
Sniper	One payload position at a time	Testing single parameter
Battering Ram	Same payload in all positions	Same value in multiple fields
Pitchfork	Parallel payloads	Username:password pairs
Cluster Bomb	All combinations	Brute force username + password

Useful Extensions (BApp Store)

Autorize — Automated authorization testing
Logger++ — Enhanced logging
Hackvertor — Advanced encoding/decoding
Active Scan++ — Enhanced scanning
JSON Web Tokens — JWT manipulation
Param Miner — Hidden parameter discovery
Turbo Intruder — High-speed payload delivery

Quick Tips

Use scope to limit traffic to target domain only
Save projects regularly — Burp can crash
Use match & replace rules to automate header injection
Learn keyboard shortcuts: Ctrl+R (send to Repeater), Ctrl+I (send to Intruder)
Use Collaborator for out-of-band testing (SSRF, blind XSS)