What Is Burp Suite?
Burp Suite, developed by PortSwigger, is the most widely used platform for web application security testing. At its core, it's an intercepting proxy — it sits between your browser and the target web application, giving you complete visibility and control over every HTTP/S request and response. But it's much more than a proxy.
The Community edition is free and covers most manual testing needs. Burp Suite Professional adds automated scanning, advanced intruder attack types, and other power-user features used by professional testers.
Setting Up Burp Suite
Getting started requires three setup steps:
- Configure your browser proxy: Point your browser to 127.0.0.1:8080 (Burp's default listener). Use FoxyProxy for Firefox to easily toggle the proxy on/off.
- Install the Burp CA certificate: Navigate to http://burpsuite while proxied and download the CA cert. Install it in your browser's certificate store so HTTPS traffic can be intercepted without errors.
- Set your scope: In the Target tab, right-click the target application and select "Add to scope." Enable scope restriction to avoid accidentally intercepting unrelated traffic.
Core Modules and How to Use Them
Proxy — The Foundation
The Proxy tab is where you intercept and modify requests in real time. Key workflow:
- Enable intercept to pause requests before they're sent — modify parameters, headers, or cookies
- Right-click any intercepted request to send it to other modules (Repeater, Intruder, Scanner)
- HTTP history shows every request made — invaluable for understanding how an application works
Repeater — Manual Testing Powerhouse
Repeater lets you re-send individual requests with modifications and immediately see responses. It's ideal for:
- Testing SQL injection payloads manually
- Probing parameter behavior (what happens if you change a user ID to another user's ID?)
- Confirming whether a vulnerability is real before automating it
- Testing authentication bypass techniques
Intruder — Fuzzing and Brute-Force
Intruder automates parameterized attacks. You highlight injection points in a request and provide a payload list. Attack types:
| Attack Type | Use Case |
|---|---|
| Sniper | Single injection point — cycle through one payload list |
| Battering Ram | Same payload inserted into all injection points simultaneously |
| Pitchfork | Multiple lists, each applied to a corresponding injection point |
| Cluster Bomb | All combinations of multiple payload lists — for credential stuffing |
Note: Community edition rate-limits Intruder significantly. For intensive fuzzing, consider ffuf or wfuzz instead.
Scanner (Pro) — Automated Vulnerability Detection
Burp's active scanner crawls the application and probes for known vulnerability classes including XSS, SQL injection, SSRF, XXE, and more. Always combine scanner results with manual testing — automated scanners have both false positives and false negatives.
Decoder and Comparer
Decoder handles encoding/decoding transformations (Base64, URL encoding, hex) and is useful for analyzing obfuscated parameters or tokens. Comparer does a visual diff between two responses — excellent for spotting subtle differences that indicate SQL injection or IDOR vulnerabilities.
Practical Workflow: Finding an IDOR
Insecure Direct Object Reference (IDOR) is one of the most common and impactful web vulnerabilities. Here's how to hunt for one with Burp:
- Browse the application normally while logged in, letting Burp capture all requests in HTTP history.
- Look for requests containing numeric or predictable IDs (e.g., /api/user/profile?id=1042).
- Send that request to Repeater.
- Change the ID to another value and observe the response — do you get another user's data?
- Use Intruder to automate checking a range of IDs and flag responses with different sizes.
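As an added illustration (not code from this article or from PortSwigger), here is the server side of the request above in constructed Python: the handler that has the IDOR, the same handler with the object-level authorization check that closes it, and a small function that mimics the Repeater step of re-sending the request with another user's id. The session object, user store and function names are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Server-side session of the logged-in caller (never taken from the request)."""
    user_id: int
    is_admin: bool = False

# Constructed sample user store; 1042 is the id from the request in the article.
USERS = {
    1042: {"id": 1042, "name": "alice", "email": "alice@example.test"},
    1043: {"id": 1043, "name": "bob", "email": "bob@example.test"},
}

def profile_vulnerable(session: Session, requested_id: int) -> tuple[int, dict]:
    """Return (status, body). The only check is authentication: the client-supplied
    id is trusted, so changing 1042 to 1043 in Repeater returns another user's
    record. That is the IDOR the workflow above is looking for."""
    user = USERS.get(requested_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user

def profile_hardened(session: Session, requested_id: int) -> tuple[int, dict]:
    """Same endpoint with object-level authorization: the requested id must match
    the session owner (or the caller must be an admin). The check runs before the
    lookup, so a foreign id leaks neither the record nor whether it exists."""
    if requested_id != session.user_id and not session.is_admin:
        return 403, {"error": "forbidden"}
    user = USERS.get(requested_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user

def repeater_check(handler, session: Session, own_id: int, other_id: int) -> bool:
    """Mimic the manual test: fetch your own profile, then re-send the request
    with another user's id. True means a different user's record was disclosed."""
    own_status, own_body = handler(session, own_id)
    other_status, other_body = handler(session, other_id)
    return own_status == 200 and other_status == 200 and other_body != own_body

if __name__ == "__main__":
    alice = Session(user_id=1042)
    print("vulnerable leaks:", repeater_check(profile_vulnerable, alice, 1042, 1043))
    print("hardened leaks:", repeater_check(profile_hardened, alice, 1042, 1043))
```

Comparing the two responses in Comparer shows the same thing the function does: the vulnerable endpoint returns a 200 with a different body, the hardened one returns a 403 with a fixed-size error body.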
Tips for Effective Use
- Learn keyboard shortcuts — they dramatically speed up your workflow
- Use Burp's built-in documentation and PortSwigger Web Security Academy (free) to practice in realistic labs
- Install extensions from the BApp Store — AuthMatrix and Autorize are essential for access control testing
- Always work within authorized scope — Burp is powerful enough to cause real damage to live systems
Conclusion
Burp Suite rewards investment. The deeper you go with its features, the more vulnerabilities you'll surface in web applications. Start with Proxy and Repeater for manual testing, add Intruder for fuzzing, and layer in extensions as your workflow matures. PortSwigger's free Web Security Academy is the best companion resource available.