What is Burp Suite?
Burp Suite is the industry-standard integrated platform for web application security testing, developed by PortSwigger. At its core is an intercepting HTTP/S proxy that sits between your browser and the target, letting you inspect, modify, replay, and automate every request and response in real time. It is used by penetration testers, bug bounty hunters, and security engineers worldwide to discover vulnerabilities including SQL injection, XSS, IDOR, SSRF, authentication flaws, and business logic errors.
Burp Suite comes in three editions: Community (free, limited), Professional (paid, full-featured), and Enterprise (automated scanning at scale).
Only use this tool on systems you own or have explicit written authorization to test. Unauthorized use is a criminal offense under Pakistan's PECA 2016 and similar laws worldwide.
Installation
```bash
# Burp Suite Community is pre-installed on Kali Linux
# Launch directly from the terminal:
burpsuite &

# Or install manually if missing
sudo apt update && sudo apt install burpsuite -y

# For the latest Pro version, download the installer from:
# https://portswigger.net/burp/releases
```
Core Modules
- Proxy — Intercept and modify live HTTP/S traffic between browser and server
- Repeater — Manually replay and tweak individual requests to test for vulnerabilities
- Intruder — Automate customized attacks: fuzzing, brute-forcing, payload injection
- Scanner — Automated vulnerability scanner (Pro only) for passive and active scanning
- Decoder — Encode/decode data in Base64, URL, HTML, hex, and more
- Comparer — Diff two requests or responses to spot subtle differences
- Sequencer — Analyse randomness/entropy of session tokens
- Logger — Full HTTP history log across all Burp tools
Basic Proxy Setup
```bash
# Default Burp proxy listener
# Host: 127.0.0.1
# Port: 8080
# Configure your browser to use this proxy, then:
# 1. Open Burp → Proxy → Intercept → turn Intercept ON
# 2. Browse the target site — requests appear in Burp
# 3. Modify the request → Forward or Drop

# Install Burp's CA certificate to intercept HTTPS:
# Browse to http://burpsuite (while the proxy is active)
# Download and install the cert in your browser's trust store

# Useful keyboard shortcuts in Repeater / Intruder:
# Ctrl+R        → Send request to Repeater
# Ctrl+I        → Send request to Intruder
# Ctrl+U        → URL-encode selected text
# Ctrl+Shift+U  → URL-decode selected text
```
Intruder Attack Types
- Sniper — One payload set, cycles through each marked position one at a time
- Battering Ram — One payload set, inserts the same value into all positions simultaneously
- Pitchfork — Multiple payload sets, iterates through them in parallel (username + password combos)
- Cluster Bomb — Multiple payload sets, tries every combination (full brute-force)
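The four attack types differ only in how payload sets are mapped onto the marked positions, which decides how many requests an attack generates. The following added example (not Burp's own code, nor from this page's author) reproduces that mapping on a constructed request template with Burp-style `§` markers, so you can see, for each mode, exactly which requests would be sent and how many; the `intruder` and `request_count` helpers are assumed names.

```python
import itertools
import re
from typing import Iterator, List

# Payload positions are marked Burp-style with section signs: §value§
MARK = re.compile(r"§([^§]*)§")


def fill(template: str, values: List[str]) -> str:
    """Substitute the marked positions, in order, with the given values."""
    it = iter(values)
    return MARK.sub(lambda _m: next(it), template)


def intruder(template: str, attack: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """Yield each request the chosen attack type would send.
    Sniper and Battering Ram use payload_sets[0] only; Pitchfork and
    Cluster Bomb use one payload set per marked position."""
    originals = MARK.findall(template)      # values currently in each position
    n = len(originals)
    if attack == "sniper":
        # one position at a time; the other positions keep their original value
        for i in range(n):
            for p in payload_sets[0]:
                vals = list(originals)
                vals[i] = p
                yield fill(template, vals)
    elif attack == "battering_ram":
        for p in payload_sets[0]:           # same value in every position
            yield fill(template, [p] * n)
    elif attack == "pitchfork":
        # sets advance in parallel; the attack stops at the shortest set
        for combo in zip(*payload_sets[:n]):
            yield fill(template, list(combo))
    elif attack == "cluster_bomb":
        for combo in itertools.product(*payload_sets[:n]):   # every combination
            yield fill(template, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack}")


def request_count(template: str, attack: str, payload_sets: List[List[str]]) -> int:
    """Number of requests the attack would generate (useful for sizing a test)."""
    return sum(1 for _ in intruder(template, attack, payload_sets))


# Constructed sample: a login body with two marked positions and two small payload sets.
TEMPLATE = "username=§admin§&password=§secret§"
USERS = ["u1", "u2", "u3"]
PASSWORDS = ["p1", "p2"]

if __name__ == "__main__":
    for mode in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(f"{mode:14} {request_count(TEMPLATE, mode, [USERS, PASSWORDS])} requests")
```

With these sets the counts are 6, 3, 2 and 6: Sniper is positions × payloads, Battering Ram is one request per payload, Pitchfork is bounded by the shortest set, and Cluster Bomb is the product of all set sizes.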
Common Use Cases
- Authorized penetration testing of web applications
- CTF (Capture The Flag) challenges involving web vulnerabilities
- Bug bounty hunting — intercepting and manipulating API calls
- Internal security audits of web portals and APIs
Tips & Best Practices
Use Burp's Target → Scope to restrict all tools to your authorized target — this prevents accidental testing of out-of-scope assets. In Intruder, always check the Grep — Match and Grep — Extract options to automatically flag interesting responses. The Community edition throttles Intruder attacks; use ffuf or wfuzz as faster alternatives for fuzzing when on a free license.
Practice on legal targets like TryHackMe, HackTheBox, PortSwigger Web Security Academy, or hackzia.site labs before using in live engagements.