Burp Suite Tutorial: Getting Started with Web Application Testing
Learn how to set up Burp Suite, configure the proxy, use Scanner, Intruder, and Repeater for practical web application security testing.
Burp Suite is the industry-standard toolkit for web application security testing. Whether you are a developer running quick checks on your own app or a penetration tester doing a full assessment, understanding Burp's core tools — proxy, scanner, intruder, and repeater — will dramatically improve the quality and speed of your testing. This guide walks through a practical setup and workflow using Burp Suite Community and Pro editions.
Setting Up the Proxy
The Burp proxy sits between your browser and the target application, intercepting every HTTP/S request and response. Getting this right is the foundation for everything else.
Step 1: Configure the listener. Open Burp, go to Proxy > Proxy settings (Proxy > Options in older releases) and confirm a listener is running on 127.0.0.1:8080. Change the port if 8080 is already in use; whatever you pick here must match the browser setting in the next step.
Step 2: Configure your browser. The cleanest approach is to use a dedicated browser profile or the built-in Burp browser (Chromium-based, pre-configured). For Firefox, go to Settings > Network Settings > Manual proxy, set HTTP Proxy to 127.0.0.1, port 8080, and check "Also use this proxy for HTTPS."
Step 3: Install the CA certificate. Burp generates its own CA on first run and signs a certificate for every HTTPS host on the fly, so the browser has to trust that CA. Navigate to http://burp in the proxied browser, click "CA Certificate" to download it, and import it as a trusted authority. In Firefox: Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import, then tick "Trust this CA to identify websites." Without this step every HTTPS site shows a certificate error. The built-in Burp browser already trusts the CA, so the import is only needed for external browsers and clients. Install the CA only in a profile you use for testing, not in your everyday browser: any browser that trusts it can have its TLS traffic intercepted by whoever holds that CA's key.
Step 4: Verify interception. Enable intercept under Proxy > Intercept, browse to your target, and confirm requests appear in the intercept queue. Use Forward to pass them through or Drop to block them.
For API testing, point your HTTP client (Postman, curl, etc.) at http://127.0.0.1:8080 as a proxy. With curl, `--insecure` (`-k`) disables certificate verification so that Burp's on-the-fly certificate is accepted; that is fine for a throwaway test, but the cleaner option is to export Burp's CA (it is served as DER; convert it to PEM with openssl) and pass it with `--cacert`, which keeps verification on while still trusting the proxy:
curl -x http://127.0.0.1:8080 --insecure https://api.example.com/v1/users
Using the Scanner (Pro)
Burp Scanner automates the discovery of common vulnerabilities including SQL injection, XSS, XXE, SSRF, and path traversal. It is available in Burp Suite Professional.
Crawl first, audit second. Right-click a target in the site map and choose Scan. In the scan configuration wizard, select a crawl strategy (the default is fine for most apps) and a set of audit checks. A configuration that audits every insertion point is thorough but slow; "Audit checks — critical issues only" is faster and suits CI use cases.
Review the scan queue. Under Dashboard you will see the active tasks. Each issue found carries a confidence level (certain, firm, tentative) and a severity (high, medium, low, information). Triage "certain" and "firm" findings at high or medium severity first; tentative findings are hypotheses the scanner could not confirm and need manual verification before they go in a report.
Limiting noise and collateral testing. Add the application to scope (Target > Scope) before scanning and restrict the crawl to in-scope URLs. Requests outside scope are then ignored, which keeps results focused and, more importantly, stops active checks from being fired at third-party services (CDNs, analytics endpoints, identity providers) that you are not authorised to test.
For teams, Burp's scan configurations can be exported as JSON and version-controlled, enabling consistent and repeatable scans across environments.
Repeater: Manual Verification and Exploitation
Repeater lets you send a single request repeatedly with manual modifications. It is the go-to tool for verifying a potential vulnerability and understanding its behavior.
Sending a request to Repeater. Right-click any request in the proxy history or site map and select Send to Repeater. The request appears under the Repeater tab.
Practical workflow:
- Identify a parameter you want to test (e.g., `id=42` in a query string).
- Modify the value: try `id=42'` to probe for SQL injection, or `id=../../../etc/passwd` for path traversal.
- Click Send and inspect the response for error messages, unexpected data, or behavior changes.
- Iterate. Repeater keeps a per-tab history, so you can step back and compare responses across modifications.
Repeater is also invaluable for replaying authenticated requests. If a token expires, update the Authorization header in Repeater and continue testing without re-capturing.
Intruder: Automated Parameter Fuzzing
Intruder automates sending many variations of a request, useful for brute-forcing login forms, enumerating IDs, or fuzzing parameters at scale.
Configuring an attack. Send a request to Intruder (right-click > Send to Intruder). Under the Positions tab Burp automatically marks every parameter value and cookie as a payload position, bracketed by § markers. Click Clear § to remove them all, then highlight just the value you want to fuzz and click Add §; the text between a pair of markers is the original value that each payload replaces.
Attack types:
- Sniper — one payload set, one position at a time; the positions not under attack keep their original values. Best for single-parameter fuzzing, and the number of requests is positions × payloads.
- Battering Ram — one payload set, with the same payload inserted into every position at once. Useful when one value must appear in several places, for example a user ID in both the path and a JSON body.
- Pitchfork — one payload set per position, advanced in lockstep (first with first, second with second), stopping when the shortest set is exhausted. For credential stuffing with known username:password pairs.
- Cluster Bomb — one payload set per position, sending every combination (the Cartesian product). Useful for brute force when the pairs are unknown, but the request count is the product of the set sizes, so it grows quickly.
Payloads. Under the Payloads tab, choose a payload type. "Simple list" works for most cases — paste in a wordlist or load from a file. For numeric enumeration, use "Numbers" and set the range and step.
Note: Intruder is rate-limited in Community Edition. For heavy fuzzing, consider ffuf or wfuzz as complements.
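The four attack types differ only in how payloads are combined across the § positions. The following Python model of that expansion is an added example, not Burp's own code; the request template and payload lists are constructed for illustration, and `numbers()` mirrors the "Numbers" payload type described above.

```python
"""Model of how Burp Intruder expands section-sign payload positions per attack type."""
import itertools
from typing import Iterator

MARKER = "\u00a7"  # the section sign Burp uses to bracket a payload position


def parse_positions(template: str) -> tuple[list[str], list[str]]:
    """Split a marked-up request into the literal text around the positions and the
    original values between each pair of markers (Sniper keeps those for the
    positions it is not currently attacking)."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced section-sign markers in template")
    return parts[0::2], parts[1::2]


def render(literals: list[str], values: list[str]) -> str:
    """Reassemble a request with one value substituted per position."""
    out = [literals[0]]
    for lit, val in zip(literals[1:], values):
        out.append(val)
        out.append(lit)
    return "".join(out)


def sniper(template: str, payloads: list[str]) -> Iterator[str]:
    """One payload set, one position at a time; other positions keep their original value."""
    literals, originals = parse_positions(template)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield render(literals, values)


def battering_ram(template: str, payloads: list[str]) -> Iterator[str]:
    """One payload set; the same payload goes into every position at once."""
    literals, originals = parse_positions(template)
    for payload in payloads:
        yield render(literals, [payload] * len(originals))


def pitchfork(template: str, payload_sets: list[list[str]]) -> Iterator[str]:
    """One payload set per position, advanced in lockstep; stops at the shortest set."""
    literals, originals = parse_positions(template)
    _check_sets(originals, payload_sets)
    for values in zip(*payload_sets):
        yield render(literals, list(values))


def cluster_bomb(template: str, payload_sets: list[list[str]]) -> Iterator[str]:
    """One payload set per position; every combination (Cartesian product) is sent."""
    literals, originals = parse_positions(template)
    _check_sets(originals, payload_sets)
    for values in itertools.product(*payload_sets):
        yield render(literals, list(values))


def _check_sets(originals: list[str], payload_sets: list[list[str]]) -> None:
    if len(payload_sets) != len(originals):
        raise ValueError(f"{len(originals)} positions but {len(payload_sets)} payload sets")


def numbers(start: int, stop: int, step: int = 1, width: int = 0) -> list[str]:
    """Equivalent of the 'Numbers' payload type: sequential integers, optionally zero-padded."""
    return [str(n).zfill(width) for n in range(start, stop + 1, step)]


# Constructed example request with two marked positions (not captured from a real target).
TEMPLATE = (
    "GET /api/v1/users?id=\u00a742\u00a7&sort=\u00a7name\u00a7 HTTP/1.1\r\n"
    "Host: api.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for req in sniper(TEMPLATE, numbers(1, 3)):
        print(req.splitlines()[0])
    sets = [numbers(1, 3), ["name", "email"]]
    print(len(list(pitchfork(TEMPLATE, sets))), "pitchfork requests")
    print(len(list(cluster_bomb(TEMPLATE, sets))), "cluster bomb requests")
```

Counting the generated requests before you start an attack is the habit worth keeping: with three payload sets of 1,000 entries each, Cluster Bomb is a billion requests, which is where Turbo Intruder or ffuf and a smarter payload selection come in.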
Decoder and Comparer: Supporting Utilities
Decoder transforms data between encodings (Base64, URL, HTML, hex, gzip and others) and can chain transforms, so a value that was URL-encoded and then Base64-encoded can be peeled back one layer at a time. Select a value in a request, right-click and choose Send to Decoder; "Smart decode" guesses the encoding for you. This is routine in token analysis and cookie inspection, where the decoded structure (a JSON blob, a user ID, an HMAC tail) tells you what to tamper with in Repeater.
Comparer performs a diff between two requests or responses, highlighting changes at word or byte level. It is most useful when testing access control. Send two responses to Comparer: the one the victim user receives for their own record, and the one your attacker session receives when it requests that same record ID. A mere difference between your own record and someone else's is not a finding; the finding is when the attacker session is served the other user's data (typically a 200 with the same body the victim sees) instead of a 403, a 404 or an empty response. That is broken object-level authorization. Ignore headers that legitimately change per response (Date, Set-Cookie, request IDs) when reading the diff.
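The same comparison done offline, as an added Python example rather than anything from Burp: volatile headers are stripped before diffing, and `is_bola()` encodes the decision rule above. The four responses are constructed for the example; `_resp()` and the field names are this example's, not a real application's.

```python
"""Diff two captured responses the way Comparer does, after dropping headers that
change on every response, and decide whether an object-level authorization test
actually showed a leak."""
import difflib

# Headers whose values legitimately differ between otherwise identical responses.
VOLATILE_HEADERS = {"date", "set-cookie", "etag", "x-request-id", "expires"}


def split_response(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def normalize(raw: str) -> str:
    """Canonical text for diffing: status line, sorted non-volatile headers, body."""
    status, headers, body = split_response(raw)
    kept = [f"{k}: {v}" for k, v in sorted(headers.items()) if k not in VOLATILE_HEADERS]
    return "\n".join([status, *kept, "", body])


def diff_responses(a: str, b: str) -> list[str]:
    """Only the changed lines between two normalized responses."""
    diff = difflib.unified_diff(
        normalize(a).splitlines(), normalize(b).splitlines(), lineterm="", n=0
    )
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def is_bola(victim_own_view: str, attacker_view_of_victim: str) -> bool:
    """True when the attacker's session is served the victim's record.

    victim_own_view: the victim fetching their own object with their own session.
    attacker_view_of_victim: the attacker fetching that same object ID with the
    attacker's session. A 403/404/redirect is the safe outcome; a 200 whose body
    matches what the victim sees is the finding.
    """
    v_status, _, v_body = split_response(victim_own_view)
    a_status, _, a_body = split_response(attacker_view_of_victim)
    return a_status.split(" ")[1] == "200" and a_body.strip() == v_body.strip()


def _resp(status: str, body: str, req_id: str) -> str:
    """Build a constructed sample response (not captured from a real target)."""
    return (
        f"HTTP/1.1 {status}\r\nDate: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
        f"Content-Type: application/json\r\nX-Request-Id: {req_id}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample traffic: user 1001 (attacker) and user 1002 (victim).
ATTACKER_OWN = _resp("200 OK", '{"id": 1001, "email": "alice@example.com", "role": "user"}', "r1")
VICTIM_OWN = _resp("200 OK", '{"id": 1002, "email": "bob@example.com", "role": "user"}', "r2")
LEAKY = _resp("200 OK", '{"id": 1002, "email": "bob@example.com", "role": "user"}', "r3")
SAFE = _resp("403 Forbidden", '{"error": "forbidden"}', "r4")

if __name__ == "__main__":
    print("own vs other id differs:", bool(diff_responses(ATTACKER_OWN, SAFE)))
    print("BOLA (leaky):", is_bola(VICTIM_OWN, LEAKY))
    print("BOLA (safe):", is_bola(VICTIM_OWN, SAFE))
```

Note that `diff_responses(ATTACKER_OWN, SAFE)` is non-empty even though the application behaved correctly: "the response changed when I changed the ID" is exactly the observation that leads to false BOLA reports, which is why the check compares against what the victim legitimately sees.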
Building a Practical Testing Workflow
A repeatable workflow for testing a web application with Burp:
- Define scope. Add the target domain/IP under Target > Scope. Enable "Show only in-scope items" in the site map.
- Passive crawl. Browse the application manually with Intercept off. Burp builds the site map passively.
- Active crawl (Pro). Run a crawler from the dashboard to discover hidden endpoints and parameters.
- Automated scan (Pro). Run the scanner against discovered content.
- Manual verification. For each finding, use Repeater to confirm exploitability.
- Parameter fuzzing. Use Intruder to test interesting parameters at scale.
- Authentication testing. Test session tokens for entropy, expiry, and fixation using Sequencer and Repeater.
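Sequencer captures a few thousand tokens and runs character-level and bit-level statistical tests on them. The script below is an added, simplified offline version of two of those checks (it is not Sequencer's code and makes no claim to its full test suite): per-position entropy, which exposes static prefixes and padding, and a counter detector, which catches the sequential fields that per-position entropy alone scores as random. The tokens are constructed with a seeded PRNG so the run is reproducible.

```python
"""Per-position entropy and counter detection over a sample of session tokens:
a simplified, offline version of the kind of checks Sequencer runs."""
import math
import random
from collections import Counter
from typing import Iterable

HEX = "0123456789abcdef"


def shannon_entropy(symbols: Iterable[str]) -> float:
    """Shannon entropy in bits of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropies(tokens: list[str]) -> list[float]:
    """Entropy of the character seen at each position across the sample."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [shannon_entropy(t[i] for t in tokens) for i in range(length)]


def weak_positions(tokens: list[str], threshold_bits: float = 2.0) -> list[int]:
    """Positions that are fixed or nearly fixed (static prefixes, padding, flags)."""
    return [i for i, h in enumerate(position_entropies(tokens)) if h < threshold_bits]


def counter_fields(tokens: list[str], width: int = 4, base: int = 16,
                   min_fraction: float = 0.9) -> list[int]:
    """Start offsets of fixed-width fields that increase by exactly 1 between
    consecutive tokens in capture order. Per-position entropy misses these:
    the low digits of a counter look random on their own."""
    found = []
    pairs = len(tokens) - 1
    for start in range(len(tokens[0]) - width + 1):
        hits = 0
        for prev, cur in zip(tokens, tokens[1:]):
            try:
                if int(cur[start:start + width], base) - int(prev[start:start + width], base) == 1:
                    hits += 1
            except ValueError:  # field is not a number in this base at this offset
                break
        if hits >= min_fraction * pairs:
            found.append(start)
    return found


def analyse(tokens: list[str]) -> dict:
    """Summary a tester would glance at before deciding whether to dig deeper."""
    per_pos = position_entropies(tokens)
    return {
        "samples": len(tokens),
        "duplicates": len(tokens) - len(set(tokens)),
        "bits_estimate": sum(per_pos),
        "weak_positions": weak_positions(tokens),
        "counter_fields": counter_fields(tokens),
    }


def sample_tokens(n: int = 500, seed: int = 1) -> list[str]:
    """Constructed tokens, not from a real application: a static 'sess' prefix,
    a 4-hex-digit sequential counter, then 24 hex chars from a seeded PRNG."""
    rng = random.Random(seed)
    return [f"sess{i:04x}" + "".join(rng.choice(HEX) for _ in range(24)) for i in range(n)]


if __name__ == "__main__":
    for key, value in analyse(sample_tokens()).items():
        print(f"{key}: {value}")
```

The per-position estimate is an upper bound on a small sample (500 tokens cannot show more than about 4 bits per hex character), and it is blind to correlations between positions; that is why the counter check exists and why Sequencer's own output should be read alongside a look at consecutive tokens rather than as a single entropy number.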
Useful Extensions
Burp's BApp Store (Extensions tab) adds significant capability:
- Logger++ — enhanced request logging with filtering, useful for long sessions.
- Turbo Intruder — high-speed request sending, bypasses Community Edition rate limiting.
- AuthMatrix — maps access control across multiple roles.
- JS Miner — extracts endpoints and secrets from JavaScript files.
- Param Miner — discovers hidden parameters via header and body guessing.
Install extensions under Extensions > BApp Store. Extensions written in Python or Ruby target the legacy extender API and require Jython or JRuby to be configured; Java extensions, including everything written against the newer Montoya API, load natively.
Saving and Reporting
Work in a disk-based project file (Pro only) and your full state, including proxy history, site map and findings, is written to it as you go; use the Project menu to save a copy. Community Edition supports only temporary projects, so its state is lost when Burp closes. For reports, go to Target > Site map, right-click the host and choose Issues > Report issues for this host (or select issues in the Dashboard and report just those). Reports export as HTML or XML and include vulnerability details, evidence (the request and response), and remediation recommendations.
For teams sharing findings, the XML export can feed into vulnerability management platforms or be parsed by custom scripts to populate issue trackers automatically.
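A minimal version of that script, as an added Python example that is not part of the tutorial or of Burp: it parses the XML export, applies the severity/confidence triage rule from the Scanner section, collapses duplicates of the same issue at the same host and path, and shapes each survivor for an issue-tracker API. The element names follow Burp's XML report format (issues > issue > name, host, path, location, severity, confidence, issueDetail, requestresponse/request); `SAMPLE_XML` is constructed for the example rather than a real export, its `<type>` values are placeholders, and the ticket field names are this example's own.

```python
"""Turn a Burp Scanner XML issue export into issue-tracker records."""
import base64
import json
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}

# Constructed evidence request; Burp stores requests base64-encoded in the export.
_REQ = base64.b64encode(b"GET /products?id=42' HTTP/1.1\r\nHost: app.example.com\r\n\r\n").decode()

# Constructed sample export (not a real scan); <type> numbers are placeholders.
SAMPLE_XML = f"""<?xml version="1.0"?>
<issues burpVersion="2024.1" exportTime="Mon Jan 01 10:00:00 UTC 2024">
  <issue><serialNumber>1</serialNumber><type>1049088</type>
    <name><![CDATA[SQL injection]]></name>
    <host ip="203.0.113.10">https://app.example.com</host>
    <path><![CDATA[/products]]></path><location><![CDATA[/products [id parameter]]]></location>
    <severity>High</severity><confidence>Certain</confidence>
    <issueDetail><![CDATA[The id parameter appears to be vulnerable to SQL injection.]]></issueDetail>
    <requestresponse><request method="GET" base64="true"><![CDATA[{_REQ}]]></request></requestresponse>
  </issue>
  <issue><serialNumber>2</serialNumber><type>2097920</type>
    <name><![CDATA[Cross-site scripting (reflected)]]></name>
    <host ip="203.0.113.10">https://app.example.com</host>
    <path><![CDATA[/search]]></path><location><![CDATA[/search [q parameter]]]></location>
    <severity>Medium</severity><confidence>Firm</confidence>
    <issueDetail><![CDATA[The value of the q parameter is copied into the response unencoded.]]></issueDetail>
  </issue>
  <issue><serialNumber>3</serialNumber><type>2097920</type>
    <name><![CDATA[Cross-site scripting (reflected)]]></name>
    <host ip="203.0.113.10">https://app.example.com</host>
    <path><![CDATA[/search]]></path><location><![CDATA[/search [sort parameter]]]></location>
    <severity>Medium</severity><confidence>Firm</confidence>
    <issueDetail><![CDATA[The value of the sort parameter is copied into the response unencoded.]]></issueDetail>
  </issue>
  <issue><serialNumber>4</serialNumber><type>6291712</type>
    <name><![CDATA[Email addresses disclosed]]></name>
    <host ip="203.0.113.10">https://app.example.com</host>
    <path><![CDATA[/about]]></path><location><![CDATA[/about]]></location>
    <severity>Information</severity><confidence>Certain</confidence>
    <issueDetail><![CDATA[The response contains an email address.]]></issueDetail>
  </issue>
</issues>
"""


def parse_issues(xml_text: str) -> list[dict]:
    """Flatten each <issue> into a dict; decode the base64 evidence request if present."""
    issues = []
    for el in ET.fromstring(xml_text).iter("issue"):
        req = el.find("requestresponse/request")
        request = ""
        if req is not None and req.text:
            request = base64.b64decode(req.text).decode("latin-1") if req.get("base64") == "true" else req.text
        fields = ("name", "host", "path", "location", "severity", "confidence", "issueDetail")
        record = {f: (el.findtext(f) or "").strip() for f in fields}
        record["request"] = request
        issues.append(record)
    return issues


def _rank(issue: dict) -> tuple[int, int]:
    return (SEVERITY_RANK.get(issue["severity"], -1), CONFIDENCE_RANK.get(issue["confidence"], -1))


def triage(issues: list[dict], min_severity: str = "Medium", min_confidence: str = "Firm") -> list[dict]:
    """Keep high/medium and certain/firm issues (the tutorial's triage rule), order by
    severity then confidence, and keep one entry per issue type per host and path."""
    seen, kept = set(), []
    for issue in sorted(issues, key=_rank, reverse=True):
        sev, conf = _rank(issue)
        if sev < SEVERITY_RANK[min_severity] or conf < CONFIDENCE_RANK[min_confidence]:
            continue
        key = (issue["name"], issue["host"], issue["path"])
        if key not in seen:
            seen.add(key)
            kept.append(issue)
    return kept


def to_ticket(issue: dict) -> dict:
    """Shape a triaged issue for a generic tracker API (field names are this example's)."""
    return {
        "title": f"[{issue['severity']}] {issue['name']} at {issue['host']}{issue['path']}",
        "labels": ["burp-scanner", issue["severity"].lower(), issue["confidence"].lower()],
        "body": f"{issue['issueDetail']}\n\nLocation: {issue['location']}\n\nEvidence request:\n{issue['request']}",
    }


if __name__ == "__main__":
    print(json.dumps([to_ticket(i) for i in triage(parse_issues(SAMPLE_XML))], indent=2))
```

Deduplicating on (name, host, path) means the two reflected XSS instances on /search become one ticket whose location names only the first parameter; if your tracker wants one ticket per parameter, key on location instead. Either way, decide the rule explicitly rather than letting the same finding open a new ticket on every scheduled scan.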