Burp Suite: The Basics

Beginner | 40 min | Writeup

Learn the basics of Burp Suite

Learning Objectives

  • Set up Burp Suite
  • Intercept requests
  • Use repeater and intruder
  • Configure proxy

Burp Suite is the industry-standard web application security testing tool. Think of it as a Swiss Army knife for web hacking - it intercepts, modifies, and analyzes HTTP traffic between your browser and target servers.

Burp Suite Community Edition is free and sufficient for most CTFs and learning. The Professional version adds advanced scanning and faster Intruder attacks. This room covers the Community Edition.

Setup & Configuration

Browser Proxy Configuration

1. Launch Burp Suite: Open Burp Suite and create a new temporary project
2. Check Proxy Listener: Proxy → Options → Verify listener on 127.0.0.1:8080
3. Configure Browser: Set browser proxy to 127.0.0.1:8080 (or use FoxyProxy extension)
4. Install CA Certificate: Browse to http://burp, download CA cert, import to browser

FoxyProxy

Install the FoxyProxy browser extension to quickly toggle between Burp proxy and direct connection. Much faster than changing settings manually!

    # Firefox proxy settings:
    # Settings → Network Settings → Manual proxy configuration
    # HTTP Proxy: 127.0.0.1 Port: 8080
    # Check: Also use this proxy for HTTPS

    # Installing Burp CA:
    # 1. With proxy enabled, visit http://burp
    # 2. Click "CA Certificate" to download
    # 3. Firefox: Settings → Certificates → Import
    # 4. Chrome: Settings → Security → Manage Certificates → Import

Proxy Tab

The Proxy tab is Burp's core feature - it intercepts all HTTP/HTTPS traffic for inspection and modification.

    # Intercept tab controls:
    # - Intercept is on/off: Toggle to pause/resume interception
    # - Forward: Send request to server
    # - Drop: Discard request
    # - Action: Send to other Burp tools

    # HTTP history tab:
    # - Shows all requests that passed through proxy
    # - Filter by host, response code, MIME type
    # - Right-click to send to other tools

    # WebSockets history:
    # - Captures WebSocket messages
    # - Useful for real-time applications

Keep "Intercept is off" when browsing normally to build up HTTP history. Turn it on when you want to modify specific requests.

Repeater

Repeater lets you manually modify and resend individual requests. It's your go-to tool for testing parameter manipulation.

    # How to use Repeater:
    # 1. Intercept a request or find it in HTTP history
    # 2. Right-click → Send to Repeater (Ctrl+R)
    # 3. Modify the request in the left panel
    # 4. Click "Send"
    # 5. View response in the right panel

    # Common modifications:
    # - Change parameter values
    # - Add/remove headers
    # - Change HTTP method (GET → POST)
    # - Test SQL injection payloads
    # - Test XSS payloads

Multiple Tabs

Use numbered tabs in Repeater to compare different payload variations. Rename tabs (right-click → Rename) for organization.

Intruder

Intruder automates customized attacks against web applications. Perfect for brute forcing, fuzzing, and parameter manipulation.

    # Attack Types:

    # 1. Sniper
    # - Single payload set
    # - Each position tested one at a time
    # - Good for: Testing one parameter with multiple values
    # Example: Testing usernames against single password

    # 2. Battering Ram
    # - Single payload set
    # - Same payload in all positions simultaneously
    # - Good for: Testing same value in multiple fields
    # Example: Username and password fields with same wordlist

    # 3. Pitchfork
    # - Multiple payload sets (one per position)
    # - Payloads used in parallel (1-1, 2-2, 3-3...)
    # - Good for: Known username:password combinations
    # Example: Credential stuffing

    # 4. Cluster Bomb
    # - Multiple payload sets
    # - All combinations tested
    # - Good for: Brute forcing username AND password
    # Example: 100 users × 100 passwords = 10,000 requests

Intruder in Community Edition is rate-limited. For large wordlists, consider using tools like ffuf, wfuzz, or Hydra instead.

Using Intruder

1. Send Request: Right-click request → Send to Intruder (Ctrl+I)
2. Configure Positions: Clear all positions, then highlight and "Add §" to mark injection points
3. Select Attack Type: Choose appropriate type based on your goal
4. Configure Payloads: Add wordlist or payload options for each position
5. Start Attack: Click "Start Attack" and analyze results

    # Example: Brute forcing login

    # Original request:
    POST /login HTTP/1.1
    Host: target.com

    username=admin&password=test

    # After marking positions (Sniper for password):
    POST /login HTTP/1.1
    Host: target.com

    username=admin&password=§test§

    # Payload: rockyou.txt (or smaller wordlist)
    # Look for: Different response length or status code
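As an added example (not part of the original room), the following Python expands a §-marked template like the login request above into the request list each of the four attack types would produce, so the request counts from the Attack Types section can be checked without sending anything. The template, user list and password list are constructed here for illustration.

```python
# Added example, not from the original room: expands a §-marked Intruder
# template into the request list each attack type would send. Nothing is
# sent; the template and payload lists are constructed for illustration.
import itertools
import re
from typing import List

POSITION = re.compile(r"§(.*?)§")

def positions(template: str) -> List[str]:
    """Current value of every §...§ position, left to right."""
    return POSITION.findall(template)

def render(template: str, values: List[str]) -> str:
    """Replace the positions with one value each, left to right."""
    it = iter(values)
    return POSITION.sub(lambda _: next(it), template)

def sniper(template: str, payloads: List[str]) -> List[str]:
    """One payload set; each position is fuzzed in turn while the others
    keep their original value (positions x payloads requests)."""
    original = positions(template)
    requests = []
    for i in range(len(original)):
        for p in payloads:
            values = list(original)
            values[i] = p
            requests.append(render(template, values))
    return requests

def battering_ram(template: str, payloads: List[str]) -> List[str]:
    """One payload set, same payload in every position (one request per payload)."""
    n = len(positions(template))
    return [render(template, [p] * n) for p in payloads]

def pitchfork(template: str, sets: List[List[str]]) -> List[str]:
    """One set per position, walked in parallel (1-1, 2-2, ...); stops at the shortest set."""
    return [render(template, list(combo)) for combo in zip(*sets)]

def cluster_bomb(template: str, sets: List[List[str]]) -> List[str]:
    """One set per position, every combination (product of the set sizes)."""
    return [render(template, list(combo)) for combo in itertools.product(*sets)]

# Constructed template: the room's login request with both fields marked.
LOGIN = ("POST /login HTTP/1.1\r\nHost: target.com\r\n\r\n"
         "username=§admin§&password=§test§")

if __name__ == "__main__":
    print(len(cluster_bomb(LOGIN, [[str(i) for i in range(100)]] * 2)), "requests")
```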

Decoder

Decoder transforms data between various encoding formats. Essential for understanding and manipulating encoded data in requests.

    # Supported formats:
    # - URL encoding (%20, %3C, etc.)
    # - HTML encoding (&lt;, &gt;, etc.)
    # - Base64
    # - Hex
    # - ASCII Hex
    # - Gzip
    # - Various hashes (MD5, SHA, etc.)

    # Example workflow:
    # 1. Paste encoded string: dGVzdA==
    # 2. Click "Decode as" → Base64
    # 3. Result: test

    # Encoding example:
    # 1. Type: <script>alert(1)</script>
    # 2. Click "Encode as" → URL
    # 3. Result: %3Cscript%3Ealert%281%29%3C%2Fscript%3E

Smart Decode

Use "Smart Decode" to automatically detect and decode multiple encoding layers. Useful for complex encoded payloads.
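The two Decoder workflows above and the Smart Decode idea, as an added Python example that is not part of the original room: it reproduces the Base64 and URL results shown, and its smart_decode is a deliberately simplified layer-peeling loop (URL escapes, HTML entities, then Base64), not Burp's own detection logic.

```python
# Added example, not from the original room: the Decoder workflows above
# in Python, plus a simplified "Smart Decode" that peels URL, HTML and
# base64 layers until the text stops changing (Burp's heuristic is richer).
import base64
import binascii
import html
import urllib.parse
from typing import List, Optional, Tuple

def url_encode(text: str) -> str:
    """Full URL encoding; safe='' so '/' becomes %2F as in the room's result."""
    return urllib.parse.quote(text, safe="")

def url_decode(text: str) -> str:
    return urllib.parse.unquote(text)

def b64_decode(text: str) -> Optional[str]:
    """Decoded UTF-8 text, or None if the input is not valid base64 text."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def smart_decode(text: str, max_layers: int = 10) -> Tuple[str, List[str]]:
    """Strip encoding layers outermost-first and report which were found.
    Order of checks: URL escapes, HTML entities, then base64; a short
    string that happens to be valid base64 can be a false positive."""
    layers: List[str] = []
    for _ in range(max_layers):
        if "%" in text and url_decode(text) != text:
            text, layer = url_decode(text), "url"
        elif "&" in text and html.unescape(text) != text:
            text, layer = html.unescape(text), "html"
        else:
            decoded = b64_decode(text)
            if decoded is None or decoded == text:
                break
            text, layer = decoded, "base64"
        layers.append(layer)
    return text, layers
```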

Comparer

    # Comparer highlights differences between two items

    # Use cases:
    # - Compare responses to find injection success indicators
    # - Compare before/after parameter changes
    # - Identify subtle differences in authentication responses

    # How to use:
    # 1. Right-click response → Send to Comparer
    # 2. Send second response to Comparer
    # 3. Select both items and click "Words" or "Bytes"
    # 4. Differences are highlighted

Sequencer

Sequencer analyzes the randomness of tokens. Poor randomness in session tokens can lead to prediction attacks.

    # Usage:
    # 1. Intercept response containing session token
    # 2. Right-click → Send to Sequencer
    # 3. Configure token location
    # 4. Start live capture
    # 5. Collect 10,000+ samples
    # 6. Analyze results

    # Results interpretation:
    # - Bits of entropy indicate randomness quality
    # - >64 bits is generally secure
    # - <32 bits may be predictable
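To make the "bits of entropy" figure concrete, here is an added Python example (not from the original room) that estimates entropy for a token sample as the sum of per-character-position Shannon entropies, then applies the room's >64 / <32 rule of thumb. This estimator is an assumption for illustration only (Sequencer runs a much larger battery of tests); the sequential and random token samples are constructed, with the random one seeded so the result is reproducible.

```python
# Added example, not from the original room: a simplified per-position
# Shannon entropy estimate for a token sample, to show why sequential
# tokens score far below random ones. Burp's Sequencer runs many more tests.
import math
import random
from collections import Counter
from typing import List

def position_entropy(symbols: List[str]) -> float:
    """Shannon entropy in bits of the values seen at one character position."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def estimate_entropy_bits(tokens: List[str]) -> float:
    """Sum of per-position entropies. Assumes fixed-length tokens and treats
    positions as independent, so it is an upper bound on the joint entropy."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all be the same length")
    return sum(position_entropy([t[i] for t in tokens]) for i in range(length))

def sequential_tokens(n: int, start: int = 1000) -> List[str]:
    """Constructed weak sample: a counter rendered as 32 hex digits."""
    return [f"{start + i:032x}" for i in range(n)]

def random_tokens(n: int, seed: int = 7) -> List[str]:
    """Constructed strong sample: 128 random bits per token. Seeded for a
    reproducible example; real session tokens must come from a CSPRNG."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(128):032x}" for _ in range(n)]

def classify(bits: float) -> str:
    """Apply the room's rule of thumb to an entropy estimate."""
    if bits > 64:
        return "generally secure"
    if bits < 32:
        return "may be predictable"
    return "borderline"

if __name__ == "__main__":
    for name, sample in [("sequential", sequential_tokens(2000)),
                         ("random", random_tokens(2000))]:
        bits = estimate_entropy_bits(sample)
        print(f"{name}: ~{bits:.1f} bits -> {classify(bits)}")
```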

Pro Tips

    # Keyboard shortcuts:
    # Ctrl+R - Send to Repeater
    # Ctrl+I - Send to Intruder
    # Ctrl+U - URL encode selection
    # Ctrl+Shift+U - URL decode selection

    # Scope configuration:
    # Target → Scope → Add target
    # Useful for: Filtering to only target domains

    # Match and Replace:
    # Proxy → Options → Match and Replace
    # Automatically modify requests/responses
    # Example: Auto-add custom header to all requests

    # Response modification:
    # Proxy → Options → Response Modification
    # Enable "Unhide hidden form fields"
    # Enable "Remove all JavaScript"

    # Session handling:
    # Project options → Sessions
    # Configure macros for authentication
    # Auto-login when session expires

Knowledge Check

Quick Quiz
Question 1 of 3

Which Intruder attack type tests all combinations of multiple payload sets?

Key Takeaways

  • Proxy intercepts and modifies HTTP traffic in real-time
  • Repeater is for manual request manipulation and testing
  • Intruder automates attacks (rate-limited in Community Edition)
  • Decoder handles encoding/decoding transformations
  • Install Burp's CA certificate to intercept HTTPS
  • Use FoxyProxy for quick proxy toggling