Burp Suite: Detailed Guide with Examples and Screenshots

Introduction

Burp Suite is a leading platform for web application security testing, developed by PortSwigger. It serves as an integrated toolkit for penetration testers, bug bounty hunters, and security professionals to identify, analyze, and exploit vulnerabilities in web applications. This tutorial provides a comprehensive, professional guide to using Burp Suite, covering installation, configuration, key features, practical examples, and best practices. We focus on Burp Suite Professional Edition for its advanced capabilities, but notes are included for the Community Edition where applicable.

This guide draws from official PortSwigger documentation, community tutorials, and practical scenarios. For hands-on learning, use PortSwigger's Web Security Academy labs (free at https://portswigger.net/web-security).

Note on Screenshots: Screenshots are referenced from official sources and tutorials. You can view them by visiting the linked pages or searching for "Burp Suite [feature] screenshot" on reliable sites like PortSwigger.net or Medium.com.

Editions of Burp Suite

  • Community Edition: Free, includes basic tools like Proxy, Repeater, and Intruder (limited). Ideal for beginners.
  • Professional Edition: Paid (trial available), adds automated scanning, advanced extensions, and reporting.
  • Enterprise Edition: For organizations, focuses on automated, scalable scanning.

Download from https://portswigger.net/burp/releases.

System Requirements

  • OS: Windows, macOS, Linux (Kali Linux pre-installs it).
  • Java: JRE 8 or later.
  • RAM: 4GB minimum (8GB+ recommended for scans).
  • Disk: 1GB+.

Installation

Steps

  1. Download: Visit https://portswigger.net/burp/releases and select Professional or Community Edition for your OS.
  2. Install:
    • Run the installer (.exe for Windows, .dmg for macOS, .jar for Linux via java -jar burpsuite_community.jar).
    • Launch Burp Suite. Select "Temporary project" and "Use Burp defaults" for quick start.
    • For Professional, enter your license key (request trial at https://portswigger.net/burp/pro/trial).
  3. Verify: Open Burp Suite; you should see the Dashboard.

Example: On Kali Linux, install or update Burp with sudo apt update && sudo apt install burpsuite.

Screenshot: For installation wizard, see PortSwigger's guide: https://portswigger.net/burp/documentation/desktop/getting-started/download-and-install (includes visual steps).

Configuring Burp Suite with Your Browser

To intercept traffic, set Burp as a proxy.

Steps for Proxy Setup

  1. In Burp: Go to Proxy > Options. Ensure the proxy listener is running on 127.0.0.1:8080.
  2. In Browser (Firefox recommended for ease):
    • Install FoxyProxy extension.
    • Add proxy: Title "Burp", Host 127.0.0.1, Port 8080.
    • Enable it.
  3. For HTTPS: With the proxy enabled, browse to http://burp and download the CA certificate. Import it into the browser's trusted certificates.
    • Firefox: Settings > Privacy & Security > Certificates > Import.
    • Chrome: Settings > Privacy > Manage certificates > Import to Trusted Root.

Example: Browse to http://example.com; request appears in Proxy > HTTP history.

Screenshot: Proxy tab example from Medium tutorial: Visit https://medium.com/@uhabiba503/a-step-by-step-guide-to-using-burpsuite-for-web-application-security-testing-da9fae620270 for visual guide (shows Proxy Options tab).

Key Features

1. Proxy

Intercepts HTTP/S traffic.

  • Usage: Enable Intercept to pause requests. Modify and forward.
  • Example: Change a login POST request's username to test SQL injection: admin' OR '1'='1 --.
  • Screenshot: Intercept button toggled – see https://portswigger.net/burp/documentation/desktop/getting-started/proxy for images.

2. Spider/Crawler

Maps application structure.

  • Usage: Add URL to Target > Scope. Right-click > Spider this host.
  • Example: Crawl https://ginandjuice.shop to discover endpoints like /login.
  • Screenshot: Site map tree – referenced in TryHackMe walkthroughs (e.g., https://iritt.medium.com/burp-suite-the-basics-d9d838544547).

3. Intruder

Automates attacks like brute-force.

  • Usage: Send request from Proxy to Intruder. Set positions (§payload§). Load payload list (e.g., rockyou.txt). Start attack.
  • Example: Brute-force a password: set the position on password=§pass§ and load a wordlist. Compare response lengths; the response that differs from the rest is the one to inspect.
  • Screenshot: Attack results table – see PortSwigger video: https://www.youtube.com/watch?v=QiNLNDSLuJY (timestamp for Intruder demo).
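The "analyze responses by length" step above is easy to do by eye for a few rows but not for thousands. The following is an added example, not code from the original post or from PortSwigger: it triages a constructed Intruder-style results table by finding the most common (status, length) signature (the uniform "login failed" response) and returning the rows that deviate from it. The same check is what an application owner runs against their own login form to confirm that failure responses are uniform and leak nothing. The IntruderResult type and the sample rows are assumptions made for the example; real rows would come from Burp's "Save results" export.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IntruderResult:
    """One row of an Intruder attack table (payload, status code, response length)."""
    payload: str
    status: int
    length: int


# Constructed sample rows, modelled on an Intruder results table where the
# payload position is the password field. Not real data.
SAMPLE_RESULTS = [
    IntruderResult("123456", 200, 3245),
    IntruderResult("password", 200, 3245),
    IntruderResult("qwerty", 200, 3245),
    IntruderResult("letmein", 302, 171),
    IntruderResult("welcome", 200, 3245),
    IntruderResult("monkey", 200, 3245),
]


def baseline_signature(results):
    """Return the most common (status, length) pair.

    In a credential test the failure responses are near-identical, so the
    most frequent signature is the baseline 'nothing happened' response.
    """
    sig_counts = Counter((r.status, r.length) for r in results)
    return sig_counts.most_common(1)[0][0]


def find_outliers(results):
    """Return rows whose (status, length) differs from the baseline.

    Each outlier is a candidate to re-send manually in Repeater. From the
    defender's side, an empty result means failures are uniform and the
    form does not reveal anything through status or length differences.
    """
    baseline = baseline_signature(results)
    return [r for r in results if (r.status, r.length) != baseline]


if __name__ == "__main__":
    print("baseline:", baseline_signature(SAMPLE_RESULTS))
    for row in find_outliers(SAMPLE_RESULTS):
        print("outlier:", row)
```

Sorting Burp's results table by the Length column gives the same picture; the function is useful when results are exported and post-processed outside Burp, or when the same check is scripted into a regression test for a login endpoint.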

4. Repeater

Manually resend modified requests.

  • Usage: Send request to Repeater. Edit and "Send".
  • Example: Test a race condition: send two requests in quick succession that both change the account balance.
  • Screenshot: Repeater tab with request/response – from https://portswigger.net/burp/documentation/desktop/tools/repeater (includes UI images).

5. Scanner (Professional Only)

Automated vulnerability detection.

  • Usage: Right-click target in Site Map > Actively scan this host.
  • Example: Scan for XSS: the Scanner injects payloads such as <script>alert(1)</script> and flags endpoints where they are reflected.
  • Screenshot: Scan results in Dashboard – see https://portswigger.net/burp/documentation/desktop/getting-started/running-your-first-scan.

6. Decoder

Encodes/decodes data.

  • Usage: Paste text, select format (e.g., Base64 decode).
  • Example: Decode cookie: dXNlcj1hZG1pbg== → "user=admin".
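Cookie and token values in the proxy history are often wrapped in more than one encoding (a Base64 value that is then URL-encoded, or Base64 with the padding stripped), and Decoder's "smart decode" peels these layers one at a time. The block below is an added example, not Burp's code or PortSwigger's: it reproduces that layered decoding in plain Python, handling missing padding and the URL-safe alphabet, and records which layer was removed at each step so the result can be documented in a finding. The function names and the sample values are assumptions made for the example; only dXNlcj1hZG1pbg== comes from the text above.

```python
import base64
import binascii
from urllib.parse import unquote


def base64_decode_lenient(value: str) -> bytes:
    """Decode standard or URL-safe Base64, restoring any missing '=' padding.

    Many applications emit tokens without padding; Burp's Decoder accepts
    them, and so does this helper. Non-alphabet characters still raise.
    """
    cleaned = value.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def peel_encodings(value: str, max_layers: int = 5) -> list:
    """Strip encoding layers one at a time, recording each step.

    Returns a list of (encoding, decoded_text) pairs in the order the
    layers were removed, e.g. [("url", "..."), ("base64", "user=admin")].
    Stops as soon as no layer decodes cleanly to printable text.
    """
    steps = []
    current = value
    for _ in range(max_layers):
        # Layer 1: URL decoding. Counts only if it actually changed something.
        decoded = unquote(current)
        if decoded != current:
            steps.append(("url", decoded))
            current = decoded
            continue
        # Layer 2: hex, with or without a 0x prefix, even length only.
        hex_candidate = current[2:] if current.lower().startswith("0x") else current
        if len(hex_candidate) >= 2 and len(hex_candidate) % 2 == 0:
            try:
                text = bytes.fromhex(hex_candidate).decode("utf-8")
                if text.isprintable():
                    steps.append(("hex", text))
                    current = text
                    continue
            except (ValueError, UnicodeDecodeError):
                pass
        # Layer 3: Base64. Accept only if the result is printable text,
        # so random binary that happens to decode is not mistaken for a layer.
        try:
            text = base64_decode_lenient(current).decode("utf-8")
            if text and text.isprintable():
                steps.append(("base64", text))
                current = text
                continue
        except (binascii.Error, ValueError, UnicodeDecodeError):
            pass
        break
    return steps


if __name__ == "__main__":
    for sample in ("dXNlcj1hZG1pbg==", "dXNlcj1hZG1pbg%3D%3D"):
        print(sample, "->", peel_encodings(sample))
```

The order of checks matters: URL decoding is tried first because a percent-encoded Base64 string is not valid Base64 until the %3D padding is restored, and the printable-text test on each layer is what prevents the helper from "decoding" a plain password into garbage.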

7. Collaborator

Tests out-of-band vulnerabilities.

  • Usage: Generate payload, inject, poll for interactions.
  • Example: Blind XSS: Inject Collaborator URL in form.

8. Extensions (BApps)

Extend functionality via BApp Store.

  • Example: Install "Active Scan++" for enhanced scanning.

Practical Example: Testing for SQL Injection

Use PortSwigger's lab: https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data.

  1. Setup: Proxy traffic to lab site.
  2. Intercept: Capture GET request for product list.
  3. Repeater: Modify the parameter to category=Gifts' OR 1=1--. Send; the response now lists all products, including the hidden ones.
  4. Intruder: Fuzz for advanced payloads.
  5. Scanner: Run audit; confirms vulnerability.
  6. Report: Export issues from Dashboard.
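To see why the payload in step 3 works and what the fix looks like, here is an added example (not PortSwigger's lab code, and not part of the original post) that rebuilds the lab's product filter against an in-memory SQLite table. products_vulnerable builds the query by string concatenation, the way the lab application does, so the quote in the payload closes the category string and the 1=1 condition plus the -- comment discard the released = 1 filter. products_safe binds the same input as a parameter, so it is only ever compared as data. The table contents and function names are assumptions made for the example.

```python
import sqlite3


def make_shop_db():
    """Constructed product table mirroring the lab: released rows are shown,
    unreleased rows are the 'hidden data' the lab is about."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, category TEXT, released INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Gift card", "Gifts", 1),
            ("Mug", "Gifts", 1),
            ("Unreleased gadget", "Gifts", 0),
            ("Secret book", "Books", 0),
            ("Novel", "Books", 1),
        ],
    )
    return conn


def products_vulnerable(conn, category):
    """Query built by string concatenation: the category value is parsed as SQL.

    With category = "Gifts' OR 1=1--" the statement becomes
      SELECT name FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
    and the released filter is commented out, so every row comes back.
    """
    sql = (
        "SELECT name FROM products WHERE category = '"
        + category
        + "' AND released = 1"
    )
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category):
    """Parameterised query: the driver binds the value, so quotes inside it
    are just characters and the released filter always applies."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_shop_db()
    payload = "Gifts' OR 1=1--"
    print("vulnerable, normal input :", products_vulnerable(db, "Gifts"))
    print("vulnerable, lab payload  :", products_vulnerable(db, payload))
    print("parameterised, lab payload:", products_safe(db, payload))
```

Burp Scanner (step 5) reports this as SQL injection because it observes the same effect from the outside: the response body changes size and content when a quote and a tautology are added to the parameter. The parameterised version is the remediation to recommend in the report from step 6.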

Screenshot: SQL injection exploit in Repeater – refer to https://portswigger.net/burp/documentation/desktop/testing-workflow/input-validation/sql-injection/testing for visual example.

Best Practices and Tips

  • Legal Use: Test only authorized systems (e.g., labs, bug bounties).
  • Scope: Limit to target URLs to avoid noise.
  • Updates: Regularly update Burp for new features.
  • Learning: Complete Web Security Academy labs; watch videos like https://www.youtube.com/watch?v=mx7_5m8aL00 (5-hour guide).
  • Performance: Increase RAM allocation in burpsuite.bat for large scans.
  • Common Pitfalls: Ensure Burp's CA certificate is imported and trusted; otherwise HTTPS sites show certificate errors in the browser.

Conclusion

Burp Suite is indispensable for web security testing. Start with Community Edition, upgrade for automation. Practice in safe environments to master it. For more, explore PortSwigger's videos (https://portswigger.net/burp/pro/video-tutorials) and books like "Burp Suite Cookbook" (PDF available online).

References:

  • Official Docs: https://portswigger.net/burp/documentation
  • Tutorials: Medium articles, YouTube channels listed above.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
