You just inherited a web application full of endpoints, forms, and APIs. A previous assessment report says “all clear,” but your gut says otherwise. We see it every day: companies that paid for superficial tests and later find an SQL injection in production. Burp Suite isn’t magic—it’s the tool that turns your gut feeling into evidence. But if you only use it to intercept requests, you’re using 10% of its potential.
We, at Meteora Web, have integrated Burp Suite into security pipelines for clients handling sensitive data (healthcare, e-commerce, fintech). We come from accounting and ERP: we know that every unfixed vulnerability is a future cost. In this guide, we show you how to use Burp Suite not as a toy, but as a war machine for web penetration testing.
What is Burp Suite and why is it the de facto standard for web penetration testing?
Burp Suite is an interception proxy developed by PortSwigger. It sits between your browser and the target server, allowing you to analyze, modify, and replay every HTTP/HTTPS request. It's not the only tool (ZAP is a valid open-source alternative), but its combination of Intruder, Repeater, Decoder, Comparer and, in the Professional edition, the Scanner makes it the tool of choice for professional penetration testers.
Why we at Meteora Web use it
We managed the ERP system of a clothing store: every accounting transaction had to be traceable. With Burp Suite it’s the same: every request is logged, every modification is documented. When a client asks us “Is my site safe?”, we start with a Burp test. We don’t trust words, only logs.
Immediate action: Download the free Community Edition from PortSwigger. If you work professionally, the Professional Edition (about €450/year) includes an automated scanner and project saving.
How to configure Burp Suite to intercept HTTPS traffic from a browser?
First, make your browser trust Burp's CA certificate. Burp terminates TLS and re-signs every site's certificate with its own CA; until the browser trusts that CA, every HTTPS page ends in a certificate error and you never see the traffic.
Step-by-step
- Open Burp Suite, go to Proxy > Proxy settings (Proxy > Options in older versions) > Import / export CA certificate, and export the certificate in DER format. With the browser already pointed at the proxy you can also download it from http://burp/cert.
- In your browser (Chrome/Firefox), import the certificate as a trusted Certificate Authority.
- Set your browser's proxy to 127.0.0.1:8080 (or the IP of the machine running Burp, if its listener is bound to an external interface).
- In Burp, make sure Intercept is on ("Intercept is on").
- Visit an HTTPS site: you'll see pending requests. Press Forward to let them pass.
Caution: If you use a normal browser for daily browsing, disable the proxy after the test. Better yet, use a separate browser (e.g., Firefox Portable) dedicated to pentesting.
Command line launch (Linux/macOS):
java -jar burpsuite_community.jar
Common mistake: Firefox keeps its own proxy settings, separate from the system ones. Under Settings > Network Settings choose "Manual proxy configuration", enter localhost and port 8080 for the HTTP proxy and tick "Also use this proxy for HTTPS". The "Proxy DNS when using SOCKS v5" option only applies to SOCKS proxies and can be left as it is here.
How to use Burp Suite Intruder for brute force and fuzzing?
Intruder is the automation engine that lets you send hundreds or thousands of requests by varying parameters (payloads). It’s used for login testing, IDOR, injection, directory brute force, and more.
Setting up a basic attack
- Intercept a login request with the parameters username and password.
- Right-click on the request > Send to Intruder.
- In the Positions tab, select the value to attack (e.g., the password field) and click Add §.
- Go to Payloads: load a wordlist (rockyou.txt, SecLists, etc.).
- In Resource pool (Options > Request engine in older versions), keep the number of concurrent requests low (no more than 5 against a production system, to avoid causing a denial of service), and in Settings choose how redirections are handled (following them is usually needed for login tests).
- Click Start attack.
Result analysis: Look for differences in response length, status code, or error messages. We often filter by Length different from baseline.
Sample payloads for fuzzing a parameter (a path traversal probe and a SQL injection probe):
../../etc/passwd
1' OR '1'='1
Warning: Do not run attacks on systems without written authorization. We at Meteora Web always emphasize: bridging the digital divide does not mean breaking the law, but training responsible professionals.
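The result analysis described above, as an added example that is not code from the original article: an offline triage of Intruder-style results that flags responses whose status or length departs from the baseline, then diffs an outlier against the baseline the way Comparer does. The responses are constructed for the example, not captured from a real target.

```python
"""Offline triage of Intruder results: flag responses whose status or length
departs from the baseline, then diff an outlier against the baseline.
Added example, not code from the original article; the responses below are
constructed, not captured from a real target."""
import difflib
from dataclasses import dataclass


@dataclass
class Result:
    payload: str
    status: int
    body: str

    @property
    def length(self) -> int:
        return len(self.body)


# Constructed responses for a search parameter; the baseline is the unmodified request.
BASELINE = Result("", 200, "<h1>Results</h1>\n<ul>\n<li>Widget</li>\n<li>Gadget</li>\n</ul>")
RESULTS = [
    Result("test", 200, BASELINE.body),
    Result("../../etc/passwd", 200, "<h1>Results</h1>\n<ul>\n</ul>"),
    Result("1' OR '1'='1", 500,
           "<h1>Error</h1>\n<p>You have an error in your SQL syntax near ''1'='1'</p>"),
    Result("<script>", 403, "<h1>Forbidden</h1>\n<p>Request blocked by WAF</p>"),
]


def triage(baseline, results, length_tolerance=10):
    """Return (result, reasons) for every response that differs from the baseline
    in status code or by more than length_tolerance bytes: the same filter the
    text applies by hand in the Intruder results table."""
    flagged = []
    for r in results:
        reasons = []
        if r.status != baseline.status:
            reasons.append(f"status {r.status} != baseline {baseline.status}")
        if abs(r.length - baseline.length) > length_tolerance:
            reasons.append(f"length {r.length} vs baseline {baseline.length}")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def lines_only_in(result, baseline):
    """Comparer-style diff: the response lines the baseline does not contain,
    which is where the payload had an effect (error text, missing items, WAF page)."""
    diff = difflib.ndiff(baseline.body.splitlines(), result.body.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


if __name__ == "__main__":
    for r, reasons in triage(BASELINE, RESULTS):
        print(f"{r.payload!r}: {'; '.join(reasons)}")
        for line in lines_only_in(r, BASELINE):
            print("   +", line)
```

The tolerance matters: dynamic pages (timestamps, CSRF tokens) shift the length by a few bytes on every request, so a zero tolerance flags everything and a large one hides the short error page you are looking for. Calibrate it by sending the baseline request twice and measuring the noise.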
How to use Burp Suite Repeater for manual testing and vulnerability confirmation?
Repeater sends a single request multiple times, letting you manually modify parameters and see the response immediately. It’s perfect for confirming a finding after Intruder identifies a candidate.
Effective workflow
- From Proxy > HTTP history, right-click a request and choose Send to Repeater.
- In the Repeater tab, modify the payload (e.g., id=1' OR '1'='1).
- Click Send. Compare the response with the original.
- If the response contains a database error, or changes between a true and a false condition (id=1 AND 1=1 versus id=1 AND 1=2) while an unmodified request matches the true case, you have a confirmed injection rather than a scanner guess.
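The confirmation step above, as an added example that is not code from the original article or from any real application: a product lookup built by string concatenation (the bug) beside the parameterized version (the fix), driven through the same probes you would send from Repeater. It runs on an in-memory SQLite database with constructed rows.

```python
"""Why the Repeater confirmation works: a vulnerable lookup beside the fixed one,
driven through the same probes you would send from Repeater. Added example on an
in-memory SQLite database with constructed rows; not code from the original
article or from any real application."""
import sqlite3


def make_db():
    """Constructed data: one published product and one that is not public yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1001, "Public widget", 1), (1002, "Unreleased gadget", 0)])
    return conn


def lookup_vulnerable(conn, product_id: str):
    """The bug: the parameter is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE published = 1 AND id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, product_id: str):
    """The fix: validate the type, then bind the value so it is only ever data."""
    try:
        pid = int(product_id)
    except ValueError:
        return []  # a real handler would answer 400 Bad Request
    sql = "SELECT id, name FROM products WHERE published = 1 AND id = ?"
    return conn.execute(sql, (pid,)).fetchall()


def boolean_probe(lookup, conn, base_id: str) -> bool:
    """The Repeater check: append a true and a false condition and compare.
    Injectable when the true case equals the baseline and the false case differs;
    the fixed endpoint rejects both probes, so neither matches the baseline."""
    baseline = lookup(conn, base_id)
    true_case = lookup(conn, base_id + " AND 1=1")
    false_case = lookup(conn, base_id + " AND 1=2")
    return baseline == true_case and false_case != baseline


def error_probe(lookup, conn, base_id: str) -> bool:
    """The other signal the text mentions: a stray quote raises a database error
    only if the parameter reaches the SQL parser."""
    try:
        lookup(conn, base_id + "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, boolean probe:", boolean_probe(lookup_vulnerable, db, "1001"))
    print("vulnerable, error probe:  ", error_probe(lookup_vulnerable, db, "1001"))
    # The OR that defeats the 'published = 1' filter and exposes hidden rows:
    print("vulnerable, 0 OR 1=1:     ", lookup_vulnerable(db, "0 OR 1=1"))
    print("fixed, boolean probe:     ", boolean_probe(lookup_fixed, db, "1001"))
    print("fixed, 0 OR 1=1:          ", lookup_fixed(db, "0 OR 1=1"))
```

The boolean pair is the evidence you put in the report: a single 1=1 that returns the same page as the baseline proves nothing by itself, because the page might return the same product for any input. Only the 1=2 case going empty while 1=1 matches shows the server is evaluating your text as SQL.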
Keyboard shortcuts: Ctrl+R (Windows/Linux) or Cmd+R (macOS) sends the selected request to Repeater; Ctrl+I / Cmd+I sends it to Intruder.
Real example: We tested an e-commerce site whose product page took a product_id GET parameter. With Repeater we changed the ID to product_id=1001 AND 1=1, the server evaluated it as SQL, and from there we obtained data for unpublished products. Without Burp, those data would have remained exposed and nobody would have known.
What are the essential extensions for Burp Suite?
Burp has an ecosystem of extensions (BApp Store) that extend its capabilities. We use several daily to speed up work.
Top extensions
- Autorize: replays every request you make with the session of a lower-privileged user (or no session at all) and reports which ones still succeed. Essential for finding vertical privilege escalation and other broken access control.
- Logger++: logs all requests in a searchable, exportable format. Great for audits and for the evidence section of the report.
- Turbo Intruder: script complex attacks in Python and send them at very high speed (watch rate limits and the target's capacity).
- JSON Web Tokens: decodes and edits JWTs directly in Burp and re-signs them with a key you supply, so you don't have to hand-assemble the segments.
- ActiveScan++: extends the scanner with additional checks (XXE, host header attacks and more). Requires the Professional edition, since it plugs into the active scanner.
How to install: Go to Extensions > BApp Store (Extender > BApp Store in older versions), search and click Install. Java extensions load immediately; Python ones such as Autorize need the Jython standalone JAR configured under Extensions > Extensions settings.
How to automate scanning with the built-in scanner (Professional only)?
Burp Professional includes a scanner that automates crawling and testing for many common vulnerabilities (SQLi, XSS, SSRF, etc.). It's powerful but must be used with care: it is not a "magic button".
Setting up a targeted scan
- Go to Target > Site map and select the host or branch you are authorized to test.
- Right-click > Scan.
- Choose the scan type: "Crawl and audit" for a full test, or "Audit selected items" to test only the requests you selected.
- Check the audit configuration's insertion points: enable the non-standard ones (JSON and XML bodies, headers, cookies) if the application uses them, otherwise those parameters are never tested.
- Start the scan and follow progress in the Dashboard task panel (the "scan queue" in older versions).
The scanner produces false positives. Verify every finding manually with Repeater or Intruder before it goes in the report.
Professional tip: Do not run the scanner against production without limiting its rate. We've seen servers go down under too many concurrent requests. Assign the scan a resource pool with a small number of concurrent requests and a delay between them (for example 100 ms), and tell the operations team before you start.
How to use Decoder and Comparer for data analysis and differences?
The Decoder lets you decode/encode in base64, URL, hex, HTML, etc. The Comparer shows a byte-by-byte or word-by-word diff of two requests or responses, which is how you spot the small variations between error responses or between a true and a false condition that the naked eye misses.
Practical example (Decoder): A JWT is three base64url-encoded segments, header.payload.signature. Paste the payload segment into Decoder, select "Base64 decode", and you get the JSON claims. Change the role from "user" to "admin", re-encode it in base64 (URL-safe alphabet, no "=" padding), reassemble the token with the original signature and resend the request with Repeater. If the server accepts it, bingo: it is not verifying the signature at all, because a correct verifier rejects any change to the payload. The JSON Web Tokens extension does the same steps for you and also covers the "alg": "none" variant.
Comparer: After an Intruder attack, select two responses with similar but different lengths and send them to Comparer. It shows the lines that differ, highlighting where the payload had an effect.
What to do now to start with Burp Suite?
- Download and install Burp Suite Community from the official site.
- Configure the proxy on a dedicated browser and import the certificate.
- Run your first test: intercept a login request and try modifying a parameter with Repeater.
- Download a wordlist (Daniel Miessler's SecLists) and run an Intruder attack on a search parameter.
- Read the official documentation: Burp Suite Documentation. Start with "Getting Started".
We at Meteora Web have included Burp Suite in our security stack because it combines the precision of an accountant (traceability) with the power of a hacker. Penetration testing is not optional: it is the evidence of what an attacker can actually do against your software at the moment you test it. If you want to go deeper, read our pillar guide on Ethical Hacking and Penetration Testing.
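The Decoder JWT exercise from the Decoder and Comparer section, done in code as an added example that is not from the original article: tampering with a JWT payload without re-signing only works against a server that never verifies the signature. SECRET is a constructed key standing in for the server's HS256 key, which a tester normally does not have; the broken and correct verifiers are both hypothetical, written here to show the difference.

```python
"""JWT tampering and why it succeeds or fails. Added example, not code from the
original article; SECRET is a constructed stand-in for the server's HMAC key."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 key


def b64url_encode(data: bytes) -> str:
    """JWT segments use the URL-safe alphabet without '=' padding (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """What the server does at login: header.payload signed with HMAC-SHA256."""
    signing_input = encode_json(header) + "." + encode_json(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def tamper(token: str, **claims) -> str:
    """What you do in Decoder: decode the payload, edit a claim, re-encode,
    and send it back with the original signature still attached."""
    header, payload, signature = token.split(".")
    claims_dict = json.loads(b64url_decode(payload))
    claims_dict.update(claims)
    return header + "." + encode_json(claims_dict) + "." + signature


def verify_broken(token: str, key: bytes):
    """Hypothetical vulnerable server: trusts whatever the payload says."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_correct(token: str, key: bytes):
    """Hypothetical fixed server: pins the algorithm (so 'alg': 'none' is rejected),
    recomputes the MAC and compares in constant time; returns None on any failure."""
    try:
        header, payload, signature = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return None


if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, SECRET)
    forged = tamper(token, role="admin")
    print("broken verifier sees role:", verify_broken(forged, SECRET)["role"])
    print("correct verifier result:  ", verify_correct(forged, SECRET))
```

Two details matter when you do this by hand in Decoder: the segments are base64url (the "-" and "_" characters and the missing padding are not a corruption), and the dots between segments are not part of the encoding. The "alg": "none" check in verify_correct is there because a verifier that honours the algorithm named in an attacker-controlled header can be told to skip the signature entirely.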