Burp Suite for Web Penetration Testing — Configuration, Interception, and Advanced Automation
Cybersecurity


[2026-07-04] Author: Ing. Calogero Bono

You just inherited a web application full of endpoints, forms, and APIs. A previous assessment report says “all clear,” but your gut says otherwise. We see it every day: companies that paid for superficial tests and later find an SQL injection in production. Burp Suite isn’t magic—it’s the tool that turns your gut feeling into evidence. But if you only use it to intercept requests, you’re using 10% of its potential.

We, at Meteora Web, have integrated Burp Suite into security pipelines for clients handling sensitive data (healthcare, e-commerce, fintech). We come from accounting and ERP: we know that every unfixed vulnerability is a future cost. In this guide, we show you how to use Burp Suite not as a toy, but as a war machine for web penetration testing.

What is Burp Suite and why is it the de facto standard for web penetration testing?

Burp Suite is an interception proxy developed by PortSwigger. It sits between your browser and the target server, allowing you to analyze, modify, and replay every HTTP/HTTPS request. It’s not the only tool (ZAP is a valid open-source alternative), but its combination of Intruder, Repeater, Scanner, and Decoder makes it the tool of choice for professional penetration testers.

Why we at Meteora Web use it

We managed the ERP system of a clothing store: every accounting transaction had to be traceable. With Burp Suite it’s the same: every request is logged, every modification is documented. When a client asks us “Is my site safe?”, we start with a Burp test. We don’t trust words, only logs.


Immediate action: Download the free Community Edition from PortSwigger. If you work professionally, the Professional Edition (about €450/year) includes an automated scanner and project saving.

How to configure Burp Suite to intercept HTTPS traffic from a browser?

First, make your browser trust Burp’s CA certificate. Burp decrypts HTTPS by presenting its own certificate for each site; without trusting the CA that signs them, the browser rejects the connection and the traffic cannot be inspected.

Step-by-step

  1. Open Burp Suite, go to Proxy > Options > Import/Export CA certificate and save the certificate.
  2. In your browser (Chrome/Firefox), import the certificate as a trusted Certificate Authority.
  3. In Burp, make sure Intercept is on (“Intercept is on”).
  4. Set your browser’s proxy to 127.0.0.1:8080 (or the IP of the machine running Burp).
  5. Visit an HTTPS site: you’ll see pending requests. Press Forward to let them pass.

Caution: If you use a normal browser for daily browsing, disable the proxy after the test. Better yet, use a separate browser (e.g., Firefox Portable) dedicated to pentesting.

Command line launch (Linux/macOS):

java -jar burpsuite_community.jar

Common mistake: Firefox uses its own proxy settings rather than the system’s. Set localhost:8080 for both HTTP and HTTPS, and disable “Proxy DNS when using SOCKS”.


How to use Burp Suite Intruder for brute force and fuzzing?

Intruder is the automation engine that lets you send hundreds or thousands of requests by varying parameters (payloads). It’s used for login testing, IDOR, injection, directory brute force, and more.

Setting up a basic attack

  1. Intercept a login request with parameters username and password.
  2. Right-click on the request > Send to Intruder.
  3. In the Positions tab, select the value to attack (e.g., the password field) and click Add §.
  4. Go to Payloads: load a wordlist (rockyou.txt, SecLists, etc.).
  5. In Settings, set Redirect handling and Threads (no more than 5 to avoid DoS).
  6. Click Start attack.

Result analysis: Look for differences in response length, status code, or error messages. We often filter by Length different from baseline.

Sample payload for fuzzing a REST endpoint:

../../etc/passwd

1' OR '1'='1

Warning: Do not run attacks on systems without written authorization. We at Meteora Web always emphasize: bridging the digital divide does not mean breaking the law, but training responsible professionals.
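As an added example (not code from the article or from PortSwigger), this Python applies the result-analysis heuristic above to constructed rows shaped like an Intruder results table: it derives the baseline (status, length) signature from the majority of responses and flags every row whose status, length or response time deviates from it.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class IntruderResult:
    payload: str
    status: int      # HTTP status column of the results table
    length: int      # response length column (bytes)
    elapsed_ms: int  # response time column

# Constructed sample rows, modelled on the columns of an Intruder results table
SAMPLE_RESULTS = [
    IntruderResult("baseline", 200, 1542, 120),
    IntruderResult("guest", 200, 1542, 115),
    IntruderResult("admin", 200, 1542, 118),
    IntruderResult("../../etc/passwd", 403, 312, 90),
    IntruderResult("1' OR '1'='1", 500, 2210, 130),
    IntruderResult("payload-6", 200, 1542, 4900),  # constructed slow response
]

def baseline_signature(results):
    """The (status, length) pair most payloads produce: the 'nothing happened' response."""
    return Counter((r.status, r.length) for r in results).most_common(1)[0][0]

def triage(results, time_factor=3.0):
    """Return (payload, reason) for every row that deviates from the baseline."""
    base_status, base_length = baseline_signature(results)
    typical_ms = median(r.elapsed_ms for r in results)
    findings = []
    for r in results:
        reasons = []
        if r.status != base_status:
            reasons.append(f"status {r.status} != {base_status}")
        if r.length != base_length:
            reasons.append(f"length {r.length} != {base_length}")
        if r.elapsed_ms > time_factor * typical_ms:
            reasons.append(f"slow: {r.elapsed_ms}ms vs median {typical_ms:.0f}ms")
        if reasons:
            findings.append((r.payload, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for payload, reason in triage(SAMPLE_RESULTS):
        print(f"{payload!r}: {reason}")
```

Every flagged row is a candidate to confirm in Repeater, not a finding by itself.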

How to use Burp Suite Repeater for manual testing and vulnerability confirmation?

Repeater sends a single request multiple times, letting you manually modify parameters and see the response immediately. It’s perfect for confirming a finding after Intruder identifies a candidate.


Effective workflow

  1. From Proxy > HTTP history, right-click a request and choose Send to Repeater.
  2. In the Repeater tab, modify the payload (e.g., id=1' OR '1'='1).
  3. Click Send. Compare the response with the original.
  4. If the response contains an SQL error or unexpected data, you have confirmation.
  5. Keyboard shortcuts: Ctrl+R (Windows/Linux) or Cmd+R (macOS) to send to Repeater quickly.

Real example: We tested an e-commerce site using a product_id GET parameter. With Repeater we changed the ID to product_id=1001 AND 1=1 and got data for unpublished products. Without Burp, that data would have remained exposed.

What are the essential extensions for Burp Suite?

Burp has an ecosystem of extensions (BApp Store) that extend its capabilities. We use several daily to speed up work.

Top extensions

  • Autorize: tests authorization of different roles (admin vs user) automatically. Essential for vertical IDOR.
  • Logger++: logs all requests in a searchable format. Great for audits.
  • Turbo Intruder: script complex attacks with Python. For high-speed fuzzing (watch rate limits).
  • JSON Web Tokens: decode and modify JWT directly in Burp.
  • ActiveScan++: extends the scanner with new checks for CSRF, XXE, etc.

How to install: Go to Extender > BApp Store, search and install. Restart Burp after installation.


How to automate scanning with the built-in scanner (Professional only)?

Burp Professional includes a scanner that automates crawling and testing for many common vulnerabilities (SQLi, XSS, SSRF, etc.). It’s powerful but must be used with care—it’s not a “magic button”.

Setting up a targeted scan

  1. Go to Target > Site map, select a domain.
  2. Right-click > Scan.
  3. Choose Scan configuration: use “Crawl and audit” for a full test, or “Audit selected items” for a subset.
  4. Caution on insertion points: enable “Insertion points” for non-standard parameters (JSON, XML, headers).
  5. Start the scan and monitor results in Dashboard > Scan queue.

The scanner produces false positives. Verify every finding manually with Repeater or Intruder.

Professional tip: Do not run the scanner on production environments without a rate limit. We’ve seen servers go down from too many concurrent requests. Set Throttle to 100ms between requests.

How to use Decoder and Comparer for data analysis and differences?

The Decoder lets you decode/encode in base64, URL, hex, HTML, etc. The Comparer compares two requests or responses to spot minute differences (useful for timing attacks or error response variations).


Practical example (Decoder): You have a JWT whose segments are base64-encoded. Paste the payload segment into Decoder, select “Base64 decode”, and you get the JSON payload. Modify the role from “user” to “admin”, re-encode in base64, and use Repeater to resend the request. If the server accepts the modified token, bingo: it is not properly verifying the signature.

Comparer: After an Intruder attack, select two responses with similar but different lengths and send them to Comparer. It shows the lines that differ, highlighting where the payload had an effect.
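As an added example (not code from the article or from Burp), this Python reproduces the Decoder walkthrough on a constructed HS256 token: it decodes the payload segment, changes the role, re-encodes it and keeps the old signature, then shows the difference between a server that reads claims without verification and one that pins the algorithm and checks the HMAC. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example, not a real key

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header_b64: str, payload_b64: str, secret: bytes) -> str:
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return b64url_encode(mac)

def make_token(claims: dict, secret: bytes) -> str:
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sign_hs256(header_b64, payload_b64, secret)}"

def tamper_role(token: str, new_role: str) -> str:
    # The Decoder walkthrough: decode the payload, edit 'role', re-encode, keep the old signature
    header_b64, payload_b64, sig = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["role"] = new_role
    new_payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig}"

def claims_unverified(token: str) -> dict:
    # Vulnerable server: reads the payload and never checks the signature
    return json.loads(b64url_decode(token.split(".")[1]))

def claims_verified(token: str, secret: bytes):
    # Hardened server: pin the algorithm, recompute the HMAC, compare in constant time
    header_b64, payload_b64, sig = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, sign_hs256(header_b64, payload_b64, secret)):
        return None
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    token = make_token({"sub": "42", "role": "user"}, SECRET)
    forged = tamper_role(token, "admin")
    print("unverified server sees role:", claims_unverified(forged)["role"])
    print("verified server accepts forged token:", claims_verified(forged, SECRET) is not None)
```

Note that Burp’s plain “Base64 decode” may choke on a segment whose padding was stripped; the helper above restores it, which is what the Decoder’s base64url handling does for you.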

What to do now to start with Burp Suite?

  1. Download and install Burp Suite Community from the official site.
  2. Configure the proxy on a dedicated browser and import the certificate.
  3. Run your first test: intercept a login request and try modifying a parameter with Repeater.
  4. Download a wordlist (Daniel Miessler’s SecLists) and run an Intruder attack on a search parameter.
  5. Read the official documentation: Burp Suite Documentation. Start with “Getting Started”.

We at Meteora Web have included Burp Suite in our security stack because it combines the precision of an accountant (traceability) with the power of a hacker. Penetration testing is not an option: it’s the certification that your software has no holes. If you want to go deeper, read our pillar guide on Ethical Hacking and Penetration Testing.

Ing. Calogero Bono

Computer engineer, founder of Meteora Web and Zenith OS. System administrator and designer of proprietary platforms, apps and CMSs, with experience in full-stack development, digital marketing and the Google ecosystem.