Post 10: Burp Suite for Web Pentesters
The Swiss Army Proxy for Recon, Exploitation, and Mastery
Burp Suite is the most powerful tool in a web pentester’s arsenal. Whether you’re performing recon, brute-forcing, exploiting injection points, or breaking session management — Burp is where it all happens.
This post is your complete guide to mastering Burp Suite from the ground up, including manual testing, automated fuzzing, and practical usage for OSCP/eCPPT and beyond.
Table of Contents
- What is Burp Suite?
- Setting It Up
- Proxy Module
- Target & Scope
- Repeater
- Intruder
- Decoder
- Comparer
- Logger
- Extensions (BApp Store)
- Workflow: From Recon to Exploitation
- Tips, Shortcuts, and Gotchas
- Practice Targets
1. What is Burp Suite?
Burp Suite is a man-in-the-middle proxy designed for web application security testing. It intercepts, modifies, and analyzes HTTP and HTTPS traffic between your browser and the target web server.
Versions:
- Community – Free, feature-limited (Intruder is slower, no automation)
- Professional – Paid, unlocks full power: Active Scanner, faster Intruder, search, project saves
- Enterprise – For automated enterprise scanning (not relevant to pentesters)
2. Setting It Up
Step 1: Configure Browser
Set your browser to use Burp as a proxy:
127.0.0.1:8080
Use Firefox with the FoxyProxy extension for easy switching.
Step 2: Import Burp Certificate
- Visit http://burpsuite
- Download the CA certificate
- Import into your browser as a trusted CA
This allows Burp to intercept HTTPS without SSL errors.
3. Proxy Module
The Proxy tab lets you:
- Intercept and modify live HTTP requests/responses
- View raw HTTP/HTTPS traffic
- Control exactly what gets intercepted
Common Usage:
- Intercept login requests to find parameters
- Modify cookies, headers, body data
- Drop or forward requests
Use the “Intercept is On” button to toggle real-time interception.
4. Target & Scope
Target Tab
- Shows site map of all pages, parameters, and file types encountered
- Automatically updates as you browse
Scope
Define your target:
- Only test domains/IPs you specify
- Prevent sending data to unintended apps
Example:
Include in scope: http://target.com
Use Filter > Show only in scope items during testing to reduce clutter.
5. Repeater
The Repeater tab is essential for manual exploitation.
You can:
- Resend modified requests
- Inject payloads
- Analyze changes in response
Common Uses:
- Test SQLi, XSS, command injection
- Modify cookies and tokens
- Replay requests with slight changes
- Observe response headers and HTML
Shortcut:
- Right-click → “Send to Repeater”
6. Intruder
Intruder is Burp’s automated fuzzing engine.
You can:
- Brute-force login forms
- Enumerate hidden directories
- Fuzz parameters
- Test for rate limiting, WAF evasion
Steps:
- Set the target request
- Define payload positions using § markers
- Load payloads from a wordlist (e.g., rockyou.txt)
- Configure attack type:
- Sniper – One input at a time
- Battering Ram – Same payload for all positions
- Pitchfork – Parallel payloads
- Cluster Bomb – All combinations
Intruder shows status codes, response lengths, and response times to help you identify hits.
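To make the four attack types concrete, here is an added example (not from the original post) that reproduces how Intruder expands §-marked positions into requests for Sniper, Battering Ram, Pitchfork and Cluster Bomb, plus the length/status anomaly check you apply to the results table. The request template, payload lists and result rows are constructed for illustration.

```python
from collections import Counter
from itertools import product

# Constructed request body with two §-marked positions (original values inside)
TEMPLATE = "user=§admin§&pass=§secret§"
PAYLOAD_SETS = [["alice", "bob"], ["1234", "letmein", "summer2024"]]  # constructed

def split_template(template):
    """Return (literal segments, original values) for a §-marked template."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]

def fill(literals, values):
    """Interleave literal segments with one payload per position."""
    out = literals[0]
    for literal, value in zip(literals[1:], values):
        out += value + literal
    return out

def intruder_requests(template, attack, payload_sets):
    """Yield the requests Intruder would send for the given attack type."""
    literals, defaults = split_template(template)
    n = len(defaults)
    if attack == "sniper":
        # one position at a time; the others keep their original value
        for i in range(n):
            for p in payload_sets[0]:
                yield fill(literals, defaults[:i] + [p] + defaults[i + 1:])
    elif attack == "battering_ram":
        # the same payload dropped into every position at once
        for p in payload_sets[0]:
            yield fill(literals, [p] * n)
    elif attack == "pitchfork":
        # one set per position, walked in parallel; stops at the shortest set
        for combo in zip(*payload_sets[:n]):
            yield fill(literals, list(combo))
    elif attack == "cluster_bomb":
        # one set per position, every combination (request count multiplies)
        for combo in product(*payload_sets[:n]):
            yield fill(literals, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack}")

def flag_anomalies(results):
    """Given (payload, status, length) rows as read off Intruder's results
    table, return the payloads that differ from the most common pair."""
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    return [p for p, s, n in results if (s, n) != baseline]
```

With two positions and sets of 2 and 3 payloads, Sniper sends 4 requests, Battering Ram 2, Pitchfork 2 and Cluster Bomb 6, which is why Cluster Bomb against real wordlists gets expensive fast.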
7. Decoder
Used to:
- Encode and decode base64, URL, HTML, hex, etc.
- Analyze obfuscated input/output
Example:
ZGF0YV9sZWFrZWRfdXNlcm5hbWU= → base64 decode → data_leaked_username
You can also hash strings (MD5, SHA1) and guess input formats.
8. Comparer
Great for spotting subtle differences in responses.
Use it to:
- Compare two server responses (before/after payload)
- Detect error-based injection indicators
- Analyze token changes or minor behavior changes
Workflow:
- Right-click → Send to Comparer
- Byte or word-level diff
9. Logger
Burp’s HTTP history is gold:
- View all requests/responses
- Filter by method, status code, content-type
- Replay anything with a double-click
Use it to track all traffic, discover endpoints, and identify app behavior under different inputs.
10. Extensions (BApp Store)
Burp Suite Pro allows extensions from the BApp Store.
Must-Have Extensions:
| Extension | Purpose |
|---|---|
| Autorize | Detects IDOR and auth bypasses |
| Active Scan++ | Enhances built-in scanner |
| Turbo Intruder | Blazing-fast bruteforcer |
| JWT Editor | Decode, edit, sign JWT tokens |
| Hackvertor | Converts and encodes payloads |
| Logger++ | Advanced logging and filtering |
| Param Miner | Finds hidden and undocumented params |
11. Workflow: Recon to Exploitation
Recon:
- Enable Proxy and browse app manually
- Set Target Scope
- Use Site Map to find interesting parameters
- Run passive scans if using Burp Pro
Manual Testing:
- Use Repeater to test:
- SQLi, XSS, LFI, command injection
- Cookie and header manipulation
- Use Decoder to inspect responses
Brute Force / Fuzz:
- Send login or search to Intruder
- Load wordlists and analyze results
- Highlight anomalies by comparing length/status
Exploitation:
- Inject payloads in Repeater
- Chain with other vulnerabilities
- Use Comparer to monitor behavior differences
12. Tips, Shortcuts, and Gotchas
| Shortcut | Action |
|---|---|
| Ctrl + Shift + H | HTTP history |
| Ctrl + I | Toggle interception |
| Ctrl + R | Send to Repeater |
| Ctrl + J | Send to Intruder |
Gotchas:
- Don’t forget to set scope to avoid testing irrelevant domains
- Use Filters to reduce noise
- Always save your project before closing
- Community Edition’s Intruder is rate-limited — use Repeater for manual brute-force if needed
13. Practice Targets
- PortSwigger Web Security Academy – Burp labs built by the tool’s creators
- TryHackMe – Burp Fundamentals, Burp Labs, Web Exploitation rooms
- HackTheBox – Most boxes require Burp for web apps
- DVWA, bWAPP, WebGoat – Great for local testing
What You Should Be Able to Do with Burp:
- Capture and manipulate login requests
- Fuzz parameters and headers for vulnerabilities
- Modify tokens and cookies to bypass auth
- Replay and tamper with requests for injection testing
- Analyze the entire app’s attack surface
Coming Up Next
Post 11: Common Web Exploits in OSCP/eCPPT Exams
We’ll review:
- The most likely vulnerabilities to appear
- What tools to use
- How to chain them into full compromise