If there is one tool that appears on virtually every web application penetration test, every bug bounty write-up, and every web security curriculum, it is Burp Suite. Developed by PortSwigger, Burp Suite functions as an intercepting proxy that sits between your browser and a web server, giving you complete visibility and control over every HTTP and HTTPS request in real time. Whether you are learning ethical hacking, preparing for a bug bounty program, or auditing a web application for a client, understanding Burp Suite is non-negotiable.
Specifically, this guide walks through Burp Suite from the ground up.You will learn what each core tool does, how to configure the proxy on Kali Linux or Windows, and how to apply those tools against real web vulnerabilities, including a practical SQL injection demo and tips for testing OWASP Top 10 categories. Best of all, the Community Edition is free and covers everything in this article.
What Is Burp Suite?
Burp Suite is an integrated web security testing platform built by PortSwigger. At its core, it acts as an HTTP/HTTPS intercept proxy, a man-in-the-middle between your browser and the target web server. As a result, every request your browser sends and every response it receives can be paused, inspected, modified, or replayed. For security professionals, this visibility is the foundation of almost every web app attack and defense workflow.
Furthermore, the platform ships with a suite of specialized tools around that proxy core: a manual request editor called Repeater, an automated fuzzer called Intruder, a vulnerability scanner (Pro edition), an encoder/decoder, and a comparison utility. Together, therefore, they cover the full lifecycle of web application security testing, from passive reconnaissance through active exploitation.
| Quick Recap |
| • Burp Suite is an intercepting proxy for HTTP/HTTPS traffic between browser and server. |
| • Core free tools: Proxy, Repeater, Intruder, Decoder, Comparer. |
| • Used in penetration testing, bug bounty research, and ethical hacking labs. |
| • Community Edition is free; Professional Edition adds automated scanning and no throttling. |
Burp Suite Community vs Pro vs Enterprise, Which Do You Need?
PortSwigger offers three tiers. For most learners and independent security researchers, the Community Edition covers everything covered in this guide. Here is how the editions compare:
| Feature | Community (Free) | Professional (~$449/yr) | Enterprise |
| Intercept Proxy | Yes | Yes | Yes |
| Repeater | Yes | Yes | Yes |
| Intruder (speed) | Throttled | Unlimited | Unlimited |
| Automated Scanner | No | Yes | Yes |
| Save Projects | No | Yes | Yes |
| Extensions (BApp Store) | Limited | Full | Full |
| Target Audience | Learners / CTF | Pentesters / Bug Hunters | Enterprise CI/CD |
However, the Community Edition is deliberately throttled on Intruder attacks — this is intentional. Therefore, if you need full-speed brute force or automated scanning, the Professional Edition at approximately $449/year is the standard choice in commercial engagements. You can find the download and full pricing on the official PortSwigger website.
| Value Insight The throttling in Intruder Community is frustrating but not a dealbreaker for learning. Use Hydra or ffuf for speed-critical brute force tasks. Reserve Burp Intruder for understanding payload positioning and response analysis, that skill transfers directly to the Pro edition without any relearning. |
How to Install Burp Suite
Installing Burp Suite on Kali Linux
Kali Linux ships with Burp Suite Community Edition pre-installed. You can launch it directly from the application menu under Web Application Analysis, or from the terminal:
| burpsuite |
If it is not installed, run:
| sudo apt update && sudo apt install burpsuite -y |
Installing on Windows or macOS
Head to the PortSwigger download page and grab the installer for your OS. The Windows and macOS installers are standard executables, run them and follow the setup wizard. Notably, Burp Suite requires Java, but the installer bundles it, so no separate JRE installation is needed on modern versions.
First-Time Setup: Configuring the Browser Proxy
On first launch, select Temporary Project and click Start Burp. The default proxy listener is set to 127.0.0.1 on port 8080. You can verify this under Proxy > Options.
Burp Suite includes a built-in Chromium browser (accessible via Proxy > Open Browser) that is pre-configured to route traffic through Burp. This is the easiest way to get started and requires no manual browser configuration. For Firefox, install the FoxyProxy extension and create a new proxy entry pointing to 127.0.0.1:8080.
In addition, for HTTPS interception, you also need to install the Burp CA certificate in your browser. Navigate to http://burpsuite in the Burp browser or http://127.0.0.1:8080 in Firefox, download the CA cert, and import it into the browser’s certificate trust store. Otherwise, HTTPS requests will fail entirely.
Burp Suite Core Features Explained
Proxy, Intercepting HTTP Requests
The Proxy is the heart of Burp Suite. With Intercept turned on, every HTTP/HTTPS request from the browser is paused before reaching the server. You can read the full request in Raw, Pretty, or Hex format, modify any field, headers, cookies, body parameters, and then forward it or drop it entirely.
With Intercept turned off, Burp behaves as a silent observer: traffic flows normally, but every request and response is logged in the HTTP History tab. In practice, this passive logging mode is often more practical — you browse the target normally first, then use HTTP History to review what was captured and identify interesting endpoints to investigate further.
A practical example: intercepting the McDonald’s mobile app on an Android phone shows that the app sends detailed JSON payloads to api.mcd.com containing device type, location, and menu requests. Burp captures all of this without the app knowing, this is exactly the technique used by security researchers performing mobile app security reviews. Consequently, setting up mobile interception requires installing the Burp CA certificate on the device and configuring the device’s Wi-Fi proxy to point to your Burp listener IP and port..
Repeater, Manual Request Testing
Repeater lets you send saved requests to the server manually, modify them, and compare responses side by side. Right-click any request in the Proxy HTTP History and choose Send to Repeater (or press Ctrl+R). You can then edit headers, change parameter values, switch request methods from GET to POST, and send repeatedly without going back through the browser.
This is the primary tool for manual vulnerability testing. When checking for SQL injection, you can send the same endpoint dozens of times with different payloads without reloading the web page each time. The response pane on the right shows raw HTML, headers, and status codes so you can identify behavioral differences across payloads.
Intruder, Automated Fuzzing and Brute Force
Intruder automates the delivery of payloads to one or more positions within a request. You mark the positions you want to fuzz with the position markers (highlighted in Burp as §value§), load a payload list, and launch the attack. Intruder then iterates through every payload, sends the modified request, and records the response for each.
Attack types include Sniper (one payload position at a time), Battering Ram (same payload to all positions simultaneously), Pitchfork (paired payloads across multiple positions), and Cluster Bomb (all combinations across multiple positions). Cluster Bomb is the most powerful but generates the most requests.
In the Community Edition, Intruder attacks are throttled to approximately one request per second. For brute-forcing login forms, this is too slow. As a result, many practitioners use Intruder for understanding payload positioning and testing logic flaws, then switch to faster tools like Hydra or Turbo Intruder for speed-critical attacks.
.
Scanner (Pro Only), Automated Vulnerability Detection
The automated scanner in the Professional Edition crawls the target and probes for a wide range of vulnerabilities including SQL injection, XSS, SSRF, and XXE. It produces a severity-ranked report that serves as a starting point for manual verification. The Community Edition does not include the scanner, all vulnerability discovery in the free version is manual.
Decoder and Comparer
Decoder is a utility for encoding and decoding data in common formats: URL encoding, Base64, HTML entities, hex, and gzip. It is particularly useful when testing parameters that encode payloads before sending. You can layer multiple encoding transformations to simulate double-encoded injection payloads.
Comparer takes two pieces of data, typically two HTTP responses, and highlights the differences byte by byte or word by word. This is useful for detecting subtle behavioral differences between two requests, for example comparing the response when login succeeds versus fails to identify timing attacks or information leakage.
Burp Suite Practical Tutorial: SQL Injection Step by Step
To see these tools in action, consider a standard SQL injection test. Using DVWA (Damn Vulnerable Web Application) as the practice target — a deliberately insecure PHP application commonly used in security labs — here is how the Proxy and Repeater work together.
This workflow is representative of how a real web app test would proceed, with DVWA replaced by a scoped application under an active authorized engagement.
Setting Up the Environment
- Launch Burp Suite and open the built-in browser or configure Firefox with FoxyProxy pointing to 127.0.0.1:8080.
- Turn on Intercept in the Proxy tab.
- Navigate to the DVWA SQL Injection page and submit a test input, such as the value 1 in the user ID field.
Capturing and Sending the Request
- At this point, Burp Suite captures the request before it reaches the server. The raw request shows the GET parameter ?id=1&Submit=Submit.
- Right-click the captured request and choose Send to Repeater (Ctrl+R).
Injecting the Payload in Repeater
- In Repeater, change the id parameter to: 1′ OR ‘1’=’1 — a classic SQL injection payload that makes the WHERE clause always evaluate to true.
- If the application is not sanitizing input, consequently the response returns all rows from the users table rather than just the record matching id=1. First names, last names, and other user data appear in the raw HTML response.
- Meanwhile, each variation is sent directly from Repeater without needing to reload the browser. Go further and append a UNION SELECT to enumerate database table names or column structure.
How This Bypasses Login Forms
This is the same technique that allows a SQL injection to bypass login forms entirely. If the login query transforms into SELECT * FROM users WHERE email=’a’ OR 1=1–‘ AND password=’anything’, the double-dash comments out the password check and the query returns the first row in the database, typically the admin account. Burp Suite intercepts the POST request containing the email and password fields, and the attacker modifies the email value directly in the raw request before forwarding it.
For a deeper understanding of why these SQL patterns work at the database level, the OWASP Top 10 vulnerabilities guide covers SQL injection (A03: Injection) alongside the other nine critical vulnerability categories that Burp Suite is most commonly used to test.
Burp Suite for OWASP Top 10 Testing
Burp Suite is the standard tool for testing the majority of OWASP Top 10 vulnerability categories. Here is how each category maps to Burp Suite features:
| OWASP Category | Primary Burp Feature | Testing Approach |
| A01: Broken Access Control | Proxy + Repeater | Modify user roles or object IDs in intercepted requests; test horizontal and vertical privilege escalation |
| A02: Cryptographic Failures | Proxy + Decoder | Capture sensitive data in transit; check for cleartext transmission or weak encoding |
| A03: Injection (SQL, XSS) | Repeater + Intruder | Send crafted payloads manually via Repeater; automate fuzzing with Intruder |
| A05: Security Misconfiguration | Proxy HTTP History | Review response headers for missing security headers (CSP, HSTS, X-Frame-Options) |
| A07: Auth Failures | Intruder | Brute-force login forms; test session token entropy with Sequencer |
| A08: Data Integrity Failures | Proxy + Decoder | Intercept and modify serialized objects; test JWT manipulation |
| A10: SSRF | Repeater | Modify URL parameters to point to internal services; observe response differences |
In most cases, the workflow follows the same pattern: browse the application with Intercept off to build HTTP History, identify interesting endpoints, send them to Repeater, and begin manual modification. The complete web application penetration testing methodology covers how Burp integrates into a full engagement from reconnaissance through reporting.
Using Burp Suite to Intercept Mobile App Traffic
Burp Suite is not limited to browser traffic. With the right configuration, you can intercept traffic from Android and iOS applications running on a device connected to the same Wi-Fi network as your Burp machine.
The setup requires two steps. First, configure a new Proxy listener in Burp Suite under Proxy > Options that binds to the interface IP of your laptop on the local network (not just 127.0.0.1). Second, configure the mobile device’s Wi-Fi proxy settings to point to that IP and port 8080. Finally, install the Burp CA certificate on the device to enable HTTPS decryption.
Important limitation: many modern apps implement certificate pinning, which explicitly rejects certificates from untrusted CAs, including the Burp CA. In that case, bypassing certificate pinning requires additional techniques such as rooting the Android device and installing the certificate in the system trust store, or using Frida to patch the pinning check at runtime. Not all applications will be interceptable with a basic setup.
For applications that do not pin certificates, the interception is transparent. The app sends its API calls, Burp captures every request and response, and you have full visibility into what data the application transmits, including third-party analytics calls to services the user may not be aware of.
Burp Suite Tips and Tricks for Beginners
Use Target Scope to Reduce Noise
Without a defined scope, Burp captures every request from every tab in the browser, including background requests to CDNs, analytics platforms, and advertising networks. Define your target scope under Target > Scope and then enable the ‘Drop all out-of-scope requests’ option in Proxy > Options. This keeps HTTP History clean and ensures Intercept only triggers for your actual target.
URL-Encode Payloads in Repeater
When sending injection payloads via Repeater, characters like single quotes, spaces, and hash symbols need to be URL-encoded to be interpreted correctly by the server. Right-click the selected payload text in Repeater and choose Convert Selection > URL Encode. Alternatively, enable the ‘URL-encode as you type’ option. Failure to encode is one of the most common reasons injection payloads fail in Repeater tests.
Keyboard Shortcuts Worth Memorizing
- Ctrl+R, Send request to Repeater
- Ctrl+I, Send request to Intruder
- Ctrl+Space, Send request in Repeater
- Ctrl+U / Ctrl+Shift+U, URL encode / decode selected text
- Ctrl+Z, Undo edits in request editor
Useful Extensions from the BApp Store
The BApp Store (Extender > BApp Store) provides community-built extensions that expand Burp’s capabilities. Key ones for beginners and intermediate users:
- Autorize, Automatically tests for broken access control by replaying requests with reduced privileges.
- Logger++, Provides advanced logging and filtering of HTTP history beyond Burp’s default view.
- Turbo Intruder, A high-speed alternative to the built-in Intruder, written as a Python script inside Burp. Removes the Community Edition throttle for sending speed.
- JSON Web Tokens, Decodes, edits, and re-signs JWT tokens directly in the request editor.
For hands-on practice with these techniques, PortSwigger offers a completely free learning platform called Web Security Academy, it contains interactive labs for every major vulnerability class, all designed to be solved with Burp Suite. It is one of the best free resources in the field.
| Value Insight Most beginners spend all their time in Proxy and ignore Repeater for weeks. That is backwards. Proxy is for capturing; Repeater is where the actual testing happens. Get comfortable in Repeater first, it is where 80% of manual web testing time is spent. Once you understand the request-response cycle there, Intruder and Scanner become much easier to use effectively. |
Community Edition vs Professional: What Actually Matters
The most common question beginners ask is whether they need to pay for the Professional Edition. The honest answer depends on what you are trying to accomplish. For learning, CTFs, DVWA practice, and early bug bounty work, the Community Edition covers every technique in this guide. The Proxy, Repeater, Intruder (even throttled), Decoder, and Comparer are all available for free.
The Professional Edition becomes worth the investment when speed matters. Intruder at full speed can iterate through a 10,000-entry wordlist in minutes rather than hours. The automated scanner surfaces vulnerabilities you might miss in a time-boxed engagement. And saved projects are critical for real client work where you cannot lose your capture history.
There is a middle path: use Turbo Intruder (a free BApp Store extension) to bypass the throttle on Intruder in Community Edition. This closes the speed gap significantly without requiring a paid license, though it requires writing a simple Python request script rather than using the GUI.
The broader question of which tools belong in a pentester’s toolkit, and how Burp Suite fits alongside Nmap, Metasploit, and OWASP ZAP, is covered in the complete penetration testing tools guide which benchmarks and compares the full stack of tools used in real engagements.
Frequently Asked Questions
Is Burp Suite free to use?
Yes. The Community Edition is completely free and covers the core features: Proxy, Repeater, Intruder (throttled), Decoder, and Comparer. It is available from portswigger.net with no trial period. The Professional Edition (~$449/year) adds the automated scanner, full-speed Intruder, and project saving.
How do I use Burp Suite with Kali Linux?
Burp Suite is pre-installed on Kali Linux and can be launched from the application menu under Web Application Analysis or by typing ‘burpsuite’ in the terminal. Configure the browser to use the proxy at 127.0.0.1:8080 and install the Burp CA certificate for HTTPS interception. The built-in Chromium browser in Burp’s Proxy tab is pre-configured and the easiest starting point.
What is the difference between Burp Suite and OWASP ZAP?
Both are intercepting proxies, but they differ in focus. Burp Suite is the industry standard for manual and semi-automated web app testing, with a more refined UI for manual testing workflows. OWASP ZAP is fully open source (Burp Community is free but not open source) and offers a more automated scanning experience. Most professional pentesters use Burp Suite. ZAP is a solid alternative for teams with budget constraints and suits developers integrating security scanning into CI/CD pipelines.
Can Burp Suite intercept mobile app traffic?
Yes, with additional setup. The mobile device must be on the same Wi-Fi network as the Burp machine, the device’s Wi-Fi proxy must be pointed to the Burp listener IP and port, and the Burp CA certificate must be installed on the device. This works for most HTTP/HTTPS traffic but will fail against apps that implement certificate pinning.
What is Burp Suite used for in bug bounty hunting?
In bug bounty programs, Burp Suite is used to intercept and analyze API calls, test input fields for injection vulnerabilities, replay and modify requests to test access controls, and identify information disclosures in response headers or body content. The Proxy HTTP History is particularly valuable for understanding the full request map of a web application during reconnaissance.
Is Burp Suite legal to use?
Burp Suite is a legitimate security testing tool. Using it on systems, applications, or networks you do not own or do not have explicit written permission to test is illegal under computer fraud laws in most jurisdictions. It is legal and encouraged for use on practice environments (DVWA, HackTheBox, TryHackMe), your own applications, and targets within an active bug bounty program scope.
Final Thoughts
Burp Suite grows with you. On day one you are intercepting a single login request. A few months in, you are chaining Repeater sessions, mapping full API surfaces through HTTP History, and writing Turbo Intruder scripts for targeted fuzzing. The Community Edition is enough to get through everything in this guide — set up DVWA in Docker, configure the proxy, and spend an afternoon on SQL injection and access control testing hands-on. That repetition builds instinct faster than any course.
Where to Go From Here
Once Burp feels comfortable, the natural next step is understanding how it fits into a complete web application penetration testing workflow — from reconnaissance and scoping through exploitation and reporting. Moreover, pairing your Burp skills with a solid grasp of the OWASP Top 10 pays off quickly, because knowing what a vulnerability looks like in a response is what separates effective testing from random fuzzing.
| ⚠️ Legal & Ethical Disclaimer Burp Suite and the techniques covered in this guide are intended strictly for authorized security testing, ethical hacking practice on dedicated lab environments (such as DVWA, HackTheBox, or TryHackMe), and legitimate bug bounty research within defined program scope. Never intercept, test, or modify traffic on systems, applications, or networks you do not own or have explicit written permission to test. Unauthorized interception of network traffic may violate computer fraud and cybercrime laws in your jurisdiction. Always operate within the rules of engagement. |