Burp Suite: Web Security Testing

The standard for web application security.

Web SecurityWebSecurityHTTP

Master the intersection of manual and automated techniques for securing web applications.

TOOL EXPLAINER: BURP SUITE

How to find hidden holes in websites.

Burp Suite is a program that acts like a middleman. It catches secret messages between your computer and a website, letting you read, change, and test them to see if the website is safe.

The Core Idea: The Proxy

Normally, your web browser talks directly to a website. But with Burp Suite turned on, everything stops in the middle first.

Your Browser

Sends a request (like "Log me in")

Burp Suite

The Middleman. Catches the request so you can change it.

The Website

Receives the (maybe changed) request

What Are We Actually Looking At?

When you click a button on a website, you don't see the real message being sent. It happens invisibly. Burp Suite makes the invisible visible.

This hidden message is called an HTTP Request. It is just plain text with rules. If we can change this text before the website sees it, we might be able to trick the website.

RAW_HTTP_REQUEST.txt

POST /buy-item HTTP/1.1
Host: onlineshop.com
User-Agent: Mozilla/5.0
Cookie: session_id=12345

item_id=99&price=100.00

A Real Example: The $1 TV

How do security testers use this? Let's pretend you are buying a TV that costs $100. Here is how you test if the shop is safe.

Click Buy

You click "Buy TV for $100" on the website. Your browser tries to send this price to the server.

Stop & Change

Burp Suite stops the message. You look at the code and see price=100. You delete the "100" and type "1".

Send It

You tell Burp Suite to send the changed message to the website. If the website is built badly, it will say "Success! You bought a TV for $1." This is called a vulnerability.

What Bugs Are We Looking For?

Security testers use Burp Suite to find three main types of huge mistakes in websites.

SQL Injection

This is when you type computer code into a normal search box. If the website doesn't block it, your code sneaks into their database and can steal all the passwords.

Cross-Site Scripting (XSS)

This happens when you hide an evil script in a comment or a message. When another user reads your comment, the hidden script runs on their computer and steals their login.

Broken Logins

This is when the door to the website is locked, but the hinges are broken. Testers use Burp to see if they can bypass the password screen entirely by changing hidden values.

Inside the Toolbox

Burp Suite isn't just one tool; it is a whole box of tools. Here are the four you will use the most.

1. Proxy

The Pause Button. This stops web traffic so you can read it and edit it before letting it go.

2. Repeater

The Do-Over. It lets you take one single message and send it over and over again, tweaking one small word each time to see what happens.

3. Intruder

The Guesser. You give it a list of 10,000 common passwords, and it fires them at the website super fast to see if any of them work.

4. Scanner

The Robot. This is an automatic tool that clicks every link on a website by itself and tells you if it finds obvious holes.

How to get started right now

You don't need to be a master hacker to start looking around. You can start today for free.

Step 1 Download the "Community Edition" (it is free).
Step 2 Open the program and click "Start Burp".
Step 3 Click the "Proxy" tab, then click "Open Browser". This opens a special, pre-setup web browser.
Step 4 Go to a website in that special browser, and watch the secret messages appear in Burp Suite!

Rule #1: Stay Out of Trouble

Do Not Test Without Permission

Using Burp Suite on a website without asking the owner is like testing the locks on your neighbor's house. It is illegal.

How to stay safe: Target Scope

Burp Suite has a setting called Target Scope. You type the exact name of the website you are allowed to test (like test-site.com).

If you set the Scope, Burp will ignore traffic from other websites, so you do not accidentally hack Facebook or Google while working.

The Command Center: Dashboard

When you open Burp Suite, the first thing you see is the Dashboard. It shows you the health of your testing session.

Tasks

1. Live passive crawl Running

2. Automated audit Paused

Issue Activity

High: SQL Injection found
Medium: Hidden directory
Low: Missing security header

Unscrambling Secrets: Decoder

Websites do not always send plain text. Sometimes they scramble the data so it safely travels across the internet.

Burp's Decoder tool works like a magic ring. You paste in the scrambled gibberish, and tell it to unscramble it into normal words.

INPUT (Scrambled) cGFzc3dvcmQxMjM=

OUTPUT (Unscrambled) password123

Spot the Difference: Comparer

Imagine looking at two huge blocks of code. They look identical, but one logs you in as a regular user, and the other logs you in as an Admin. How do you find the tiny difference?

Use the Comparer.

Request A (User)

POST /login HTTP/1.1

Host: site.com

role=guest

Request B (Admin)

POST /login HTTP/1.1

Host: site.com

role=admin

Supercharge It: The BApp Store

Just like your phone has an App Store to add new features, Burp Suite has the BApp Store. These are mini-tools created by other hackers to make Burp even better.

JSON Web Tokens

A tool that specifically looks at login tokens and tries to break them.

Retire.js

Looks at the website's code and tells you if they are using old, dangerous software.

AuthMatrix

Helps you test if User A can secretly see User B's private messages.

The Magic Certificate (Fixing the Error)

When you first start using Burp as a middleman, secure websites (HTTPS) will panic and show a big red warning: "Your connection is not private."

This is because the website knows there is a middleman! To fix this, you have to tell your browser: "It's okay, I put the middleman there on purpose."

You do this by downloading Burp's "CA Certificate" and installing it in your browser settings. Once you do that, the errors go away!

Browser
Warning

Spying on Phone Apps

Burp Suite isn't just for laptops. Phone apps talk to websites all the time, completely invisibly.

You can connect your iPhone or Android to the same Wi-Fi as your computer, and tell your phone to send all its data through Burp Suite.

This lets you catch secrets that mobile games or shopping apps are trying to hide from you!

Free vs. Paid

Community Edition

$0 (Free Forever)

Everything you need to learn.

Proxy, Repeater, and Decoder included.

Intruder (The Guesser) is very slow.

NO automatic Scanner. You must find bugs manually.

Professional Edition

Paid (For real jobs)

Automatic Web Vulnerability Scanner.

Intruder runs as fast as your computer can handle.

Advanced search features.

Ability to save projects and come back later.

The Simple Dictionary

When reading about Burp Suite, you will hear weird words. Here is what they actually mean.

Payload

The actual "hacker code" or fake password you are sending to the website.

Endpoint

The specific web address you are testing (like site.com/login or site.com/buy).

Parameter

The blank spaces the website asks you to fill out. (Like your username, price, or search word).

Drop

A button in Burp Suite that deletes a message completely, so the website never receives it.

Your Testing Checklist

Follow this order every time you test a new website.

Set the Scope: Tell Burp exactly which website you are allowed to test.
Turn off Proxy Intercept: Let the traffic flow normally first.
Click everything: Walk through the website like a normal user to build a map.
Find interesting actions: Look for logins, shopping carts, or comment boxes.
Send to Repeater: Send those interesting actions to the Repeater tool to start changing the hidden rules.

Burp Suite: Web Security Testing

Your Browser

Burp Suite

The Website

Click Buy

Stop & Change

Send It

1. Proxy

2. Repeater

3. Intruder

4. Scanner

Community Edition

Professional Edition

More in this series

Web Security

Networking

OSINT

Wireless

Cryptography

Forensics

Security