What Is Burp Suite?
Burp Suite, developed by PortSwigger, is the de facto standard platform for web application penetration testing. It functions primarily as an intercepting proxy — sitting between your browser and the target server, allowing you to inspect, modify, and replay HTTP/S requests in real time.
It's available in a free Community Edition and a paid Professional Edition. The Community Edition is fully functional for learning and manual testing, making it the ideal starting point.
Core Components of Burp Suite
- Proxy: The heart of Burp. Intercepts all browser traffic so you can inspect and manipulate requests before they're sent.
- Repeater: Replay individual HTTP requests with modifications — perfect for manually testing injection points.
- Intruder: Automates customized attacks like brute forcing, fuzzing, and payload injection across request parameters.
- Scanner (Pro only): Automated vulnerability scanning that detects issues like XSS, SQLi, and open redirects.
- Decoder: Encodes and decodes data in formats like Base64, URL encoding, HTML entities, and hex.
- Comparer: Performs visual diffs between two requests or responses — useful for identifying subtle differences.
Setting Up Burp Suite: Step-by-Step
Step 1: Download and Install
Download the Community Edition from portswigger.net/burp. It runs on Windows, macOS, and Linux. Java is bundled with the installer, so no separate JDK is needed.
Step 2: Configure Your Browser
Burp listens on 127.0.0.1:8080 by default. Configure your browser's proxy settings to route traffic through this address. Using Firefox with the FoxyProxy extension makes toggling the proxy on and off effortless.
Step 3: Install the Burp CA Certificate
To intercept HTTPS traffic without browser warnings, navigate to http://burpsuite while proxied through Burp, download the CA certificate, and install it into your browser's trusted certificate store. This is a critical step — without it, Burp can't decrypt TLS traffic.
Step 4: Intercept Your First Request
Enable interception under Proxy → Intercept → Intercept is on. Browse to a target (use a legal practice environment like DVWA or PortSwigger Web Academy). Burp will pause every request, displaying full headers and body for your inspection. Click Forward to send it on, or Drop to discard it.
Your First Manual Test: Finding a Reflected XSS
- Find a search box or any input field on your target application.
- Intercept the form submission in Burp Proxy.
- Send the request to Repeater (Ctrl+R).
- Modify the parameter value to a simple XSS payload: `<script>alert(1)</script>`
- Click Send and inspect the response. If your payload appears unescaped in the HTML, you've found a reflected XSS.
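The check you perform by eye in Repeater (does the payload come back raw, or HTML-encoded?) can be written down precisely. The following is an added example, not code from the article or from PortSwigger: two constructed search handlers, one vulnerable and one hardened with HTML encoding, and a classifier that applies the same test to a response body. The handler names and the content-type handling are assumptions for illustration.

```python
import html

# The payload used in the walkthrough above.
PAYLOAD = "<script>alert(1)</script>"


def classify_reflection(response_body: str, payload: str,
                        content_type: str = "text/html") -> str:
    """Classify how a submitted value is reflected in a response.

    Returns:
      'non-html' - response is not HTML, so raw reflection is not by itself
                   a reflected XSS (e.g. a JSON API); inspect separately.
      'raw'      - payload appears byte-for-byte unescaped: XSS indicator.
      'escaped'  - only an HTML-entity-encoded copy appears: output encoding
                   is in place for this sink.
      'absent'   - the value is not reflected at all.
    """
    if not content_type.lower().startswith("text/html"):
        return "non-html"
    if payload in response_body:
        return "raw"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"


def render_search_vulnerable(query: str) -> str:
    # Constructed vulnerable handler (hypothetical): user input is placed
    # straight into the page body without encoding.
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_hardened(query: str) -> str:
    # Constructed hardened handler: HTML-encode before inserting into markup.
    # This is the fix for the finding, not a substitute for also validating input.
    safe = html.escape(query, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)):
        body = handler(PAYLOAD)
        print(f"{name}: {classify_reflection(body, PAYLOAD)}")
```

Feed the classifier a real Repeater response body (and its Content-Type header) to get the same verdict the article describes; a 'raw' result on an HTML response is the reflected XSS finding, and the hardened handler shows the encoding that turns it into 'escaped'.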
Burp Suite Community vs. Professional
| Feature | Community | Professional |
|---|---|---|
| Intercepting Proxy | ✅ | ✅ |
| Repeater | ✅ | ✅ |
| Intruder (throttled) | ⚠️ Slow | ✅ Full speed |
| Automated Scanner | ❌ | ✅ |
| Project Save/Load | ❌ | ✅ |
| Price | Free | Paid (annual license) |
Where to Practice Legally
- PortSwigger Web Security Academy: Free labs purpose-built for Burp Suite practice, covering every major vulnerability class.
- DVWA (Damn Vulnerable Web Application): A self-hosted intentionally vulnerable PHP application.
- HackTheBox / TryHackMe: Online platforms with realistic web application challenges.
Final Verdict
Burp Suite Community Edition is genuinely one of the most powerful free security tools available. For anyone serious about web application security — whether pursuing a career in pen testing or building more secure applications — mastering Burp Suite is non-negotiable. Start with the Proxy and Repeater, and build from there.