Appearance
Burp Suite Cheat Sheet
Overview
Burp Suite is the industry-leading web application security testing platform developed by PortSwigger, providing comprehensive tools and capabilities for identifying, analyzing, and exploiting security vulnerabilities in web applications and APIs. As the de facto standard for web application penetration testing, Burp Suite combines automated scanning capabilities with powerful manual testing tools, enabling security professionals to conduct thorough assessments of modern web applications, REST APIs, GraphQL endpoints, and complex single-page applications. The platform's modular architecture and extensible framework make it suitable for both automated security testing workflows and detailed manual security research.
The core strength of Burp Suite lies in its integrated approach to web application security testing, combining multiple specialized tools within a unified interface that facilitates comprehensive security assessments. The platform includes an intercepting proxy for traffic analysis and manipulation, a web vulnerability scanner for automated discovery of security issues, an intruder tool for customized attacks and fuzzing, a repeater for manual request manipulation, and a sequencer for analyzing session token randomness. This integrated toolset enables security professionals to perform complete security assessments from initial reconnaissance through detailed vulnerability exploitation and validation.
Burp Suite's advanced features include sophisticated session handling capabilities, custom extension development through its API, integration with CI/CD pipelines for DevSecOps workflows, and comprehensive reporting capabilities for technical and executive audiences. The platform supports modern web technologies including JavaScript-heavy applications, WebSocket communications, HTTP/2 protocol, and complex authentication mechanisms. With its active community of security researchers, extensive documentation, and continuous innovation in web application security testing methodologies, Burp Suite remains the cornerstone tool for web application security professionals worldwide.
Installation
Burp Suite Community Edition
Installing Burp Suite Community Edition:
bash
# Download from PortSwigger website
# https://portswigger.net/burp/communitydownload
# Linux Installation
# Download JAR file
wget https://portswigger.net/burp/releases/download?product=community&version=latest&type=jar -O burpsuite_community.jar
# Install Java (if not already installed)
sudo apt update
sudo apt install -y openjdk-11-jdk
# Verify Java installation
java -version
# Run Burp Suite
java -jar burpsuite_community.jar
# Create desktop shortcut
cat > ~/Desktop/BurpSuite.desktop << 'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Name=Burp Suite Community
Comment=Web Application Security Testing
Exec=java -jar /path/to/burpsuite_community.jar
Icon=/path/to/burp-icon.png
Terminal=false
Categories=Development;Security;
EOF
chmod +x ~/Desktop/BurpSuite.desktop
# Windows Installation
# Download installer from PortSwigger
# Run installer as Administrator
# Follow installation wizard
# Launch from Start Menu or Desktop
# macOS Installation
# Download DMG file
# Mount DMG and drag to Applications
# Launch from Applications folderBurp Suite Professional
Installing Burp Suite Professional:
bash
# Purchase license from PortSwigger
# Download Professional edition
# Linux Installation
wget https://portswigger.net/burp/releases/download?product=pro&version=latest&type=jar -O burpsuite_pro.jar
# Run with license
java -jar burpsuite_pro.jar
# Enter license key when prompted
# License format: XXXX-XXXX-XXXX-XXXX
# Increase memory allocation for large applications
java -Xmx4g -jar burpsuite_pro.jar
# Run with custom JVM options
java -Xmx8g -XX:+UseG1GC -jar burpsuite_pro.jar
# Create startup script
cat > ~/bin/burp-pro.sh << 'EOF'
#!/bin/bash
java -Xmx8g -XX:+UseG1GC -jar /opt/burpsuite/burpsuite_pro.jar "$@"
EOF
chmod +x ~/bin/burp-pro.shDocker Installation
Running Burp Suite in Docker:
bash
# Create Dockerfile for Burp Suite
cat > Dockerfile.burp << 'EOF'
FROM openjdk:11-jre-slim
# Install dependencies
RUN apt-get update && apt-get install -y \
wget \
xvfb \
x11vnc \
fluxbox \
&& rm -rf /var/lib/apt/lists/*
# Download Burp Suite Community
RUN wget -O /opt/burpsuite_community.jar \
"https://portswigger.net/burp/releases/download?product=community&version=latest&type=jar"
# Create startup script
RUN echo '#!/bin/bash\nXvfb :1 -screen 0 1024x768x16 &\nexport DISPLAY=:1\nfluxbox &\nx11vnc -display :1 -nopw -listen localhost -xkb &\njava -jar /opt/burpsuite_community.jar' > /start.sh
RUN chmod +x /start.sh
EXPOSE 5900 8080
CMD ["/start.sh"]
EOF
# Build Docker image
docker build -f Dockerfile.burp -t burpsuite .
# Run Burp Suite in Docker
docker run -d --name burpsuite \
-p 5900:5900 \
-p 8080:8080 \
-v $(pwd)/burp-data:/root/.BurpSuite \
burpsuite
# Access via VNC
# Connect to localhost:5900 with VNC clientBrowser Configuration
Configuring browsers to work with Burp Suite:
bash
# Firefox Configuration
# 1. Open Firefox
# 2. Go to Settings > Network Settings
# 3. Configure Manual proxy:
# - HTTP Proxy: 127.0.0.1, Port: 8080
# - Use this proxy server for all protocols: checked
# 4. Install Burp CA certificate:
# - Navigate to http://burp
# - Download CA Certificate
# - Import in Firefox Certificate Manager
# Chrome Configuration
# Launch Chrome with proxy settings
google-chrome --proxy-server=127.0.0.1:8080 --ignore-certificate-errors
# Create Chrome profile for Burp
google-chrome --user-data-dir=/tmp/chrome-burp --proxy-server=127.0.0.1:8080
# Install CA certificate in Chrome
# 1. Navigate to http://burp
# 2. Download CA Certificate
# 3. Go to Chrome Settings > Privacy and Security > Security
# 4. Manage certificates > Authorities > Import
# 5. Select downloaded certificate
# FoxyProxy Extension (Recommended)
# Install FoxyProxy extension
# Configure proxy:
# - Title: Burp Suite
# - Proxy Type: HTTP
# - IP: 127.0.0.1
# - Port: 8080Basic Usage
Proxy Configuration
Setting up and using the Burp Proxy:
bash
# Start Burp Suite
java -jar burpsuite_community.jar
# Proxy Tab Configuration
# 1. Go to Proxy > Options
# 2. Proxy Listeners:
# - Interface: 127.0.0.1:8080 (default)
# - Add additional listeners if needed
# 3. Intercept Client Requests: On/Off
# 4. Intercept Server Responses: On/Off
# Basic Proxy Usage
# 1. Configure browser to use Burp proxy
# 2. Navigate to target application
# 3. Observe requests in Proxy > HTTP history
# 4. Intercept and modify requests as needed
# Certificate Installation
# 1. With proxy configured, navigate to http://burp
# 2. Click "CA Certificate" to download
# 3. Install in browser certificate store
# 4. Trust for identifying websites
# Scope Configuration
# 1. Go to Target > Scope
# 2. Add target URLs to scope
# 3. Configure proxy to only show in-scope items
# 4. Use scope to focus testing effortsTarget Analysis
Analyzing target applications:
bash
# Site Map Building
# 1. Browse target application normally
# 2. Observe site map building in Target tab
# 3. Review discovered content and parameters
# 4. Identify attack surface
# Content Discovery
# 1. Right-click on target in site map
# 2. Select "Spider this host"
# 3. Configure spider options
# 4. Review discovered content
# Parameter Analysis
# 1. Review Params tab in Target
# 2. Identify all parameters used
# 3. Note parameter types and contexts
# 4. Plan parameter-based attacks
# Technology Identification
# 1. Review HTTP headers in proxy history
# 2. Identify server technologies
# 3. Note framework and language indicators
# 4. Research known vulnerabilitiesManual Testing
Performing manual security testing:
bash
# Request Manipulation with Repeater
# 1. Send interesting requests to Repeater
# 2. Modify parameters, headers, and body
# 3. Analyze responses for vulnerabilities
# 4. Test different attack payloads
# SQL Injection Testing
# 1. Identify database parameters
# 2. Test with SQL injection payloads:
# - ' OR '1'='1
# - '; DROP TABLE users; --
# - UNION SELECT 1,2,3--
# 3. Analyze error messages and responses
# 4. Exploit confirmed vulnerabilities
# XSS Testing
# 1. Identify reflection points
# 2. Test with XSS payloads:
# - <script>alert('XSS')</script>
# - "><script>alert(document.cookie)</script>
# - javascript:alert('XSS')
# 3. Test in different contexts (HTML, JavaScript, CSS)
# 4. Bypass filters and encoding
# Authentication Testing
# 1. Analyze login mechanisms
# 2. Test for weak passwords
# 3. Check session management
# 4. Test for privilege escalationAdvanced Features
Automated Scanning
Using Burp Scanner (Professional only):
bash
# Active Scanning
# 1. Right-click on target in site map
# 2. Select "Actively scan this host"
# 3. Configure scan settings:
# - Scan speed: Fast/Normal/Thorough
# - Scan accuracy: Minimize false positives/Normal/Minimize false negatives
# 4. Monitor scan progress in Scanner tab
# Passive Scanning
# 1. Passive scanning runs automatically
# 2. Review issues in Scanner > Issues
# 3. Analyze issue details and evidence
# 4. Verify findings manually
# Custom Scan Configurations
# 1. Go to Scanner > Options
# 2. Configure attack insertion points
# 3. Customize payload sets
# 4. Set scan optimization options
# Live Scanning
# 1. Enable live passive scanning
# 2. Configure live active scanning
# 3. Set scan queue management
# 4. Monitor real-time resultsIntruder Attacks
Using Burp Intruder for automated attacks:
bash
# Sniper Attack
# 1. Send request to Intruder
# 2. Set single payload position
# 3. Configure payload set (wordlist)
# 4. Launch attack and analyze results
# Battering Ram Attack
# 1. Set multiple payload positions
# 2. Use same payload for all positions
# 3. Useful for testing same value everywhere
# 4. Analyze response variations
# Pitchfork Attack
# 1. Set multiple payload positions
# 2. Use different payload sets
# 3. Iterate through payloads in parallel
# 4. Test related parameter combinations
# Cluster Bomb Attack
# 1. Set multiple payload positions
# 2. Test all combinations of payloads
# 3. Comprehensive but time-consuming
# 4. Useful for credential brute forcing
# Custom Payloads
# 1. Create custom wordlists
# 2. Use payload processing rules
# 3. Configure payload encoding
# 4. Set grep extraction rulesSession Handling
Managing complex session handling:
bash
# Session Handling Rules
# 1. Go to Project Options > Sessions
# 2. Create session handling rules
# 3. Configure rule actions:
# - Use cookies from Burp's cookie jar
# - Run macro
# - Check session is valid
# 4. Set rule scope and conditions
# Macros for Authentication
# 1. Record login sequence as macro
# 2. Configure macro to extract session tokens
# 3. Use macro in session handling rules
# 4. Automatically maintain authentication
# Cookie Management
# 1. Review cookies in Proxy > Options > Sessions
# 2. Configure cookie scope and handling
# 3. Manage session fixation issues
# 4. Test cookie security attributes
# CSRF Token Handling
# 1. Identify CSRF token parameters
# 2. Create macro to extract tokens
# 3. Configure automatic token updates
# 4. Test CSRF protection effectivenessExtensions and Customization
Extending Burp Suite functionality:
bash
# BApp Store Extensions
# 1. Go to Extender > BApp Store
# 2. Browse available extensions
# 3. Install useful extensions:
# - Logger++
# - Autorize
# - Param Miner
# - Turbo Intruder
# - Active Scan++
# Manual Extension Installation
# 1. Download extension JAR/Python file
# 2. Go to Extender > Extensions
# 3. Click Add and select file
# 4. Configure extension settings
# Custom Extension Development
# 1. Use Burp Extender API
# 2. Develop in Java, Python, or Ruby
# 3. Implement required interfaces
# 4. Test and debug extensions
# Popular Extensions
# Logger++: Enhanced logging and filtering
# Autorize: Authorization testing
# Param Miner: Parameter discovery
# Turbo Intruder: High-speed attacks
# Collaborator Everywhere: SSRF testingAutomation Scripts
Burp Suite API Automation
python
#!/usr/bin/env python3
# Burp Suite API automation script
import requests
import json
import time
import base64
import urllib3
from urllib.parse import urljoin
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class BurpSuiteAPI:
def __init__(self, api_url="http://127.0.0.1:1337", api_key=None):
self.api_url = api_url.rstrip('/')
self.api_key = api_key
self.session = requests.Session()
self.session.verify = False
if api_key:
self.session.headers.update({'X-API-Key': api_key})
def get_proxy_history(self):
"""Get proxy history"""
try:
response = self.session.get(f"{self.api_url}/burp/proxy/history")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting proxy history: {response.status_code}")
return None
except Exception as e:
print(f"Exception getting proxy history: {e}")
return None
def send_to_repeater(self, request_data):
"""Send request to Repeater"""
try:
response = self.session.post(
f"{self.api_url}/burp/repeater/send",
json=request_data
)
if response.status_code == 200:
return response.json()
else:
print(f"Error sending to repeater: {response.status_code}")
return None
except Exception as e:
print(f"Exception sending to repeater: {e}")
return None
def start_active_scan(self, target_url, scan_config=None):
"""Start active scan"""
scan_data = {
'urls': [target_url]
}
if scan_config:
scan_data.update(scan_config)
try:
response = self.session.post(
f"{self.api_url}/burp/scanner/scans/active",
json=scan_data
)
if response.status_code == 201:
return response.json()
else:
print(f"Error starting scan: {response.status_code}")
return None
except Exception as e:
print(f"Exception starting scan: {e}")
return None
def get_scan_status(self, scan_id):
"""Get scan status"""
try:
response = self.session.get(f"{self.api_url}/burp/scanner/scans/{scan_id}")
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan status: {response.status_code}")
return None
except Exception as e:
print(f"Exception getting scan status: {e}")
return None
def get_scan_issues(self, scan_id=None):
"""Get scan issues"""
url = f"{self.api_url}/burp/scanner/issues"
if scan_id:
url += f"?scan_id={scan_id}"
try:
response = self.session.get(url)
if response.status_code == 200:
return response.json()
else:
print(f"Error getting scan issues: {response.status_code}")
return None
except Exception as e:
print(f"Exception getting scan issues: {e}")
return None
def generate_report(self, report_config):
"""Generate scan report"""
try:
response = self.session.post(
f"{self.api_url}/burp/report",
json=report_config
)
if response.status_code == 200:
return response.content
else:
print(f"Error generating report: {response.status_code}")
return None
except Exception as e:
print(f"Exception generating report: {e}")
return None
def run_intruder_attack(self, attack_config):
"""Run Intruder attack"""
try:
response = self.session.post(
f"{self.api_url}/burp/intruder/attack",
json=attack_config
)
if response.status_code == 200:
return response.json()
else:
print(f"Error running intruder attack: {response.status_code}")
return None
except Exception as e:
print(f"Exception running intruder attack: {e}")
return None
# Automated Web Application Testing
class WebAppTester:
def __init__(self, burp_api):
self.burp = burp_api
self.results = {}
def discover_application(self, target_url):
"""Discover application structure"""
print(f"Discovering application: {target_url}")
# Start with basic crawling
scan_config = {
'scan_configurations': ['crawl_and_audit'],
'application_logins': [],
'resource_pool': 'default'
}
scan_result = self.burp.start_active_scan(target_url, scan_config)
if scan_result:
scan_id = scan_result['scan_id']
print(f"Started discovery scan: {scan_id}")
return scan_id
return None
def wait_for_scan_completion(self, scan_id, max_wait=3600):
"""Wait for scan to complete"""
start_time = time.time()
while time.time() - start_time < max_wait:
status = self.burp.get_scan_status(scan_id)
if status:
scan_status = status.get('scan_status', 'unknown')
print(f"Scan {scan_id} status: {scan_status}")
if scan_status == 'finished':
return True
elif scan_status == 'failed':
print(f"Scan {scan_id} failed")
return False
time.sleep(30) # Check every 30 seconds
print(f"Scan {scan_id} did not complete within {max_wait} seconds")
return False
def analyze_vulnerabilities(self, scan_id=None):
"""Analyze discovered vulnerabilities"""
print("Analyzing vulnerabilities...")
issues = self.burp.get_scan_issues(scan_id)
if not issues:
print("No issues found")
return {}
vulnerability_summary = {}
for issue in issues:
severity = issue.get('severity', 'Unknown')
issue_type = issue.get('issue_type', 'Unknown')
if severity not in vulnerability_summary:
vulnerability_summary[severity] = {}
if issue_type not in vulnerability_summary[severity]:
vulnerability_summary[severity][issue_type] = 0
vulnerability_summary[severity][issue_type] += 1
return vulnerability_summary
def test_authentication(self, login_url, credentials):
"""Test authentication mechanisms"""
print(f"Testing authentication at: {login_url}")
# Test weak passwords
weak_passwords = ['password', '123456', 'admin', 'test', 'guest']
for username, password in credentials:
for weak_pass in weak_passwords:
# Create intruder attack for password testing
attack_config = {
'base_request': {
'url': login_url,
'method': 'POST',
'headers': {'Content-Type': 'application/x-www-form-urlencoded'},
'body': f'username={username}&password={weak_pass}'
},
'attack_type': 'sniper',
'payload_sets': [weak_passwords]
}
result = self.burp.run_intruder_attack(attack_config)
if result:
print(f"Tested {username}:{weak_pass}")
def generate_comprehensive_report(self, scan_id, output_file):
"""Generate comprehensive security report"""
print(f"Generating report: {output_file}")
report_config = {
'scan_id': scan_id,
'report_type': 'HTML',
'include_false_positives': False,
'include_request_response': True
}
report_data = self.burp.generate_report(report_config)
if report_data:
with open(output_file, 'wb') as f:
f.write(report_data)
print(f"Report saved: {output_file}")
return True
return False
def run_comprehensive_test(self, target_url, output_dir="/tmp/burp_results"):
"""Run comprehensive web application test"""
print(f"Starting comprehensive test of: {target_url}")
# Create output directory
import os
os.makedirs(output_dir, exist_ok=True)
# Step 1: Discovery
scan_id = self.discover_application(target_url)
if not scan_id:
print("Failed to start discovery scan")
return False
# Step 2: Wait for completion
if not self.wait_for_scan_completion(scan_id):
print("Scan did not complete successfully")
return False
# Step 3: Analyze results
vulnerabilities = self.analyze_vulnerabilities(scan_id)
# Step 4: Generate report
report_file = os.path.join(output_dir, f"burp_report_{scan_id}.html")
self.generate_comprehensive_report(scan_id, report_file)
# Step 5: Summary
print("\n=== Test Summary ===")
print(f"Target: {target_url}")
print(f"Scan ID: {scan_id}")
print(f"Report: {report_file}")
print("\nVulnerabilities by Severity:")
for severity, issues in vulnerabilities.items():
print(f" {severity}:")
for issue_type, count in issues.items():
print(f" {issue_type}: {count}")
return True
# Usage example
def main():
import argparse
parser = argparse.ArgumentParser(description='Burp Suite Automation')
parser.add_argument('--target', required=True, help='Target URL')
parser.add_argument('--api-url', default='http://127.0.0.1:1337', help='Burp API URL')
parser.add_argument('--api-key', help='Burp API key')
parser.add_argument('--output', default='/tmp/burp_results', help='Output directory')
args = parser.parse_args()
# Initialize Burp API
burp_api = BurpSuiteAPI(args.api_url, args.api_key)
# Initialize tester
tester = WebAppTester(burp_api)
# Run comprehensive test
success = tester.run_comprehensive_test(args.target, args.output)
if success:
print("Comprehensive test completed successfully")
else:
print("Comprehensive test failed")
if __name__ == "__main__":
main()Integration Examples
CI/CD Integration
yaml
# Jenkins Pipeline for Burp Suite Integration
pipeline {
agent any
environment {
BURP_API_URL = 'http://burp-server:1337'
BURP_API_KEY = credentials('burp-api-key')
TARGET_URL = 'https://staging.example.com'
}
stages {
stage('Deploy Application') {
steps {
// Deploy application to staging
sh 'deploy-to-staging.sh'
}
}
stage('Security Scan') {
steps {
script {
// Start Burp scan
def scanResult = sh(
script: """
python3 burp_automation.py \
--target ${TARGET_URL} \
--api-url ${BURP_API_URL} \
--api-key ${BURP_API_KEY} \
--output ./burp-results
""",
returnStatus: true
)
if (scanResult != 0) {
error("Burp scan failed")
}
}
}
}
stage('Process Results') {
steps {
// Archive scan results
archiveArtifacts artifacts: 'burp-results/**/*', fingerprint: true
// Publish security report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'burp-results',
reportFiles: '*.html',
reportName: 'Burp Security Report'
])
// Check for critical vulnerabilities
script {
def criticalVulns = sh(
script: "grep -c 'High\\|Critical' burp-results/*.html || true",
returnStdout: true
).trim()
if (criticalVulns.toInteger() > 0) {
currentBuild.result = 'UNSTABLE'
echo "Found ${criticalVulns} critical/high vulnerabilities"
}
}
}
}
}
post {
always {
// Clean up
sh 'rm -rf burp-results'
}
failure {
// Send notification
emailext (
subject: "Security Scan Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "Security scan failed for ${TARGET_URL}. Check console output for details.",
to: "${env.SECURITY_TEAM_EMAIL}"
)
}
}
}Troubleshooting
Common Issues
Proxy Connection Issues:
bash
# Check Burp proxy listener
# Go to Proxy > Options > Proxy Listeners
# Verify 127.0.0.1:8080 is running
# Test proxy connectivity
curl -x 127.0.0.1:8080 http://example.com
# Check browser proxy settings
# Verify proxy configuration in browser
# Test with simple HTTP site first
# Certificate issues
# Reinstall Burp CA certificate
# Clear browser certificate cache
# Check certificate trust settingsPerformance Issues:
bash
# Increase Java heap size
java -Xmx4g -jar burpsuite_pro.jar
# Optimize Burp settings
# Reduce proxy history size
# Limit active scan threads
# Disable unnecessary extensions
# Database optimization
# Clear project data regularly
# Use temporary projects for large scans
# Monitor disk space usageScanner Issues:
bash
# Check scan configuration
# Verify target scope settings
# Review scan insertion points
# Check authentication settings
# Monitor scan progress
# Review scan queue status
# Check for scan errors
# Verify network connectivityPerformance Optimization
Optimizing Burp Suite performance:
bash
# JVM Optimization
java -Xmx8g -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -jar burpsuite_pro.jar
# Burp Configuration
# Project Options > Misc:
# - Automatic project backup: Disabled for performance
# - Temporary files location: Fast SSD
# - Memory usage: Optimize for large projects
# Scanner Optimization
# Scanner > Options:
# - Scan speed: Adjust based on target
# - Concurrent scan threads: 10-20
# - Insertion point types: Limit as needed
# Proxy Optimization
# Proxy > Options:
# - History size: Limit to reasonable number
# - Automatic response modification: Minimal
# - Match and replace rules: Optimize regexSecurity Considerations
Operational Security
Testing Authorization:
- Only test applications you own or have explicit permission to test
- Obtain proper authorization before conducting security assessments
- Document testing scope and limitations
- Respect rate limiting and avoid causing service disruption
- Implement proper access controls for Burp projects and data
Data Protection:
- Encrypt Burp project files containing sensitive data
- Implement secure data retention policies for scan results
- Control access to vulnerability data and reports
- Secure transmission of scan results and findings
- Regular backup and recovery procedures for critical data
Compliance and Governance
Testing Procedures:
- Implement standardized testing methodologies
- Document all testing activities for compliance purposes
- Regular review of testing procedures and findings
- Compliance with organizational security policies
- Integration with vulnerability management workflows