Burp Suite Tutorial
Beginner · ⏱ 25 min read · Bug Bounty & Offensive Security
Master Burp Suite — the web hacker's Swiss Army knife.
Burp Suite by PortSwigger is the industry-standard web application security testing toolkit used by penetration testers, bug bounty hunters, and AppSec teams worldwide.
Prerequisites
- Basic understanding of HTTP/HTTPS
- A target application (use PortSwigger Web Security Academy labs)
- Java 17+ installed
Installation & Setup
Download Burp Suite Community Edition from portswigger.net. Install the CA certificate in your browser to intercept HTTPS traffic.
Configure Browser Proxy
Set your browser proxy to 127.0.0.1:8080. Install the Burp CA certificate from http://burpsuite.
Proxy & Intercepting Traffic
The Proxy tab intercepts HTTP/S requests between your browser and the target, letting you inspect and modify them in real time.
Intercept vs Passthrough
Toggle Intercept On/Off. When on, every request pauses for review. When off, traffic flows but is logged in HTTP History.
Target Scope & Site Map
Define your target scope to focus Burp on specific domains. The Site Map builds a tree of all discovered content.
Scanner (Pro Feature)
Burp Scanner automatically crawls and audits your target for OWASP Top 10 vulnerabilities.
Interpreting Scan Results
Results are rated by confidence and severity. Always manually verify High/Certain findings.
Intruder – Automated Attacks
Intruder lets you automate brute forcing, fuzzing parameters, and enumerating endpoints.
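To make the automation concrete, the following added example (not PortSwigger's code) reproduces how Intruder expands one request template with § payload-position markers under its four attack types (Sniper, Battering ram, Pitchfork, Cluster bomb); the request template and payload lists are constructed samples, and knowing the resulting request count before you press Start is what keeps a test within scope and rate limits.

```python
from __future__ import annotations
import itertools
import re
from typing import Iterator

# Burp marks a payload position as §value§, the enclosed text being the base value.
MARKER = re.compile(r"§([^§]*)§")

# Constructed sample: two positions, an API version in the path and a sort parameter.
TEMPLATE = "GET /api/§v1§/users?sort=§name§ HTTP/1.1"
# Constructed sample payload sets, one per position (Sniper/Battering ram use only the first).
PAYLOAD_SETS = [["v1", "v2"], ["name", "id", "email"]]


def positions(template: str) -> list[str]:
    """Base values of the marked positions, left to right."""
    return MARKER.findall(template)


def _fill(template: str, values: list[str]) -> str:
    """Replace each marker with the next value; markers themselves are removed."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def expand(template: str, payload_sets: list[list[str]], mode: str) -> Iterator[str]:
    """Yield every request Intruder would send for the given attack type."""
    base = positions(template)
    n = len(base)
    if mode == "sniper":          # one position at a time, others keep base value
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(base)
                values[i] = payload
                yield _fill(template, values)
    elif mode == "battering ram": # same payload in every position at once
        for payload in payload_sets[0]:
            yield _fill(template, [payload] * n)
    elif mode == "pitchfork":     # sets advance in parallel, stops at the shortest
        for combo in zip(*payload_sets[:n]):
            yield _fill(template, list(combo))
    elif mode == "cluster bomb":  # every combination of the sets
        for combo in itertools.product(*payload_sets[:n]):
            yield _fill(template, list(combo))
    else:
        raise ValueError(f"unknown attack type: {mode}")


def request_count(template: str, payload_sets: list[list[str]], mode: str) -> int:
    """Total requests the attack would issue; check this against scope before running."""
    return sum(1 for _ in expand(template, payload_sets, mode))
```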
Repeater – Manual Testing
Manually modify and resend individual requests. Essential for testing SQLi, XSS, and business logic flaws.
Extensions (BApp Store)
Extend Burp with Logger++, Autorize, Param Miner, Active Scan++, and Turbo Intruder.
Real-World Bug Bounty Workflow
1. Set scope.
2. Passively spider.
3. Run active scan.
4. Manually test in Repeater.
5. Fuzz with Intruder.
6. Document findings.
Frequently Asked Questions
Is Burp Suite free?
Community Edition is free but limited. Professional costs ~$449/year and is essential for serious testing.
Best alternative?
OWASP ZAP (free, open-source) and Caido (modern, fast) are top alternatives.
Can I use it for bug bounties?
Absolutely — most top hunters use Burp Pro with custom extensions.