
Burp Suite Essentials: Web Application Pentesting Workflow

bolt · April 2, 2026 · 5 min read
Tags: burp-suite, web-security, pentesting, proxy, tools

What Is Burp Suite?

Burp Suite by PortSwigger is the industry-standard tool for web application security testing. It acts as a proxy between your browser and the target application, letting you intercept, inspect, and modify HTTP requests in real time.

The Community Edition is free and covers most testing needs. The Professional Edition (~$450/yr) adds the automated scanner, advanced Intruder, and more.

Setup — Proxy Configuration

Step 1: Install Burp Suite

# Download from: https://portswigger.net/burp/communitydownload
# Available for Windows, macOS, and Linux
# Requires Java (bundled with installer)

Step 2: Configure Browser Proxy

# Burp listens on 127.0.0.1:8080 by default
# Option A: Use FoxyProxy browser extension (recommended)
#   - Add proxy: 127.0.0.1:8080
#   - Toggle on/off easily

# Option B: System proxy settings
#   - Set HTTP/HTTPS proxy to 127.0.0.1:8080

# Option C: Use Burp's embedded browser (easiest)
#   - Click "Open browser" in Proxy tab

Step 3: Install CA Certificate

# Navigate to http://burp in your proxied browser
# Download the CA certificate
# Install it as a trusted root CA in your browser/system
# This allows Burp to intercept HTTPS traffic
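Scripted clients (a quick Python harness, an API test suite) need the same two settings as the browser: route traffic through the 127.0.0.1:8080 listener and trust Burp's CA, otherwise every HTTPS call fails certificate validation. The helper below is an added example, not code from the post or from PortSwigger; it uses only the standard library, assumes the CA downloaded from http://burp was saved under a placeholder path `cacert.der`, and trusts that CA for this one client only rather than installing it system-wide.

```python
"""Route a scripted HTTP client through Burp and trust Burp's CA for that client only.

Added example (not from the original post or PortSwigger), standard library only.
Assumptions: Burp's default listener 127.0.0.1:8080 and a CA file exported from
http://burp; the file paths below are placeholders.
"""
import os
import ssl
import urllib.request

BURP_PROXY = "127.0.0.1:8080"  # Burp's default listener, as in the setup steps


def der_to_pem(der_bytes: bytes) -> str:
    """Burp serves its CA in DER form; most clients want PEM.
    Same transformation as `openssl x509 -inform der -in cacert.der`."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def pem_to_der(pem_text: str) -> bytes:
    """Inverse of der_to_pem, handy for checking the conversion round-trips."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def proxy_map(proxy: str = BURP_PROXY) -> dict:
    """Proxy mapping in the shape urllib, requests and most tooling expect.
    HTTPS is tunnelled to Burp over a plain HTTP CONNECT, hence http:// for both."""
    return {"http": f"http://{proxy}", "https": f"http://{proxy}"}


def burp_opener(ca_pem_path: str, proxy: str = BURP_PROXY) -> urllib.request.OpenerDirector:
    """Build a urllib opener whose traffic goes through Burp and whose TLS
    verification trusts Burp's CA (from the given PEM file) instead of the
    system store. Nothing outside this opener is affected."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy_map(proxy)),
        urllib.request.HTTPSHandler(context=ctx),
    )


if __name__ == "__main__":
    der_path = "cacert.der"    # placeholder: where you saved the CA from http://burp
    pem_path = "burp-ca.pem"   # placeholder output path
    if os.path.exists(der_path):
        with open(der_path, "rb") as f:
            pem = der_to_pem(f.read())
        with open(pem_path, "w") as f:
            f.write(pem)
        opener = burp_opener(pem_path)
        # Every request made with `opener` now appears in Burp's HTTP history, e.g.:
        # with opener.open("https://target.example/") as resp:
        #     print(resp.status)
        print(f"opener ready, proxying via {BURP_PROXY} with CA {pem_path}")
    else:
        print(f"{der_path} not found; download the CA from http://burp first")
```

Keeping the CA in a per-client context (or a per-profile browser trust store) limits the blast radius of the Burp CA key, which anyone with a copy of your Burp config directory could use to impersonate any site to a machine that trusts it system-wide.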

The Core Tools

1. Proxy — Intercept and Modify Requests

The foundation of Burp. Every request your browser makes passes through the proxy, where you can inspect and modify it.

# Typical workflow:
# 1. Enable "Intercept is on" in Proxy tab
# 2. Browse the target application
# 3. Each request pauses for your review
# 4. Modify parameters, headers, or body
# 5. Click "Forward" to send (or "Drop" to cancel)

# Key areas to modify:
# - Cookies (session tokens)
# - POST body parameters
# - Authorization headers
# - Hidden form fields
# - Content-Type headers

2. Repeater — Manual Request Testing

Send a request to Repeater (Ctrl+R) to modify and resend it as many times as you want without re-browsing.

# Use Repeater for:
# - Testing SQL injection payloads manually
# - Modifying authorization tokens (IDOR testing)
# - Testing different Content-Types
# - Comparing responses to different inputs

# Example: Testing for SQL injection
# Original: POST /login  body: username=admin&password=test
# Modified: POST /login  body: username=admin' OR '1'='1' --&password=x

3. Intruder — Automated Attacks

Automate sending many requests with different payloads — for fuzzing, brute-forcing, and parameter testing.

# Attack types:
# Sniper     — One payload position at a time (for targeted testing)
# Battering Ram — Same payload in all positions (for credential stuffing)
# Pitchfork  — Parallel payloads (username list + password list, paired)
# Cluster Bomb — All combinations (username list × password list)

# Common uses:
# - Directory/file brute-forcing
# - Username enumeration (compare response lengths)
# - Fuzzing parameters for injection
# - Testing rate limiting
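The four attack types differ only in how payload lists are mapped onto payload positions (the `§...§` markers in Intruder's UI), and that mapping decides how many requests a run sends, which matters when the target enforces a rate limit or you are sizing a Turbo Intruder run. The generators below are an added example, not code from the post or from PortSwigger; the request template and payload lists are constructed, and nothing is sent anywhere.

```python
"""Model Intruder's four attack types as request generators.

Added example (not from the original post or PortSwigger). Shows how each mode
maps payload lists onto marked positions and how many requests it produces.
The template and payloads are constructed; nothing is sent.
"""
import itertools
import re

MARK = "\u00a7"  # Intruder wraps each payload position in section signs: §value§
POS_RE = re.compile(f"{MARK}(.*?){MARK}")

# Constructed login request with two payload positions.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"username={MARK}admin{MARK}&password={MARK}test{MARK}"
)


def positions(template: str) -> list:
    """Baseline value of each marked position, left to right."""
    return POS_RE.findall(template)


def fill(template: str, values: list) -> str:
    """Replace the marked positions, left to right, with the given values."""
    it = iter(values)
    return POS_RE.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: list):
    """One position at a time; the others keep their baseline value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            yield fill(template, base[:i] + [p] + base[i + 1:])


def battering_ram(template: str, payloads: list):
    """The same payload in every position."""
    n = len(positions(template))
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template: str, *payload_sets: list):
    """One list per position, walked in lockstep; stops at the shortest list."""
    for combo in zip(*payload_sets):
        yield fill(template, list(combo))


def cluster_bomb(template: str, *payload_sets: list):
    """Every combination: the Cartesian product of one list per position."""
    for combo in itertools.product(*payload_sets):
        yield fill(template, list(combo))


MODES = {"sniper": sniper, "battering_ram": battering_ram,
         "pitchfork": pitchfork, "cluster_bomb": cluster_bomb}


def request_count(mode: str, template: str, *payload_sets: list) -> int:
    """Number of requests a mode will send for these payload lists.
    Sniper and Battering Ram take one list; Pitchfork and Cluster Bomb take
    one list per position."""
    return sum(1 for _ in MODES[mode](template, *payload_sets))


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]       # constructed payload list 1
    passwords = ["Winter2024", "Spring2025"]  # constructed payload list 2
    for mode, sets in [("sniper", (users,)), ("battering_ram", (users,)),
                       ("pitchfork", (users, passwords)), ("cluster_bomb", (users, passwords))]:
        print(f"{mode:14s} -> {request_count(mode, TEMPLATE, *sets)} requests")
    print(next(pitchfork(TEMPLATE, users, passwords)).split("\r\n\r\n")[1])
```

With two positions, three usernames and two passwords the counts come out as 6, 3, 2 and 6; with realistic wordlists Cluster Bomb grows as the product of the lists, which is the mode a login rate limit or account lockout policy has to absorb, and the mode most likely to trip one during an assessment.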

4. Scanner (Pro Only) — Automated Vulnerability Detection

# The scanner crawls the application and tests for:
# - SQL injection
# - Cross-site scripting (XSS)
# - OS command injection
# - Directory traversal
# - XML external entity (XXE)
# - Server-side request forgery (SSRF)
# - And many more...

# Scan types:
# - Passive scan: Analyzes traffic as it passes through the proxy
# - Active scan: Sends attack payloads to test for vulnerabilities

5. Decoder — Encode/Decode Data

# Decode/encode between formats:
# Base64 ↔ Plaintext
# URL encoding ↔ Plaintext
# HTML entities ↔ Plaintext
# Hex ↔ ASCII
# Hashing (MD5, SHA-1, SHA-256)

# Essential for:
# - Decoding JWT tokens
# - Understanding obfuscated parameters
# - Crafting encoded payloads
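The transformations in the Decoder tab are all one-liners in the standard library, and having them in a script is useful when you need to apply the same decode to hundreds of values from Logger++ output. The block below is an added example, not code from the post or from PortSwigger; it also shows the point Decoder makes visible about JWTs: the header and payload decode with no key at all, so anything read from them is untrusted until the signature is checked. The token and secret it uses are constructed for the demo.

```python
"""Decoder-tab transformations and JWT inspection in plain Python.

Added example (not from the original post or PortSwigger), standard library only.
The JWT secret and token built here are constructed for the demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import html
import json
import urllib.parse


# --- Decoder pairs ----------------------------------------------------------
def b64_encode(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def b64_decode(s: str) -> str:
    return base64.b64decode(s).decode()


def url_encode(s: str) -> str:
    return urllib.parse.quote(s, safe="")  # encode everything, incl. & = /


def url_decode(s: str) -> str:
    return urllib.parse.unquote(s)


def html_encode(s: str) -> str:
    return html.escape(s, quote=True)


def html_decode(s: str) -> str:
    return html.unescape(s)


def hex_encode(s: str) -> str:
    return binascii.hexlify(s.encode()).decode()


def hex_decode(s: str) -> str:
    return binascii.unhexlify(s).decode()


def digest(s: str, algo: str = "sha256") -> str:
    """Decoder's hash menu: md5, sha1, sha256 (any name hashlib knows)."""
    return hashlib.new(algo, s.encode()).hexdigest()


# --- JWT -------------------------------------------------------------------
def b64url_decode(seg: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """What Decoder shows: header and payload, decoded without any key.
    Nothing here is trustworthy until verify_hs256() (or the RSA/EC
    equivalent for other algs) has passed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_hs256_jwt(payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 token for the demo (real ones come from the app)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = make_hs256_jwt({"sub": "1234", "role": "user"}, secret)
    print("payload (unverified):", decode_jwt(tok)["payload"])
    print("signature valid:", verify_hs256(tok, secret))
    print("base64:", b64_encode("admin:pass"), "| url:", url_encode("a b&c=d"), "| sha256:", digest("abc"))
```

The same split-and-decode is what the JWT Editor extension does in the UI; the verification step is the part to look for when reviewing server code, and the reason a decoded `role` claim in Decoder tells you nothing about what the server will accept.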

6. Comparer — Diff Two Responses

# Compare two HTTP responses to spot differences:
# - Find different responses for valid vs. invalid usernames
# - Detect subtle changes in error messages
# - Compare authenticated vs. unauthenticated responses
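Comparer is a visual diff, and the same logic is easy to script when you want to check many response pairs at once. The block below is an added example, not code from the post or from PortSwigger: it builds two constructed login responses, one for a known and one for an unknown username, and reports status, length delta, changed headers and changed body lines, with volatile headers such as `Date` ignored so they do not mask the real difference.

```python
"""A scripted Comparer: diff two raw HTTP responses and summarise the differences.

Added example (not from the original post or PortSwigger), standard library only.
The responses are constructed to resemble a login endpoint whose error text
depends on whether the username exists, the signal behind username enumeration.
"""
import difflib

# Headers that legitimately differ between two otherwise identical responses.
VOLATILE_HEADERS = ("Date", "Set-Cookie", "X-Request-Id")


def http_response(status: str, body: str, headers=None) -> str:
    """Build a raw HTTP/1.1 response with a correct Content-Length (constructed data)."""
    hdrs = {"Content-Type": "text/html", **(headers or {})}
    hdrs["Content-Length"] = str(len(body.encode()))
    head = "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return f"HTTP/1.1 {status}\r\n{head}\r\n{body}"


def split_response(raw: str):
    """Split a raw response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return lines[0], headers, body


def compare(a: str, b: str, ignore=VOLATILE_HEADERS) -> dict:
    """Comparer-style summary of how response b differs from response a."""
    sa, ha, ba = split_response(a)
    sb, hb, bb = split_response(b)
    changed_headers = sorted(
        k for k in set(ha) | set(hb) if k not in ignore and ha.get(k) != hb.get(k)
    )
    body_diff = [
        line for line in difflib.ndiff(ba.splitlines(), bb.splitlines())
        if line.startswith(("+ ", "- "))
    ]
    return {
        "status_same": sa == sb,
        "length_delta": len(bb.encode()) - len(ba.encode()),
        "changed_headers": changed_headers,
        "body_diff": body_diff,
        # True when an unauthenticated client could tell the two cases apart.
        "distinguishable": sa != sb or bool(changed_headers) or bool(body_diff),
    }


if __name__ == "__main__":
    # Constructed responses: same status, different error text.
    known_user = http_response("200 OK", '<p class="err">Incorrect password.</p>', {"Date": "Thu, 02 Apr 2026 10:00:00 GMT"})
    unknown_user = http_response("200 OK", '<p class="err">Unknown username.</p>', {"Date": "Thu, 02 Apr 2026 10:00:01 GMT"})
    result = compare(known_user, unknown_user)
    for key, value in result.items():
        print(f"{key:16s} {value}")
```

When `distinguishable` is true for a valid/invalid username pair the endpoint leaks account existence; the fix on the application side is one generic message and, ideally, equal response sizes and timings for both branches, which the same comparison then confirms.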

Essential Pentesting Workflow

Phase 1: Map the Application

  1. Set scope in Target tab (add target domain)
  2. Browse every page, click every link, submit every form
  3. Review the Site Map — it shows all discovered endpoints
  4. Check for hidden parameters, API endpoints, admin panels

Phase 2: Authentication Testing

  1. Test login with SQL injection: admin' --, ' OR '1'='1
  2. Check for username enumeration (different error messages)
  3. Test password brute-force resistance (use Intruder)
  4. Check session management (token randomness, expiry, HttpOnly flag)
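Step 4 is mostly reading `Set-Cookie` headers and looking at a sample of issued tokens, which is easy to script once you have captured a few logins in the HTTP history. The block below is an added example, not code from the post or from PortSwigger: it parses constructed `Set-Cookie` lines for the HttpOnly, Secure, SameSite and Max-Age attributes, and runs a rough randomness check over a list of constructed tokens (duplicates, sequential values, short length, low estimated entropy). The entropy figure is a frequency estimate from the token's own characters, not a proof of unpredictability.

```python
"""Session-cookie attribute checks and a rough token-randomness check.

Added example (not from the original post or PortSwigger), standard library only.
All Set-Cookie lines and tokens below are constructed. The entropy estimate is
per-character Shannon entropy of the sample, an upper bound on real randomness.
"""
import math
import secrets
from collections import Counter

MAX_AGE_LIMIT = 86400  # flag session cookies that persist longer than a day
MIN_TOKEN_BITS = 64    # OWASP-style floor for session-id entropy


def parse_set_cookie(line: str) -> dict:
    """'Set-Cookie: sid=abc; Path=/; HttpOnly' -> name, value and lower-cased attrs."""
    _, _, rest = line.partition(":")
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(line: str) -> list:
    """Return a list of weaknesses in one Set-Cookie header (empty means fine)."""
    attrs = parse_set_cookie(line)["attrs"]
    out = []
    if "httponly" not in attrs:
        out.append("missing HttpOnly")          # readable by script, XSS can steal it
    if "secure" not in attrs:
        out.append("missing Secure")            # may be sent over plain HTTP
    if "samesite" not in attrs:
        out.append("missing SameSite")          # browser default applies, not explicit
    elif str(attrs["samesite"]).lower() == "none":
        out.append("SameSite=None")             # sent on cross-site requests
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit() and int(max_age) > MAX_AGE_LIMIT:
        out.append(f"long-lived (Max-Age={max_age})")
    return out


def shannon_bits_per_char(token: str) -> float:
    """Entropy estimate from the token's own symbol frequencies."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def token_findings(tokens: list) -> list:
    """Weak-token indicators over a sample of issued session identifiers."""
    out = []
    if len(set(tokens)) < len(tokens):
        out.append("duplicate tokens issued")
    # Sequential tokens: hex/decimal values that advance by one constant step.
    try:
        values = [int(t, 16) for t in tokens]
        steps = {b - a for a, b in zip(values, values[1:])}
        if len(steps) == 1:
            out.append(f"sequential tokens (step {steps.pop()})")
    except ValueError:
        pass  # not all hex; the sequential heuristic does not apply
    if any(len(t) < 16 for t in tokens):
        out.append("tokens shorter than 16 characters")
    if any(shannon_bits_per_char(t) * len(t) < MIN_TOKEN_BITS for t in tokens):
        out.append(f"estimated entropy below {MIN_TOKEN_BITS} bits")
    return out


if __name__ == "__main__":
    # Constructed headers: a weak one and a reasonable one.
    print(cookie_findings("Set-Cookie: session=00000017; Path=/"))
    print(cookie_findings("Set-Cookie: session=9f2c4e7a1b3d5f60a8c2e4d6b1f3a5c7; Path=/; HttpOnly; Secure; SameSite=Lax"))
    # Constructed token samples: a counter vs. 128-bit random values.
    print(token_findings(["00000015", "00000016", "00000017"]))
    print(token_findings([secrets.token_hex(16) for _ in range(3)]))
```

A counter-style identifier fails every check; tokens from a CSPRNG such as `secrets.token_hex(16)` pass them. Expiry is only partly visible here: `Max-Age` is read, but server-side idle and absolute timeouts have to be tested by waiting and replaying the cookie in Repeater.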

Phase 3: Authorization Testing (IDOR)

  1. Login as User A, capture requests with resource IDs
  2. Change IDs to access User B's resources
  3. Test horizontal escalation: GET /api/users/123 → GET /api/users/456
  4. Test vertical escalation: regular user accessing admin endpoints

Phase 4: Injection Testing

  1. Test every input for SQL injection (Repeater)
  2. Test for XSS in reflected parameters
  3. Test for command injection in fields that interact with the OS
  4. Test for SSRF in URL/webhook fields

Must-Have Burp Extensions

Extension        Purpose
Autorize         Automated authorization testing (IDOR detection)
Logger++         Enhanced request/response logging with filtering
Param Miner      Discover hidden parameters and headers
Active Scan++    Additional active scan checks
JWT Editor       Decode, edit, and forge JWT tokens
Turbo Intruder   High-speed Intruder for race conditions
Hackvertor       Advanced encoding/decoding for payload crafting

Pro Tips

  • Use Scope! — Set your target scope immediately to avoid scanning third-party domains
  • Save your project — Burp project files preserve all your work for later analysis
  • Learn keyboard shortcuts — Ctrl+R (send to Repeater), Ctrl+I (send to Intruder), Ctrl+Space (forward intercepted request)
  • Check the HTTP history — Not just intercepted requests. Review all traffic for hidden API calls made by JavaScript.
  • Match and replace — Use Proxy settings to auto-replace values (e.g., always inject your JWT, always remove CSP headers)

Key Takeaways

  • Burp Suite is the Swiss Army knife of web security testing — learn it thoroughly
  • Start with Proxy + Repeater — they handle 80% of manual testing
  • The Community Edition is more than enough for learning and most assessments
  • Always set scope and get written authorization before testing
  • Extensions like Autorize and Param Miner automate the tedious parts
  • Practice on PortSwigger Web Security Academy — it's built by the same company
