Burp Suite for Beginners: The Complete Guide to Web Vulnerability Testing
Burp Suite is the most widely used web application security testing platform in the world. Every serious bug bounty hunter, penetration tester, and web security researcher uses it daily. This complete Burp Suite guide for beginners takes you from installation through your first real vulnerability finds — covering every tool in the Community Edition in practical, hands-on detail.
.jpg "Burp Suite for Beginners: The Complete Guide to Web Vulnerability Testing")
Table of Contents
- What Is Burp Suite and Why Does Every Security Researcher Use It?
- Installing Burp Suite Community Edition
- Setting Up the Proxy: Intercepting Your First Request
- The Core Tools: Proxy, Repeater, Intruder, Decoder, and Comparer
- Finding Real Vulnerabilities with Burp Suite
- Common Mistakes Beginners Make with Burp Suite
- Building a Professional Testing Workflow
- Frequently Asked Questions
- Conclusion
What Is Burp Suite and Why Does Every Security Researcher Use It?
Burp Suite, developed by PortSwigger, is an integrated platform for web application security testing. At its core, it works as an intercepting proxy — it sits between your browser and the web server, allowing you to capture, inspect, and modify every HTTP and HTTPS request your browser makes before it reaches its destination. This seemingly simple capability is the foundation of nearly all web vulnerability testing, because almost every web vulnerability exists at the HTTP layer: SQL injection passes through it, XSS reflects through it, IDOR relies on it, and authentication flaws are exposed by manipulating it.
What distinguishes Burp Suite from simpler tools like curl or browser developer tools is the suite of integrated features built around that proxy. The Repeater tool lets you modify and resend any captured request repeatedly without touching the browser. The Intruder tool automates the process of sending thousands of modified requests — essential for brute force testing and fuzzing. The Decoder translates between encoding formats instantly. The Target site map builds a complete picture of the application's structure as you browse through it. Together, these tools provide a complete workflow for identifying, confirming, and documenting web vulnerabilities.
Burp Suite Community Edition is free. The Professional edition adds an automated scanner, Burp Collaborator for detecting out-of-band vulnerabilities, and additional Intruder attack types — but the Community Edition is fully capable of finding real vulnerabilities and is what most practitioners start with. This guide covers the Community Edition exclusively.
One important note before continuing: Burp Suite must only be used against web applications you own, applications you have explicit written permission to test, or dedicated practice platforms such as PortSwigger Web Security Academy, DVWA, or bWAPP. Using it against real websites without authorisation is illegal regardless of intent.
Installing Burp Suite Community Edition
Burp Suite runs on Java and is available for Linux, macOS, and Windows. On Kali Linux, it comes pre-installed — if you are on Kali, skip to the proxy setup section. For all other systems, visit portswigger.net, navigate to Burp Suite Community Edition, and download the installer for your platform.
Linux Installation
# If on Kali Linux — already installed, just launch:
burpsuite
# On Ubuntu/Debian — download the JAR and run:
sudo apt install default-jdk
java -jar burpsuite_community_*.jar
# Or install via snap:
sudo snap install burpsuite-community-editionFirst Launch Configuration
On first launch, Burp Suite asks you to select a project type. Select "Temporary project" — Community Edition does not support saved projects. When prompted for configuration, choose "Use Burp defaults." Burp will open to the Dashboard tab. You will not need the scanner (Pro only), so focus on the Proxy tab.
Setting Up the Proxy: Intercepting Your First Request
The proxy is the heart of Burp Suite. Everything else depends on it working correctly. The setup requires two steps: configuring Burp's listener, and configuring your browser to route traffic through it.
Step 1: Verify the Proxy Listener
In Burp Suite, go to Proxy > Options. Under Proxy Listeners, you should see a listener running on 127.0.0.1:8080. If not, click Add, set the interface to 127.0.0.1:8080, and click OK. The running checkbox should be ticked.
Step 2: Configure Firefox to Use the Proxy
PortSwigger officially recommends using Firefox for Burp Suite testing. In Firefox, go to Settings > General > Network Settings > Manual proxy configuration. Set HTTP Proxy to 127.0.0.1 and Port to 8080. Tick "Also use this proxy for HTTPS." Click OK.
Step 3: Install Burp's CA Certificate
Without this step, Firefox will block HTTPS traffic with a certificate error. With Burp's proxy active and interception off, navigate to http://burp in Firefox. Click "CA Certificate" to download burp.der. In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates > Import. Import burp.der and tick both trust checkboxes. Burp can now intercept HTTPS traffic.
Step 4: Intercept Your First Request
# In Burp: Proxy > Intercept > ensure "Intercept is on" is shown
# In Firefox: navigate to any website
# Burp captures the request before it reaches the server
# You will see something like:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 ...
Accept: text/html,application/xhtml+xml...
Cookie: session=abc123...
# Click "Forward" to allow the request through
# Click "Drop" to discard it
# Right-click > Send to Repeater to experiment with itFor most testing sessions, you will keep Intercept off and use the HTTP History tab instead. HTTP History passively logs every request without blocking them, giving you a complete record of everything your browser sent and received that you can examine at any time.
The Core Tools: Proxy, Repeater, Intruder, Decoder, and Comparer
Repeater — Your Most-Used Tool
Repeater is where most vulnerability confirmation happens. It lets you take any request from HTTP History, modify it however you want, and send it repeatedly — observing the server's response to each variation. To send a request to Repeater, right-click it in HTTP History and select "Send to Repeater." In the Repeater tab, you will see the raw request on the left and the server's response on the right. Modify any part of the request — headers, parameters, the request body — and click Send.
# Example: Testing for SQL injection in a login form
# Original request captured:
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
username=admin&password=test123
# Modified in Repeater to test SQL injection:
username=admin'--+&password=anything
# If the response logs you in, the application is injectable
# If you get a database error, injection is confirmed
# Test for XSS in a search field:
# Original: GET /search?q=laptop HTTP/1.1
# Modified: GET /search?q=<script>alert(1)</script> HTTP/1.1
# Check if the payload appears unencoded in the response bodyIntruder — Automated Testing at Scale
Intruder automates the process of sending many modified versions of a request. The Community Edition throttles Intruder to one request per second — enough for learning, but frustrating for large-scale brute force. To use Intruder, send a request to it by right-clicking in HTTP History. In the Positions tab, Burp automatically marks injectable positions with § symbols. You can clear these and manually add your own by selecting text and clicking "Add §."
# Common Intruder use cases:
# 1. Credential stuffing / brute force login:
# Position: password=§test123§
# Payload: Simple list — load rockyou.txt or a custom wordlist
# Attack type: Sniper (one payload position, one list)
# 2. IDOR enumeration — finding other users' data:
# Original: GET /api/user/1042/profile
# Position: GET /api/user/§1042§/profile
# Payload: Numbers — range 1000 to 1100
# Look for responses with different Content-Length values
# 3. Header fuzzing:
# Add a custom header position and fuzz with a known bypass list
# X-Forwarded-For: §127.0.0.1§Decoder — Encoding and Decoding on the Fly
Web applications use encoding constantly — URL encoding, Base64, HTML entities, hex. Decoder lets you convert between any of these formats instantly. Paste any encoded string, select the encoding type from the dropdown, and Decoder reveals the underlying value. This is essential for understanding obfuscated parameters, JWT payloads, serialised objects, and cookie values that contain encoded data.
# Paste into Decoder:
dXNlcm5hbWU6YWRtaW4=
# Decode as: Base64
# Result: username:admin
# Another example:
%3Cscript%3Ealert(1)%3C%2Fscript%3E
# Decode as: URL
# Result: <script>alert(1)</script>Target Site Map — Understanding the Application's Structure
As you browse a target application with Burp's proxy active, the Target tab builds a complete site map — every URL, endpoint, parameter, and response it has observed. This passive reconnaissance is invaluable for identifying endpoints that might not be linked from the application's visible interface: admin panels, API endpoints, backup files, and configuration pages that are accessible but not publicly advertised.
Finding Real Vulnerabilities with Burp Suite
Finding SQL Injection
Browse the target application with Burp's proxy running and HTTP History capturing everything. Look for requests that include user-supplied input passed as parameters — search fields, login forms, URL parameters like ?id=42, and filter dropdowns. Send each suspicious request to Repeater and add a single quote to the parameter value. An SQL error in the response, an unexpected empty result, or a change in the application's behaviour confirms injection.
# Step 1: Find a parameter — e.g. GET /products?category=electronics
# Step 2: Send to Repeater
# Step 3: Test with a quote: GET /products?category=electronics'
# Step 4: If error, test UNION injection:
GET /products?category=electronics' UNION SELECT NULL,NULL,NULL--+
# Increment NULLs until no error = column count confirmed
# Step 5: Extract data:
GET /products?category=electronics' UNION SELECT username,password,NULL FROM users--+Finding XSS
XSS appears wherever user input is reflected back into the page. In HTTP History, filter for requests that contain parameters, then use Repeater to test each one. Your baseline payload is <script>alert(1)</script>. If the response contains the payload unencoded, the script will execute. If the application filters angle brackets, test event handlers: " onmouseover="alert(1). Check the response carefully in Burp's Render tab to confirm execution.
Finding IDOR
IDOR is Burp Suite's most straightforward finding. Browse the application as a normal user. When you see a numeric ID in a request — /account/profile/1042, ?order_id=8871 — send it to Repeater and change the number. If you receive another user's data, you have confirmed an IDOR. Create two accounts and use their IDs to test cross-account access systematically.
Testing Authentication
Capture the login request in HTTP History. Send it to Intruder for brute force testing. Check whether failed login responses include timing differences that could indicate valid usernames. Look for session tokens in cookies — paste them into Decoder and examine whether they encode predictable information. Check the Set-Cookie response header for missing HttpOnly, Secure, and SameSite attributes.
Common Mistakes Beginners Make with Burp Suite
Not installing the CA certificate properly. Without the CA certificate, Burp cannot intercept HTTPS, which accounts for almost every real web application. This is the single most common setup mistake. If you see certificate errors in Firefox while using Burp, the certificate is not correctly installed.
Using Intercept for everything. Keeping Intercept turned on while browsing creates friction and misses the benefit of HTTP History. Turn Intercept off for passive reconnaissance and normal browsing, and only turn it on when you want to modify a specific request before it leaves your machine.
Ignoring response headers. New users focus entirely on the response body and miss critical information in response headers: Set-Cookie attributes, Content-Security-Policy configurations, X-Frame-Options, and server version disclosures that all appear in headers rather than in the visible page content.
Not using the site map for reconnaissance. Manually visiting every page of a target before testing it is the slowest approach. Let Burp build the site map while you browse, then spend time reviewing it for endpoints you did not visit directly — these are often where the most interesting vulnerabilities hide.
Skipping the bWAPP practice environment. Burp Suite skills develop through repetition against real applications. Our bWAPP walkthrough covers the full setup and exploitation workflow with Burp Suite as the primary tool throughout.
Building a Professional Testing Workflow
Experienced testers follow a consistent workflow rather than testing randomly. The sequence below mirrors the methodology used in professional penetration testing engagements and bug bounty hunting.
Phase 1 — Passive reconnaissance. Browse the entire application with Burp's proxy running and Intercept off. Click every link, submit every form, use every feature. Let Burp build the site map. Examine the Target tab for unexpected endpoints, API calls, and parameters you did not interact with directly.
Phase 2 — Parameter identification. Review HTTP History and filter for POST requests and GET requests with parameters. Every parameter is a potential injection point. Note which parameters appear in SQL-like contexts (filters, searches, lookups), which are reflected in responses (potential XSS), and which reference object IDs (potential IDOR).
Phase 3 — Active testing. For each parameter of interest, send the request to Repeater and test systematically. Start with confirmation payloads before attempting exploitation. Document every finding with the exact request, the exact response, and the impact.
Phase 4 — Authentication and session analysis. Examine every cookie and authentication token using Decoder. Test rate limiting on login forms with Intruder. Attempt to access authenticated endpoints without a session cookie.
Phase 5 — Reporting. For each confirmed vulnerability, write a complete reproduction case: the vulnerable request, the payload used, the evidence of exploitation, and the remediation recommendation. The habit of writing reports in bWAPP transfers directly to professional submissions.
From here, the natural next step is PortSwigger's free Web Security Academy, which provides structured labs covering every major vulnerability class using Burp Suite as the assumed tool throughout. Combined with the hands-on practice covered in our bWAPP walkthrough and the network reconnaissance skills from our Nmap guide, Burp Suite completes the core toolkit for web security work.
Frequently Asked Questions
Is Burp Suite Community Edition good enough for bug bounty hunting?
Yes. The Community Edition is fully capable of finding real vulnerabilities across every major vulnerability class — SQL injection, XSS, IDOR, CSRF, broken authentication, and more. The primary limitation is Intruder's rate throttle, which makes large-scale brute force slow. For most bug bounty work, which focuses on manual testing and logical vulnerabilities rather than brute force, Community Edition is genuinely sufficient.
Can I use Burp Suite on Windows?
Yes. Burp Suite runs on Windows, macOS, and Linux. The functionality is identical across platforms. The setup process — installing the CA certificate, configuring the browser proxy — is the same on all platforms.
What is the difference between Burp Suite Community and Professional?
The Professional edition adds an automated web vulnerability scanner, Burp Collaborator for detecting out-of-band vulnerabilities like blind SSRF and blind XXE, unlimited Intruder request speed, and project saving. Community Edition has no scanner, throttled Intruder, and no project saving. For learning and manual bug bounty work, Community Edition is adequate. Professional is worth the cost for full-time penetration testers.
How do I test HTTPS sites with Burp Suite?
You need to install Burp's CA certificate in your browser. With Burp's proxy running, navigate to http://burp in Firefox, download the CA certificate, then import it into Firefox's certificate manager under Settings > Privacy & Security > Certificates. Once installed, Burp can intercept and decrypt HTTPS traffic transparently.
Is it legal to use Burp Suite?
Burp Suite itself is legal software. What you use it against determines legality. Using Burp against websites or applications you do not own, or do not have explicit written permission to test, is illegal under computer fraud laws in virtually every jurisdiction. Always use it against systems you own, approved practice platforms like bWAPP or DVWA, or as part of an authorised security engagement.
Conclusion
Burp Suite is not just a tool — it is a methodology. Practitioners who understand how HTTP works at the level Burp exposes it develop an analytical instinct that makes every web application they encounter legible in ways that browser-only testers cannot match. Every parameter becomes a question. Every response becomes evidence. Every session token becomes data worth examining.
The Community Edition gives you everything you need to develop that instinct. Start with the proxy and HTTP History. Get comfortable with Repeater before touching Intruder. Test against bWAPP and DVWA before approaching real targets. Build the habit of documenting every finding with full reproduction steps.
The skills you develop in Burp Suite are directly applicable to professional penetration testing, bug bounty programmes, and secure software development. No other single tool provides as complete a window into web application behaviour — which is precisely why it is the first thing every web security professional installs.
Share this guide with someone beginning their web security journey, bookmark it as a reference as you work through each tool, and explore the rest of Verxio for comprehensive coverage of ethical hacking tools, Linux fundamentals, and cybersecurity career development.
