
Burp Suite: Web Application Security Testing Guide

What Is Burp Suite and Why Does It Matter?


Burp Suite is the industry-standard platform for web application security testing, developed by PortSwigger and used by over 70,000 organisations worldwide, according to PortSwigger’s official site. OWASP’s Testing Guide references Burp Suite as a primary tool for manual and automated web application security assessment.

Burp Suite is an integrated platform for performing security testing of web applications. It works as an intercepting proxy — sitting between your browser and the target web application — allowing you to inspect, modify, and replay every HTTP/HTTPS request and response. It combines automated scanning with manual testing tools, making it the go-to platform for web application penetration testers and security analysts.

If you are new to web security testing, think of Burp Suite as a window into every conversation your browser has with a website. Normally that conversation happens invisibly. Burp Suite makes it visible, editable, and testable.

The first time I intercepted a login request in Burp Suite and saw my username and password sitting right there in the HTTP POST body, something clicked. All those lectures about “data in transit” and “encryption at rest” suddenly had a physical shape. I could see the actual form fields, the cookies, the session tokens — everything the browser was sending behind the scenes. Coming from real estate where I dealt with contracts and client data every day, the idea that sensitive information just flies across the network in readable text was genuinely alarming. That moment is when web security stopped being theoretical for me.

How Does Burp Suite Fit Into Web Application Testing?


Web applications are the most common attack surface in modern organisations. According to Verizon’s 2024 Data Breach Investigations Report, web application attacks are involved in over 25% of all breaches. Understanding how to test web applications is a core skill for any cybersecurity professional.

Burp Suite is the tool that ties the OWASP Testing Guide methodology together. Each phase of a web application security assessment maps to specific Burp Suite capabilities:

Assessment Phase | Burp Suite Tool | What You Do
Reconnaissance | Target / Site Map | Map the application structure, discover pages, endpoints, and parameters
Input testing | Repeater | Manually craft and send modified requests to test how the application handles unexpected input
Automated scanning | Scanner (Pro only) | Automatically test for common vulnerabilities like SQL injection and XSS
Brute force testing | Intruder | Automate repeated requests with varying payloads to test authentication and input validation
Encoding/decoding | Decoder | Encode and decode data in various formats (Base64, URL encoding, HTML entities)
Token analysis | Sequencer | Analyse the randomness and predictability of session tokens and other values

Burp Suite Web Testing Workflow

How a web application security test flows through Burp Suite's core tools:

  1. Configure Proxy: set the browser proxy to 127.0.0.1:8080, install the Burp CA certificate, and enable HTTPS interception
  2. Map the Application: browse the target application; Burp builds the site map automatically; identify endpoints and parameters
  3. Analyse Traffic: review requests in Proxy history, identify interesting parameters, and note authentication mechanisms
  4. Test & Exploit: send requests to Repeater, modify parameters manually, and use Intruder for automated testing
  5. Report Findings: document vulnerabilities, include request/response evidence, and rate severity using CVSS

Burp Suite comes in two main editions. As a beginner, you will start with Community Edition and it will serve you well for learning.

Feature | Community Edition (Free) | Professional Edition (~$449 USD/year)
Intercepting Proxy | Full access | Full access
Repeater | Full access | Full access
Decoder | Full access | Full access
Intruder | Throttled (very slow) | Full speed
Scanner | Not available | Full automated scanning
Sequencer | Full access | Full access
Save/restore projects | Not available | Full project management
Extensions (BApp Store) | Limited | Full access

Community Edition is enough for learning. You can intercept traffic, use Repeater for manual testing, and practise with the OWASP Juice Shop and other vulnerable applications. Professional Edition becomes valuable when you are doing real assessments and need the automated scanner and full-speed Intruder.

Download Burp Suite Community Edition from portswigger.net. It is available for Windows, macOS, and Linux. The installer includes its own JRE (Java Runtime Environment), so you do not need to install Java separately.

Burp Suite listens on 127.0.0.1:8080 by default. You need to configure your browser to route traffic through this address.

Recommended approach: Use Firefox with the FoxyProxy extension. This lets you toggle the proxy on and off without changing your system settings.

  1. Install FoxyProxy in Firefox
  2. Add a new proxy: Host 127.0.0.1, Port 8080
  3. Enable the proxy when you want to use Burp Suite, disable it when you are done

To intercept HTTPS traffic, Burp Suite generates its own TLS certificates. Your browser needs to trust Burp’s Certificate Authority (CA).

  1. With the proxy enabled, navigate to http://burp in your browser
  2. Click “CA Certificate” to download the certificate file
  3. In Firefox: Settings → Privacy & Security → View Certificates → Import → select the downloaded certificate → trust it for identifying websites

Once the certificate is trusted, confirm that interception works:

  1. Start Burp Suite and go to the Proxy tab
  2. Ensure “Intercept is on” is toggled on
  3. In your proxied browser, navigate to any website
  4. The request should appear in Burp Suite’s Proxy → Intercept tab
  5. Click “Forward” to send the request to the server, or “Drop” to block it

The Proxy is where everything begins. It captures every HTTP/HTTPS request and response between your browser and the target application. You can:

  • Intercept individual requests before they reach the server
  • Modify parameters, headers, cookies, and body content on the fly
  • Forward or drop requests to test how the application responds
  • Review history of all requests and responses in the HTTP History tab

Practical example: Intercepting a login request lets you see how credentials are transmitted — are they in the body? A query string? Are they encrypted? Is there a CSRF token? This is the kind of visibility that makes web vulnerabilities tangible.

Repeater lets you take any request from the Proxy history, modify it, and resend it as many times as you like. This is where most manual testing happens.

Common uses:

  • Testing for SQL injection by modifying input parameters
  • Testing for cross-site scripting (XSS) by injecting script tags
  • Testing access controls by changing user IDs or session tokens
  • Testing how the application handles unexpected input (special characters, long strings, null bytes)

Workflow: Right-click a request in Proxy History → “Send to Repeater” → modify the request → click “Send” → analyse the response.

Intruder automates sending multiple requests with varying payloads. It is used for brute force attacks, parameter fuzzing, and enumeration.

Four attack types:

  1. Sniper — Tests one payload position at a time (most common for single-parameter testing)
  2. Battering Ram — Uses the same payload in all positions simultaneously
  3. Pitchfork — Uses different payload lists for each position (useful for username/password pairs)
  4. Cluster Bomb — Tests all combinations of payloads across all positions (generates the most requests)

Community Edition limitation: Intruder is heavily throttled in the free version. Requests are rate-limited, making it impractical for large wordlists. For learning purposes, use small payload lists (10-20 entries) to understand the concept.
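To make the four attack types concrete, here is an added example (not PortSwigger's code) that reproduces their payload-position combinatorics in Python on a constructed login request, so you can see how many requests each mode generates before running anything; the § markers follow Intruder's notation, and the template, host and payload lists are all constructed.

```python
"""Burp Intruder's four attack types as payload-position combinatorics.
Added example, not PortSwigger code; the request template, host and payload
lists are constructed, and § marks a payload position as it does in Intruder."""
import itertools
import re

# Constructed login request with two payload positions, in Intruder's § notation.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
            "user=§admin§&pass=§password§")
POSITION = re.compile(r"§[^§]*§")

def fill(template, values):
    """Substitute the marked positions, left to right, with the given values."""
    it = iter(values)
    return POSITION.sub(lambda m: next(it), template)

def sniper(template, payloads):
    """One position at a time with a single payload set; the others keep their original value."""
    originals = [m.group(0)[1:-1] for m in POSITION.finditer(template)]
    requests = []
    for i in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[i] = payload
            requests.append(fill(template, values))
    return requests

def battering_ram(template, payloads):
    """The same payload in every position at once (e.g. a value that must match in two fields)."""
    positions = len(POSITION.findall(template))
    return [fill(template, [payload] * positions) for payload in payloads]

def pitchfork(template, *payload_sets):
    """One payload set per position, advanced in lockstep: first with first, second with second."""
    return [fill(template, combo) for combo in zip(*payload_sets)]

def cluster_bomb(template, *payload_sets):
    """Every combination across all positions; the request count is the product of the set sizes."""
    return [fill(template, combo) for combo in itertools.product(*payload_sets)]
```

With two positions, three payloads give 6 requests in Sniper but only 3 in Battering Ram, and two sets of sizes 2 and 3 give 2 requests in Pitchfork but 6 in Cluster Bomb, which is why the Community Edition throttle bites hardest on Cluster Bomb.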

Decoder converts data between different encoding formats. Web applications frequently use:

  • Base64 encoding for tokens and API keys
  • URL encoding for special characters in URLs
  • HTML encoding for rendering special characters in pages
  • Hex encoding for binary data

Practical example: You intercept a cookie value that looks like dXNlcj1hZG1pbg==. Paste it into Decoder, decode as Base64, and discover it says user=admin. Now you know the application stores the user’s role in a client-side cookie that the client can edit. Unless the server checks that value against its own session state or an integrity signature, this is a serious vulnerability.
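The Decoder workflow above, peeling the four encodings this section lists until plain text remains, together with the server-side fix for the role-in-a-cookie problem, as an added Python example that is not PortSwigger's code; the key and cookie values are constructed, and the layer detection is a heuristic in the spirit of Decoder's smart decode rather than its implementation.

```python
"""Layered decoding as you would do it by hand in Burp Decoder, plus the server-side
integrity check that makes a role cookie tamper-evident. Added example, not PortSwigger code."""
import base64, hashlib, hmac, html, re
from urllib.parse import unquote

def _printable(decoder, value):
    """Run a bytes decoder; return printable UTF-8 text or None on any failure."""
    try:
        text = decoder(value).decode("utf-8")
    except ValueError:          # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def decode_once(value):
    """Peel one encoding layer: (format, text), or None if it reads as plain text.
    Heuristic, like smart decode: look-alikes count only if they decode to printable text."""
    if len(value) >= 8 and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        text = _printable(bytes.fromhex, value)
        if text: return "hex", text
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        text = _printable(lambda v: base64.b64decode(v, validate=True), value)
        if text: return "base64", text
    if "%" in value and unquote(value) != value:
        return "url", unquote(value)
    if "&" in value and html.unescape(value) != value:
        return "html", html.unescape(value)
    return None

def smart_decode(value, max_layers=5):
    """Keep peeling until plain text remains; returns (layers applied, result)."""
    layers = []
    for _ in range(max_layers):
        step = decode_once(value)
        if step is None:
            break
        layers.append(step[0])
        value = step[1]
    return layers, value

SECRET_KEY = b"constructed-demo-key"  # constructed; a real server keeps a random key away from clients

def sign_cookie(payload):
    """Append an HMAC so a cookie such as user=guest cannot be edited to user=admin unnoticed."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify_cookie(cookie):
    """Return the payload if the MAC is valid, else None (treat the request as unauthenticated)."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None
```

Signing the cookie makes role tampering detectable, but storing the role server-side against an opaque session ID is the stronger design; the signature is the minimum that turns this finding from critical to closed.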

Sequencer analyses the randomness of session tokens, CSRF tokens, and other security-critical values. If tokens are predictable, an attacker could guess valid session tokens and hijack user accounts.

How it works: Capture a large sample of tokens (at least 100), feed them to Sequencer, and it calculates entropy and randomness metrics. Low entropy means the tokens are predictable.
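To see what “low entropy” means in practice, here is an added example (not Sequencer's actual algorithm, which runs a whole battery of statistical tests) that computes per-position Shannon entropy over a constructed token sample and flags the positions that barely change; it uses only Python's standard library, and the two token samples are constructed.

```python
"""Per-position entropy analysis in the spirit of Burp Sequencer. Added example,
not PortSwigger's algorithm; the token samples below are constructed."""
import math
import secrets
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the character found at each position across the sample."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def estimate_entropy(tokens, weak_threshold=1.0):
    """Summary: estimated bits across all positions and the positions that are effectively fixed.
    A high figure does not prove unpredictability (tokens may be correlated across requests),
    but a low one is conclusive: the token space is small enough to guess."""
    per_pos = position_entropy(tokens)
    return {
        "bits": sum(per_pos),
        "weak_positions": [i for i, e in enumerate(per_pos) if e < weak_threshold],
    }

# Constructed samples: a counter-based token with a fixed suffix versus a CSPRNG token.
PREDICTABLE = [f"{1000 + i:08x}deadbeef" for i in range(200)]
RANDOM = [secrets.token_hex(8) for _ in range(200)]
```

On these samples the counter-based tokens score under a dozen bits with most positions flagged as fixed, while the CSPRNG tokens score near the 4 bits per hex digit a 200-token sample can reveal.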

How Do You Test for OWASP Top 10 Vulnerabilities?


The OWASP Top 10 is the industry-standard awareness document for web application security risks. According to OWASP, these represent the most critical security risks to web applications. Burp Suite can test for most of them.

OWASP Top 10 Category | How Burp Suite Helps
A01: Broken Access Control | Use Repeater to modify user IDs, roles, and endpoints to test whether access controls are enforced
A02: Cryptographic Failures | Proxy reveals whether sensitive data is transmitted without encryption or with weak algorithms
A03: Injection | Repeater and Intruder test SQL injection, command injection, and other injection flaws
A07: Cross-Site Scripting (XSS) | Repeater tests reflected and stored XSS by injecting script payloads into parameters
A08: Software & Data Integrity | Proxy reveals insecure deserialisation and unsigned data in transit
A09: Security Logging Failures | Manual testing reveals whether the application logs suspicious activity

OWASP Juice Shop is a deliberately vulnerable web application designed for security training. It is the recommended practice target for Burp Suite beginners.

# Run OWASP Juice Shop with Docker
docker pull bkimminich/juice-shop
docker run -d -p 3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000

With Juice Shop running and Burp Suite proxying your traffic, you can practise:

  • Intercepting login requests and testing for SQL injection
  • Finding hidden API endpoints in the site map
  • Testing for XSS in search fields and user input
  • Analysing session tokens with Sequencer

Web application testing is a core skill on the PenTest+ exam and in real security assessments. I use the study tracker to map each OWASP Top 10 category to hands-on lab exercises.


Burp Suite is a web application testing tool, not a network scanner or endpoint protection solution. It operates at the HTTP/HTTPS layer and does not test infrastructure-level vulnerabilities like open ports or misconfigured firewalls.

Community Edition has real limitations. The throttled Intruder and missing Scanner mean you cannot do full automated assessments. For learning and manual testing, Community Edition is fine. For professional work, most testers use Professional Edition.

Automated scanning does not replace manual testing. Even the Professional Edition’s scanner misses business logic flaws, access control issues, and complex multi-step vulnerabilities. The scanner finds the low-hanging fruit; manual testing with Repeater finds the critical issues.

Legal considerations are essential. Only test web applications you own or have explicit written authorisation to test. Unauthorised web application testing is illegal under Australia’s Criminal Code Act 1995 and equivalent legislation worldwide. Many organisations provide bug bounty programmes with explicit scope — test within those boundaries.

  • Burp Suite is the industry-standard web application security testing platform — used by penetration testers, security analysts, and bug bounty hunters worldwide.
  • Start with Community Edition. The Proxy, Repeater, Decoder, and Sequencer are all fully functional in the free version. That is enough for learning.
  • The Proxy is the foundation. Everything in Burp Suite starts with intercepting and analysing HTTP traffic between your browser and the target.
  • Repeater is where most manual testing happens. Send requests, modify parameters, analyse responses — this is the core skill of web application testing.
  • Practise with OWASP Juice Shop or similar deliberately vulnerable applications. Never test against applications you do not own or have permission to test.
  • Burp Suite tests web applications, not infrastructure. Pair it with Nmap for network-level testing and vulnerability scanners for comprehensive assessments.
  • The OWASP Top 10 provides the testing framework. Use it as your checklist when assessing any web application.

Legal reminder: Only test web applications you own or have explicit written authorisation to test. Unauthorised testing is illegal in most jurisdictions including under Australia’s Criminal Code Act 1995.


Technical details verified in March 2026 against PortSwigger’s official Burp Suite documentation (portswigger.net), OWASP Testing Guide v4.2, and OWASP Top 10 (2021 edition).

Frequently Asked Questions

Is Burp Suite free?

Burp Suite Community Edition is free and includes the Proxy, Repeater, Decoder, and Sequencer. The Professional Edition costs approximately $449 USD per year and adds an automated scanner, full-speed Intruder, and project management features.

Do I need Burp Suite Professional to learn web security?

No. Community Edition is sufficient for learning web application security testing. The Proxy and Repeater tools — where most manual testing happens — are fully functional in the free version. Professional Edition becomes valuable when you do real assessments and need the automated scanner.

Is Burp Suite legal to use?

Burp Suite itself is legal to download and use. However, using it to test web applications you do not own or do not have explicit written authorisation to test is illegal in most jurisdictions. Always test only against your own applications, deliberately vulnerable targets like OWASP Juice Shop, or within the scope of authorised bug bounty programmes.

What is an intercepting proxy?

An intercepting proxy sits between your browser and a web server, capturing all HTTP/HTTPS traffic passing between them. It lets you view, modify, and replay requests and responses. Burp Suite's intercepting proxy is the foundation of its entire web application testing workflow.

Can Burp Suite test HTTPS traffic?

Yes. After installing Burp Suite's CA certificate in your browser, it can intercept and display HTTPS traffic in readable form. Burp Suite performs a man-in-the-middle operation, decrypting traffic for inspection and re-encrypting it before forwarding. This is why you should only install the CA certificate in a dedicated testing browser.

What is the difference between Repeater and Intruder?

Repeater is for manual testing — you modify a single request and send it one at a time, analysing each response individually. Intruder automates sending many requests with varying payloads, useful for brute force attacks, fuzzing, and enumeration. Use Repeater for targeted manual testing and Intruder for automated payload delivery.

What certifications test Burp Suite knowledge?

CompTIA PenTest+ (PT0-002) covers web application testing tools including intercepting proxies. The OffSec OSCP and OSWE certifications require practical web testing skills. PortSwigger also offers their own Burp Suite Certified Practitioner (BSCP) certification.

What should I practise with as a beginner?

Start with OWASP Juice Shop (runs via Docker), DVWA (Damn Vulnerable Web Application), or PortSwigger's free Web Security Academy labs. These are deliberately vulnerable applications designed for learning. Never practise against real websites without explicit authorisation.