Burp Suite

Burp Suite, developed by PortSwigger, is the most widely used web application security testing platform. It provides an integrated set of tools for the whole testing workflow, from mapping the application through to manual and automated vulnerability discovery and exploitation.

Core Tools

  • Proxy: Intercept, view, and modify HTTP/HTTPS traffic
  • Scanner: Automated vulnerability detection (Pro only)
  • Intruder: Automated customized attacks (fuzzing, brute force)
  • Repeater: Manually modify and resend requests
  • Decoder: Encode/decode data in various formats
  • Comparer: Visual diff between responses
  • Sequencer: Analyze token randomness

Common Workflows

# Intercepting requests
1. Configure the browser to use Burp as its HTTP proxy (127.0.0.1:8080, the default listener)
2. For HTTPS, install Burp's CA certificate in the browser (visit http://burp in the proxied browser and click "CA Certificate"); without it, TLS interception fails with certificate errors
3. Browse the target application
4. Intercept → view/modify → forward

# Fuzzing with Intruder
1. Send request to Intruder (Ctrl+I)
2. Mark payload positions with § (the text between a marker pair is the baseline value that each payload replaces)
3. Choose an attack type (Sniper, Battering ram, Pitchfork, Cluster bomb) and configure one payload set per position as the attack type requires
4. Start the attack, then sort results by status code, length, or timing to spot responses that differ from the baseline

# Repeating and modifying
1. Send request to Repeater (Ctrl+R)
2. Modify parameters, headers, or body
3. Send and compare responses (status, length, timing); send two responses to Comparer for a word- or byte-level diff
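The two workflows above, fuzzing with Intruder and comparing responses, can be reproduced offline to see exactly what Burp does with § markers and attack types. The following Python is an added illustration, not Burp's own code: the four attack types and the section-sign markers are Burp's, while the helper names, the host target.example and the sample results table are assumptions made up for the example.

```python
"""Emulate Burp Intruder payload positions and attack types offline.
Added illustration, not Burp's own code: the four attack types and the
section-sign markers are Burp's; helper names and sample data are invented."""
import itertools
from collections import Counter

MARKER = "\u00a7"   # the section sign Burp uses to mark payload positions


def split_template(template):
    """Split a request template into literal chunks and the baseline values
    enclosed by marker pairs: 'a§x§b§y§c' -> (['a','b','c'], ['x','y'])."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Interleave literal chunks with the chosen payload values."""
    out = [literals[0]]
    for lit, val in zip(literals[1:], values):
        out.append(val)
        out.append(lit)
    return "".join(out)


def fix_content_length(request):
    """Recompute Content-Length after the body changed, as Intruder's
    'update Content-Length header' option does by default."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    had_header = any(l.lower().startswith("content-length:") for l in lines)
    if not sep or not (body or had_header):
        return request
    lines = [l for l in lines if not l.lower().startswith("content-length:")]
    lines.append("Content-Length: %d" % len(body.encode("utf-8")))
    return "\r\n".join(lines) + sep + body


def generate(template, attack, payload_sets):
    """Yield one rendered request per Intruder iteration for the given attack.
    sniper / battering_ram take a single payload set; pitchfork / cluster_bomb
    take one set per marked position."""
    literals, baseline = split_template(template)
    n = len(baseline)
    if attack in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError("%s uses exactly one payload set" % attack)
        payloads = payload_sets[0]
        if attack == "sniper":   # one position at a time, others keep baseline
            combos = ([p if j == i else baseline[j] for j in range(n)]
                      for i in range(n) for p in payloads)
        else:                    # same payload in every position at once
            combos = ([p] * n for p in payloads)
    elif attack in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError("%s needs one payload set per position" % attack)
        combos = (zip(*payload_sets) if attack == "pitchfork"
                  else itertools.product(*payload_sets))
    else:
        raise ValueError("unknown attack type: %s" % attack)
    for values in combos:
        yield fix_content_length(render(literals, list(values)))


def find_outliers(results):
    """results: (payload, status, length) tuples as Intruder's results table
    shows them. Return rows whose (status, length) differs from the most common
    pair, i.e. the responses worth a closer look in Repeater."""
    signatures = Counter((status, length) for _, status, length in results)
    common = signatures.most_common(1)[0][0]
    return [r for r in results if (r[1], r[2]) != common]


# Constructed sample request; target.example and the credentials are placeholders.
TEMPLATE = ("POST /login HTTP/1.1\r\n"
            "Host: target.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: 0\r\n"
            "\r\n"
            "user=\u00a7admin\u00a7&pass=\u00a7password\u00a7")

if __name__ == "__main__":
    for req in generate(TEMPLATE, "cluster_bomb",
                        [["admin", "root"], ["admin", "letmein"]]):
        print(req.split("\r\n\r\n")[1])
    # Constructed results table: one attempt behaved differently from the rest.
    sample = [("admin/admin", 200, 1210), ("admin/letmein", 200, 1210),
              ("root/admin", 200, 1210), ("root/letmein", 302, 84)]
    print(find_outliers(sample))
```

Sniper with k payloads and n positions produces k*n requests, Battering ram k, Pitchfork min(len of sets), and Cluster bomb the product of all set sizes; that last number grows fast and is also the one throttled most painfully in the Community edition.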

Versions

  • Community: Free; no Burp Scanner, rate-limited Intruder, and some BApps unavailable
  • Professional: Adds Burp Scanner, unthrottled Intruder, Burp Collaborator, and the full BApp Store
  • Enterprise: Scheduled and CI/CD-driven automated scanning across many applications, with multi-user and reporting features

Extensions (BApps)

Burp supports extensions via the BApp Store and custom plugins. The legacy Extender API can be targeted from Java, Python (Jython), or Ruby (JRuby); the newer Montoya API, which PortSwigger recommends for new extensions, is Java/JVM only. Jython and JRuby extensions need the corresponding standalone JAR configured under Extensions → Extensions settings.
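A minimal Jython extension using the legacy Extender API, written as an added example rather than taken from PortSwigger or any BApp. It registers an HTTP listener that tags every outgoing request with a header, a common need when a client's WAF or logging must recognise tester traffic. The header name X-Pentest-Id and its value are placeholders; the try/except around the burp import is only there so the pure helper inject_header can be unit-tested outside Burp.

```python
# Jython extension for Burp (legacy Extender API). Added example, not
# PortSwigger code. Loads under Jython 2.7 inside Burp; outside Burp the
# `burp` package is absent, so stand-in base classes keep the module importable.
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

TAG_NAME = "X-Pentest-Id"        # hypothetical header agreed with the client
TAG_VALUE = "engagement-1234"    # hypothetical engagement identifier


def inject_header(headers, name, value):
    """Return a copy of the header list with `name: value` present exactly once.
    headers[0] is the request line (e.g. 'GET / HTTP/1.1') and is left untouched;
    any existing header with the same name is removed first (names are
    case-insensitive in HTTP, so the match ignores case)."""
    prefix = name.lower() + ":"
    out = [headers[0]]
    out.extend(h for h in headers[1:] if not h.lower().startswith(prefix))
    out.append("%s: %s" % (name, value))
    return out


class BurpExtender(IBurpExtender, IHttpListener):
    # Burp instantiates this class by name when the extension is loaded.
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Engagement tagger (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Called for every request and response passing through any Burp tool;
        # only outgoing requests are modified here.
        if not messageIsRequest:
            return
        request = messageInfo.getRequest()
        info = self._helpers.analyzeRequest(messageInfo)
        headers = list(info.getHeaders())
        body = request[info.getBodyOffset():]
        new_headers = inject_header(headers, TAG_NAME, TAG_VALUE)
        # buildHttpMessage rebuilds the raw request and fixes Content-Length.
        messageInfo.setRequest(self._helpers.buildHttpMessage(new_headers, body))
```

Load it via Extensions → Installed → Add with extension type Python, pointing at the file. The tag is applied regardless of which tool sent the request; compare toolFlag against constants such as callbacks.TOOL_PROXY or callbacks.TOOL_SCANNER if only some tools should be tagged.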

See Also