What is Burp Suite?
Burp Suite is an integrated platform for web application security testing made by PortSwigger. It sits between your browser and the target web server, letting you intercept, inspect, and modify every HTTP/S request and response in real time.
The Community Edition is free and covers everything you need to get started — Proxy, Repeater, and a rate-limited Intruder. The Professional edition adds an active scanner and unlimited Intruder speed, which is what the BSCP exam uses.
To use Burp, configure your browser to send traffic through Burp's proxy (default: 127.0.0.1:8080), then install the Burp CA certificate in your browser to intercept HTTPS without errors. Use the FoxyProxy extension to toggle it easily.
Proxy
The Proxy tab is the core of Burp Suite. It intercepts all HTTP/S traffic flowing between your browser and the target server. Every request passes through here before it's sent, giving you the chance to inspect or modify it.
Intercept: Pause live traffic mid-flight. Toggle it on to hold each request and manually inspect or modify it before forwarding. Toggle it off to let traffic flow through automatically.
HTTP History: A running log of every request and response that has passed through the proxy — even when Intercept is off. Your primary browsing audit trail.
The typical workflow: browse the target normally with Intercept off, then use HTTP History to find interesting requests. Right-click any request to send it to Repeater or Intruder for deeper testing.
Repeater
Repeater lets you take a single HTTP request and send it to the server as many times as you want — with manual modifications each time. It's your workbench for testing individual inputs.
Proxy intercepts live browser traffic. Repeater works on a copy of a request, completely decoupled from your browser. Changes in Repeater don't affect your actual session unless you want them to.
How to send a request to Repeater:
- From HTTP History or Intercept: right-click → Send to Repeater
- Keyboard shortcut: Ctrl+R
Once in Repeater, you can:
- Edit — change headers, body parameters, cookies, anything
- Send — fire the modified request and immediately see the response
- Compare — use the built-in diff to compare two responses side by side
- History — step back through previous sends in the same Repeater tab
Repeater is where you'll spend most of your time during manual testing — probing for SQLi, XSS, IDOR, authentication bypasses, and anything else that requires tweaking one parameter at a time.
Intruder
Intruder automates sending large numbers of customized requests to a target. You mark positions in a request where payloads will be inserted, supply a list of payloads, and Intruder fires them all.
Common use cases: brute-forcing login credentials, fuzzing parameters for injection, enumerating user IDs, or testing every item in a wordlist.
Attack Types
Sniper: One payload list, inserted into one position at a time (the other positions keep their original value). Best for testing a single parameter against many payloads.
Battering ram: One payload list, inserted into all positions simultaneously. Every request uses the same payload in all positions.
Pitchfork: Multiple payload lists, one per position, stepped through in parallel. Pairs values together — useful for username+password combinations where they're matched.
Cluster bomb: Multiple payload lists, tries every combination. Generates huge request volumes — use carefully.
Intruder is rate-limited in Community Edition — it throttles requests to slow the attack down significantly. For serious brute-forcing, use ffuf, hydra, or wfuzz from the command line instead.
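To make the four attack types concrete, here is an added Python example (not part of the original notes and not PortSwigger's code) that expands a request template carrying Burp-style §...§ payload markers into the request set each mode would produce; the request, user list and password list are constructed sample data.

```python
import itertools
import re

POSITION_RE = re.compile(r"§[^§]*§")   # Burp marks each payload position as §value§

# Constructed sample request with two payload positions (username and password).
TEMPLATE = "POST /login HTTP/1.1\r\nHost: target.example\r\n\r\nuser=§admin§&pass=§secret§"
USERS = ["alice", "bob"]          # constructed payload list 1
PASSWORDS = ["p1", "p2", "p3"]    # constructed payload list 2

def base_values(template):
    """Original value inside each §...§ marker, in order."""
    return [m.strip("§") for m in POSITION_RE.findall(template)]

def fill(template, values):
    """Substitute values[i] into the i-th marker of the template."""
    parts = POSITION_RE.split(template)   # literal text between the markers
    if len(values) != len(parts) - 1:
        raise ValueError("need exactly one value per payload position")
    out = parts[0]
    for value, rest in zip(values, parts[1:]):
        out += value + rest
    return out

def sniper(template, payloads):
    """One list, one position at a time; other positions keep their base value."""
    base = base_values(template)
    reqs = []
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            reqs.append(fill(template, values))
    return reqs

def battering_ram(template, payloads):
    """One list, the same payload placed into every position at once."""
    n = len(base_values(template))
    return [fill(template, [p] * n) for p in payloads]

def pitchfork(template, *lists):
    """One list per position, stepped in parallel; stops at the shortest list."""
    return [fill(template, list(combo)) for combo in zip(*lists)]

def cluster_bomb(template, *lists):
    """One list per position, every combination (Cartesian product)."""
    return [fill(template, list(combo)) for combo in itertools.product(*lists)]
```

With two positions, two users and three passwords, Sniper yields 4 requests, Battering ram 2, Pitchfork 2 and Cluster bomb 6, which is why the last mode's volume grows so quickly as lists get longer.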
Other Tools Worth Knowing
Decoder: Encode/decode strings in URL, Base64, HTML, hex, and more. Useful for quickly transforming values you find in requests.
Comparer: Diff two requests or responses side by side. Great for spotting subtle differences between a successful and a failed response.
Site map (Target tab): Visualizes the application structure as you browse. Shows all discovered endpoints, paths, and parameters in a tree.
Scope (Target → Scope): Define what's in scope for the engagement. Burp can filter history and tools to show only in-scope traffic.
Typical Testing Workflow
Here's a rough order of operations when approaching a new web app with Burp:
- Set up proxy + browser. Define scope in Target → Scope.
- Browse the entire application manually with Intercept off — let HTTP History record everything.
- Review HTTP History. Identify interesting endpoints: login, search, file upload, APIs, anything accepting user input.
- Send interesting requests to Repeater. Manually probe each input.
- For anything requiring iteration (brute-force, fuzzing) — send to Intruder or use a CLI tool.
- Use Decoder to analyze any encoded values (tokens, cookies, hidden params).
Proxy = intercept and log all traffic. Repeater = manually test and tweak a single request. Intruder = automate across many payloads. Start with Proxy, use HTTP History to find targets, then pivot to Repeater for manual testing. That's 90% of your Burp workflow.