🎯 Lab Objectives

  • Understand what Burp Suite is and why every web tester needs it
  • Configure your browser to route traffic through Burp's proxy
  • Intercept and modify HTTP/HTTPS requests and responses
  • Use Repeater to manually test and replay requests
  • Use Intruder to automate attacks like brute-force and fuzzing
👶
Complete beginner? Think of Burp Suite as a "middleman" that sits between your browser and the website. Every request your browser makes goes through Burp first, where you can read, pause, or change it before it reaches the server.

Step 1 — What is Burp Suite?

Burp Suite is a web application testing platform made by PortSwigger. The Community Edition is free and includes everything you need to get started. Professionals use the Pro version ($499/year) for automated scanning.

At its core, Burp is a proxy — it intercepts all traffic between your browser and web servers so you can see exactly what's being sent and received, and modify it.

Step 2 — Installation

# On Kali Linux — already installed:
burpsuite &

# Or install fresh:
sudo apt install burpsuite -y

# Download Community Edition on any OS:
# https://portswigger.net/burp/communitydownload

# Launch from Kali applications menu:
# Applications → Web Application Analysis → burpsuite

Step 3 — Proxy Setup

Burp listens on 127.0.0.1:8080 by default. You need to tell your browser to use it as a proxy.

# Option A — Use Burp's built-in Chromium browser (easiest)
# In Burp → Proxy → Open browser
# This pre-configured browser needs no setup

# Option B — Configure Firefox manually
# Firefox → Settings → Network Settings → Manual proxy
# HTTP Proxy: 127.0.0.1   Port: 8080
# ✓ Also use for HTTPS

# Install Burp's CA certificate (for HTTPS)
# 1. With Burp running, visit http://burpsuite in Firefox
# 2. Click "CA Certificate" → download cacert.der
# 3. Firefox → Settings → Privacy → View Certificates
# 4. Import → select cacert.der → trust for websites

Step 4 — Intercepting Traffic

# In Burp Suite:
# Proxy → Intercept → Turn Intercept ON

# Now browse to any website in Firefox
# Every request will pause here for you to inspect

# What you'll see in the intercept window:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=test123

# You can:
# - Click "Forward" to send the request as-is
# - Edit fields and then Forward (e.g. change password=test123)
# - Click "Drop" to block the request entirely
# - Right-click → Send to Repeater / Intruder

Step 5 — Repeater

Repeater lets you send the same request over and over with modifications — essential for manual testing.

# From Intercept: right-click → Send to Repeater
# Or: Ctrl+R

# In Repeater:
# - Left panel: edit the request
# - Click "Send"
# - Right panel: see the response immediately
# - Change a parameter value, send again, compare responses

# Example: test SQL injection manually
GET /product?id=1        → 200 OK, shows product
GET /product?id=1'       → 500 Error, SQL syntax error!
GET /product?id=1 OR 1=1 → shows all products

# Repeater is your best friend — use it for:
# - Testing every parameter manually
# - Trying authentication bypasses
# - Replaying a login request with different passwords

Step 6 — Intruder

Intruder automates sending many variations of a request — for brute-force, fuzzing, and enumeration.

# Send a request to Intruder: right-click → Send to Intruder

# In Intruder → Positions tab:
# Burp highlights attack positions with § markers
# Clear all → manually select the parameter to fuzz
# e.g. select "admin" in username=§admin§

# In Intruder → Payloads tab:
# Payload type: Simple list
# Add payloads manually or load from file:
# /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt

# Attack types:
# Sniper    → one payload list, one position at a time (most common)
# Pitchfork → multiple lists, one per position (credential stuffing)
# Cluster bomb → all combinations (brute force username+password)

# Click "Start Attack"
# Sort results by Status or Length to find anomalies

Step 7 — Decoder & Other Tools

# Decoder — encode/decode values instantly
# Paste: YWRtaW4=
# Decode as: Base64 → admin

# Common encodings you'll encounter:
# Base64:     YWRtaW4=  → admin
# URL:        admin%40test.com → admin@test.com
# HTML:       &lt;script&gt; → <script>

# HTTP History — Proxy → HTTP History
# Every request recorded here automatically
# Right-click any request → Send to Repeater/Intruder/Scanner
# This is great for reviewing what JavaScript loaded

# Target → Site map
# Burp builds a map of every URL it has seen
# Great for understanding the full attack surface

Step 8 — Practical Exercise

💡
Practice on DVWA (Damn Vulnerable Web App) — a safe, intentionally vulnerable app: sudo apt install dvwa on Kali, or use the Docker version.
# Start DVWA on Kali
sudo service apache2 start
sudo service mysql start
# Visit http://localhost/dvwa → Setup → Create / Reset Database
# Login: admin / password

# Exercise 1: Intercept login
# Set DVWA security to Low
# Turn on Burp intercept, submit login form
# Observe the POST parameters

# Exercise 2: Brute-force with Intruder
# Intercept the login → Send to Intruder
# Position: mark the password field
# Payload: load /usr/share/wordlists/rockyou.txt (first 100 lines)
# Start attack → find which password returns different length

# Exercise 3: Modify a response
# Proxy → Options → Match and Replace
# Add rule: replace "Low" with "High" in responses
# Now browse DVWA — security level appears as "High" to the server!
Lab Complete! Burp Suite is now your web testing foundation. Every web lab on KaliRange benefits from using Burp alongside it.
Next: SQL Injection → ← All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands