🎯 Lab Objectives
- Understand what Burp Suite is and why every web tester needs it
- Configure your browser to route traffic through Burp's proxy
- Intercept and modify HTTP/HTTPS requests and responses
- Use Repeater to manually test and replay requests
- Use Intruder to automate attacks like brute-force and fuzzing
Step 1 — What is Burp Suite?
Burp Suite is a web application testing platform made by PortSwigger. The Community Edition is free and includes everything you need to get started. Professionals use the Pro version ($499/year) for automated scanning.
At its core, Burp is a proxy — it intercepts all traffic between your browser and web servers so you can see exactly what's being sent and received, and modify it.
Step 2 — Installation
# On Kali Linux — already installed:
burpsuite &
# Or install fresh:
sudo apt install burpsuite -y
# Download Community Edition on any OS:
# https://portswigger.net/burp/communitydownload
# Launch from Kali applications menu:
# Applications → Web Application Analysis → burpsuite
Step 3 — Proxy Setup
Burp listens on 127.0.0.1:8080 by default. You need to tell your browser to use it as a proxy.
# Option A — Use Burp's built-in Chromium browser (easiest)
# In Burp → Proxy → Open browser
# This pre-configured browser needs no setup
# Option B — Configure Firefox manually
# Firefox → Settings → Network Settings → Manual proxy
# HTTP Proxy: 127.0.0.1 Port: 8080
# ✓ Also use for HTTPS
# Install Burp's CA certificate (for HTTPS)
# 1. With Burp running, visit http://burpsuite in Firefox
# 2. Click "CA Certificate" → download cacert.der
# 3. Firefox → Settings → Privacy → View Certificates
# 4. Import → select cacert.der → trust for websites
Step 4 — Intercepting Traffic
# In Burp Suite:
# Proxy → Intercept → Turn Intercept ON
# Now browse to any website in Firefox
# Every request will pause here for you to inspect
# What you'll see in the intercept window:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
username=admin&password=test123
# You can:
# - Click "Forward" to send the request as-is
# - Edit fields and then Forward (e.g. change password=test123)
# - Click "Drop" to block the request entirely
# - Right-click → Send to Repeater / Intruder
Step 5 — Repeater
Repeater lets you send the same request over and over with modifications — essential for manual testing.
# From Intercept: right-click → Send to Repeater
# Or: Ctrl+R
# In Repeater:
# - Left panel: edit the request
# - Click "Send"
# - Right panel: see the response immediately
# - Change a parameter value, send again, compare responses
# Example: test SQL injection manually
GET /product?id=1 → 200 OK, shows product
GET /product?id=1' → 500 Error, SQL syntax error!
GET /product?id=1 OR 1=1 → shows all products
# Repeater is your best friend — use it for:
# - Testing every parameter manually
# - Trying authentication bypasses
# - Replaying a login request with different passwords
Step 6 — Intruder
Intruder automates sending many variations of a request — for brute-force, fuzzing, and enumeration.
# Send a request to Intruder: right-click → Send to Intruder
# In Intruder → Positions tab:
# Burp highlights attack positions with § markers
# Clear all → manually select the parameter to fuzz
# e.g. select "admin" in username=§admin§
# In Intruder → Payloads tab:
# Payload type: Simple list
# Add payloads manually or load from file:
# /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt
# Attack types:
# Sniper → one payload list, one position at a time (most common)
# Pitchfork → multiple lists, one per position (credential stuffing)
# Cluster bomb → all combinations (brute force username+password)
# Click "Start Attack"
# Sort results by Status or Length to find anomalies
Step 7 — Decoder & Other Tools
# Decoder — encode/decode values instantly
# Paste: YWRtaW4=
# Decode as: Base64 → admin
# Common encodings you'll encounter:
# Base64: YWRtaW4= → admin
# URL: admin%40test.com → admin@test.com
# HTML: <script> → <script>
# HTTP History — Proxy → HTTP History
# Every request recorded here automatically
# Right-click any request → Send to Repeater/Intruder/Scanner
# This is great for reviewing what JavaScript loaded
# Target → Site map
# Burp builds a map of every URL it has seen
# Great for understanding the full attack surface
Step 8 — Practical Exercise
sudo apt install dvwa on Kali, or use the Docker version.# Start DVWA on Kali
sudo service apache2 start
sudo service mysql start
# Visit http://localhost/dvwa → Setup → Create / Reset Database
# Login: admin / password
# Exercise 1: Intercept login
# Set DVWA security to Low
# Turn on Burp intercept, submit login form
# Observe the POST parameters
# Exercise 2: Brute-force with Intruder
# Intercept the login → Send to Intruder
# Position: mark the password field
# Payload: load /usr/share/wordlists/rockyou.txt (first 100 lines)
# Start attack → find which password returns different length
# Exercise 3: Modify a response
# Proxy → Options → Match and Replace
# Add rule: replace "Low" with "High" in responses
# Now browse DVWA — security level appears as "High" to the server!