⚡ RootAccess


Burp Suite Beginner Guide: Web App Hacking in 2026

How to use Burp Suite Community Edition for web app testing. Used personally on TryHackMe rooms.

Burp Suite is the industry-standard tool for web application security testing. If you do any kind of web hacking (CTFs, bug bounty, or professional pentesting) you need to know it. I first used it on TryHackMe, and it completely changed how I understood web applications.

What is Burp Suite?

Burp Suite is a web application security testing platform made by PortSwigger. It sits between your browser and the target site as an intercepting proxy, so every request and response passes through it and you can pause, inspect, and modify traffic in real time. For HTTPS it does this by terminating TLS itself and re-signing each site's certificate with its own CA, which is why the browser has to be told to trust that CA (covered below).

Two versions matter here: Community Edition, which is free and covers everything in this guide, and Professional, a paid licence that adds the automated scanner and removes the Intruder throttling. Everything below uses Community Edition.

Installing Burp Suite

On Kali Linux (preinstalled)

Community Edition ships with Kali. Start it from the Applications menu or from a terminal:

burpsuite

On Windows

  1. Go to portswigger.net/burp/communitydownload
  2. Download the Windows installer
  3. Run it — all defaults are fine
  4. Launch it, select Temporary project → Next, then Use Burp defaults → Start Burp

Setting Up Your Browser Proxy

Step 1: Check Burp's Proxy Port

Go to Proxy → Options (Proxy → Proxy settings in recent versions). The default listener is 127.0.0.1:8080; confirm it shows as running before you touch the browser, otherwise every page will fail with a connection error once the proxy is set.

Step 2: Configure Firefox

  1. Open Firefox → Settings → search "proxy"
  2. Click Settings under Network Settings
  3. Select Manual proxy configuration
  4. HTTP Proxy: 127.0.0.1, Port: 8080
  5. Tick "Also use this proxy for HTTPS"
  6. Click OK

Two things catch people out. Firefox does not send localhost or 127.0.0.1 through the proxy by default, so to test an app running on your own machine set network.proxy.allow_hijacking_localhost to true in about:config. And because you will want to switch the proxy on and off constantly, use a separate Firefox profile for testing (or an extension such as FoxyProxy) rather than changing your everyday browser.

Step 3: Install Burp's CA Certificate

Burp decrypts HTTPS by issuing its own certificate for each site you visit, signed by a CA that Burp generates the first time it runs. Until Firefox trusts that CA, every HTTPS page will show a certificate warning.

  1. With the Firefox proxy configured, go to http://burpsuite
  2. Click CA Certificate to download cacert.der
  3. In Firefox go to Settings → search "certificates"
  4. Click View Certificates → Import
  5. Select the downloaded file → tick "Trust this CA to identify websites" → OK (the email trust box is not needed)

Treat this CA like a password. Any browser that trusts it will accept a forged certificate for any site from whoever holds the CA's private key, and that key lives in your Burp installation. Keep the trust inside a dedicated testing profile, not your everyday browser, and never import someone else's Burp CA.
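The browser setup gets GUI traffic into Burp, but much of web testing is scripted, and scripts need the same two things: point at the listener and trust Burp's CA. The following Python script is an added example, not code from this article or from PortSwigger. It converts the DER file Burp serves (cacert.der) to PEM, builds a stdlib urllib opener that routes http and https through 127.0.0.1:8080, and trusts Burp's CA only inside that opener rather than system-wide. The file names and the example.com URL are assumptions for illustration.

```python
"""Send scripted traffic through Burp's proxy and trust Burp's CA only inside
this script (stdlib only), so Burp sees tooling requests, not just the browser."""
import ssl
import urllib.request
from pathlib import Path
from typing import Dict, Optional

BURP_PROXY = "http://127.0.0.1:8080"  # Burp's default listener (Proxy → Options)


def der_to_pem(der_bytes: bytes) -> str:
    """Burp serves its CA as DER (cacert.der); Python's ssl module wants PEM."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def convert_burp_ca(der_path: str, pem_path: str) -> str:
    """Write the PEM version of the downloaded CA next to the script."""
    Path(pem_path).write_text(der_to_pem(Path(der_path).read_bytes()))
    return pem_path


def burp_ssl_context(ca_pem_path: str) -> ssl.SSLContext:
    """Trust Burp's CA in this context only, instead of adding it to the OS or
    everyday-browser store: anyone holding the CA's private key (it lives in your
    Burp install) can forge a certificate for any site this trust store accepts."""
    ctx = ssl.create_default_context()  # hostname checking and normal verification stay on
    ctx.load_verify_locations(cafile=ca_pem_path)  # adds Burp's CA alongside the system roots
    return ctx


def burp_opener(ca_pem_path: Optional[str] = None,
                proxy: str = BURP_PROXY) -> urllib.request.OpenerDirector:
    """Opener that sends http:// and https:// via Burp; with a CA path, HTTPS
    validates against Burp's CA instead of failing on the re-signed certificate."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})]
    if ca_pem_path:
        handlers.append(urllib.request.HTTPSHandler(context=burp_ssl_context(ca_pem_path)))
    return urllib.request.build_opener(*handlers)


def proxy_settings(opener: urllib.request.OpenerDirector) -> Dict[str, str]:
    """Return the proxy map an opener will use: a sanity check that traffic
    really is pointed at Burp before you start testing."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


if __name__ == "__main__":
    # cacert.der is the file downloaded from http://burpsuite (assumed name); skipped if absent.
    pem = convert_burp_ca("cacert.der", "burp-ca.pem") if Path("cacert.der").exists() else None
    opener = burp_opener(pem)
    print("proxy:", proxy_settings(opener))
    try:
        with opener.open("https://example.com/", timeout=10) as resp:
            print(resp.status, resp.reason, "- now check Proxy → HTTP history in Burp")
    except OSError as exc:  # URLError is an OSError: Burp not running, or CERTIFICATE_VERIFY_FAILED without the CA
        print("request failed:", exc)
```

With Intercept on, the request sits in Burp until you click Forward and the 10-second timeout turns into an error, so leave Intercept off and read Proxy → HTTP history instead. Running it against an https URL with no PEM fails with CERTIFICATE_VERIFY_FAILED, which is the same error the browser's CA import step avoids.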

The Main Tools You Need to Know

1. Proxy — Intercept Traffic

The Proxy tab is where traffic stops for you to look at it before it reaches the server.

  1. Go to Proxy → Intercept
  2. Make sure Intercept is on
  3. Visit any website in Firefox; the page will hang until you act in Burp
  4. The request appears in Burp, where you can read or modify it (a parameter value, a cookie, a header)
  5. Click Forward to send it on or Drop to discard it

Intercept on pauses everything, including the browser's own background requests, so for normal browsing turn it off and read Proxy → HTTP history instead; anything in history can still be sent to Repeater later. Add the target to Target → Scope and enable the "Show only in-scope items" filter in HTTP history to keep unrelated traffic out of the way.

2. Repeater — Modify and Resend Requests

Repeater lets you take a captured request, modify it, and resend it as many times as you want. This is the tool you'll use most.

  1. Intercept a request in Proxy (or pick one from Proxy → HTTP history)
  2. Right-click → Send to Repeater (Ctrl+R)
  3. Go to the Repeater tab
  4. Modify the request and click Send
  5. See the response on the right

Repeater is where you confirm a finding by hand: change one thing per request and compare the response (status code, length, content, timing) against the unmodified baseline. Each Repeater tab keeps its history, so you can step back to earlier versions of the request.

3. Intruder — Automated Attack Tool

Intruder automates sending many requests with different payloads. You mark the positions to vary with § markers, attach a payload list to each, and pick an attack type (Sniper for one position at a time, Cluster bomb for every combination of, say, usernames and passwords). Useful for brute forcing login forms or finding hidden parameters. Note: Community Edition throttles Intruder heavily, slowing down after the first few requests, so large wordlists are impractical there; Professional removes the throttle.
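To see what Intruder does beneath the GUI, here is an added Python example (not code from this article or from Burp). A raw request template marked with Burp's § position markers is expanded with payload sets using the four Intruder attack types, Content-Length is recomputed for every generated request, and send_raw shows how a finished request goes over the wire. The sample request, the placeholder host target.lab and the payload lists are constructed for illustration; stdlib only.

```python
"""Intruder-style attack generation, stdlib only: mark payload positions with
Burp's § marker in a raw HTTP request, expand them with payload sets using the
four Intruder attack types, and recompute Content-Length for each request."""
import itertools
import socket
import urllib.parse
from typing import Iterator, List

MARK = "§"  # the character Burp uses to mark payload positions


def split_positions(template: str) -> List[str]:
    """'a§x§b§y§c' -> ['a', 'x', 'b', 'y', 'c']; odd indexes are positions."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts


def render(parts: List[str], values: List[str]) -> str:
    """Fill the positions, then recompute Content-Length so the server reads the
    whole modified body (Intruder does this for you by default)."""
    out = parts[:]
    out[1::2] = values
    request = "".join(out)
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [line for line in lines if not line.lower().startswith("content-length:")]
    if sep and (body or len(kept) != len(lines)):  # had a body or an existing header
        kept.append(f"Content-Length: {len(body.encode())}")
        head = "\r\n".join(kept)
    return head + sep + body


def encode_payload(payload: str) -> str:
    """URL-encode unsafe characters, like Intruder's default payload encoding."""
    return urllib.parse.quote(payload, safe="")


def attack(template: str, payload_sets: List[List[str]], mode: str = "sniper") -> Iterator[str]:
    """Yield one concrete request per attack iteration.
    sniper:        one set, one position at a time, other positions keep their original text
    battering ram: one set, the same payload in every position
    pitchfork:     one set per position, walked in parallel (stops at the shortest set)
    cluster bomb:  one set per position, every combination"""
    parts = split_positions(template)
    originals = parts[1::2]
    n = len(originals)
    if mode == "sniper":
        for pos in range(n):
            for p in payload_sets[0]:
                values = originals[:]
                values[pos] = encode_payload(p)
                yield render(parts, values)
    elif mode == "battering ram":
        for p in payload_sets[0]:
            yield render(parts, [encode_payload(p)] * n)
    elif mode == "pitchfork":
        for combo in zip(*payload_sets):
            yield render(parts, [encode_payload(p) for p in combo])
    elif mode == "cluster bomb":
        for combo in itertools.product(*payload_sets):
            yield render(parts, [encode_payload(p) for p in combo])
    else:
        raise ValueError(f"unknown attack type: {mode}")


def send_raw(host: str, port: int, request: str, timeout: float = 5.0) -> bytes:
    """Deliver one rendered request over a plain TCP socket and return the raw
    response: what Repeater and Intruder do under the hood for plain HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        chunks = []
        chunk = sock.recv(4096)
        while chunk:
            chunks.append(chunk)
            chunk = sock.recv(4096)
        return b"".join(chunks)


# Constructed sample request; target.lab is a placeholder, not a real host.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.lab\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "username=§admin§&password=§letmein§"
)

if __name__ == "__main__":
    for req in attack(TEMPLATE, [["admin", "guest"], ["a", "b c"]], "cluster bomb"):
        print(req.replace("\r\n", "\n"), "\n---")
```

Cluster bomb grows multiplicatively (10 usernames × 1,000 passwords is 10,000 requests), which is why Intruder's throttle in Community Edition bites so quickly there. A script like this is not throttled, but the legal reminder at the end of this guide applies exactly the same: only point it at lab targets.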

4. Decoder — Encode and Decode Data

Instantly encode and decode Base64, URL encoding, HTML encoding, and hex, and chain several layers when a value has been encoded more than once (Smart decode guesses the encoding for you). Super useful in CTFs when you find encoded strings, and for reading what is actually inside cookies and tokens before you try to tamper with them in Repeater.
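The logic behind Decoder's Smart decode is straightforward and worth understanding so you know when to distrust it. The following Python script is an added example, not code from this article or from Burp: it guesses the encoding of a string by pattern and peels URL, HTML-entity, hex and Base64 layers until plain text remains, rejecting decodes that produce non-text bytes. The sample strings are constructed for illustration; stdlib only.

```python
"""Decoder-style "smart decode", stdlib only: guess the encoding of a string
and peel layers (URL, HTML entities, hex, Base64) until plain text remains."""
import base64
import binascii
import html
import re
import urllib.parse
from typing import List, Tuple

URL_RE = re.compile(r"%[0-9a-fA-F]{2}")
HTML_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _looks_like_text(s: str) -> bool:
    """Reject decodes that produce control characters: the match was a false positive."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_once(data: str) -> Tuple[str, str]:
    """Try each encoding, most unambiguous first; return (encoding, decoded)
    or ("plain", data) when nothing applies."""
    if URL_RE.search(data):
        out = urllib.parse.unquote(data)
        if out != data:
            return "url", out
    if HTML_RE.search(data):
        out = html.unescape(data)
        if out != data:
            return "html", out
    if HEX_RE.match(data):  # checked before Base64: hex digits are also valid Base64
        try:
            out = bytes.fromhex(data).decode("utf-8")
            if _looks_like_text(out):
                return "hex", out
        except ValueError:  # UnicodeDecodeError is a ValueError
            pass
    if len(data) >= 8 and len(data) % 4 == 0 and B64_RE.match(data):
        try:
            out = base64.b64decode(data, validate=True).decode("utf-8")
            if _looks_like_text(out):
                return "base64", out
        except (binascii.Error, UnicodeDecodeError):
            pass
    return "plain", data


def smart_decode(data: str, max_layers: int = 10) -> Tuple[List[str], str]:
    """Repeat decode_once until the result is plain; return the chain of
    encodings found (outermost first) and the final text."""
    layers: List[str] = []
    for _ in range(max_layers):
        kind, out = decode_once(data)
        if kind == "plain":
            break
        layers.append(kind)
        data = out
    return layers, data


if __name__ == "__main__":
    # Constructed samples: the kind of strings you would paste into Decoder from a CTF or a cookie.
    for sample in ["ZmxhZ3tiNHNlNjR9", "dXNlcj1hZG1pbg%3D%3D", "666c6167", "&lt;script&gt;", "hello world"]:
        print(sample, "->", smart_decode(sample))
```

The guesses are heuristics: an eight-character word made only of hex digits, or a Base64 string whose decoded bytes happen to be printable, can fool any smart decoder, Burp's included. When a decode result looks odd, fall back to choosing the encoding explicitly.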

Burp Suite Cheat Sheet

Tool | Use case
Proxy → Intercept | Capture and modify requests in flight
Proxy → HTTP history | Review every request that has passed through the proxy
Repeater | Manual testing: edit a request and resend it
Intruder | Automated fuzzing and brute force (throttled in Community Edition)
Decoder | Encode and decode Base64, URL, HTML, hex
Target → Site map | Map the application's structure

Practice Burp Suite for Free

Best starting point: Work through the TryHackMe Burp Suite rooms first, then do the PortSwigger Web Security Academy labs. Both are completely free.

Legal reminder: Only test web applications you own or have explicit written permission to test. Always use TryHackMe, HackTheBox, or your own lab for practice.

Disclosure: Some links on this page may be affiliate links. I may earn a small commission if you sign up through them, at no extra cost to you. I only recommend tools I genuinely think are worth it.