Burp Suite Web Application Testing
Purpose
Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.
Inputs / Prerequisites
Required Tools
- Burp Suite Community or Professional Edition installed
- Burp's embedded browser or configured external browser
- Target web application URL
- Valid credentials for authenticated testing (if applicable)
Environment Setup
- Burp Suite launched with temporary or named project
- Proxy listener active on 127.0.0.1:8080 (default)
- Browser configured to use Burp proxy (or use Burp's browser)
- CA certificate installed for HTTPS interception
Editions Comparison
| Feature |
Community |
Professional |
| Proxy |
โ |
โ |
| Repeater |
โ |
โ |
| Intruder |
Limited |
Full |
| Scanner |
โ |
โ |
| Extensions |
โ |
โ |
Outputs / Deliverables
Primary Outputs
- Intercepted and modified HTTP requests/responses
- Vulnerability scan reports with remediation advice
- HTTP history and site map documentation
- Proof-of-concept exploits for identified vulnerabilities
Core Workflow
Phase 1: Intercepting HTTP Traffic
Launch Burp's Browser
Navigate to integrated browser for seamless proxy integration:
- Open Burp Suite and create/open project
- Go to Proxy > Intercept tab
- Click Open Browser to launch preconfigured browser
- Position windows to view both Burp and browser simultaneously
Configure Interception
Control which requests are captured:
Proxy > Intercept > Intercept is on/off toggle
When ON: Requests pause for review/modification
When OFF: Requests pass through, logged to history
Intercept and Forward Requests
Process intercepted traffic:
- Set intercept toggle to Intercept on
- Navigate to target URL in browser
- Observe request held in Proxy > Intercept tab
- Review request contents (headers, parameters, body)
- Click Forward to send request to server
- Continue forwarding subsequent requests until page loads
View HTTP History
Access complete traffic log:
- Go to Proxy > HTTP history tab
- Click any entry to view full request/response
- Sort by clicking column headers (# for chronological order)
- Use filters to focus on relevant traffic
Phase 2: Modifying Requests
Intercept and Modify
Change request parameters before forwarding:
- Enable interception: Intercept on
- Trigger target request in browser
- Locate parameter to modify in intercepted request
- Edit value directly in request editor
- Click Forward to send modified request
Common Modification Targets
| Target |
Example |
Purpose |
| Price parameters |
price=1 |
Test business logic |
| User IDs |
userId=admin |
Test access control |
| Quantity values |
qty=-1 |
Test input validation |
| Hidden fields |
isAdmin=true |
Test privilege escalation |
Example: Price Manipulation
POST /cart HTTP/1.1
productId=1&quantity=1&price=100
# Modify to:
productId=1&quantity=1&price=1
Result: Item added to cart at modified price.
Phase 3: Setting Target Scope
Define Scope
Focus testing on specific target:
- Go to Target > Site map
- Right-click target host in left panel
- Select Add to scope
- When prompted, click Yes to exclude out-of-scope traffic
Filter by Scope
Remove noise from HTTP history:
- Click display filter above HTTP history
- Select Show only in-scope items
- History now shows only target site traffic
Scope Benefits
- Reduces clutter from third-party requests
- Prevents accidental testing of out-of-scope sites
- Improves scanning efficiency
- Creates cleaner reports
Phase 4: Using Burp Repeater
Send Request to Repeater
Prepare request for manual testing:
- Identify interesting request in HTTP history
- Right-click request and select Send to Repeater
- Go to Repeater tab to access request
Modify and Resend
Test different inputs efficiently:
1. View request in Repeater tab
2. Modify parameter values
3. Click Send to submit request
4. Review response in right panel
5. Use navigation arrows to review request history
Repeater Testing Workflow
Original Request:
GET /product?productId=1 HTTP/1.1
Test 1: productId=2 โ Valid product response
Test 2: productId=999 โ Not Found response
Test 3: productId=' โ Error/exception response
Test 4: productId=1 OR 1=1 โ SQL injection test
Analyze Responses
Look for indicators of vulnerabilities:
- Error messages revealing stack traces
- Framework/version information disclosure
- Different response lengths indicating logic flaws
- Timing differences suggesting blind injection
- Unexpected data in responses
Phase 5: Running Automated Scans
Launch New Scan
Initiate vulnerability scanning (Professional only):
- Go to Dashboard tab
- Click New scan
- Enter target URL in URLs to scan field
- Configure scan settings
Scan Configuration Options
| Mode |
Description |
Duration |
| Lightweight |
High-level overview |
~15 minutes |
| Fast |
Quick vulnerability check |
~30 minutes |
| Balanced |
Standard comprehensive scan |
~1-2 hours |
| Deep |
Thorough testing |
Several hours |
Monitor Scan Progress
Track scanning activity:
- View task status in Dashboard
- Watch Target > Site map update in real-time
- Check Issues tab for discovered vulnerabilities
Review Identified Issues
Analyze scan findings:
- Select scan task in Dashboard
- Go to Issues tab
- Click issue to view:
- Advisory: Description and remediation
- Request: Triggering HTTP request
- Response: Server response showing vulnerability
Phase 6: Intruder Attacks
Configure Intruder
Set up automated attack:
- Send request to Intruder (right-click > Send to Intruder)
- Go to Intruder tab
- Define payload positions using ยง markers
- Select attack type
Attack Types
| Type |
Description |
Use Case |
| Sniper |
Single position, iterate payloads |
Fuzzing one parameter |
| Battering ram |
Same payload all positions |
Credential testing |
| Pitchfork |
Parallel payload iteration |
Username:password pairs |
| Cluster bomb |
All payload combinations |
Full brute force |
Configure Payloads
Positions Tab:
POST /login HTTP/1.1
...
username=ยงadminยง&password=ยงpasswordยง
Payloads Tab:
Set 1: admin, user, test, guest
Set 2: password, 123456, admin, letmein
Analyze Results
Review attack output:
- Sort by response length to find anomalies
- Filter by status code for successful attempts
- Use grep to search for specific strings
- Export results for documentation
Quick Reference
Keyboard Shortcuts
| Action |
Windows/Linux |
macOS |
| Forward request |
Ctrl+F |
Cmd+F |
| Drop request |
Ctrl+D |
Cmd+D |
| Send to Repeater |
Ctrl+R |
Cmd+R |
| Send to Intruder |
Ctrl+I |
Cmd+I |
| Toggle intercept |
Ctrl+T |
Cmd+T |
Common Testing Payloads
# SQL Injection
' OR '1'='1
' OR '1'='1'--
1 UNION SELECT NULL--
# XSS
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)
# Path Traversal
../../../etc/passwd
..\..\..\..\windows\win.ini
# Command Injection
; ls -la
| cat /etc/passwd
`whoami`
Request Modification Tips
- Right-click for context menu options
- Use decoder for encoding/decoding
- Compare requests using Comparer tool
- Save interesting requests to project
Constraints and Guardrails
Operational Boundaries
- Test only authorized applications
- Configure scope to prevent accidental out-of-scope testing
- Rate-limit scans to avoid denial of service
- Document all findings and actions
Technical Limitations
- Community Edition lacks automated scanner
- Some sites may block proxy traffic
- HSTS/certificate pinning may require additional configuration
- Heavy scanning may trigger WAF blocks
Best Practices
- Always set target scope before extensive testing
- Use Burp's browser for reliable interception
- Save project regularly to preserve work
- Review scan results manually for false positives
Examples
Example 1: Business Logic Testing
Scenario: E-commerce price manipulation
- Add item to cart normally, intercept request
- Identify
price=9999 parameter in POST body
- Modify to
price=1
- Forward request
- Complete checkout at manipulated price
Finding: Server trusts client-provided price values.
Example 2: Authentication Bypass
Scenario: Testing login form
- Submit valid credentials, capture request in Repeater
- Send to Repeater for testing
- Try:
username=admin' OR '1'='1'--
- Observe successful login response
Finding: SQL injection in authentication.
Example 3: Information Disclosure
Scenario: Error-based information gathering
- Navigate to product page, observe
productId parameter
- Send request to Repeater
- Change
productId=1 to productId=test
- Observe verbose error revealing framework version
Finding: Apache Struts 2.5.12 disclosed in stack trace.
Troubleshooting
Browser Not Connecting Through Proxy
- Verify proxy listener is active (Proxy > Options)
- Check browser proxy settings point to 127.0.0.1:8080
- Ensure no firewall blocking local connections
- Use Burp's embedded browser for reliable setup
HTTPS Interception Failing
- Install Burp CA certificate in browser/system
- Navigate to http://burp to download certificate
- Add certificate to trusted roots
- Restart browser after installation
Slow Performance
- Limit scope to reduce processing
- Disable unnecessary extensions
- Increase Java heap size in startup options
- Close unused Burp tabs and features
Requests Not Being Intercepted
- Verify "Intercept on" is enabled
- Check intercept rules aren't filtering target
- Ensure browser is using Burp proxy
- Verify target isn't using unsupported protocol
