A Step-by-Step Guide to Using BurpSuite for Web Application Security Testing

Umme Habiba
5 min read · May 4, 2023


What is Burp Suite?

Burp Suite is one of the most popular security testing tools. It can be used to find different types of vulnerabilities, such as SQL injection or cross-site scripting, by testing the web application at the HTTP level rather than only through its graphical user interface (GUI). It is a type of proxy server: it sits between the user’s web browser and the web server, so it can observe and manipulate all the data that is sent back and forth.
Burp Suite has several features, such as Proxy, Repeater, Intruder, Scanner, Decoder, and more.

  • Proxy: Burp Suite’s proxy function allows users to intercept and modify HTTP requests between a user’s web browser and the web server. This allows for the observation and manipulation of web traffic, which can help identify potential security issues.
  • Repeater: Burp Suite Repeater lets us grab a request, change it however we want, and send it again and again. This can be super useful, especially when we have to guess a payload by trying different things (like in SQLi) or when we want to see if an endpoint has any bugs.
  • Intruder: Burp Suite’s Intruder feature contains several different attacks that can be performed against a remote website. These include dictionary attacks and brute-force attacks, which can help identify weaknesses in the web application’s authentication mechanisms.
  • Scanner: Burp Suite’s scanner function allows users to scan a particular website for potential vulnerabilities. This feature automates the testing process and provides detailed reports on any vulnerabilities that are found.
  • Decoder: Burp Suite’s Decoder function allows users to encode and decode different representations of data, such as URL encoding. This can help identify potential security issues in the way the web application handles encoded data.

When to use Burp Suite?

Attackers are always looking for ways to intercept the calls between a browser and the web server, so use Burp Suite to check that those calls cannot be intercepted and abused.

Why use Burp Suite?

  • To ensure that apps and web applications are secure and reliable.
  • By using Burp Suite we can check websites and applications for vulnerabilities.

Downloading and Setting Up Burp Suite on Windows

  1. Go to the Burp Suite website and download the installer from here.
  2. Run the installer and follow the prompts to complete the installation. When Burp starts, select “New temporary project”, followed by “Use Burp defaults”.
  3. Click on “Start Burp”.
Create temporary project on Burp Suite Community edition

Configuring Burp Suite

  1. Set up the Proxy: In order to intercept traffic, you need to configure the proxy settings in Burp Suite. Go to the “Proxy” tab, then click on the sub-tab “Options/Proxy Settings”.
  2. You should see an entry in the table with a ticked checkbox in the Running column, and “127.0.0.1:8080” showing in the Interface column.

By default Burp Suite runs on port 8080

  3. You can make Burp listen on a different port by clicking the “Edit” button and changing the listener’s port number.
  4. Go to the Proxy > Intercept tab and click the “Intercept is off” button so it toggles to “Intercept is on”. This toggle allows you to intercept any request or response and modify it before forwarding it.

Ensure intercept is turned on

Configuring browser

To use Burp Suite as a proxy, you need to configure your browser. The process varies depending on the browser you’re using; in this example, I’ll use Firefox. However, you can refer to the Burp Suite documentation here on how to configure other browsers.

  1. Open Firefox, open the menu in the top right corner, go to Settings, and search for the word “proxy”. Click on the “Settings…” button to open the proxy settings.
Setting up a proxy server for Firefox

In the connection settings dialog, select ‘Manual proxy configuration’. Enter the same HTTP proxy address and port number as configured in Burp Suite (127.0.0.1 and 8080 by default), then click ‘OK’ to save the settings.

The browser is now set up to use Burp Suite as its proxy, which is listening on port 8080. Next you need to install Burp’s CA certificate.

  • Go to http://burp/ or http://127.0.0.1:8080 in Firefox.
  • Click on ‘CA Certificate’ in the top menu bar to download it.
Download Burp’s CA cert
Downloaded Burp Certificate
  • The CA cert must be installed in your browser as a trusted root so that the browser will trust the SSL/TLS connections that Burp Suite terminates on its behalf; otherwise every HTTPS site will show a certificate warning.
    Go to Firefox > click on Options from the side menu > type “Certificates” in the search field, then click on “View Certificates” > Authorities > Import.

Once Burp’s CA cert is installed, you should have no problem using Burp Suite as an interceptor. In Firefox, browse to https://google.com: you should not see any security warning.

In Burp Suite, when the interceptor is turned on, you will see every request made by the browser. You can analyze each request and modify it as needed. When you’re satisfied, click the Forward button to send the request on to the server.

Intercepting a request

You can also click on the HTTP History tab to view the list of requests that have already passed through the proxy.

HTTP request history
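To make the “sits between the browser and the web server” idea concrete, here is an added example, written for this article rather than taken from Burp Suite or PortSwigger: a minimal intercepting HTTP proxy in Python. It handles plain HTTP only. The `tag_request` hook stands in for the edit you would make in the Intercept tab before pressing Forward, the `history` list stands in for the HTTP History tab, and the `/login` path and the `password=hunter2` form body are constructed sample data; a tiny local origin server is included in place of a real web application so the whole thing runs offline.

```python
"""Toy intercepting HTTP proxy illustrating what Burp's Proxy tab does.
Added example, not Burp Suite code. A browser pointed at a proxy sends
absolute-URI requests ("POST http://host/path HTTP/1.1"); the proxy runs
each one through a hook (the Intercept step), forwards it, records it in a
history list (the HTTP History tab) and relays the response."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class OriginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server: echoes what it received so any
    change the proxy made on the way is visible in the response."""

    def _reply(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode() if length else ""
        text = (f"{self.command} {self.path} "
                f"x-intercepted={self.headers.get('X-Intercepted')} body={body!r}")
        data = text.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _reply

    def log_message(self, *args):  # silence per-request logging
        pass


class InterceptingProxy(BaseHTTPRequestHandler):
    """Forward proxy handler. The server object carries `hook`, a callable
    (method, url, headers, body) -> the same tuple (possibly modified), and
    `history`, a list of (method, url, status) for every forwarded request."""

    def _forward(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        # Drop hop-by-hop headers; everything else reaches the hook unchanged.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "connection", "content-length")}
        method, url, headers, body = self.server.hook(self.command, self.path, headers, body)

        parts = urlsplit(url)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        if body:
            headers["Content-Length"] = str(len(body))
        upstream = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        upstream.request(method, path, body=body or None, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()

        self.server.history.append((method, url, resp.status))
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "application/octet-stream"))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _forward

    def log_message(self, *args):
        pass


def tag_request(method, url, headers, body):
    """Example hook (constructed): the edit you would make by hand in the
    Intercept tab. It adds a marker header so the origin's echo proves the
    server received the modified request, not the original."""
    headers["X-Intercepted"] = "yes"
    return method, url, headers, body


def run_demo(hook=tag_request):
    """Start the constructed origin and the proxy on ephemeral ports, send one
    login POST through the proxy the way a browser configured for the proxy
    would, and return (response_text, proxy_history)."""
    origin = ThreadingHTTPServer(("127.0.0.1", 0), OriginHandler)
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), InterceptingProxy)
    proxy.hook, proxy.history = hook, []
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        target = f"http://127.0.0.1:{origin.server_address[1]}/login?user=alice"
        client = http.client.HTTPConnection(*proxy.server_address, timeout=5)
        client.request("POST", target, body=b"password=hunter2",  # constructed sample form body
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
        text = client.getresponse().read().decode()
        client.close()
        return text, list(proxy.history)
    finally:
        for srv in (origin, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    response, history = run_demo()
    print(response)  # POST /login?user=alice x-intercepted=yes body='password=hunter2'
    print(history)
```

Run it with `python3 proxy_demo.py`. The echoed response contains the header the hook added, which shows that the server saw the modified request, and the history entry is what you would look up in Burp’s HTTP History tab. The demo also shows why the CA certificate step above exists: a proxy can only read and edit traffic it sees in the clear, so for HTTPS Burp has to terminate TLS with a certificate it issues itself, and the browser will only accept that without warnings if Burp’s CA is trusted.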

Conclusion:

In this blog, you learned how to configure Burp Suite as a proxy and how to configure Firefox to send its traffic through it.

Let me know if this was helpful. If you ever need my help, you can write in the comments section. Also, you can contact me through my LinkedIn Profile. Thank you!

For more information, I leave the reference links below:

How to use Burp Suite for penetration testing — PortSwigger
