Burp Suite Professional is the web pentest workhorse. Once you’ve moved past clicking “Intercept On”, the difference between an average tester and a great one is Burp fluency — how quickly you can pivot between Repeater, Intruder, and Collaborator without losing context.
Setting Up Your Workspace
Bind to 127.0.0.1:8080, import the CA into Firefox via FoxyProxy. Set scope immediately — Burp’s defaults log everything, which means hours of irrelevant data in larger projects.
Target → Scope → Include in scope
https://target.example.com/.*
https://*.target.example.com/.*
Now flip “Show only in-scope items” in HTTP history. Critical for noise control.
The Core Loop: Proxy → Repeater → Intruder
A clean Burp workflow looks like this:
- Browse the application with intercept off, building HTTP history.
- Send to Repeater any request that looks parameter-rich or auth-relevant.
- Send to Intruder when you need to fuzz or brute-force.
- Send to Collaborator payloads via Repeater when testing blind injection.
Repeater
Repeater is where 80% of real testing happens. Shortcuts to memorize:
Ctrl+R— Send request to RepeaterCtrl+Space— Send request inside RepeaterCtrl+I— Send to IntruderCtrl+Shift+B— Base64 decode highlighted bytesCtrl+Shift+U— URL decode
Intruder Attack Types
| Type | When to use |
|---|---|
| Sniper | One position, one wordlist — most common |
| Battering ram | Same payload across multiple positions |
| Pitchfork | Parallel lists across positions (creds: user[i] + pass[i]) |
| Cluster bomb | All combinations — credential stuffing exhaustive |
Intruder Throttling
The community edition throttles Intruder heavily. Pro edition supports Resource Pools — create one with 20 concurrent requests and a 50 ms delay for most apps; drop to 1 concurrent for stateful flows.
Collaborator — The Blind Bug Multiplier
Collaborator gives you a unique DNS/HTTP/SMTP listener. Drop it into any parameter and watch for callbacks. This is how blind SSRF, blind XXE, OOB SQLi, and Log4Shell are confirmed.
GET /api/preview?url=http://abcdef.burpcollaborator.net HTTP/1.1
DNS callback → SSRF confirmed even without a response body.
Macros & Session Handling
Token-rotating apps break Intruder. Configure a Macro that re-authenticates and extracts the new token, then a Session Handling Rule that re-runs the macro when a 401/403 is seen. Once configured, Intruder and Scanner work transparently against expiring sessions.
Essential Extensions
- Logger++ — Searchable, exportable request log
- Autorize — One-click IDOR / vertical privilege escalation testing
- JWT Editor — Algorithm confusion attacks, weak-key cracking
- Hackvertor — Inline encoding/decoding inside any tab
- Active Scan++ — Adds checks the built-in scanner misses
- Param Miner — Brute-forces hidden parameters and headers
Scanner Workflow
Burp’s active scanner is excellent for first-pass coverage but should never be your only testing. Run it in audit mode on a few representative requests, triage findings, then continue manual testing — never scan the whole site blindly on production.
