Burp Suite Cheat Sheet
Burp Suite is an integrated platform for web application security testing. It provides a powerful intercepting proxy and a set of tools to analyze, manipulate, and exploit web traffic.
Start Burp Suite
burpsuite
Or (Community):
burpsuite-community
Proxy Setup
Intercept On / Off
Proxy → Intercept → Intercept is on/off
Default proxy:
- 127.0.0.1:8080
Tip
Configure your browser to use Burp as HTTP/HTTPS proxy.
Target Scope
Target → Scope → Add
Scope helps to:
- Reduce noise
- Limit attacks
- Prevent accidental testing
Proxy History
Proxy → HTTP history
View all requests and responses passing through Burp.
Repeater
Send request to Repeater:
Right Click → Send to Repeater
Use Repeater to:
- Modify parameters
- Replay requests
- Test auth & logic flaws
Intruder
Send request:
Right Click → Send to Intruder
Attack Types
- Sniper
- Battering Ram
- Pitchfork
- Cluster Bomb
Note
Community edition has rate limits.
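As an added example (not from this cheat sheet or from Burp itself), the Python below models how the four Intruder attack types place payloads into positions marked with § in a request template. The template and payload lists are constructed sample values; counting the generated variants shows why Cluster Bomb grows multiplicatively with each extra position and why trimming payload sets matters under the Community edition's throttling.

```python
from itertools import product
from typing import List

# Constructed sample request with two payload positions marked §...§,
# following Burp Intruder's marker convention (host and values are made up).
TEMPLATE = "POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=§admin§&pass=§x§"

def positions(template: str) -> int:
    """Number of payload positions (pairs of § markers) in the template."""
    return template.count("§") // 2

def fill(template: str, values: List[str]) -> str:
    """Replace the i-th §...§ position with values[i]; text between stays as-is."""
    parts = template.split("§")  # alternates: text, pos0, text, pos1, text, ...
    return "".join(values[i // 2] if i % 2 else part for i, part in enumerate(parts))

def intruder_requests(attack: str, template: str, payload_sets: List[List[str]]) -> List[str]:
    """Return every request variant Intruder would send for the given attack type."""
    n = positions(template)
    if attack == "sniper":
        # One payload set; each position is tested in turn while the others
        # keep their original values, so requests = positions x payloads.
        originals = template.split("§")[1::2]
        out = []
        for i in range(n):
            for p in payload_sets[0]:
                vals = list(originals)
                vals[i] = p
                out.append(fill(template, vals))
        return out
    if attack == "battering_ram":
        # One payload set; the same payload goes into every position at once.
        return [fill(template, [p] * n) for p in payload_sets[0]]
    if attack == "pitchfork":
        # One set per position, walked in parallel; stops at the shortest set.
        return [fill(template, list(combo)) for combo in zip(*payload_sets)]
    if attack == "cluster_bomb":
        # One set per position, every combination (Cartesian product).
        return [fill(template, list(combo)) for combo in product(*payload_sets)]
    raise ValueError(f"unknown attack type: {attack}")
```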
Scanner (Professional)
- Active scanning
- Passive scanning
- Automated vulnerability detection
Decoder
Decoder → Decode / Encode
Supports:
- Base64
- URL
- HTML
- Hex
Comparer
Comparer → Compare responses
Useful for:
- Token analysis
- Auth bypass testing
Extensions (BApp Store)
Popular extensions:
- Logger++
- Autorize
- Turbo Intruder
- JWT Editor
- Param Miner
Authentication Testing
- Session cookies
- JWT tokens
- CSRF tokens
- Role-based access
Common Workflow
Proxy → Intercept traffic
Target → Define scope
Repeater → Manual testing
Intruder → Fuzz parameters
Scanner → Automated scan
Common Issues
No traffic captured
- Proxy not set in browser
- HTTPS certificate not installed
SSL errors
- Install Burp CA certificate
Keyboard Shortcuts
- Ctrl + R → Send to Repeater
- Ctrl + I → Send to Intruder
- Ctrl + Shift + D → Decoder
Use Cases
- Web application pentesting
- API testing
- Authentication testing
- Input validation
Legal Notice
Danger
Test only applications you own or have permission to assess.