Burp Suite Web Application Testing Purpose Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology. Inputs / Prerequisites Required Tools Burp Suite Community or Professional Edition installed Burp's embedded browser or configured external browser Target web application URL Valid credentials for authenticated testing (if applicable) Environment Setup Burp Suite launched with temporary or named project Proxy listener active on 127.0.0.1:8080 (default) Browser configured to use Burp proxy (or use Burp's browser) CA certificate installed for HTTPS interception Editions Comparison Feature Community Professional Proxy ✓ ✓ Repeater ✓ ✓ Intruder Limited Full Scanner ✗ ✓ Extensions ✓ ✓ Outputs / Deliverables Primary Outputs Intercepted and modified HTTP requests/responses Vulnerability scan reports with remediation advice HTTP history and site map documentation Proof-of-concept exploits for identified vulnerabilities Core Workflow Phase 1: Intercepting HTTP Traffic Launch Burp's Browser Navigate to integrated browser for seamless proxy integration: Open Burp Suite and create/open project Go to Proxy > Intercept tab Click Open Browser to launch preconfigured browser Position windows to view both Burp and browser simultaneously Configure Interception Control which requests are captured: Proxy > Intercept > Intercept is on/off toggle When ON: Requests pause for review/modification When OFF: Requests pass through, logged to history Intercept and Forward Requests Process intercepted traffic: Set intercept toggle to Intercept on Navigate to target URL in browser Observe request held in Proxy > Intercept tab Review request contents (headers, parameters, body) Click Forward to send request to server Continue forwarding subsequent requests until page loads View HTTP History Access complete traffic log: Go to Proxy > HTTP history tab Click any entry to view full request/response Sort by clicking column headers (# for chronological order) Use filters to focus on relevant traffic Phase 2: Modifying Requests Intercept and Modify Change request parameters before forwarding: Enable interception: Intercept on Trigger target request in browser Locate parameter to modify in intercepted request Edit value directly in request editor Click Forward to send modified request Common Modification Targets Target Example Purpose Price parameters price=1 Test business logic User IDs userId=admin Test access control Quantity values qty=-1 Test input validation Hidden fields isAdmin=true Test privilege escalation Example: Price Manipulation POST / cart HTTP/1.1 Host : target.com Content-Type : application/x-www-form-urlencoded productId=1&quantity=1&price=100

Modify to:

productId=1&quantity=1&price=1

Result: Item added to cart at modified price.

Phase 3: Setting Target Scope

Define Scope

Focus testing on specific target:

Go to

Target > Site map

Right-click target host in left panel

Select

Add to scope

When prompted, click

Yes

to exclude out-of-scope traffic

Filter by Scope

Remove noise from HTTP history:

Click display filter above HTTP history

Select

Show only in-scope items

History now shows only target site traffic

Scope Benefits

Reduces clutter from third-party requests

Prevents accidental testing of out-of-scope sites

Improves scanning efficiency

Creates cleaner reports

Phase 4: Using Burp Repeater

Send Request to Repeater

Prepare request for manual testing:

Identify interesting request in HTTP history

Right-click request and select

Send to Repeater

Go to

Repeater

tab to access request

Modify and Resend

Test different inputs efficiently:

1. View request in Repeater tab

2. Modify parameter values

3. Click Send to submit request

4. Review response in right panel

5. Use navigation arrows to review request history

Repeater Testing Workflow

Original Request:

GET /product?productId=1 HTTP/1.1

Test 1: productId=2 → Valid product response

Test 2: productId=999 → Not Found response

Test 3: productId=' → Error/exception response

Test 4: productId=1 OR 1=1 → SQL injection test

Analyze Responses

Look for indicators of vulnerabilities:

Error messages revealing stack traces

Framework/version information disclosure

Different response lengths indicating logic flaws

Timing differences suggesting blind injection

Unexpected data in responses

Phase 5: Running Automated Scans

Launch New Scan

Initiate vulnerability scanning (Professional only):

Go to

Dashboard

tab

Click

New scan

Enter target URL in

URLs to scan

field

Configure scan settings

Scan Configuration Options

Mode

Description

Duration

Lightweight

High-level overview

~15 minutes

Fast

Quick vulnerability check

~30 minutes

Balanced

Standard comprehensive scan

~1-2 hours

Deep

Thorough testing

Several hours

Monitor Scan Progress

Track scanning activity:

View task status in

Dashboard

Watch

Target > Site map

update in real-time

Check

Issues

tab for discovered vulnerabilities

Review Identified Issues

Analyze scan findings:

Select scan task in Dashboard

Go to

Issues

tab

Click issue to view:

Advisory

Description and remediation

Request

Triggering HTTP request

Response

Server response showing vulnerability Phase 6: Intruder Attacks Configure Intruder Set up automated attack: Send request to Intruder (right-click > Send to Intruder) Go to Intruder tab Define payload positions using § markers Select attack type Attack Types Type Description Use Case Sniper Single position, iterate payloads Fuzzing one parameter Battering ram Same payload all positions Credential testing Pitchfork Parallel payload iteration Username:password pairs Cluster bomb All payload combinations Full brute force Configure Payloads Positions Tab: POST /login HTTP/1.1 ... username=§admin§&password=§password§ Payloads Tab: Set 1: admin, user, test, guest Set 2: password, 123456, admin, letmein Analyze Results Review attack output: Sort by response length to find anomalies Filter by status code for successful attempts Use grep to search for specific strings Export results for documentation Quick Reference Keyboard Shortcuts Action Windows/Linux macOS Forward request Ctrl+F Cmd+F Drop request Ctrl+D Cmd+D Send to Repeater Ctrl+R Cmd+R Send to Intruder Ctrl+I Cmd+I Toggle intercept Ctrl+T Cmd+T Common Testing Payloads

SQL Injection

' OR '1'='1 ' OR '1'='1'-- 1 UNION SELECT NULL--

XSS

"> javascript:alert(1)

Path Traversal

../../../etc/passwd ........\windows\win.ini

Command Injection

; ls -la

| cat /etc/passwd

whoami

Request Modification Tips

Right-click for context menu options

Use decoder for encoding/decoding

Compare requests using Comparer tool

Save interesting requests to project

Constraints and Guardrails

Operational Boundaries

Test only authorized applications

Configure scope to prevent accidental out-of-scope testing

Rate-limit scans to avoid denial of service

Document all findings and actions

Technical Limitations

Community Edition lacks automated scanner

Some sites may block proxy traffic

HSTS/certificate pinning may require additional configuration

Heavy scanning may trigger WAF blocks

Best Practices

Always set target scope before extensive testing

Use Burp's browser for reliable interception

Save project regularly to preserve work

Review scan results manually for false positives

Examples

Example 1: Business Logic Testing

Scenario

E-commerce price manipulation

Add item to cart normally, intercept request

Identify

price=9999

parameter in POST body

Modify to

price=1

Forward request

Complete checkout at manipulated price

Finding

Server trusts client-provided price values.

Example 2: Authentication Bypass

Scenario

Testing login form

Submit valid credentials, capture request in Repeater

Send to Repeater for testing

Try:

username=admin' OR '1'='1'--

Observe successful login response

Finding

SQL injection in authentication.

Example 3: Information Disclosure

Scenario

Error-based information gathering

Navigate to product page, observe

productId

parameter

Send request to Repeater

Change

productId=1

to

productId=test

Observe verbose error revealing framework version

Finding

Apache Struts 2.5.12 disclosed in stack trace. Troubleshooting Browser Not Connecting Through Proxy Verify proxy listener is active (Proxy > Options) Check browser proxy settings point to 127.0.0.1:8080 Ensure no firewall blocking local connections Use Burp's embedded browser for reliable setup HTTPS Interception Failing Install Burp CA certificate in browser/system Navigate to http://burp to download certificate Add certificate to trusted roots Restart browser after installation Slow Performance Limit scope to reduce processing Disable unnecessary extensions Increase Java heap size in startup options Close unused Burp tabs and features Requests Not Being Intercepted Verify "Intercept on" is enabled Check intercept rules aren't filtering target Ensure browser is using Burp proxy Verify target isn't using unsupported protocol