Burp Suite Professional is an HTTP interception proxy with numerous security testing features. Use when testing web applications for security vulnerabilities.
Automates web security testing using an HTTP interception proxy for vulnerability analysis.
Burp Suite Professional is an HTTP interception proxy with numerous security testing features. It allows you to view and manipulate the HTTP requests and responses flowing between a client (usually a web application loaded in a browser) and a server.
With the increased traffic of today's websites, Burp stands out for its ability to handle parallel requests. Its interactive tools allow you to formulate and test hypotheses about how the site will behave, even when there is a lot of traffic to sort through—a feat that is difficult for most browser development tools. In addition, Burp includes advanced search and filtering mechanisms that greatly increase user productivity when dealing with high traffic. Burp's UI also significantly outperforms browser development tools when it comes to editing requests.
Use Burp Suite when:
Consider alternatives when:
| Task | Action |
|---|---|
| Intercept requests | Proxy tab → Intercept is on |
| Send to Repeater | Right-click request → Send to Repeater (Ctrl+R) |
| Send to Intruder | Right-click request → Send to Intruder (Ctrl+I) |
| Active scan | Right-click request → Scan |
| Search all traffic | Proxy → HTTP history → Filter/Search |
| Test race condition | Repeater → Send group in parallel |
| Add payload positions | Intruder → Positions → Add § markers |
Burp contains four major features:
Open Burp Suite and verify that the license is active. Test the proxy by launching the embedded Chromium browser.
For the first steps, refer to the official documentation on installing and licensing Burp Suite Professional on your system.
To launch Burp's embedded browser based on Chromium, select the Proxy > Intercept tab and click the Open browser button. Before proceeding, get familiar with Proxy intercept.
If you want to configure an external browser other than Chromium (e.g., Firefox or Safari), refer to the official documentation.
Open your web application using the embedded Burp browser. Go through the largest number of functionalities you want to cover, such as logging in, signing up, and visiting possible features and panels.
Add your targets to your scope. Narrowing down specific domains in the Target tab allows you to control what's tested.
a. Consider stopping Burp from sending out-of-scope items to the history. A pop-up will be shown with the text, "Do you want Burp Proxy to stop sending out-of-scope items to the history or other Burp tools?" Choose one of the following options:
b. For more information on configuring the scope, see the Scope documentation.
Once you configure the scope, briefly look at Burp Proxy and what's happening in the intercepted traffic.
a. When you go through the application with Burp attached, many unwanted requests (e.g., to fonts.googleapis.com) can crop up in the Intercept tab.
b. To turn off intercepting the uninteresting host, click on the intercepted request in the Interception tab, right-click, and then choose Don't intercept requests > To this host. Burp will then automatically forward requests to the marked host.
c. Keep in mind that if you selected No when asked in the previous step, you could see a lot of out-of-scope ("unwanted") items.
Important hot key: By default, Ctrl+F forwards the current HTTP request in the Burp Intercept feature.
Extensions can be added to Burp to enhance its capabilities in finding bugs and automating various tasks. Some extensions fall under the category of "turn on and forget." They are mostly designed to automatically run on each Burp Scanner task without user interaction, with results appearing in the Issue activity pane of the Dashboard tab.
We generally recommend the following extensions:
Some of the above extensions need Jython or JRuby configured in Burp.
Warning: Because of the performance impact of enabling too many extensions, you should enable only extensions that you are actively using. We encourage you to periodically review your enabled extensions and unload any that you don't currently use.
Live tasks process traffic from specific Burp Suite tools (e.g., Burp Proxy, Burp Repeater, Burp Intruder) and perform defined actions. In the live task strategy, we set up the live active Burp Scanner task to grab the proxied traffic when we visit the website and automatically send it to Burp Scanner.
Follow these steps to set up Burp to automatically scan proxied requests:
Then, open the embedded Burp browser and go through your website carefully; try to visit every nook and cranny of your website. You can see detailed information and specific requests in Tasks > Live audit from Proxy (suite).
Use the Logger tab and observe how the scanning works under the hood and how your application reacts to potentially malicious requests.
Remember: Using an active Burp Scanner can have disruptive effects on the website, such as data loss.
Burp Repeater allows you to manually manipulate and modify HTTP requests and analyze their responses. Similar to Burp Intruder, there is no golden recipe for successfully finding bugs when using Burp Repeater—it depends on the target and an operator's skill in identifying web app vulnerabilities.
Set up a keyboard shortcut to issue requests: To streamline the testing process, Burp Suite allows you to set up a keyboard shortcut for issuing requests in Burp Repeater. Assign the Issue Repeater request to Ctrl+R in Hotkey settings.
Sending requests to Burp Scanner: When you interact with your application, make a habit of sending requests to Burp Scanner. Even if it's a small change in your request, sending it to Burp Scanner increases the chances of identifying a bug.
Burp Intruder is a tool for automating customized attacks against web applications and serves as an HTTP request fuzzer. It provides the functionality to configure attacks involving numerous iterations of a base request. Burp Intruder can change the base request by inserting various payloads into predefined positions, making it a versatile tool for discovering vulnerabilities that particularly rely on unexpected or malicious input.
To send a request to Burp Intruder, right-click on the request and select Send to Intruder.
The following table answers questions about how to use Burp beyond the regular passive and active Burp Scanner checks for specific security issues:
| Security Issue | Burp Feature | Notes |
|---|---|---|
| Authorization issues | Autorize extension, AutoRepeater extension, 403 Bypasser extension | For automating authorization testing across different user roles |
| Cross-site scripting (XSS) | DOM Invader, Intruder with XSS wordlists, Hackvertor tags | For Blind XSS, use Burp Collaborator payloads or Taborator with $collabplz placeholder |
| Cross-site request forgery (CSRF) | AutoRepeater extension (base replacements for CSRF-related parameters) | Generate CSRF PoC from context menu |
| Denial of service (DoS) | Observe responses, response time, application logs | Use denial-of-service mode in Burp Intruder |
| Edge Side Inclusion (ESI) injection | Active Scan++ extension | |
| File upload issues | Upload Scanner extension | |
| HTTP request smuggling | HTTP Request Smuggler extension | |
| Insecure direct object references (IDOR) | Backslash Powered Scanner extension, Manual interaction in Burp Repeater, Burp Intruder with numbers payload type | |
| Insecure deserialization | Freddy Deserialization Bug Finder extension, Java Serial Killer extension, Java Deserialization Scanner extension | |
| IP spoofing | Collaborator Everywhere extension, Manual interaction in Burp Repeater | |
| JWT issues | JSON Web Tokens extension, JWT Editor extension, JSON Web Token Attacker (JOSEPH) extension | |
| OAuth/OpenID issues | OAUTH Scan extension | |
| Open redirection | Burp Intruder with appropriate wordlists and analysis of the Location response | |
| Race conditions | Backslash Powered Scanner extension, Turbo Intruder extension, Burp Repeater with requests sent in parallel as a group | |
| Rate-limiting bypass | Turbo Intruder extension, IP Rotate extension, Burp Intruder when using differentiated headers/parameters, Bypass WAF extension | |
| SAML-based authentication | SAML Raider extension | |
| Server-side prototype pollution | Server-Side Prototype Pollution Scanner extension | |
| SQL Injection | Backslash Powered Scanner extension, the specific Burp request saved to a text file and passed to the sqlmap tool using the -r argument | |
| Server-side request forgery (SSRF) | Burp Intruder with appropriate wordlists, Manual interaction with Burp Collaborator payloads or Taborator with the $collabplz placeholder | |
| Server-side template injection (SSTI) | Active Scan++ extension | |
| Tip | Why It Helps |
|---|---|
| Use global search (Burp > Search) | Find strings across all Burp tools when you can't remember where you saw something |
| Test for race conditions using Burp Repeater groups | Send multiple requests in parallel using last-byte technique (HTTP/1) or single-packet attack (HTTP/2) |
| Use Autorize extension for access control testing | Automatically modifies and resends intercepted requests with substituted session identifiers to reveal authorization issues |
| Run Collaborator Everywhere | Adds noninvasive headers designed to reveal back-end systems by triggering pingbacks to Burp Collaborator |
| Intercept and modify responses | Unhide hidden form fields, enable disabled form fields, remove input field length limits, remove CSP headers |
| Use BChecks for custom scan checks | Automate passive and active hunts without extensive coding |
| Use Bambdas for filtering HTTP history | Customize your Burp tools with small snippets of Java |
| Use custom Hackvertor tags | Configure your own tags based on Python or JavaScript for custom encoding/escaping |
| Configure upstream proxy | Chain Burp with other tools like ZAP or mitmproxy |
| Use Easy Auto Refresh Chrome extension | Extend your session and prevent automatic logout |
Race conditions occur when the timing or ordering of events affects a system's behavior. Burp allows you to group multiple requests and send them in a short time window.
Using Burp Repeater:
Burp will send all grouped requests using last-byte technique (HTTP/1) or single-packet attack (HTTP/2).
Using Turbo Intruder:
examples/race-single-packet-attack.py
The Autorize extension is tailored to make testing access controls in web applications flexible and efficient.
The general rule for using Autorize:
Autorize automatically modifies and resends intercepted requests with these substituted session identifiers. This allows us to investigate whether the server appropriately authorizes each incoming request, revealing any discrepancies in access controls.
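The replay-and-compare idea described above, written out as an added Python example (this is not Autorize's own code and does not use the Burp API). It resends each request observed with a high-privileged session using a low-privileged session and no session at all, then classifies the replayed responses with the same three verdict strings Autorize shows. The target application, the cookie values and the default "enforcement detector" (treating a 401 or 403 as an explicit refusal) are constructed assumptions for the illustration; in Autorize the detector is a filter you configure yourself.

```python
"""Differential authorization replay, modelled on the Autorize Burp extension.

Added example for this page, not Autorize's own code. Each request observed
with a high-privileged session is resent with a low-privileged session and
with no session, and the responses are compared against the original.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed target application: session cookie value -> role (assumption).
SESSIONS = {"admin-session": "admin", "user-session": "user"}


def demo_app(method: str, path: str, cookie: Optional[str]) -> Response:
    """Constructed stand-in for the server under test, with one deliberate gap:
    /api/invoices/<id> never checks who is allowed to read the invoice."""
    role = SESSIONS.get(cookie or "")
    if role is None:
        return Response(401, "login required")
    if path == "/api/admin/users":
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, '[{"id":1,"name":"alice"},{"id":2,"name":"bob"}]')
    if path == "/api/profile":
        # Per-user content: the reply differs by role without being a refusal.
        return Response(200, '{"user":"%s"}' % role)
    if path.startswith("/api/invoices/"):
        invoice_id = path.rsplit("/", 1)[1]
        return Response(200, '{"invoice":"%s","total":42}' % invoice_id)
    return Response(404, "not found")


Sender = Callable[[str, str, Optional[str]], Response]
Detector = Callable[[Response], bool]


def default_enforcement_detector(resp: Response) -> bool:
    """Assumed detector: the server explicitly refused the request."""
    return resp.status in (401, 403)


def verdict(original: Response, replayed: Response,
            detector: Detector = default_enforcement_detector) -> str:
    """Classify one replayed response the way Autorize's verdict column does."""
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"        # same shape as the privileged reply: no check applied
    if detector(replayed):
        return "Enforced!"        # the substituted session was refused
    return "Is enforced???"       # different, but not a refusal: review by hand


def check_request(send: Sender, method: str, path: str,
                  high_cookie: str, low_cookie: str) -> Dict[str, str]:
    """Replay one request with the substituted session identifiers."""
    original = send(method, path, high_cookie)
    return {
        "low_privileged": verdict(original, send(method, path, low_cookie)),
        "unauthenticated": verdict(original, send(method, path, None)),
    }


def run_checks(send: Sender, requests: List[Tuple[str, str]],
               high_cookie: str, low_cookie: str) -> Dict[str, Dict[str, str]]:
    """Run the differential check over every recorded (method, path) pair."""
    return {path: check_request(send, method, path, high_cookie, low_cookie)
            for method, path in requests}


if __name__ == "__main__":
    observed = [("GET", "/api/admin/users"), ("GET", "/api/profile"),
                ("GET", "/api/invoices/1001")]
    for path, result in run_checks(demo_app, observed, "admin-session", "user-session").items():
        print(f"{path:22} low={result['low_privileged']:15} anon={result['unauthenticated']}")
```

The "Is enforced???" verdict for /api/profile is the case that needs the enforcement detector configured: the low-privileged reply differs from the original only because it contains different data, so neither "bypassed" nor "refused" can be concluded from status and length alone.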
Useful tips:
BChecks are custom scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine, helping you to target your scans and make your testing workflow as efficient as possible.
BChecks are written in a .bcheck file extension with a plaintext, custom definition language to declare the behavior of the check.
Example BCheck structure:
```
metadata:
    language: v1-beta
    name: "Insertion-point-level"
    description: "Inserts a calculation into each parameter to detect suspicious input transformation"
    author: "Carlos Montoya"

define:
    calculation = "{{1337*1337}}"
    answer = "1787569"

given insertion point then
    if not({answer} in {base.response}) then
        send payload:
            appending: {calculation}

        if {answer} in {latest.response} then
            report issue:
                severity: high
                confidence: tentative
                detail: "The application transforms input in a way that suggests it might be vulnerable to some kind of server-side code injection."
                remediation: "Manual investigation is advised."
        end if
    end if
```
Bambda mode allows you to use small snippets of Java to customize your Burp tools. For example, Bambdas can allow you to find JSON responses with the wrong Content-Type in the HTTP history.
A wordlist is a file containing a collection of payloads (i.e., input strings) that Burp populates requests with during an attack.
Popular public wordlists:
Configure a custom wordlist location: Burp Intruder comes with basic predefined payload lists. You can load your own directory of custom wordlists in the Intruder settings. This allows your custom wordlists to be easily accessible.
Use the Taborator extension: Add the $collabplz placeholder to a wordlist. When processing the request, Taborator will automatically change it to a valid Burp Collaborator payload.
You can run a specific extension when you work on a specific request. Right-click on the request, then select Extensions, and choose the specific one:
§§ characters inside a Hackvertor tag—for example, <@jwt('HS256','secret')>§payload§<@/jwt>.
First, export Burp's CA certificate. Convert the PKCS#12 CA bundle to PEM formatting:
```sh
openssl pkcs12 -in /path/to/burp.pkcs12 -nodes -out /path/to/burp.pem
```
Test Burp's proxying with curl:
```sh
docker run \
  --volume /path/to/burp.pem:/tmp/burp.pem \
  curlimages/curl:latest \
  --proxy host.docker.internal:8080 \
  --cacert /tmp/burp.pem \
  https://www.google.com
```
For Go applications:
```sh
docker run \
  --env SSL_CERT_DIR=/usr/local/share/ca-certificates \
  --volume /path/to/burp.pem:/usr/local/share/ca-certificates/burp.pem \
  --env HTTPS_PROXY=host.docker.internal:8080 \
  --volume $(pwd)/req.go:/go/req.go \
  golang:latest go run req.go
```
Note: host.docker.internal is Docker Desktop's special domain for referencing the host machine, and 8080 is Burp's default proxy listener port.
| Mistake | Why It's Wrong | Correct Approach |
|---|---|---|
| Not configuring scope properly | Scanning out-of-scope targets wastes time and may cause unintended harm | Always configure Target scope and decide whether to stop sending out-of-scope items to history |
| Enabling too many extensions | Performance impact and potential conflicts | Only enable extensions actively being used; periodically review and unload unused extensions |
| Not monitoring Logger tab | Missing important error responses and unexpected behaviors | Regularly check Logger tab for nonstandard responses, errors, and stack traces |
| Scanning logout endpoints | Terminates session causing 401 Unauthorized errors | Exclude logout/signout endpoints from active scanning |
| Not handling session tokens properly | Tests fail with authentication errors | Use Easy Auto Refresh extension or custom Authorization Bearer Detector for session management |
| Using default Burp Intruder wordlists | Limited coverage and generic payloads | Prepare custom wordlists based on target technology stack and vulnerability types |
| Not analyzing Burp Intruder results thoroughly | Missing subtle vulnerabilities | Sort by Length, HTTP codes, Response time; use Extract grep; watch Collaborator interactions |
| Saving all attacks to project file | Large file sizes and performance degradation | Run attacks in temporary project mode; save only important results afterward |
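The triage workflow from the "Not analyzing Burp Intruder results thoroughly" row above, as an added Python example (not Burp's code): it clusters rows by status and length to find the baseline response, flags response-time outliers against the median, and applies an Extract grep style regex to the bodies. The result rows are constructed for the illustration, not captured from a real target, and the column names mirror what Intruder displays.

```python
"""Triage of Intruder-style results: baseline by (status, length), time outliers,
and an Extract grep. Added example; the rows below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IntruderRow:
    payload: str   # value inserted at the § position
    status: int    # Status code column
    length: int    # Length column
    time_ms: int   # Response time column
    body: str      # response body, used by the Extract grep


# Constructed attack over a numeric id parameter: one row per payload.
SAMPLE_ROWS = [
    IntruderRow("1", 200, 1234, 180, '{"id":1,"status":"ok"}'),
    IntruderRow("2", 200, 1234, 175, '{"id":2,"status":"ok"}'),
    IntruderRow("3", 200, 1234, 190, '{"id":3,"status":"ok"}'),
    IntruderRow("4", 404, 512, 160, "not found"),
    IntruderRow("5", 200, 1234, 185, '{"id":5,"status":"ok"}'),
    IntruderRow("6", 500, 2048, 210,
                "Internal error: NullPointerException at "
                "com.example.OrderService.load(OrderService.java:88)"),
    IntruderRow("7", 200, 1234, 9100, '{"id":7,"status":"ok"}'),
    IntruderRow("8", 200, 1234, 170, '{"id":8,"status":"ok"}'),
]


def baseline(rows: List[IntruderRow]) -> Tuple[int, int]:
    """The most frequent (status, length) pair is the application's normal answer."""
    return Counter((r.status, r.length) for r in rows).most_common(1)[0][0]


def anomalies(rows: List[IntruderRow]) -> List[IntruderRow]:
    """Rows that deviate from the baseline are the ones to open first."""
    base = baseline(rows)
    return [r for r in rows if (r.status, r.length) != base]


def slow_rows(rows: List[IntruderRow], factor: float = 5.0) -> List[IntruderRow]:
    """Response-time outliers relative to the median (factor is an assumed threshold)."""
    med = median(r.time_ms for r in rows)
    return [r for r in rows if r.time_ms > factor * med]


def extract_grep(rows: List[IntruderRow], pattern: str) -> Dict[str, str]:
    """Like Intruder's Extract grep: capture group 1 of `pattern` per matching row."""
    regex = re.compile(pattern)
    found = {}
    for r in rows:
        m = regex.search(r.body)
        if m:
            found[r.payload] = m.group(1)
    return found


if __name__ == "__main__":
    print("baseline:", baseline(SAMPLE_ROWS))
    print("anomalies:", [r.payload for r in anomalies(SAMPLE_ROWS)])
    print("slow:", [r.payload for r in slow_rows(SAMPLE_ROWS)])
    print("stack frames:", extract_grep(SAMPLE_ROWS, r"at (com\.example\.[\w.]+\(\w+\.java:\d+\))"))
```

Sorting the results table by Length or Status in Burp gives you the same grouping by eye; the point of computing a baseline is that with thousands of rows the handful that differ from it (here a 404, a 500 carrying a stack frame, and one slow response) is the whole review queue.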
| Skill | When to Use Together |
|---|---|
| dom-invader | For identifying client-side vulnerabilities in browser-based applications alongside Burp's server-side testing |
| sqlmap | For advanced SQL injection testing; export Burp requests to sqlmap using the -r argument |
| web-security-testing | For understanding the broader context of web security vulnerabilities that Burp helps identify |
Mastering Web Research with Burp Suite: Trail of Bits webinar diving into advanced web research techniques using Burp Suite with James Kettle, including how to discover ideas and targets, optimize your setup, and utilize Burp tools in various scenarios. Explores the future of Burp with the introduction of BChecks and compares dynamic and static analysis through real-world examples.
NSEC2023 - Burp Suite Pro tips and tricks, the sequel: advanced tips and tricks for Burp Suite Professional users.
Burp Suite Essentials YouTube Playlist: comprehensive video series covering Burp Suite essentials.
The official BChecks developed by PortSwigger and community: collection of custom scan checks that you can create and import into Burp Scanner.
The official Bambdas collection developed by PortSwigger and community: collection of Java snippets to customize your Burp tools.