Burp Suite Introduction | Cyber Security Tutorial - Learn with VOKS
Burp Suite Introduction

Burp Suite is one of the most popular tools used in web application security testing. It is mainly used by security researchers, penetration testers, and ethical hackers to find vulnerabilities in web applications.

What Is Burp Suite

Burp Suite is a web application security testing tool developed by PortSwigger.

It works as an intercepting proxy. This means:

Instead of your browser talking directly to a website, your browser talks to Burp Suite first. Then Burp forwards the request to the website.

So the communication flow becomes:

Browser → Burp Suite → Website

Website → Burp Suite → Browser

This allows you to:

  • See HTTP requests
  • Modify requests
  • Analyze responses
  • Test for vulnerabilities

Why Burp Suite Is Important

Modern web applications rely heavily on:

  • HTTP requests
  • Cookies
  • Headers
  • Authentication tokens
  • APIs

Burp Suite lets you inspect and manipulate all of these.

It is commonly used to test for:

  • XSS
  • SQL Injection
  • Authentication flaws
  • Access control issues
  • Insecure APIs

Editions Of Burp Suite

Burp Suite has three main versions:

  1. Community Edition (Free)
  2. Professional Edition (Paid)
  3. Enterprise Edition (Automated large-scale scanning)

Beginners usually start with the Community Edition.

How Burp Suite Works

The Proxy Concept

Burp Suite acts as a proxy server.

A proxy server sits between a client (your browser) and a server (the website).

Normal connection:

Browser → Website

With Burp:

Browser → Burp Proxy → Website

Because Burp is in the middle, it can:

  • Capture requests
  • Pause them
  • Modify them
  • Forward them
  • Drop them

Basic HTTP Request Example

Here is a simple HTTP login request:


POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

username=admin&password=1234

Burp Suite allows you to:

  • Change username
  • Change password
  • Modify headers
  • Add cookies
  • Replay this request many times

This is extremely useful for testing.
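The edits listed above are what you do by hand in Burp's request editor. The following added example (written for this page, not part of the tutorial or of Burp itself) does the same thing in code so you can see what actually changes on the wire: it parses the raw login request, swaps a form parameter, adds a cookie, and re-serializes the request with a recomputed Content-Length. The sample request and the cookie value are constructed for the example.

```javascript
// Added example: a minimal raw-HTTP request editor mirroring Burp's
// Proxy/Repeater edits. Node.js built-ins only; no external packages.

const CRLF = '\r\n';

// Parse a raw HTTP/1.1 request into request line, headers and body.
function parseRequest(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split(CRLF);
  const [method, target, version] = lines[0].split(' ');
  const headers = [];
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return { method, target, version, headers, body };
}

// Set a header by name (case-insensitive), adding it if it is absent.
function setHeader(req, name, value) {
  const idx = req.headers.findIndex(([n]) => n.toLowerCase() === name.toLowerCase());
  if (idx === -1) req.headers.push([name, value]);
  else req.headers[idx] = [req.headers[idx][0], value];
  return req;
}

// Change one parameter in an application/x-www-form-urlencoded body.
function setFormParam(req, key, value) {
  const params = new URLSearchParams(req.body);
  params.set(key, value);
  req.body = params.toString();
  return req;
}

// Serialize back to wire form. Content-Length is recomputed from the byte
// length of the (possibly edited) body, which is what Burp does for you when
// its "update Content-Length" option is on. A stale value here is a common
// cause of the server hanging or rejecting a hand-edited request.
function serializeRequest(req) {
  if (req.body.length > 0) {
    setHeader(req, 'Content-Length', String(Buffer.byteLength(req.body, 'utf8')));
  }
  const headerLines = req.headers.map(([n, v]) => `${n}: ${v}`);
  return [`${req.method} ${req.target} ${req.version}`, ...headerLines].join(CRLF)
    + CRLF + CRLF + req.body;
}

// Constructed sample: the login request shown in the tutorial.
const SAMPLE_REQUEST =
  'POST /login HTTP/1.1\r\n' +
  'Host: example.com\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  'Content-Length: 28\r\n' +
  '\r\n' +
  'username=admin&password=1234';

// Edit the request the way you would in Repeater: change the password and
// add a cookie (constructed value), then rebuild the request text.
function demo() {
  const req = parseRequest(SAMPLE_REQUEST);
  setFormParam(req, 'password', 'admin123');
  setHeader(req, 'Cookie', 'session=constructed-test-value');
  return serializeRequest(req);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` and compare the printed request with the original: the body grew from 28 to 32 bytes, and the Content-Length header follows it.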

Main Components Of Burp Suite

Burp Suite is divided into several tools. These are the most important ones for beginners.

Proxy

The Proxy tab is the heart of Burp.

It allows you to:

  • Intercept requests
  • Modify requests before sending
  • View responses

When Intercept is ON, every request stops in Burp before reaching the server.

You can:

  • Edit the request
  • Forward it
  • Drop it

Repeater

Repeater is used to manually test requests.

You can:

  1. Capture a request in Proxy
  2. Send it to Repeater
  3. Modify parameters
  4. Send it repeatedly

Example use case:

Testing a login request with different passwords.

Intruder

Intruder is used for automated attacks such as:

  • Brute force
  • Fuzzing
  • Parameter testing

Example:

If a login request looks like this:


POST /login
username=admin&password=§test§

Intruder can automatically try:

  • 1234
  • password
  • admin123
  • qwerty

And observe which one succeeds.
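From the server's side, an Intruder run like the one above is a burst of failed logins from one client followed, if a guess works, by a success. The following added example (written for this page, not part of the tutorial or of Burp) shows the detection logic a defender would put behind that signal: it scans constructed sample access-log lines, counts failed logins per client IP in a sliding time window, and flags clients that cross a threshold. The log format, IP addresses and threshold are assumptions made for the example.

```javascript
// Added example: detecting an Intruder-style password-guessing burst in
// server logs. Node.js built-ins only.

// Constructed sample access log, one event per line:
// "<ISO time> <client ip> <status> <path> <username>"
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z 203.0.113.5 401 /login admin',
  '2024-01-01T10:00:01Z 203.0.113.5 401 /login admin',
  '2024-01-01T10:00:01Z 203.0.113.5 401 /login admin',
  '2024-01-01T10:00:02Z 203.0.113.5 401 /login admin',
  '2024-01-01T10:00:02Z 203.0.113.5 401 /login admin',
  '2024-01-01T10:00:03Z 203.0.113.5 200 /login admin',
  '2024-01-01T10:00:05Z 198.51.100.9 401 /login alice',
  '2024-01-01T10:05:00Z 198.51.100.9 200 /login alice',
];

function parseLine(line) {
  const [ts, ip, status, path, username] = line.trim().split(/\s+/);
  return { time: Date.parse(ts), ip, status: Number(status), path, username };
}

// Sliding-window count of failed logins (HTTP 401) per client IP.
// Returns one alert per IP that reaches `threshold` failures within
// `windowMs`, noting whether a successful login followed the burst,
// which is the "a guess worked" indicator an analyst wants to see first.
function detectBruteForce(lines, { threshold = 5, windowMs = 60_000 } = {}) {
  const events = lines.map(parseLine)
    .filter(e => e.path === '/login')
    .sort((a, b) => a.time - b.time);

  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }

  const alerts = [];
  for (const [ip, evs] of byIp) {
    const failures = evs.filter(e => e.status === 401);
    let start = 0;
    for (let end = 0; end < failures.length; end++) {
      // Shrink the window from the left until it spans at most windowMs.
      while (failures[end].time - failures[start].time > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const lastFailure = failures[end].time;
        const successAfter = evs.some(e => e.status === 200 && e.time >= lastFailure);
        alerts.push({
          ip,
          failures: count,
          usernames: [...new Set(failures.map(f => f.username))],
          successAfter,
        });
        break; // one alert per IP is enough for this example
      }
    }
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(detectBruteForce(SAMPLE_LOG));
}
```

In the sample, 203.0.113.5 makes five failed attempts against `admin` in three seconds and then succeeds, so it is flagged with `successAfter: true`; 198.51.100.9 fails once and is ignored. The same counting logic is what an account-lockout or rate-limiting rule applies in real time, which is the mitigation that makes an Intruder brute-force run stop working.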

Decoder

Decoder is used to encode or decode data.

Common uses:

  • Base64 decoding
  • URL decoding
  • Hashing

Example Base64:


YWRtaW4=

Decoded becomes:


admin

Comparer

Comparer helps compare:

  • Two HTTP responses
  • Two requests
  • Differences between outputs

Useful when checking how the server reacts to small changes.

Step-By-Step Beginner Setup

Step 1: Install Burp Suite

Download Burp Suite Community Edition from the official website of PortSwigger.

Install and launch it.


Step 2: Configure Browser Proxy

By default, Burp's proxy listener runs on:

127.0.0.1

Port 8080

You must configure your browser to use:

HTTP Proxy: 127.0.0.1

Port: 8080

Now your traffic flows through Burp.

Step 3: Turn Intercept On

Go to:

Proxy → Intercept → Turn ON

Now when you visit a website, requests will pause in Burp.

Step 4: Modify A Request

Example:

Original request:


POST /login
username=user&password=wrongpass

Modify to:


POST /login
username=admin&password=admin123

Then click Forward.

This allows testing authentication logic.

Basic Exploitation Example Using Burp

Let us say a website has:


GET /profile?id=5

You intercept it in Burp.

You modify:


GET /profile?id=1

If the server does not properly check authorization, you might access another user's profile.

This is called an Insecure Direct Object Reference (IDOR).

Burp helps you discover these vulnerabilities by letting you manipulate parameters.
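The `/profile?id=` handler behind the IDOR example, written twice, as an added example for this page (not code from the tutorial or from Burp): the vulnerable version trusts the `id` parameter completely, and the fixed version checks that the requested profile belongs to the authenticated session before returning it. Both handlers are plain functions over a constructed request object so they run without Express; the user table, session store and cookie value are assumptions made for the example.

```javascript
// Added example: an IDOR-vulnerable profile handler beside its fixed form.
// Node.js built-ins only; request objects are constructed, not real HTTP.

// Constructed user table.
const USERS = {
  1: { id: 1, name: 'alice', email: 'alice@example.com' },
  5: { id: 5, name: 'bob', email: 'bob@example.com' },
};

// Constructed session store: session cookie value -> authenticated user id.
const SESSIONS = { 'sess-bob-constructed': 5 };

function currentUserId(req) {
  const token = (req.cookies || {}).session;
  return SESSIONS[token] ?? null;
}

// Vulnerable: the only thing deciding whose profile comes back is the id
// parameter, so changing id=5 to id=1 in Burp returns another user's data.
function profileVulnerable(req) {
  const user = USERS[Number(req.query.id)];
  return user ? { status: 200, body: user } : { status: 404, body: 'not found' };
}

// Fixed: the caller must be logged in, and the requested object must belong
// to that caller. The authorization decision is made server-side from the
// session, never from the tampered parameter.
function profileFixed(req) {
  const me = currentUserId(req);
  if (me === null) return { status: 401, body: 'login required' };
  const requested = Number(req.query.id);
  if (requested !== me) return { status: 403, body: 'forbidden' };
  const user = USERS[requested];
  return user ? { status: 200, body: user } : { status: 404, body: 'not found' };
}

// Constructed request as Burp would forward it after editing id=5 to id=1,
// still carrying bob's session cookie.
const TAMPERED_REQUEST = {
  query: { id: '1' },
  cookies: { session: 'sess-bob-constructed' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', profileVulnerable(TAMPERED_REQUEST));
  console.log('fixed:     ', profileFixed(TAMPERED_REQUEST));
}
```

Returning 403 makes the example easy to read; many applications return 404 for both "not yours" and "does not exist" so that the response does not confirm which ids are valid. Either way, the fix is the ownership check, not hiding the id.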

Important Ethical Warning

Burp Suite is a powerful tool.

You must:

  • Only test applications you own
  • Or applications you have written permission to test

Using it against systems without permission is illegal.

Ethical hacking requires authorization.

Simple Local Test Setup Code

Here is a very small vulnerable Express app you can test with Burp:


const express = require('express');
const app = express();

// Parse application/x-www-form-urlencoded bodies into req.body
app.use(express.urlencoded({ extended: true }));

// Login handler with hardcoded credentials (for local testing only)
app.post('/login', (req, res) => {
    const { username, password } = req.body;

    if (username === "admin" && password === "admin123") {
        res.send("Welcome Admin");
    } else {
        res.send("Invalid credentials");
    }
});

// Minimal login form so the browser produces a POST to intercept
app.get('/', (req, res) => {
    res.send(`
        <form method="POST" action="/login">
            <input name="username" />
            <input name="password" />
            <button>Login</button>
        </form>
    `);
});

app.listen(3000, () => {
    console.log("Server running on port 3000");
});

You can:

  1. Run this server
  2. Configure Burp proxy
  3. Intercept login requests
  4. Modify credentials
  5. Observe behavior

