This chapter covers Burp Suite, the most widely used web application security testing platform, and its critical role in the PT0-002 exam. You will learn how to configure and operate Burp Suite's proxy, scanner, intruder, repeater, and other tools to identify vulnerabilities such as SQL injection, XSS, and authentication flaws. Approximately 10-15% of exam questions touch on web application testing tools and techniques, with Burp Suite being the primary tool referenced. Mastering Burp Suite is essential for the performance-based questions where you must demonstrate intercepting and modifying HTTP traffic.
Imagine you are a postal inspector tasked with examining all mail entering and leaving a company. You set up a mail room where every letter is routed through your desk before delivery. You can open envelopes, read contents, modify messages, re-seal envelopes, and then forward them to the intended recipient. You can also block certain letters, delay them, or send them multiple times. This mail room is Burp Suite's proxy. The company's web browser is configured to send all HTTP/HTTPS traffic through your inspection desk (the proxy listener). When a user visits a website, the request first lands on your desk. You can examine the raw HTTP request, modify headers, change parameters, or even drop the request entirely. After your inspection, you forward the request to the actual web server. The server's response comes back to your desk, where you can modify it before sending it to the browser. This allows you to see exactly what the browser sends and what the server returns, and to manipulate traffic in real time to test for vulnerabilities. Just as a postal inspector maintains a log of all intercepted letters, Burp Suite logs all requests and responses for later analysis. The key difference is that Burp Suite can also decrypt HTTPS traffic by acting as a man-in-the-middle using its own CA certificate, which the browser must trust.
What is Burp Suite?
Burp Suite is an integrated platform for performing security testing of web applications. Developed by PortSwigger, it is the de facto standard tool for penetration testers and bug bounty hunters. Burp Suite acts as an intercepting proxy, allowing you to inspect and modify all HTTP/HTTPS traffic between your browser and the target web application. It includes a suite of tools for automated scanning, manual testing, session handling, and reporting.
How Burp Suite Works
Burp Suite operates by inserting itself as a man-in-the-middle (MITM) proxy. You configure your browser to route all traffic through Burp's proxy listener (default: 127.0.0.1:8080). When the browser sends an HTTP request, Burp intercepts it before it reaches the server. The request appears in the Proxy tab's Intercept tab, where you can view, modify, or forward it. The server's response is also intercepted, allowing you to modify it before it reaches the browser.
For HTTPS traffic, Burp Suite generates its own CA certificate. When you install this certificate in your browser's trust store, Burp can terminate the browser's TLS connection with a per-host certificate signed by that CA, inspect the plaintext HTTP, and re-encrypt it over its own TLS connection to the real server. This process is transparent to the user but allows Burp to see and modify encrypted traffic.
Key Components and Their Functions
Proxy: The core intercepting proxy. It listens on a local port (default 8080) and captures all traffic. It has two sub-tabs: Intercept (for real-time modification) and HTTP history (for logging all requests/responses).
Spider: Crawls the web application to map content and functionality. It discovers links, forms, and parameters. The Spider is now deprecated in newer versions in favor of the crawler integrated into the Scanner.
Scanner: Automated vulnerability scanner that performs passive and active scans. Passive scans analyze traffic without sending requests; active scans send crafted payloads to detect vulnerabilities like SQLi, XSS, and command injection.
Intruder: A tool for automated customized attacks against a target. It can fuzz parameters, perform brute-force attacks, and test for parameter tampering. Supports various attack types: Sniper, Battering ram, Pitchfork, and Cluster bomb.
Repeater: Allows manual resending of individual requests with modifications. Useful for testing parameter manipulation or verifying vulnerabilities.
Sequencer: Analyzes the randomness of session tokens and other data to assess their predictability.
Decoder: Converts between different encoding formats (URL, Base64, hex, etc.) and performs hashing.
Comparer: Performs visual comparisons between two pieces of data (e.g., two HTTP responses) to identify differences.
Extender: Allows loading of BApp Store extensions to add functionality.
Default Configuration and Important Values
Proxy listener: Default port 8080 on loopback interface (127.0.0.1). For remote testing, you can bind to all interfaces (0.0.0.0).
Intercept: On by default. Requests are caught until you click 'Forward' or 'Drop'. You can set rules to automatically intercept requests matching certain conditions.
Scope: You can define a target scope to limit which requests are intercepted/logged. Requests outside scope are forwarded without interception.
SSL/TLS: Burp generates a CA certificate on first run. You must export this certificate (Proxy > Options > Import/Export CA certificate) and install it in your browser to intercept HTTPS without warnings.
Session handling rules: Define how Burp handles cookies, authentication tokens, and other session-related data across requests.
Using Burp Suite Step-by-Step
Configure Browser: Set your browser's proxy to 127.0.0.1:8080. For Chrome, use the 'SwitchyOmega' extension or command-line flags. For Firefox, go to Settings > Network Settings > Manual proxy configuration.
Install CA Certificate: Browse to http://burpsuite and download the CA certificate. Import it into your browser's certificate authorities.
Set Target Scope: In Target > Scope, add the target URLs (e.g., *.example.com). This ensures Burp only intercepts relevant traffic.
Browse the Application: With Intercept on, Burp will capture each request. You can forward or modify them. The HTTP history logs all traffic.
Run Spider: Right-click on a target in Target > Site map and select 'Spider this host' to crawl the application.
Run Active Scan: Right-click on a request and select 'Do an active scan' to launch automated vulnerability scanning.
Use Intruder: Send a request to Intruder, set payload positions (e.g., parameter values), configure payloads (e.g., wordlist), and launch attack.
Use Repeater: Send a request to Repeater, modify parameters, and send repeatedly to observe responses.
Command-Line Options
Burp Suite is a GUI application, but it can be started from the command line with options:
java -jar burpsuite_pro_v2023.12.1.jar --user-config-file=config.json --project-file=project.burp
--user-config-file: Load a configuration file.
--project-file: Save/load project state.
--collaborator-server: Start Burp Collaborator server for out-of-band testing.
Interacting with Related Technologies
Burp Suite integrates with other tools via the Extender API. For example:
- SQLMap: You can copy a request from Burp and use it with SQLMap (sqlmap -r request.txt).
- Nmap: Use Burp's target information to inform network scanning.
- Custom Scripts: Write Python or Ruby extensions using the BApp Store or the Extender API.
Performance Considerations
Burp Suite can be memory-intensive. For large-scale testing, increase the Java heap size:
java -Xmx2g -jar burpsuite_pro.jar
-Xmx2g: Allocates 2GB of RAM. Adjust based on your system.
Common Pitfalls
Not configuring scope: Without scope, Burp intercepts all traffic (including system updates), which can be overwhelming.
Forgetting to install CA certificate: HTTPS traffic will show errors or not be intercepted.
Leaving Intercept on: Forgetting to turn Intercept off after use causes the browser to hang while it waits for the held requests to be forwarded.
Not saving project: Burp projects can be saved for later analysis; losing state can be costly.
Exam Relevance
For PT0-002, you must demonstrate proficiency in:
Setting up Burp Suite as an intercepting proxy.
Modifying requests in transit (e.g., changing parameter values to test for authorization flaws).
Using Repeater to manually test for vulnerabilities.
Using Intruder for brute-force or fuzzing attacks.
Interpreting scan results.
The exam may present a scenario where you need to choose the correct tool within Burp for a specific task (e.g., Intruder for brute-force, Repeater for manual parameter testing).
Configure Browser Proxy Settings
Set your browser to route traffic through Burp's proxy listener. In Firefox, go to Options > Network Settings > Manual proxy configuration: HTTP Proxy = 127.0.0.1, Port = 8080. Check 'Also use this proxy for HTTPS'. In Chrome, use a proxy switcher extension like SwitchyOmega or launch with --proxy-server=127.0.0.1:8080. Verify by visiting http://burpsuite — you should see the Burp Suite welcome page. This step ensures all HTTP/HTTPS requests pass through Burp for interception.
Install Burp CA Certificate
To intercept HTTPS traffic without browser warnings, you must install Burp's CA certificate. Browse to http://burpsuite, click 'CA Certificate', and download the cacert.der file. In Firefox, go to Options > Privacy & Security > Certificates > View Certificates > Authorities > Import. In Chrome, go to Settings > Privacy and security > Security > Manage certificates > Authorities > Import. This certificate allows Burp to decrypt and re-encrypt TLS traffic as a man-in-the-middle. Without it, HTTPS connections will fail with security errors.
Define Target Scope
In Burp, go to Target > Scope. Add the target URL pattern (e.g., *.example.com) to the 'Include in scope' list. This tells Burp to only intercept and log traffic matching these URLs. Requests outside scope are automatically forwarded without interception. Proper scope management prevents clutter from irrelevant traffic (e.g., browser updates) and ensures focused testing. You can also exclude specific URLs (e.g., logout endpoints) if needed.
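As an added illustration of the scope behaviour described above (example code written for this chapter, not PortSwigger's implementation), the following models an include/exclude scope: a URL is in scope when its host matches an include pattern and no exclude pattern, and everything else is forwarded untouched. Patterns are matched shell-style, which is an assumption of this model rather than Burp's own syntax, and the apex host needs its own entry alongside *.example.com.

```python
"""Scope include/exclude model in the spirit of Burp's Target > Scope tab.

Example code written for this chapter, not Burp Suite's own engine. A request
is in scope when its URL matches an 'include' pattern and no 'exclude'
pattern; out-of-scope requests are forwarded without interception or logging.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


class Scope:
    def __init__(self, include, exclude=()):
        # Patterns use shell-style wildcards (an assumption of this model,
        # not Burp's own regex syntax). A bare host pattern matches any path
        # on that host; a pattern containing '/' matches scheme://host/path.
        self.include = list(include)
        self.exclude = list(exclude)

    @staticmethod
    def _matches(pattern, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if "/" in pattern:
            return fnmatchcase(f"{parts.scheme}://{host}{parts.path}", pattern)
        return fnmatchcase(host, pattern)

    def in_scope(self, url):
        # Exclusions win, so an excluded logout endpoint stays out even though
        # its host is covered by an include pattern.
        if any(self._matches(p, url) for p in self.exclude):
            return False
        return any(self._matches(p, url) for p in self.include)


def triage(scope, urls):
    """Split captured URLs into those Burp would intercept/log and those it
    would forward untouched (what the HTTP history would and would not show)."""
    result = {"intercept": [], "forward": []}
    for url in urls:
        result["intercept" if scope.in_scope(url) else "forward"].append(url)
    return result


# Constructed sample traffic: a target under *.example.com plus the kind of
# unrelated browser noise (update/telemetry checks) that scope exists to hide.
SAMPLE_URLS = [
    "https://shop.example.com/cart",
    "https://api.example.com/v1/profile",
    "https://shop.example.com/logout",
    "https://example.com/",
    "https://telemetry.browser-vendor.invalid/ping",
]

TARGET_SCOPE = Scope(
    include=["*.example.com", "example.com"],  # apex host listed separately
    exclude=["*/logout"],                       # keep the session alive while scanning
)

if __name__ == "__main__":
    for bucket, urls in triage(TARGET_SCOPE, SAMPLE_URLS).items():
        print(bucket, urls)
```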
Intercept and Modify Requests
With Intercept enabled (Proxy > Intercept > Intercept is on), browse the target application. Each request appears in the Intercept tab. You can view the raw HTTP request, modify headers (e.g., change User-Agent), modify parameters (e.g., change 'admin=false' to 'admin=true'), or drop the request entirely. Click 'Forward' to send the modified request to the server. The response is also intercepted, allowing you to modify it before it reaches the browser. This is critical for testing parameter tampering, authorization bypass, and input validation.
Use Repeater for Manual Testing
Right-click on any request in Proxy > HTTP history and select 'Send to Repeater'. In the Repeater tab, you can modify the request (e.g., change a parameter value, add headers) and click 'Send' to see the server's response immediately. This is ideal for manually testing specific vulnerabilities like SQL injection or XSS. You can also compare responses side-by-side. Repeater saves time by avoiding the need to navigate the application repeatedly. Use the 'Go' button to resend the original request for comparison.
Enterprise Scenario 1: Web Application Penetration Test
A penetration testing firm is contracted to assess a large e-commerce application. The tester configures Burp Suite as a proxy and browses the application's shopping cart, checkout, and user profile pages. Using the Spider, they map the entire site structure, discovering hidden admin panels and API endpoints. The Scanner identifies a reflected XSS in the search parameter and a SQL injection in the product ID parameter. The tester uses Intruder with a wordlist to brute-force the admin panel login, finding weak credentials. Repeater is used to manually verify the SQL injection by extracting the database version. The final report includes screenshots from Burp's HTTP history and scan results. The key challenge is handling the application's session management: the tester must configure session handling rules to maintain authentication across requests; otherwise the scanner may generate false positives by testing unauthenticated endpoints.
Enterprise Scenario 2: Bug Bounty Hunting on a Large Platform
A bug bounty hunter targets a social media platform with millions of users. They set up Burp Suite with a custom extension from the BApp Store to detect race conditions. Using Intruder's Pitchfork attack type, they simultaneously send multiple requests to exploit a race condition in the 'like' button, causing multiple likes from a single click. They also use the Sequencer to analyze the randomness of session tokens, finding that tokens are predictable because they are based on timestamps. The hunter uses Burp's Collaborator client to detect out-of-band vulnerabilities, such as blind XXE that triggers a DNS lookup. Performance is critical: the hunter must limit the scope to specific subdomains and use Burp's 'Throttle' feature to avoid overwhelming the target server, which could trigger rate-limiting or account suspension.
Enterprise Scenario 3: Internal Application Security Review
A company's security team uses Burp Suite to test their internal HR application before deployment. They configure Burp to listen on 0.0.0.0:8080 and have developers point their browsers to this proxy. The team uses Repeater to test role-based access control by modifying the 'role' parameter in requests. They discover that changing 'role=user' to 'role=admin' in a POST request grants administrative privileges. They also use the Comparer to diff responses between authenticated and unauthenticated requests to identify information disclosure. A common misconfiguration is forgetting to enable 'SSL passthrough' for certain endpoints that use client certificates, causing handshake failures. The team also uses Burp's 'Live capture' feature to record traffic from non-proxy-aware thick clients by using ARP spoofing or transparent proxying.
What PT0-002 Tests on This Topic
The PT0-002 exam objective 3.2 focuses on 'Exploit web application vulnerabilities' and includes using tools like Burp Suite. Specifically, you must understand:
How to configure Burp Suite as an intercepting proxy (objective 3.2.1)
How to modify requests in transit (objective 3.2.2)
How to use Burp Suite's tools (Scanner, Intruder, Repeater) to identify and exploit vulnerabilities (objective 3.2.3)
How to interpret scan results and logs (objective 3.2.4)
Common Wrong Answers and Why Candidates Choose Them
Choosing 'Spider' for brute-force attacks: Candidates confuse the Spider (crawling) with Intruder (automated attacks). The Spider maps content; Intruder performs brute-force or fuzzing. On the exam, if a question asks for a tool to test multiple password attempts, the answer is Intruder, not Spider.
Using Repeater for automated scanning: Repeater is for manual single-request testing; Scanner is for automated vulnerability detection. Candidates often think Repeater can scan because it sends requests, but it only sends one at a time with manual modifications.
Forgetting to install CA certificate for HTTPS: A question may describe a tester unable to intercept HTTPS traffic. The correct fix is installing Burp's CA certificate in the browser, not changing the proxy port or disabling TLS.
Thinking Burp Suite can only test HTTP: Burp Suite fully supports HTTPS interception with its CA certificate. Candidates may incorrectly believe it only works with HTTP.
Specific Numbers, Values, and Terms
Default proxy listener: 127.0.0.1:8080
Burp's in-browser interface: http://burpsuite (served by the proxy listener at 127.0.0.1:8080)
Attack types in Intruder: Sniper, Battering ram, Pitchfork, Cluster bomb
Scanner types: Passive (no requests sent) vs Active (sends payloads)
Project file extension: .burp
Java heap size allocation: -Xmx (e.g., -Xmx2g for 2GB)
Edge Cases and Exceptions
Non-proxy-aware clients: Some thick clients or mobile apps don't support proxy settings. Use Burp's 'Invisible proxying' or ARP spoofing with tools like BetterCap.
WebSockets: Burp Suite can intercept WebSocket traffic if configured correctly; the exam may test this.
Client certificates: If the target requires client certificates, you must configure Burp to present them in Proxy > Options > TLS.
Scope exclusion: If you accidentally exclude a critical endpoint, the Scanner may miss vulnerabilities. Always verify scope.
How to Eliminate Wrong Answers
If a question mentions 'automated vulnerability scanning', choose Scanner, not Intruder (Intruder is for custom automated attacks, not scanning).
If the question says 'manual testing of a single request', choose Repeater.
If the question involves 'fuzzing multiple parameters with different payloads', choose Intruder with Cluster bomb attack type.
If the question involves 'crawling to discover hidden pages', choose Spider.
Burp Suite acts as an intercepting proxy, listening on 127.0.0.1:8080 by default.
To intercept HTTPS, install Burp's CA certificate in the browser.
Use Repeater for manual, single-request testing; use Intruder for automated attacks like brute-force or fuzzing.
Intruder has four attack types: Sniper, Battering ram, Pitchfork, and Cluster bomb.
The Scanner performs passive (no requests) and active (sends payloads) vulnerability scanning.
Always define a target scope to avoid intercepting irrelevant traffic.
Burp Suite can be extended via BApp Store extensions; common extensions include JSON/XML formatters and custom scanners.
For performance, increase Java heap size with -Xmx flag (e.g., -Xmx2g).
These come up on the exam all the time. Here's how to tell them apart.
Burp Suite
Commercial tool with free community edition; Pro version has advanced features like rate limiting and Collaborator.
User-friendly GUI with intuitive workflow; industry standard in pentesting.
Extensive BApp Store for extensions; powerful Extender API.
Built-in session handling rules and scope management.
Requires Java; can be resource-intensive.
OWASP ZAP
Open-source and free; no paid version required for full features.
Slightly steeper learning curve; less polished GUI.
Has its own marketplace for add-ons; extensible via scripts.
Session management is manual; lacks some advanced features like Collaborator.
Also Java-based; lighter weight than Burp Pro.
Mistake
Burp Suite can only intercept HTTP, not HTTPS.
Correct
Burp Suite can intercept HTTPS traffic by acting as a man-in-the-middle. It generates its own CA certificate, which must be installed in the browser's trust store. Once installed, Burp decrypts TLS traffic, inspects plaintext, and re-encrypts it.
Mistake
The Intruder tool is used for automated vulnerability scanning.
Correct
Intruder is for custom automated attacks like brute-forcing or fuzzing, not for scanning for vulnerabilities. The Scanner tool performs automated vulnerability scanning (passive and active).
Mistake
You must disable Intercept to use Repeater.
Correct
Repeater works independently of the Intercept feature. You can send a request to Repeater from the HTTP history even while Intercept is on. Intercept only affects live browser traffic.
Mistake
Burp Suite only works with Firefox.
Correct
Burp Suite works with any browser that supports proxy configuration, including Chrome, Edge, and Safari. It can also intercept traffic from non-browser applications if they use HTTP/HTTPS.
Mistake
The Spider tool can perform active attacks.
Correct
The Spider only crawls the application by following links and submitting forms. It does not send malicious payloads. Active attacks are performed by the Scanner or Intruder.
First, configure your browser to use Burp as a proxy (127.0.0.1:8080). Then, browse to http://burpsuite and download the CA certificate. Import this certificate into your browser's trusted certificate authorities. Once installed, Burp will decrypt HTTPS traffic, allowing you to inspect and modify it. Without this step, HTTPS connections will show certificate errors.
The Scanner is an automated vulnerability scanner that passively or actively tests for security flaws (e.g., SQL injection, XSS). It sends payloads automatically based on its detection engine. Intruder is a tool for custom automated attacks, such as brute-forcing passwords or fuzzing parameters with user-defined payloads. Intruder does not detect vulnerabilities; it only sends requests and records responses.
Yes. You can configure Chrome to use a proxy by using command-line flags (--proxy-server=127.0.0.1:8080) or using a proxy extension like SwitchyOmega. Chrome requires the Burp CA certificate to be installed in the system certificate store or Chrome's certificate manager. Note that Chrome may have issues with some HTTPS sites due to certificate pinning; you may need to disable Chrome's built-in security features for testing.
Go to Burp > Save project (or use Ctrl+S). You can save as a .burp file containing all settings, HTTP history, scan results, and configurations. To load a project, use Burp > Open project. It is recommended to save frequently to avoid losing data. You can also export specific items (e.g., scan results as HTML report).
Burp Collaborator is a service that helps detect out-of-band vulnerabilities, such as blind SQL injection, XXE, or SSRF. It provides a unique subdomain that Burp uses to receive DNS and HTTP interactions. When a vulnerability triggers a request to the Collaborator server, Burp logs it. This is useful when the application does not directly reflect the attack results. Collaborator can be used via the Scanner or manually via the 'Burp Collaborator client' tab.
Burp Suite runs on Java. To allocate more memory, launch it from the command line with the -Xmx flag. For example: java -Xmx2g -jar burpsuite_pro.jar allocates 2GB of heap space. You can adjust the value (e.g., 4g for 4GB). Insufficient memory can cause slow performance or crashes, especially with large applications.
Sniper uses a single payload set and iterates through it one payload at a time, placing the payload in each marked position sequentially. It is best for testing one parameter at a time. Cluster bomb uses multiple payload sets (one for each position) and iterates through all combinations, like a Cartesian product. It is used when you need to test different values for different parameters simultaneously, such as username and password brute-force.
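The four Intruder attack types listed under Key Components and contrasted in the Sniper versus Cluster bomb answer above differ only in how payloads are placed into the marked positions; this added example (written for this chapter, not PortSwigger's code) reproduces that combinatorics offline. Positions are marked with § as in Burp; the login template and payload lists are constructed, and nothing is sent anywhere.

```python
"""Payload placement for Burp Intruder's four attack types.

Example code written for this chapter, not PortSwigger's implementation. It
reproduces only the combinatorics the chapter describes. Nothing is sent.
"""
import re
from itertools import product

MARKER = re.compile(r"§([^§]*)§")  # Burp marks a payload position as §baseline§


def positions(template):
    """Number of marked payload positions in the template."""
    return len(MARKER.findall(template))


def fill(template, values):
    """Replace the marked positions, in order, with values; None keeps the
    position's baseline value (what Sniper does with the positions it skips)."""
    if len(values) != positions(template):
        raise ValueError("one value per marked position is required")
    it = iter(values)

    def sub(m):
        v = next(it)
        return m.group(1) if v is None else v
    return MARKER.sub(sub, template)


def sniper(template, payloads):
    """One payload set, one position at a time: positions * len(payloads) requests."""
    n = positions(template)
    for i in range(n):
        for p in payloads:
            values = [None] * n
            values[i] = p
            yield fill(template, values)


def battering_ram(template, payloads):
    """One payload set, the same payload in every position: len(payloads) requests."""
    n = positions(template)
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template, *payload_sets):
    """One set per position, walked in lock-step; the shortest set sets the count."""
    for combo in zip(*payload_sets):
        yield fill(template, list(combo))


def cluster_bomb(template, *payload_sets):
    """One set per position, every combination (Cartesian product)."""
    for combo in product(*payload_sets):
        yield fill(template, list(combo))


# Constructed login template with two marked positions and two small payload sets.
LOGIN = "username=§guest§&password=§guest§"
USERS = ["alice", "bob"]
PASSWORDS = ["p1", "p2", "p3"]


def request_counts(template=LOGIN, users=USERS, passwords=PASSWORDS):
    """How many requests each attack type generates for the sample inputs."""
    return {
        "sniper": len(list(sniper(template, passwords))),                  # 2 * 3
        "battering_ram": len(list(battering_ram(template, passwords))),    # 3
        "pitchfork": len(list(pitchfork(template, users, passwords))),     # min(2, 3)
        "cluster_bomb": len(list(cluster_bomb(template, users, passwords))),  # 2 * 3
    }


if __name__ == "__main__":
    for name, count in request_counts().items():
        print(f"{name:14} {count} requests")
```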