April 28, 2026·Updated April 28, 2026|9 min read|Antoine Duno

Burp Suite Tutorial for Beginners: From Setup to Your First Security Scan

Burp Suite is the industry standard for web application penetration testing. This tutorial walks you through setup, core tools, and when to use Burp versus a lightweight scanner like ZeriFlow.

ZeriFlow Team


A Burp Suite tutorial is one of the most searched security topics online — and for good reason. Burp Suite by PortSwigger is the de facto tool for manual web application penetration testing. Whether you are a developer trying to understand how attackers see your app, or a security engineer doing a full assessment, Burp Suite gives you unmatched visibility into HTTP traffic.

This guide covers everything from initial setup to running your first scans, with clear explanations of each core component. By the end, you will know exactly when to reach for Burp Suite and when a faster tool like ZeriFlow will get the job done in seconds.

Quick check first: Before diving into manual testing, run a free ZeriFlow scan at zeriflow.com to identify the low-hanging fruit automatically — headers, TLS misconfigs, exposed paths, and 80+ checks in under a minute.

What Is Burp Suite and Why Do Security Teams Use It?

Burp Suite is an integrated platform for web application security testing. It sits as a proxy between your browser and the target application, letting you intercept, inspect, modify, and replay every HTTP and HTTPS request.

There are three editions:

  • Community (free): Manual proxy, Repeater, Decoder, Comparer, and a limited scanner.
  • Professional (~$449/year): Full active scanner, Intruder automation, BApp extensions.
  • Enterprise: Continuous automated scanning for large teams.

For most beginners, the Community edition is sufficient to learn the fundamentals.


Setting Up Burp Suite: Step-by-Step Proxy Configuration

1. Download and Install

Download Burp Suite Community from portswigger.net/burp/communitydownload. It runs on Windows, macOS, and Linux via a JAR installer.

2. Configure Your Browser Proxy

Burp listens on 127.0.0.1:8080 by default. You need to route your browser traffic through it:

  • Firefox: Settings → Network Settings → Manual Proxy → HTTP Proxy 127.0.0.1, Port 8080.
  • Chrome: Use a browser extension like FoxyProxy, pointing to 127.0.0.1:8080.

3. Install the Burp CA Certificate

To intercept HTTPS traffic without SSL errors:

  1. With the proxy running, visit http://burpsuite in your browser.
  2. Download the CA certificate.
  3. Import it into your browser's trusted certificate store.

4. Verify Interception

Navigate to any HTTP site. You should see requests appearing in Proxy → HTTP History. If they do, your setup is working.


Core Burp Suite Components Explained

The Proxy: Intercepting Every Request

The Proxy is Burp Suite's heart. Every request your browser sends passes through it. In Intercept mode, Burp pauses each request so you can inspect or modify it before it reaches the server.

Key uses:

  • Modify form fields before submission (e.g., change a price from 100 to 1).
  • Inject test payloads into headers or cookies.
  • Observe how the server responds to unexpected input.

Turn off Intercept for passive monitoring — Burp will still log everything in HTTP History without pausing your browsing.

Repeater: Replaying and Modifying Requests

Repeater lets you take any captured request and send it repeatedly with modifications. This is essential for:

  • Testing different payloads in a parameter one by one.
  • Exploring error messages by sending malformed data.
  • Confirming a vulnerability is reproducible.

Workflow: Right-click any request in HTTP History → Send to Repeater → Modify → Click Send → Analyze response.

Intruder: Automated Payload Injection

Intruder automates the process of inserting payloads into marked positions across hundreds or thousands of requests. Common attack types:

  • Sniper: One payload list, one insertion point at a time.
  • Battering Ram: Same payload inserted into all positions simultaneously.
  • Pitchfork: Multiple payload lists, one per position, iterated in parallel.
  • Cluster Bomb: Every combination of multiple payload lists (brute force).

Note: In the Community edition, Intruder is rate-limited. For professional use cases, upgrading to Pro or using a dedicated fuzzer is recommended.
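To make the four attack types concrete, here is an added example (not from the article or PortSwigger) that generates the requests each mode would produce from a §-marked template, the same marker notation Intruder uses; the template and payload lists are constructed placeholders.

```python
import itertools
import re

# One insertion point is the text between a pair of § markers, as in Intruder.
MARKER = re.compile("\u00a7(.*?)\u00a7")

def _render(template, values):
    """Replace the i-th marked position with values[i]."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)

def intruder_requests(template, payload_sets, attack):
    """Yield the requests one Intruder attack type would generate.

    payload_sets: one list for sniper/battering_ram, one list per position
    for pitchfork/cluster_bomb. The position count comes from the markers.
    """
    originals = MARKER.findall(template)
    n = len(originals)
    if attack == "sniper":
        # one position at a time; untouched positions keep their original value
        for i in range(n):
            for p in payload_sets[0]:
                vals = list(originals)
                vals[i] = p
                yield _render(template, vals)
    elif attack == "battering_ram":
        # the same payload goes into every position at once
        for p in payload_sets[0]:
            yield _render(template, [p] * n)
    elif attack == "pitchfork":
        # lists advance in lockstep; the run stops at the shortest list
        for combo in zip(*payload_sets[:n]):
            yield _render(template, list(combo))
    elif attack == "cluster_bomb":
        # every combination (Cartesian product) of the lists
        for combo in itertools.product(*payload_sets[:n]):
            yield _render(template, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack}")

def request_count(template, payload_sets, attack):
    """How many requests the configuration produces (useful for sizing a run)."""
    return sum(1 for _ in intruder_requests(template, payload_sets, attack))

# Constructed sample: a query string with two marked positions and
# placeholder payload lists of length 3 and 2.
TEMPLATE = "q=\u00a7term\u00a7&page=\u00a71\u00a7"
SETS = [["a", "b", "c"], ["1", "2"]]
```

The counts show why Cluster Bomb grows multiplicatively with each extra position while Pitchfork is bounded by the shortest list.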

The Passive Scanner

Even in Community, Burp passively analyzes traffic as you browse and flags issues like:

  • Missing security headers (CSP, HSTS, X-Frame-Options).
  • Cookie attributes (missing HttpOnly, Secure, SameSite).
  • Reflected input that could indicate XSS.
  • Information disclosure in responses.

The Pro edition adds active scanning — automatically probing for SQLi, XSS, XXE, and dozens of other vulnerabilities.
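The passive checks listed above, as an added example (not code from the article, Burp or ZeriFlow) run over a constructed raw HTTP response; the Server value, cookies and reflected string are sample data, and nothing is sent over the network.

```python
# Headers whose absence Burp's passive scanner reports.
REQUIRED_HEADERS = {
    "content-security-policy": "Missing Content-Security-Policy",
    "strict-transport-security": "Missing Strict-Transport-Security (HSTS)",
    "x-frame-options": "Missing X-Frame-Options",
}
COOKIE_FLAGS = ("httponly", "secure", "samesite")
DISCLOSURE = ("server", "x-powered-by")  # version banners count as information disclosure

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).
    Headers are a list of (lower-name, value) so repeated Set-Cookie lines survive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def passive_findings(raw, reflected_input=None):
    """Return the passive findings for one response, in the order found."""
    _status, headers, body = parse_response(raw)
    names = {n for n, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in names]
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";")[0].split("=")[0]
            attrs = {a.strip().lower().split("=")[0] for a in value.split(";")[1:]}
            for flag in COOKIE_FLAGS:
                if flag not in attrs:
                    findings.append(f"Cookie {cookie} missing {flag}")
        elif name in DISCLOSURE and value:
            findings.append(f"Information disclosure: {name}: {value}")
    # A parameter value echoed verbatim into the body is the passive XSS indicator.
    if reflected_input and reflected_input in body:
        findings.append(f"Input {reflected_input!r} reflected in response body")
    return findings

# Constructed sample response: one well-configured cookie, one without flags.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>Results for <b>test123</b></body></html>"
)
```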


A Practical Burp Suite Testing Workflow

Here is a realistic workflow for testing a web application:

  1. Spider the application — Use Burp's crawler (or manually browse every page) to populate HTTP History with all endpoints.
  2. Review the target map — In Site Map, look for interesting endpoints: APIs, admin paths, file uploads.
  3. Run passive scan — Burp will flag obvious issues automatically.
  4. Test authentication — Use Repeater to test password fields, session tokens, and remember-me functions.
  5. Test inputs — Send interesting parameters to Intruder, try XSS and SQLi payloads.
  6. Check authorization — Log in as a low-privilege user, capture requests, replay them with another user's session token.
  7. Document findings — Use Burp's reporting feature or export to a spreadsheet.

Common Mistakes Beginners Make with Burp Suite

  • Testing production without permission. Always have written authorization before testing any application you do not own.
  • Ignoring HTTPS setup. Without the CA certificate installed, you will miss most modern web traffic.
  • Skipping passive analysis. Many testers jump straight to active attacks and miss the passive findings Burp surfaces automatically.
  • Over-relying on automated scans. Burp Scanner is powerful, but logic flaws, authorization issues, and business logic bugs require manual testing.

FAQ

Q: Is Burp Suite free to use?

A: Yes, the Community edition is free and includes the proxy, Repeater, Intruder (rate-limited), and passive scanning. The Professional edition ($449/year) adds full active scanning, saved projects, and automation capabilities.

Q: Can I use Burp Suite legally?

A: You can use Burp Suite on any application you own or have explicit written permission to test. Never run it against third-party applications without authorization — this is illegal in most jurisdictions.

Q: What is the difference between Burp Suite and a scanner like ZeriFlow?

A: Burp Suite is a manual testing platform that requires a tester to actively drive the process. ZeriFlow is an automated configuration and header scanner that runs 80+ checks in seconds without any setup. ZeriFlow is ideal for developers who want quick feedback on security headers, TLS configuration, and exposed paths. Burp Suite is for deep manual penetration testing.

Q: How do I intercept mobile app traffic with Burp Suite?

A: Configure your mobile device to use your machine's IP and port 8080 as its HTTP proxy, then install the Burp CA certificate on the device. For apps using certificate pinning, additional techniques (like Frida) are needed.

Q: Does Burp Suite work with modern SPAs and REST APIs?

A: Yes. Burp Suite handles JSON, GraphQL, and modern JavaScript applications well. You may need to use the Proxy's HTTP History filter to focus on API calls rather than static asset requests.


When to Use Burp Suite vs. ZeriFlow

  Use Case                   | Burp Suite               | ZeriFlow
  ---------------------------|--------------------------|-------------------
  Security headers check     | Manual browsing required | Automated, instant
  TLS/SSL misconfiguration   | Manual via Proxy         | Automated, 1-click
  SQL injection testing      | Intruder + Repeater      | Not in scope
  Business logic flaws       | Manual testing           | Not in scope
  CI/CD pipeline integration | Limited (Enterprise)     | Lightweight API
  No setup required          | Requires proxy config    | Browser or API

Use ZeriFlow first to clear the obvious misconfigurations. Then bring in Burp Suite for the deep manual work that only a human-guided tool can do.


Conclusion: Burp Suite Is a Skill, Not Just a Tool

Mastering the material in this Burp Suite tutorial takes time, but the investment pays off significantly. Burp Suite reveals how web applications behave under pressure — it teaches you to think like an attacker by giving you the same visibility.

Start with the Community edition, work through PortSwigger's free Web Security Academy labs (the best hands-on practice available), and layer in Burp Pro when you need automation.

And before every engagement, run a ZeriFlow scan to knock out the configuration-level findings automatically — so your Burp testing time is spent on the interesting vulnerabilities that only manual work can find.
