Burp Suite is the tool every web security tester uses. This guide covers how it actually works — proxy, Repeater, Intruder, Decoder — and the daily workflow that makes it useful.
Burp Suite is the tool every web security tester uses, from beginners learning their first SQL injection to professional penetration testers on enterprise engagements. The community edition is free. This guide covers how it works and how to use it effectively from day one.
Burp Suite is an intercepting proxy. It sits between your browser and the website you're testing, capturing every HTTP request and response. Once you have that traffic in Burp, you can inspect it, modify it, replay it, and fuzz it — actions that are impossible through a normal browser.
Without an intercepting proxy, you're limited to what the browser will let you send. Burp removes that limitation entirely. You can change any header, any parameter value, any cookie — and send the modified request directly to the server to see what happens.
Burp runs a proxy listener on 127.0.0.1:8080 by default. You need to configure your browser to route traffic through it. The cleanest way is using a browser extension like FoxyProxy (Firefox or Chrome) which lets you switch the proxy on and off with one click.
FoxyProxy settings:

```
Proxy host: 127.0.0.1
Port: 8080
Type: HTTP
```
For HTTPS traffic, you also need to install Burp's CA certificate in your browser. Navigate to http://burpsuite while the proxy is running, download the certificate, and add it to your browser's trusted certificate authorities. After this, Burp can intercept and decrypt HTTPS traffic transparently.
The Proxy tab is where everything starts. With interception turned on, every request your browser makes pauses in Burp waiting for you to review it. You can read it, modify any part of it, then forward it to the server.
More useful for most workflows: turn interception off and let requests pass through automatically. Everything still gets logged in the HTTP history. Browse the target application normally, then come back to the history to find interesting requests to investigate.
Right-clicking any request in the history gives you options to send it to other Burp tools — the key action you'll use constantly.
Repeater lets you take a request from the proxy history, modify it, and resend it as many times as you want. This is the primary tool for manually testing vulnerabilities.
Workflow: find an interesting request in Proxy history → right-click → Send to Repeater → switch to Repeater tab → make your modification → Send → read the response.
```
# Example: testing a parameter for SQL injection

# Original request captured in Proxy:
GET /products?id=42 HTTP/1.1
Host: shop.com

# In Repeater, modify the id parameter:
GET /products?id=42' HTTP/1.1
Host: shop.com

# Send and check the response for:
# - Database error messages
# - Different content length
# - Changes in application behaviour
```
You can save Repeater tabs and come back to them. Keep multiple tabs open for different endpoints you're testing simultaneously.
Intruder automates sending a large number of modified requests. You mark one or more positions in a request as the injection point, choose a payload list, and Intruder sends the request once for each payload — logging every response.
Common uses:
Burp Suite Professional (paid, ~$450/year) adds an automated scanner that crawls and tests the target for vulnerabilities, the full-speed Intruder, Collaborator (an out-of-band interaction server for blind vulnerabilities), and several other tools. For professional penetration testing, Pro is worth it. For learning, or when starting out in bug bounty, Community is sufficient.
Decoder converts data between formats: base64, URL encoding, HTML encoding, hex. When you see a cookie or parameter that looks encoded, paste it into Decoder to read the underlying value, and use it to craft payloads in the right encoding for the context.
```
# Base64 decode a suspicious session cookie
eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoidXNlciJ9
→ {"user":"admin","role":"user"}

# The role field is user-controlled — change it:
{"user":"admin","role":"admin"}
→ eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ==
```

Comparer diffs two responses at the byte level. Useful for spotting the exact difference between an "access denied" response and a successful one, or between two responses that look similar but have different content.
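The Decoder walkthrough above works because the cookie is plain base64 with no integrity protection. The following added example (not from the original page or from PortSwigger) reproduces the decode step in Python and then shows the server-side fix: an HMAC tag over the encoded payload, so a cookie whose `role` field was edited in Decoder is rejected. The secret key and helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Cookie value taken from the Decoder walkthrough above (constructed sample data).
CAPTURED_COOKIE = "eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoidXNlciJ9"

# Hypothetical server-side secret; a real application loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret"


def decode_cookie(value: str) -> dict:
    """What Decoder does: base64 -> JSON. Note there is no integrity check at all."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    return json.loads(base64.b64decode(padded))


def encode_cookie(claims: dict) -> str:
    """Inverse of decode_cookie; compact separators reproduce the page's values."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def sign_cookie(claims: dict) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag, 'body.tag'."""
    body = encode_cookie(claims)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str) -> Optional[dict]:
    """Return the claims only if the tag matches; any edited body yields None."""
    body, _, tag = value.rpartition(".")
    if not body:
        return None  # no tag at all: treat as unauthenticated
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return decode_cookie(body)


if __name__ == "__main__":
    claims = decode_cookie(CAPTURED_COOKIE)        # {'user': 'admin', 'role': 'user'}
    tampered = encode_cookie(dict(claims, role="admin"))
    signed = sign_cookie(claims)
    forged = tampered + "." + signed.rpartition(".")[2]  # old tag, edited body
    print(claims, tampered, verify_cookie(signed), verify_cookie(forged))
```

Running it prints the decoded claims, the tampered base64 from the walkthrough, the claims recovered from the signed cookie, and `None` for the forged one.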
For web application testing, the daily loop is:
Burp is a tool for thinking, not a tool for automating. The scanner helps and Intruder speeds things up, but the vulnerabilities that matter — logic bugs, authorisation flaws, chained issues — are found by a person with Repeater open, asking "what happens if I change this?"
Put this into practice on hackr.gg. Real vulnerable machines, real attack tools, right in your browser. No setup, no VPN — get your first flag in under 10 minutes.