Burp Suite Cheat Sheet
Integrated web proxy and testing platform for intercepting, modifying, and automating HTTP traffic.
Overview
Burp Suite is the standard web app pentest workbench: intercept traffic with Proxy, manually replay and tweak requests in Repeater, and fuzz or brute-force with Intruder. Configure your browser or tools to use 127.0.0.1:8080, install Burp's CA certificate so HTTPS can be inspected, and work only on authorized targets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Kali often includes it:
```shell
sudo apt install -y burpsuite
```
Essential commands
Start with a project (Pro) or the default config:
```shell
burpsuite
```
Route other tools through Burp:
```shell
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080
curl -k https://target.example/ --proxy http://127.0.0.1:8080
```
Common workflows
Proxy — intercept and modify live traffic
1. Proxy → Intercept: turn "Intercept is on" to hold requests; Forward / Drop as needed.
2. Proxy → HTTP history: browse captured traffic; right-click → Send to Repeater / Intruder / Scanner (Pro).
3. Proxy → Intercept client requests / server responses: toggle what you intercept.
4. Proxy → Match and replace: auto-replace headers (e.g. strip Content-Security-Policy only if in scope).
5. Scope: Target → Scope, add https://target.example; Proxy → Options → "Intercept only scoped items" to avoid logging out-of-scope hosts.
Typical flow:
```
Browser/tool → Burp Proxy (8080) → Target
Edit request in Intercept → Forward → observe response in HTTP history
```
Repeater — manual request replay
1. From HTTP history or Site map: right-click request → Send to Repeater.
2. Select a Repeater tab; edit method, path, headers, body.
3. Send (or Ctrl+R / Cmd+R) and compare response panes (render/raw).
4. Use for: IDOR checks, auth bypass headers, SQLi/XSS payload tweaking, JSON API testing.
Workflow:
```
Copy interesting request → Repeater → change one variable → Send → note status/length/body
Chain: login in browser → grab authenticated request → Repeater → test horizontal access
```
Intruder — fuzzing and brute-force (rate-limit aware)
1. Right-click request → Send to Intruder.
2. Positions: Clear §, select attack type, mark payload positions with § (e.g. id=§1§).
3. Payloads: add wordlist (Sniper = one position at a time; Battering ram = same payload in every position; Pitchfork = parallel lists; Cluster bomb = Cartesian product of all lists).
4. Options → Grep - Match: flag responses containing error, welcome, admin.
5. Start attack; sort by length/status/grep; send winners to Repeater.
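The four attack types in step 3 differ only in how payload lists are mapped onto the § positions. The following Python is an added example (not Burp's code or this page's own) that parses § markers from a constructed request template and generates the request set each mode would send, so you can count requests before launching an attack against a rate-limited login; the template, function names and payload lists are assumptions.

```python
import re
from itertools import product

# Constructed sample template (not from the page): a login request with two
# Intruder positions marked with the section sign, as in step 2 above.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=\u00a7admin\u00a7&password=\u00a7secret\u00a7"
)
MARKER = re.compile("\u00a7(.*?)\u00a7", re.DOTALL)  # matches § ... §

def positions(template):
    """Base values between each pair of § markers, in order."""
    return MARKER.findall(template)

def fill(template, values):
    """Replace the i-th §...§ position with values[i]."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)

def intruder(template, attack, payload_sets):
    """Yield the requests each Burp Intruder attack type would send.
    payload_sets: one list per position; Sniper and Battering ram use only
    the first list, Pitchfork and Cluster bomb need one per position."""
    base = positions(template)
    n = len(base)
    if attack == "sniper":
        # one position at a time; the others keep their base value
        for i in range(n):
            for p in payload_sets[0]:
                yield fill(template, base[:i] + [p] + base[i + 1:])
    elif attack == "battering_ram":
        for p in payload_sets[0]:  # same payload in every position
            yield fill(template, [p] * n)
    elif attack in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) < n:
            raise ValueError("need one payload set per position")
        # pitchfork walks the lists in parallel (stops at the shortest);
        # cluster bomb tries every combination (Cartesian product)
        combine = zip if attack == "pitchfork" else product
        for combo in combine(*payload_sets[:n]):
            yield fill(template, combo)
    else:
        raise ValueError("unknown attack type: " + attack)

def request_count(template, attack, payload_sets):
    """Number of requests an attack would send; compare with rate limits."""
    return sum(1 for _ in intruder(template, attack, payload_sets))
```

With two positions, two usernames and three passwords, Sniper sends 4 requests, Battering ram 2, Pitchfork 2 and Cluster bomb 6; the count grows multiplicatively only for Cluster bomb.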
Sniper example — password spray on one field:
```
POST /login HTTP/1.1
...
username=admin&password=§password§
```
Payloads: /usr/share/wordlists/rockyou.txt (subset per policy)
Grep-Match: Invalid password|Dashboard|Set-Cookie
Export for sqlmap / commix
Right-click request → Copy to file → request.txt
```shell
sqlmap -r request.txt --batch
```
Feature reference
| Feature | Notes |
|---|---|
| Proxy listener | Default 127.0.0.1:8080 |
| Intercept on/off | Hold vs pass-through traffic |
| Scope | Limit spider/scanner/proxy to target |
| Repeater Send | Replay current request |
| Intruder attack types | Sniper, Battering ram, Pitchfork, Cluster bomb |
| Grep-Match / Extract | Filter Intruder results |
| CA cert | Inspect HTTPS in the browser once Burp's CA is trusted |
| Project options | Sessions, upstream proxy, timeouts |
Tips
- Define Target scope before crawling or active scanning to stay in program rules.
- Use Logger / HTTP history search (status:500, MIME type) to find interesting endpoints.
- Match and replace and Session handling rules (Pro) automate login macros for Intruder.
- For mobile/API: point emulator or curl at Burp; use invisible proxying or --proxy on CLI tools.
- Community edition: no scanner; Repeater/Intruder still core for manual testing.