Why It Matters
The browser is built for users, not for testers. It encodes input, follows redirects, and renders a friendly error page while quietly dropping the stack traces and database errors the server sends back. Burp Suite removes that filter. As an intercepting proxy it shows you the exact bytes leaving your machine and the exact bytes the server returns, which is where information disclosure, SQL injection, authentication bypass, and IDOR become visible.
For anyone learning offensive security or starting in bug bounty, Burp Suite is usually the first professional tool they pick up, because almost every manual web finding starts by reading or modifying a request inside it. Built by PortSwigger, it has become the shared language of web testing: when a researcher says they "sent it to Repeater" or "ran it through Intruder", every other tester knows exactly what they did.
Core Tools
Burp Suite is not a single feature but a set of tools that share captured traffic:
- Proxy: intercepts traffic between the browser and the server so you can pause, read, and edit each request before it is sent. The proxy history is also a complete map of every endpoint the application called, including the ones triggered silently by JavaScript.
- Repeater: lets you resend a single request repeatedly with small changes; it is the workhorse for parameter tampering and manual probing.
- Intruder: automates sending many payloads into chosen positions, useful for fuzzing parameters, enumerating IDs, and brute forcing values.
- Decoder and Comparer: encode, decode, and diff data so you can understand tokens and spot subtle differences between two responses.
- Scanner (Professional only): crawls and automatically tests for common vulnerability classes, then reports confirmed and tentative issues.
A Typical Workflow
A real test rarely starts with an exotic payload. It starts with reading. You browse the application normally while Burp records every request, then you pick an interesting one, for example a POST to /api/reviews/vote that carries a numeric reviewId. You send it to Repeater, append a single quote to the ID, and resend. If the response changes from a clean 200 OK to a 500 carrying a database error, you have found an information disclosure that the browser would have hidden behind a generic message. That loop of capture, modify, resend, read is the heart of web application penetration testing.
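The "read" step of that loop, as an added example in Python that is not code from this page or from PortSwigger: it parses two raw responses the way Burp displays them, the baseline 200 and the 500 that came back from the probe, and reports whether the body leaks a database error, which is the information disclosure the paragraph describes. The responses are constructed samples; the hardened variant is a server that still fails on the same input but returns only a generic message, so the comparison shows a status change without a leak.

```python
import re

# Constructed sample responses modelled on the page's POST /api/reviews/vote
# example; they did not come from any real application.
BASELINE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                     b"Content-Length: 16\r\n\r\n" b'{"voted": true}\n')
# The 500 the page describes: a raw database error the browser would hide.
LEAKY_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                  b"<h1>Error</h1><pre>SQLSTATE[42000]: 1064 You have an error in your "
                  b"SQL syntax near ''' at line 1</pre>\n")
# A hardened server still fails on the same input but returns only a generic message.
HARDENED_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: application/json"
                     b"\r\n\r\n" b'{"error": "internal error", "ref": "3f9a1c"}\n')

# Fragments that mark a raw database or framework error in a response body.
DB_ERROR_SIGNATURES = [r"SQLSTATE\[", r"You have an error in your SQL syntax",
                       r"ORA-\d{5}", r"Unclosed quotation mark",
                       r"Traceback \(most recent call last\)"]

def parse_response(raw):
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers,
            "body": body.decode("utf-8", "replace")}

def find_disclosure(body):
    """Return every error signature present in a response body."""
    return [sig for sig in DB_ERROR_SIGNATURES if re.search(sig, body)]

def compare(baseline_raw, probe_raw):
    """Diff a baseline and a probe response the way a tester reads them in Comparer."""
    base, probe = parse_response(baseline_raw), parse_response(probe_raw)
    leaked = find_disclosure(probe["body"])
    if leaked:
        finding = "information disclosure"   # body leaks server internals
    elif base["status"] != probe["status"]:
        finding = "behaviour change"         # worth a closer look, nothing leaked
    else:
        finding = None
    return {"status": probe["status"], "status_changed": base["status"] != probe["status"],
            "leaked": leaked, "finding": finding}
```

The same check run against your own staging deployment confirms that the error handler returns the generic form, not the raw exception.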
Community vs Professional
Burp Suite Community Edition is free and includes the Proxy, Repeater, and Decoder, which cover every manual technique a beginner needs. Burp Suite Professional adds the automated scanner, an unthrottled Intruder, saved projects, and the BApp extension store, where tools like the 403 bypass extensions and authorization testers live. You can learn and practice the entire manual workflow on Community Edition before deciding whether the Professional license is worth it for your work.
How to Get Started
Install Burp Suite, configure your browser to route traffic through the proxy, then install Burp's CA certificate so HTTPS traffic is readable. Browse the target normally and watch the request history fill up. From there you intercept a request, send it to Repeater, change one value at a time, and read the raw response. Pair the tool with the free PortSwigger Web Security Academy labs to practice each vulnerability class safely and legally before you ever touch a live program.
How We Teach Burp Suite
In our Cybersecurity Bootcamp, you won't just learn about Burp Suite in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 5: Security Governance, Risk & Compliance (GRC)
360+ hours of expert-led training • CompTIA Security+ included