If you're new to Burp Suite Professional, then congratulations. Not only have you just bought into the world's leading toolkit for web security testing - you've also joined a massive worldwide community of security professionals. Welcome to the party.
Burp Suite Professional has plenty to learn - and we want to help you hit the ground running - so we put our heads together and created a list of resources to help you get started. Whether you're a pentester looking to do more in less time, or you want to take your bug bounty hunting to the next level, there's something here for everyone.
Burp Suite Professional video tutorials from PortSwigger
Quick link: the basics of Burp Suite Professional.
Call us biased, but we think our video tutorials on the basics of Burp Suite Pro are pretty handy. This series is great for learning your way around the UI, as well as covering the basics of things like setting up Burp Scanner for the first time. And the videos are voiced by our founder and CEO - the original creator of Burp Suite - Dafydd Stuttard.
Pro-exclusive features you should try
With Burp Suite Professional, you get access to some seriously powerful tools. These include big names like Burp Intruder and Burp Collaborator client, which will directly help you to find more bugs. But there are also plenty of exclusive productivity features in Burp Suite Pro that will make your life easier and more efficient. Project files, for instance, can be a real life-saver - and the search function is incredibly useful. Find out more in our recent blog post on Burp Suite Pro's exclusive features.
The Web Security Academy
Quick link: the Web Security Academy.
Whether you're new to ethical hacking, or an old hand looking to pick up the latest techniques, the Web Security Academy is the place to be. Featuring content from PortSwigger Research, it's a great place to learn - potentially giving your career a boost in the process. And best of all? It's completely free.
If you're new to ethical hacking, then the best place to start with the Web Security Academy is the learning path. Beginning with server-side topics like SQL injection, it's our recommended route for first-timers. Many labs feature community walkthroughs from members like Rana Khalil and Michael Sommer, so you'll be able to check your techniques against the work of others.
Fancy creating your own Web Security Academy content to help other users? We'd love to see it! Jump on Twitter and tag #BurpSuiteTips.
Content from the Burp Suite Professional user community
Speaking of Burp Suite Professional's user community, there's an absolute wealth of user content out there, if you know where to look. Here are a few content creators we think would be good to start with:
InsiderPhD (Katie Paxton-Fear)
Covering a variety of ethical hacking topics, Katie's channel is a great place to pick up Burp Suite tips. Her video on finding your first bug, for instance, will show you how to use Burp Suite to hunt for beginner-friendly business logic vulnerabilities. Katie recently discussed bug bounties with The Daily Swig.
webpwnized (Jeremy Druin)
If it's pentesting knowledge you're after, then webpwnized has some great content. There are loads of Burp Suite videos here, including a useful one on using Burp Suite Professional's crawl engine to discover new content automatically. This feature can save you a lot of time when pentesting.
STÖK (Fredrik Alexandersson)
STÖK is a well-known name in bug bounty hunting circles, and he produces a wealth of easy-to-consume content. If you want to see what you can achieve with Burp Collaborator's OAST testing, for instance, check out STÖK's report on a juicy blind XXE bug he found with it. And don't forget to read our interview with STÖK for more Burp Suite Professional tips.
Remember - if you've got your own content you'd like us to see, tag #BurpSuiteTips.
Burp Suite Professional tutorials and guides
There are many tutorials out there on using Burp Suite Professional. Here are a couple that should be especially useful for people just starting out:
- Burp Suite cheat sheet for pentesters (Ignite Technologies).
- Burp Suite scan profiles for pentesters (White Oak Security).
And of course, Burp Suite Professional's documentation is a great place to find in-depth information on how to use a certain feature. The getting started page is an obvious place to begin, but other pages of particular note are those on Burp Suite for pentesting and on scanning a website with Burp Scanner.
The BApp Store/Burp Extender
The BApp Store is one of the largest repositories of community-created Burp Suite content you're likely to find anywhere. It contains hundreds of free, open source BApp extensions that can expand Burp Suite's functionality to suit any number of specific use-cases.
Like to code? You can also create your own Burp Suite extensions in Java, Python, or Ruby, using Burp Extender. You can then share these with the rest of the community, through the BApp Store. Don't forget to check out our tips on building successful BApps.
Join us - and learn more
The best way to learn anything is often to get involved in the community around it - and that certainly goes for Burp Suite Professional. Twitter is one of the best places to catch up with what's happening in the community and pick up new tips - as many Burp Suite users are very active there. Here are a few to start you off:
- Mastering Burp Suite Pro - run by Nicolas Grégoire - posts a lot of useful Burp Suite content - both on Twitter and on the Agarri blog.
- Kamil Vavra is a high flier in the Web Security Academy Hall of Fame, and posts some great content to learn from.
- Burp Suite Guide is another account worth following, and also produces a regular Burp Suite newsletter, filled with the latest happenings.
- Last, but by no means least, PortSwigger Research will keep you up to date on the very latest hacking exploits and techniques. James, Gareth, and Michael's individual accounts are also great places to learn.