How to use Burp Suite for penetration testing

The sections below describe the essentials of how to use Burp Suite within your web application testing workflow. For help with installing and launching Burp, starting projects, and configuring display settings, please see the help on Getting started with Burp Suite.

If this is your first time using Burp Suite, we recommend watching the "Burp Suite Essentials" playlist on YouTube to familiarize yourself with the user interface.

To use Burp for penetration testing, you can either:

  • Use Burp's embedded browser, which is already configured to send its traffic through Burp's proxy listener.
  • Configure your own external browser to use Burp as its proxy.

Once you have Burp running and have either opened the embedded browser or configured your own external browser, go to the "Proxy" > "Intercept" tab, and ensure that interception is turned on (the button should read "Intercept is on"; if it says "Intercept is off", click it to toggle the interception status). Then, go to your browser and visit any URL.

Each HTTP request made by your browser is displayed in the "Intercept" tab. You can view each message, and edit it if required. When you are done making changes, click the "Forward" button to send the request on to the destination web server. If at any time there are intercepted messages pending, you will need to forward all of these in order for your browser to complete loading the pages it is waiting for.

You can toggle the "Intercept is on / off" button in order to browse normally without any interception, if you require. For more help, see Getting started with Burp Proxy.

Penetration testing: Intercepting a request

As you browse an application with Burp running, the "Proxy" > "HTTP history" tab keeps a record of all requests and responses, even while the intercept feature is turned off. From this tab, you can review the series of requests you have made.

Select an item in the table to view the full request and response in the message editor panel.

Penetration testing: Proxy history

You can use the message inspector to quickly access various features that help you analyze potentially interesting items found in messages. For example, if you drill down into an encoded item in the inspector, it will apply the appropriate sequence of decoding steps so that you can study the value in a more human-readable form.

For editable messages, such as in Burp Repeater, you can also make changes to this decoded value in the inspector. The relevant encodings will automatically be reapplied to the value as you type.
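As an added example (not code from the page or from PortSwigger), the following Python script reproduces what Inspector does with a layered value: it peels URL encoding and base64 off a value one layer at a time, lets you edit the decoded text, and reapplies the layers in reverse order. The sample cookie value is constructed here, and the layer-detection heuristics and all function names are assumptions made for this illustration rather than Burp's own logic.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample (not from the original page): a JSON blob that was base64-encoded
# and then URL-encoded, the way a session cookie or hidden form field often looks in
# Proxy history. Inspector would show this as a two-layer value.
SAMPLE = quote(base64.b64encode(b'{"user":"alice","role":"user","id":7}').decode(), safe="")

_B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")


def _decode_url(value):
    """Return the URL-decoded text if `value` actually contains %xx escapes, else None."""
    if not re.search(r"%[0-9A-Fa-f]{2}", value):
        return None
    return unquote(value)


def _decode_base64(value):
    """Return (text, alphabet, padded) if `value` is base64 of printable UTF-8 text, else None.

    This is a heuristic (assumed, not Burp's own rules): short plain words such as
    "alice" are rejected on length, and anything that decodes to binary is rejected.
    """
    if not _B64_RE.fullmatch(value):
        return None
    urlsafe = "-" in value or "_" in value
    if urlsafe and ("+" in value or "/" in value):
        return None  # mixed alphabets: not base64
    stripped = value.rstrip("=")
    if len(stripped) % 4 == 1:
        return None  # no base64 string has this length
    repadded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(repadded, altchars=b"-_" if urlsafe else None, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text, ("urlsafe" if urlsafe else "standard"), value.endswith("=")


def decode_layers(value, max_depth=8):
    """Peel encodings off `value` one layer at a time, Inspector-style.

    Returns (innermost_text, steps); `steps` lists the layers in the order they were
    removed, so reapplying them in reverse order re-encodes the value. URL decoding is
    tried first on each pass, which also handles double URL encoding.
    """
    steps = []
    for _ in range(max_depth):
        decoded = _decode_url(value)
        if decoded is not None:
            steps.append(("url",))
            value = decoded
            continue
        result = _decode_base64(value)
        if result is not None:
            value, alphabet, padded = result
            steps.append(("base64", alphabet, padded))
            continue
        break
    return value, steps


def encode_layers(text, steps):
    """Reapply `steps` (as returned by decode_layers) innermost-first."""
    for step in reversed(steps):
        if step[0] == "url":
            text = quote(text, safe="")  # encodes more than a browser might; safe for cookies
        else:
            _, alphabet, padded = step
            raw = text.encode("utf-8")
            enc = (base64.urlsafe_b64encode if alphabet == "urlsafe" else base64.b64encode)(raw)
            text = enc.decode()
            if not padded:  # e.g. JWT segments carry no padding
                text = text.rstrip("=")
    return text


def edit_encoded(value, mutate):
    """Decode `value`, apply `mutate` to the innermost text and re-encode every layer,
    which is what Inspector does as you type into the decoded view."""
    inner, steps = decode_layers(value)
    return encode_layers(mutate(inner), steps)


if __name__ == "__main__":
    inner, steps = decode_layers(SAMPLE)
    print("layers:", [s[0] for s in steps], "->", inner)
    tampered = edit_encoded(SAMPLE, lambda s: s.replace('"role":"user"', '"role":"admin"'))
    print("re-encoded:", tampered)
```

The tampered value is what you would paste back into the request in Repeater; the padding flag matters because a re-encoded JWT segment with padding added is no longer a valid token.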

Penetration testing: Inspector

As you browse, Burp also builds up a site map of the target application by default. You can view this on the "Target" > "Site map" tab.

The site map contains all of the URLs you have visited in your browser, and also all of the content that Burp has inferred from responses to your requests (e.g. by parsing links from HTML responses). Items that have been requested are shown in black, and other items are shown in gray. You can expand branches in the tree, select individual items, and view the full requests and responses (where available).

For more help, see Using the Target tool. You can control which content gets added to the site map as you browse by configuring a suitable live scanning task.

Penetration testing: Site map

Burp Suite is designed to be a hands-on tool, where the user controls the actions that are performed. At the core of Burp's penetration testing workflow is the ability to pass HTTP requests between the Burp tools in order to carry out particular tasks.

You can send messages from the "Proxy" > "Intercept", "HTTP history", or "Site map" tabs, and indeed anywhere else in Burp that you see HTTP messages. To do this, select one or more messages, and use the context menu to send the request to another tool.

Penetration testing: Send requests to manual tools

The Burp tools you will use for particular tasks are as follows:

  • Scanner - This is used to automatically scan websites for content and security vulnerabilities.
  • Intruder - This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
  • Repeater - This is used to manually modify and reissue individual HTTP requests over and over.
  • Collaborator client - This is used to generate Burp Collaborator payloads and monitor for resulting out-of-band interactions.
  • Clickbandit - This is used to generate clickjacking exploits against vulnerable applications.
  • Sequencer - This is used to analyze the quality of randomness in an application's session tokens.
  • Decoder - This lets you transform bits of application data using common encoding and decoding schemes.
  • Comparer - This is used to perform a visual comparison of bits of application data to find interesting differences.

You can combine Burp's different tools in numerous ways, to perform testing tasks ranging from very simple to highly advanced and specialized.
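As an added example (not code from the page or from PortSwigger), the following Python script shows the Intruder-style part of that workflow end to end: a captured request marked up with Burp's § payload-position markers, a sniper run that substitutes one payload at a time, and the status/length comparison you would do by sorting Intruder's results table before sending the interesting rows to Repeater or Comparer. The request, the payload list and the in-process target are all constructed for this illustration; `fake_target` stands in for a real server and its two response differences are invented for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample (not from the original page): a captured login request with Burp's
# § markers around the field to attack, and a small payload set.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=§alice§&password=Password1"
)
PAYLOADS = ["alice", "bob", "carol", "dave", "admin", "'"]

_MARKED = re.compile(r"§([^§]*)§")


def positions(template):
    """Number of §...§ payload positions in the template."""
    return len(_MARKED.findall(template))


def substitute(template, position, payload):
    """Sniper mode: put `payload` into one position and keep the other positions'
    original values. (Real payloads usually need URL-encoding first; Intruder does
    that as a payload-processing step, which is left out here.)"""
    parts = _MARKED.split(template)  # text, marked0, text, marked1, ...
    out = []
    for idx, part in enumerate(parts):
        if idx % 2 == 1:  # a marked value
            out.append(payload if idx // 2 == position else part)
        else:
            out.append(part)
    return "".join(out)


def fake_target(raw_request):
    """Constructed stand-in for the real server (assumed behaviour, not a real app).
    It has two classic Intruder signals: a username-enumeration difference in the
    error text, and an unhandled quote in the username that produces a 500."""
    _headers, _, body = raw_request.partition("\r\n\r\n")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    user = form.get("username", "")
    if "'" in user:
        return 500, "Internal Server Error: unterminated quoted string"
    if user not in {"alice", "admin"}:
        return 200, "Login failed: unknown username"
    return 200, "Login failed: incorrect password for this account"


def sniper(template, payloads, send, position=0):
    """Run every payload through one position and record what Intruder's results
    table shows for each: payload, status code and response length."""
    results = []
    for payload in payloads:
        status, body = send(substitute(template, position, payload))
        results.append({"payload": payload, "status": status, "length": len(body), "body": body})
    return results


def outliers(results):
    """Payloads whose (status, length) differs from the most common pair: the rows
    you would sort to the top in Intruder and then diff in Comparer."""
    baseline, _ = Counter((r["status"], r["length"]) for r in results).most_common(1)[0]
    return [r["payload"] for r in results if (r["status"], r["length"]) != baseline]


if __name__ == "__main__":
    rows = sniper(TEMPLATE, PAYLOADS, fake_target)
    for r in rows:
        print(f"{r['payload']!r:10} {r['status']} {r['length']}")
    print("worth a closer look:", outliers(rows))
```

Against the constructed target the unknown-username responses form the baseline, so the two valid accounts and the quote payload surface as outliers: the first two point at username enumeration, the 500 at unsafe query construction, and each would be confirmed manually in Repeater.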

Testing workflow

Burp lets you combine manual and automated techniques effectively, gives you complete control over all of the actions that Burp performs, and provides detailed information and analysis about the applications you are testing.

Some users may not wish to use Burp in this way, and only want to perform a quick and easy vulnerability scan of their application. If this is what you need, please refer to Scanning web sites.

The diagram below is a high-level overview of the key parts of Burp's penetration testing workflow:

Burp Suite testing workflow

Recon and analysis

The Proxy tool lies at the heart of Burp's workflow. It lets you use Burp's embedded browser, or your own external browser, to navigate the application, while Burp captures all relevant information and lets you easily initiate further actions. In a typical test, the recon and analysis phase involves the tasks described below.

Manually map the application

Using your browser while proxying traffic through Burp, manually map the application by following links, submitting forms, and stepping through multi-step processes. This process will populate the Proxy history and Target site map with all of the content requested, and (via live scanning) will add to the site map any further content that can be inferred from application responses (via links, forms, etc.). You should then review any unrequested items (shown in gray in the site map), and request these using your browser.
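As an added example (not code from the page or from PortSwigger), the following Python script models the site-map behaviour described in the "Site map" section above and in the manual-mapping step here: URLs the browser actually requested are the black items, links, form actions and script sources parsed out of a response are the gray inferred items, and everything outside the target scope is discarded. The requested URL list, the HTML body and the scope host are constructed for this illustration, and Burp itself infers content from more sources than the HTML attributes handled here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample (not from the original page): URLs the browser requested while
# mapping, and the HTML body of the /login response.
REQUESTED = [
    "https://shop.example/",
    "https://shop.example/login",
    "https://shop.example/account?tab=orders",
]

LOGIN_PAGE = """<html><body>
<a href="/">Home</a>
<a href="/account?tab=orders">Orders</a>
<a href="/account/settings">Settings</a>
<form action="/login" method="post"><input name="csrf" type="hidden" value="abc"></form>
<form action="/password-reset" method="post"></form>
<script src="/static/app.js"></script>
<a href="https://cdn.example/lib.js">CDN</a>
<a href="/admin/export?format=csv#top">Export</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets: the kind of content Burp infers from a response."""

    ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src",
             "form": "action", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.links.append(value)


def normalize(url):
    """Drop the fragment so '/page#top' and '/page' are one site-map node."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


def in_scope(url, scope_host):
    """Minimal target-scope rule: a single host (Burp's scope rules are richer)."""
    return urlsplit(url).hostname == scope_host


def build_site_map(requested, base_url, body, scope_host):
    """Return {url: "requested" | "inferred"} for in-scope URLs, i.e. the black and
    gray items you would see under Target > Site map after one response."""
    site_map = {normalize(u): "requested" for u in requested if in_scope(u, scope_host)}
    parser = LinkExtractor()
    parser.feed(body)
    for link in parser.links:
        absolute = normalize(urljoin(base_url, link))
        if in_scope(absolute, scope_host):
            site_map.setdefault(absolute, "inferred")  # never downgrade a requested item
    return site_map


def unrequested(site_map):
    """The gray items you should now go and request in the browser."""
    return sorted(u for u, state in site_map.items() if state == "inferred")


if __name__ == "__main__":
    site_map = build_site_map(REQUESTED, "https://shop.example/login", LOGIN_PAGE, "shop.example")
    for url, state in sorted(site_map.items()):
        print(f"{state:9} {url}")
    print("still to visit:", unrequested(site_map))
```

The list returned by `unrequested` is the to-do list this step describes: request each item in the browser so the site map records its real response, and watch for paths like the export endpoint that never appeared in normal navigation.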

Perform automated mapping where necessary

You can optionally use Burp to automate the mapping process in various ways. You can:

Note that before performing any automated actions, it may be necessary to update various aspects of Burp's configuration, such as target scope and session handling.

Analyze the application's attack surface

The process of mapping the application populates the Proxy history and Target site map with all the information that Burp has captured about the application. Both of these repositories contain features to help you analyze the information they contain, and assess the attack surface that the application exposes. Further, you can use Burp's Target Analyzer to report the extent of the attack surface and the different types of URLs the application uses.

Tool configuration

Burp contains a wealth of configuration options, which it is often necessary to use at different stages of your testing, to ensure that Burp works with your target application in the way you require. For example:

Vulnerability detection and exploitation

After completing your recon and analysis of the target application, and any necessary configuration of Burp, you can begin probing the application for common vulnerabilities. At this stage, it is often most effective to use several Burp tools at once, passing individual requests between tools to perform different tasks, as well as going back to your browser to perform additional tests. Throughout Burp, you can use the context menu to pass items between tools and carry out other actions.

In Burp's default configuration, it automatically performs live passive scanning of all requests and responses that pass through the Proxy. So before you begin actively probing the application, you might find that Burp Scanner has already recorded some issues that warrant closer investigation.

Burp's tools can be used in numerous different ways to support the process of actively testing for vulnerabilities. Some examples are described below for different types of issues.

Input-based bugs

For issues like SQL injection, cross-site scripting, and file path traversal, you can use Burp in various ways:

Logic and design flaws

For issues like unsafe use of client-side controls, failure to enforce account lockout, and the ability to skip key steps in multi-stage processes, you generally need to work manually:

Access control issues

Burp contains several features that can help when testing for access control vulnerabilities:

Other vulnerabilities

Burp contains functions that can be used to deliver, and often automate, virtually any task that arises when probing for other types of vulnerabilities. For example:

Read more

There is extensive documentation for all of Burp's tools and features, and for the typical workflow to follow when testing with Burp.

Use the links below for help about using each of the main Burp tools:

You can also check out some of our additional Support Center articles on using Burp Suite.