Getting started with Burp Proxy

Burp Proxy lies at the heart of Burp's user-driven workflow. It operates as a web proxy server between your browser and target applications, and lets you intercept, inspect, and modify the raw traffic passing in both directions. In this section, we'll take you through some of the core features of Burp Proxy so that you can familiarize yourself with how it works.

Note: Using Burp Proxy may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Proxy against non-production systems.

Burp Proxy works in conjunction with the browser that you are using to access the target application. You can either:

Once you have confirmed that your browser is successfully proxying traffic through Burp, you can perform the following steps to help you understand how to use Burp Proxy:

In Burp, go to the "Proxy" > "Intercept" tab, and ensure that interception is on (if the button says "Intercept is off" then click it to toggle the interception status).

In your browser, visit any URL. The browser will send a request but will then be stuck waiting for a response.

In Burp, go back to the "Proxy" > "Intercept" tab. You should see your browser's request displayed for you to view and edit. Click through each of the message editor tabs (Raw, Headers, etc.) to see the different ways of analyzing the message.

Click the "Forward" button to send the request to the server. In most cases, your browser will make more than one request in order to display the page (for images, etc.). Look at each subsequent request and then forward it to the server. When there are no more requests to forward, your browser should have finished loading the URL you requested.

In your browser, click the "Refresh" button to reload the current page.

In Burp, this time edit the request on the "Proxy" > "Intercept" tab. Change the URL in the first line of the request so that a non-existent item is requested. Forward the request (and any subsequent ones) to the server, then look back in your browser. Although your browser requested the same URL as before, you should see a "Not found" message. This is because you changed the outgoing request on the fly within Burp.

In Burp, go to the "Proxy" > "HTTP history" tab. This contains a table of all HTTP messages that have passed through the Proxy. Select an item in the table, and look at the HTTP messages in the request and response tabs. If you select the item that you modified, you can choose to display either the original or modified requests.

Click on a column header in the Proxy history. This sorts the contents of the table according to that column. Click the same header again to reverse-sort on that column, and again to clear the sorting and show items in the default order. Try this for different columns.

Within the history table, click on a cell in the leftmost column, and choose a color from the drop-down menu. This will highlight that row in the selected color.

In another row, double-click within the "Comment" column and type a comment. You can use highlights and comments to annotate the history and identify interesting items.

Above the history table there is a filter bar. Click on the filter bar to show the options available. Try changing the filter settings in various ways, and see the effect on what is shown in the history table. When the Proxy history has become very large, you can use the filter to hide certain types of items, to help find items you are looking for.

Select an item in the history, and show the context menu (usually, by right-clicking your mouse). The options on the context menu are used to drive your testing workflow within Burp. Choose "Send to Repeater", and go to the "Repeater" tab.

In Burp Repeater, you will see the selected request has been copied into the Repeater tool for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.

Go to the "Proxy" > "Options" tab, and look at all the options that are available. These can be used to change the behavior of the Proxy listeners, define rules to determine what request and response messages are intercepted by the Proxy, perform automatic modification of messages, and control the Proxy's behavior in other ways. For more details, see Burp Proxy Options.
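
What the step that edits the URL in the first line of the request does on the wire, as an added example that is not part of the original documentation and is not Burp's own code: a constructed single-shot proxy rewrites the request-target before forwarding, so a client that asked for "/" receives a 404, and the original and edited requests are both kept. The names `Origin`, `rewrite_request_line`, `proxy_once`, `demo` and the path `/no-such-item` are hypothetical, and the proxy forwards to one fixed local origin instead of resolving the target host.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class Origin(BaseHTTPRequestHandler):
    """Constructed stand-in for the target application: only "/" exists."""
    def do_GET(self):
        status, body = (200, b"home page") if self.path == "/" else (404, b"Not found")
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

def rewrite_request_line(raw: bytes, new_target: str) -> bytes:
    """Swap the request-target in the first line; headers and body are untouched."""
    line, sep, rest = raw.partition(b"\r\n")
    method, _old_target, version = line.split(b" ", 2)
    return b" ".join([method, new_target.encode(), version]) + sep + rest

def proxy_once(listener, origin_port, new_target, history):
    """Accept one client, edit its request, forward it, relay the response."""
    client, _ = listener.accept()
    with client, socket.create_connection(("127.0.0.1", origin_port)) as upstream:
        original = client.recv(65536)  # assumption: a small GET arrives in one read
        edited = rewrite_request_line(original, new_target)
        history.append((original, edited))  # keep both, like original vs. modified
        upstream.sendall(edited)
        while chunk := upstream.recv(65536):  # origin closes after its response
            client.sendall(chunk)

def demo():  # client asks for "/", the proxy forwards "/no-such-item"
    origin = HTTPServer(("127.0.0.1", 0), Origin)
    threading.Thread(target=origin.serve_forever, daemon=True).start()
    listener, history = socket.create_server(("127.0.0.1", 0)), []
    worker = threading.Thread(target=proxy_once,
                              args=(listener, origin.server_port, "/no-such-item", history))
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", listener.getsockname()[1], timeout=5)
    conn.request("GET", "/")  # the client still believes it requested "/"
    status = conn.getresponse().status
    worker.join()
    listener.close()
    origin.shutdown()
    return status, history[0]

if __name__ == "__main__":
    print(demo())
```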
