Last updated: October 6, 2021
The following tutorials will guide you through the main features and tools of Burp Suite Professional. We'll show you how to perform both manual and automated testing of targets using Burp Suite.
Intercepting HTTP requests and responses
Intercepting HTTP traffic is the foundation of manual testing using Burp Suite. In this tutorial, you'll learn how to intercept HTTP requests and responses using Burp Proxy and Burp Suite's embedded browser. We'll also show you how to configure Burp Proxy so that you intercept the traffic you are most interested in.
Resending individual requests with Burp Repeater
Once you've identified an interesting request, you'll want to experiment with different inputs to see what effect this has on the response. Burp Repeater is a tool for examining, editing, and resending HTTP requests. In this tutorial, you'll learn how to send a request to Repeater, edit it, and then resend it as often as you like. We'll also show you how to work with multiple requests in tabs, and how to configure Burp Repeater.
Scanning a website for vulnerabilities
Scanning for vulnerabilities is the core of Burp Suite's automated testing capability. Burp Scanner can crawl a target to discover content and functionality, and then audit what it finds for vulnerabilities. Alternatively, you can use it to audit items that you have found manually.
In this tutorial, you'll learn how to scan a target by performing a crawl and audit. We'll also show you how to manage the scope of your scan and interpret the results. The tutorial will teach you how to configure both crawls and audits, to find the vulnerabilities most relevant to your work or to work within the constraints you have.
Using live tasks in Burp Suite
Live tasks are used to process traffic from specific Burp Suite tools and perform defined actions on it. Live tasks are most often used to take traffic from a Burp Suite tool (such as Proxy, Repeater or Intruder) and scan it: auditing it or adding it to a site map. This tutorial will show you how to create and work with live tasks, and how to choose predefined tasks to perform common testing functions.
Using Burp Suite projects
Burp Suite uses project files to save and organize your work. Once you have created a project file, Burp Suite will continuously save your work to it. This tutorial will teach you how to create new projects and open existing projects. You'll also learn how to copy and import project files.
Using Burp Suite project options
Burp Suite is highly configurable, and you can configure a wide range of options on a project-by-project basis. This tutorial will show you how to save your options to a configuration file for use in other projects, or to keep multiple configurations for a single project. You'll also learn how to set a preferred configuration as a default for new projects.
Touring the Burp Suite user interface
Burp Suite is made up of a number of powerful, integrated tools. This tutorial provides a tour of Burp Suite's user interface, demonstrating the major tools. You'll learn about the context menu, contextual inline documentation, and some of Burp Suite's many configuration options.
Using Burp Proxy's interception rules
Burp Proxy is a tool to intercept, view, and modify the traffic passing between Burp Suite and the target application. If you are working with a great deal of traffic, the number of interceptions can become overwhelming. Burp Proxy interception rules allow you to filter traffic so that you only intercept messages that are relevant to your work.
In this tutorial, you'll learn how to define a series of rules to control which HTTP messages are intercepted or ignored.
Using target scope in Burp Suite
You can use target scope to tell Burp Suite what you're currently interested in testing. Defining a target scope lets you include only what you need to test right now, and exclude content that is outside your work or likely to be boring or fragile. Defining a target scope can also improve performance and memory usage. Many of Burp Suite's tools can be set to only consider items that are within scope.
This tutorial will show you how to define a target scope, both including and excluding URLs. We'll also show you how to use several Burp tools to only view and/or process items that are in scope.
Testing WebSockets with Burp Suite
WebSockets are long-lived connections that support asynchronous communication in both directions. Burp Suite has a rich set of tools to support security testing of WebSockets. This tutorial will show you how to intercept, view, and modify WebSocket messages. We will also teach you how to manipulate the messages that start up a WebSocket connection.