Burp Suite is an integrated platform for performing security testing of web applications. It is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp's more advanced features will take further learning and experience to master. All of this investment is hugely worth it - Burp's user-driven workflow is by the far the most effective way to perform web security testing, and will take you way beyond the capabilities of any conventional point-and-click scanner. Burp is intuitive and user-friendly, and the best way to start learning is by doing. These steps will get you started with running Burp and using its basic features. You can then read on deeper into the documentation to become more proficient in using this supremely powerful tool.
Note: Using Burp Suite may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Suite against non-production systems.
Each HTTP request made by your browser is displayed in the Intercept tab. You can view each message, and edit it if required. You then click the "Forward" button to send the request on to the destination web server.
If at any time there are intercepted messages pending, you will need to forward all of these in order for your browser to complete loading the pages it is waiting for.
For more help, see Getting started with Burp Proxy.
As you browse an application via Burp, the Proxy history keeps a record of all requests and responses.
In the Proxy tab, go to the HTTP History tab and review the series of requests you have made. Select an item in the table and view the full messages in the Request and Response tabs.
Also, as you browse, Burp builds up a site map of the target application. Go to the Target tab, and the Site Map sub-tab, to view this.
The site map contains all of the URLs you have visited in your browser, and also all of the content that Burp has inferred from responses to your requests (e.g. by parsing links from HTML responses).
Items that have been requested are shown in black, and other items are shown in gray.
You can expand branches in the tree, select individual items, and view the full requests and responses (where available). For more help, see Using the Target tool.
Burp Suite is designed to be a hands-on tool, where the user controls the actions that are performed.
At the core of Burp's user-driven workflow is the ability to pass HTTP requests between the Burp tools, to carry out particular tasks.
You can send messages from the Proxy intercept tab, the Proxy history, the site map, and indeed anywhere else in Burp that you see HTTP messages.
To do this, select one or more messages, and use the context menu to send the request to another tool.
You can combine Burp's different tools in numerous ways, to perform testing tasks ranging from very simple to highly advanced and specialized. For more detailed help on using Burp, please refer to the links below.