A Beginner's Guide to Burp Suite for Web App Pentesting
Burp Suite by PortSwigger is the most widely used tool for web application security testing. Whether you're a beginner just starting your AppSec journey or transitioning from another domain, mastering Burp Suite is essential. This guide walks you through the complete setup and your first vulnerability discovery.
What You'll Need
- Burp Suite Community Edition (free) or Professional
- A modern browser (Firefox recommended for proxy configuration)
- FoxyProxy extension for easy proxy switching
- A deliberately vulnerable web application (DVWA, Juice Shop, or PJ Bank)
Step 1: Configure the Proxy
Burp Suite works by acting as an intermediary (proxy) between your browser and the target web application. All HTTP/HTTPS traffic flows through Burp, allowing you to inspect, modify, and replay requests.
# Default Burp Suite Proxy Settings
Proxy Listener: 127.0.0.1:8080
# Firefox FoxyProxy Configuration
Proxy Type: HTTP
Proxy IP: 127.0.0.1
Port: 8080Step 2: Intercept Your First Request
With the proxy configured, enable interception in Burp's Proxy tab. Navigate to your target application in the browser. You'll see the HTTP request appear in Burp — this is where the magic begins. You can now view headers, cookies, POST parameters, and modify anything before forwarding it to the server.
Step 3: Use Repeater to Test Payloads
Right-click any intercepted request and send it to Repeater. This tool lets you manually modify and resend requests — perfect for testing SQL injection payloads, IDOR by changing IDs, or manipulating authentication tokens. The side-by-side request/response view makes it easy to spot anomalies.
Common Beginner Mistakes
- Forgetting to install the Burp CA certificate (causes HTTPS errors)
- Leaving intercept ON and wondering why pages don't load
- Not using scope filters — intercepting every request including CDN assets
- Testing against production systems without authorization
- Ignoring the Target Sitemap — it builds automatically as you browse
Next Steps
Once you're comfortable with Proxy and Repeater, explore Intruder for automated testing, Scanner (Professional only) for automated vulnerability detection, and the Decoder/Comparer utilities. The PortSwigger Web Security Academy is an excellent free resource for hands-on practice labs.