Right now, every HTTPS website you visit is encrypting its traffic — sending your clicks, form submissions, passwords, and session tokens wrapped in a layer of TLS that, by design, nobody except the server should be able to read. Every bug bounty hunter worth their bounty can read every single one of those requests in plain text. Today you join them.
By the end of this session — which you can complete in about 90 minutes — you will have Burp Suite running, Firefox configured to route all its traffic through Burp, your CA certificate installed so HTTPS decrypts cleanly, and your first real HTTP request frozen on screen waiting for you to read it. That moment — seeing your own browser’s request decoded and displayed — is when this stops being abstract. You’ll never look at a web application the same way again.
This is the burp suite setup for bug bounty that every professional uses. No shortcuts. No confusion. Just the exact steps, in order, with screenshots for every single one of them.
✅
Before You Start Day 2 — Quick Day 1 Check
Did you complete Day 1’s action steps? HackerOne account created, 3 Hacktivity reports read, one beginner program selected? If yes — perfect, let’s build your lab. If not — do those first. Foundation before tools. The programme in your head needs to come before the tools on your screen.
What You Need for Your Bug Bounty Hacking Lab — All Free
Before touching a single installation file, let me be clear about one thing: you do not need to spend money today. The professional-grade bug bounty toolkit is almost entirely free. Here’s exactly what we’re installing in this session and why each piece matters:
Tool
Cost
Purpose
Today’s Priority
Burp Suite Community
FREE
Intercept, modify, and replay HTTP/S requests
INSTALL TODAY
Firefox Browser
FREE
Primary testing browser — best proxy support
CONFIGURE TODAY
FoxyProxy Standard
FREE
One-click proxy switching in Firefox
INSTALL TODAY
Burp CA Certificate
FREE
Lets Burp decrypt HTTPS traffic without errors
INSTALL TODAY
Wappalyzer + others
FREE
Fingerprint technologies running on target sites
OPTIONAL TODAY
This setup works on Windows, macOS, and Linux. I’ll note any OS-specific differences as we go. One important thing: create a dedicated Firefox profile for bug bounty testing — separate from your personal browsing. We’ll set this up as part of the process. You don’t want your bank’s session cookies flowing through Burp Suite during a testing session.
STEP 1
Installing Burp Suite Community Edition — The Free Version That Does Everything You Need
Burp Suite is made by PortSwigger — a company entirely dedicated to web security research and education. The Community Edition is genuinely free, not a crippled trial. For bug bounty beginners, Community Edition is all you need for the first six months at minimum. The Professional version ($449/year) adds an automated scanner and faster intruder — features that become relevant once you’re earning consistently.
📥 Download Instructions
1
Go to portswigger.net/burp/communitydownload
2
Click “Download Burp Suite Community Edition” — choose your OS (Windows EXE / macOS DMG / Linux JAR)
3
Run the installer — leave all defaults. Java is bundled. No separate Java install needed.
Configure your browser to use proxy 127.0.0.1:8080 then visit a website to see requests appear here
Proxy listening on: 127.0.0.1:8080 | Burp Suite Community Edition
Burp Suite Community Edition — Freshly launched. Intercept is ON (green button) but no traffic yet. The proxy listener is running on 127.0.0.1:8080. Next step: connect Firefox to this listener.
💡 Mr Elite’s Tip: Every time you start Burp Suite, choose “Temporary project” for daily bug bounty work. Only create saved projects when you’re doing a multi-session deep dive on a single program. Temporary projects launch faster and stay cleaner.
STEP 2
FoxyProxy — Configure Firefox to Route Traffic Through Burp Suite
FoxyProxy is a Firefox extension that adds a one-click proxy switcher to your browser toolbar. Without it, you’d need to dive into Firefox settings and manually change the network configuration every time you want to start or stop intercepting. With FoxyProxy, it’s one click. Every real bug bounty hunter uses this or an equivalent.
⚙️ FoxyProxy Installation & Configuration
1
In Firefox: go to addons.mozilla.org → search “FoxyProxy Standard” → click Add to Firefox
2
Click the FoxyProxy icon in your toolbar (fox icon) → click Options
3
Click Add → fill in exactly:
Title: Burp Suite
Proxy type: HTTP
Proxy IP address: 127.0.0.1
Port: 8080
4
Click Save. Now click the FoxyProxy icon → select “Burp Suite” to activate. The icon turns orange — you’re now routing through Burp.
Tip: When FoxyProxy shows “Burp Suite” as active, all Firefox traffic routes through Burp on port 8080. Click the fox icon and select “Disable FoxyProxy” to stop intercepting and browse normally.
FoxyProxy configured with Burp Suite proxy (127.0.0.1:8080) showing as ACTIVE in green. The proxy entry is correctly configured. When this is active, all Firefox HTTP/HTTPS traffic flows through Burp Suite’s proxy listener.
At this point if you try to visit an HTTPS website with FoxyProxy active and Burp running, Firefox will show a security warning — something like “Your connection is not secure.” Don’t panic. That’s expected. It means Burp is successfully intercepting traffic but Firefox doesn’t yet trust Burp’s certificate. The next step fixes this permanently.
STEP 3
Installing the Burp CA Certificate — How to Fix the HTTPS Warning
Here’s what’s happening technically: Burp Suite intercepts HTTPS traffic by acting as a proxy between your browser and the real server. It decrypts the HTTPS, lets you read it, then re-encrypts it for the real server. But to do this, Burp generates its own SSL certificates on the fly — and Firefox will reject any certificate it doesn’t recognise as trustworthy. Installing Burp’s CA certificate tells Firefox: “Trust Burp to vouch for certificates.” Once you do this, HTTPS interception works silently.
⚠️
Important: Only install this Burp CA certificate in your dedicated testing Firefox profile — not your personal browser. Installing it in your daily browser creates unnecessary risk. We’re installing it in the profile you use only for bug bounty testing.
🔐 CA Certificate Installation (Firefox)
1
Make sure Burp Suite is running AND FoxyProxy is active (pointing to Burp)
2
In Firefox, navigate to: http://burp (not https — plain http)
3
You’ll see the Burp Suite Web Interface page. Click “CA Certificate” in the top right. This downloads cacert.der
4
In Firefox: Menu (☰) → Settings → Privacy & Security → scroll down to Certificates → “View Certificates”
5
Click the Authorities tab → click Import → select the cacert.der file you downloaded
6
Tick “Trust this CA to identify websites” → click OK. Done. ✅
7
Test it: Visit https://google.com — no security warning = certificate working perfectly ✅
securityelites.com
🔒
Downloading Certificate
You have been asked to trust a new Certificate Authority (CA).
Certificate Details
Name: PortSwigger CA
Issuer: Burp Suite Community CA
Valid until: 2037-12-31
← Click “OK” and the HTTPS warning disappears. Burp can now read all encrypted traffic.
Firefox Certificate Import Dialog — Tick “Trust this CA to identify websites” and click OK. After this, visiting any HTTPS site with FoxyProxy active and Burp running will show no security warnings — all traffic decrypted and visible in Burp.
STEP 4
Your First Intercepted HTTPS Request — The Moment Everything Changes
This is the moment. Your burp suite setup for bug bounty is about to show you something that most people who use websites every day have never seen — what their own browser is actually saying to servers. Let’s intercept your first real request right now.
🎯 Intercept Your First Request
1
In Burp Suite: Proxy tab → Intercept sub-tab → Make sure the button reads “Intercept is on”
2
In Firefox (with FoxyProxy on Burp): visit https://example.com
3
Firefox will freeze — the page won’t load. Switch back to Burp Suite. You’ll see the request waiting in the Intercept panel.
4
Read the request (we’ll decode it in the next section). Then click “Forward” to send it to the server. Firefox loads the page.
securityelites.com
B
Burp Suite Community — INTERCEPTED REQUEST
Proxy
Repeater
Intercept
HTTP history
Intercept is on
Forward →
Drop
⬆ Send to Repeater
▶ REQUEST INTERCEPTED — example.com
GET / HTTP/2
Host:example.com
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
← This request is frozen. The server hasn’t received it yet. You can read, modify, or drop it.
Your First Intercepted HTTP Request — This is a real GET request to example.com, frozen mid-flight. You can read every header, modify any value, then click Forward to send it. This is the foundation of every bug bounty technique you’ll learn in this course.
Understanding What You’re Seeing — Anatomy of an HTTP Request
That request you just intercepted? Every single line matters for bug bounty hunting. Let me decode each component because understanding HTTP at this level is what separates effective hunters from button-clickers.
GET /dashboard?user_id=1043 HTTP/2
The Request Line: Method (GET/POST/PUT/DELETE) + Path (the URL path and any parameters) + HTTP version. The user_id=1043 parameter? On Day 8 you’ll learn how changing that number to another user’s ID is an IDOR vulnerability worth $300–$2,000.
The Cookie Header: Session cookies are what keep you logged in. They’re sent with every request. In bug bounty, this is where you’ll find JWT tokens, session identifiers, and authentication data. On Day 15 you’ll learn how to decode and test these for vulnerabilities.
The Authorization Header: The API authentication token. This is often a JWT (JSON Web Token) — a Base64-encoded structure containing your user ID, role, and expiry. On Day 22 you’ll learn exactly how to decode these and test for JWT signature vulnerabilities.
Content-Type:application/json
Content-Type: Tells the server what format the request body is in. Bug bounty hunters change this header deliberately — switching from application/json to application/xml can sometimes trigger XXE vulnerabilities (Day 28). Small changes, large impact.
Intro to Burp Repeater — Your Testing Sandbox
Once you intercept a request, you’ll want to test it — change a value, see what the server responds with, change it again, compare the responses. That’s Repeater. Right-click any intercepted request → Send to Repeater. Then click the “Repeater” tab. You can now fire that request as many times as you want with any modifications.
securityelites.com
Burp Suite — Repeater Tab
Proxy
Repeater
REQUEST
▶ Send
GET /api/users/1043 HTTP/2
Host:api.target.com
Authorization:Bearer eyJ…
↑ Change 1043 to 1042 and click Send.
If you see different user data → IDOR found!
RESPONSE
HTTP/2 200 OK
Content-Type:application/json
{
“user_id”: 1042,
“email”: “other@example.com”,
“name”: “Another User”
}
✓ IDOR! Another user’s data returned to us.
Burp Repeater — Request on the left, Response on the right. We changed user_id from 1043 to 1042 and the server returned a different user’s data. That’s an IDOR vulnerability. This is exactly the workflow you’ll use from Day 8 onwards for real bug finding.
💡 Mr Elite’s Tip: Right-click any interesting request in Burp’s HTTP history → “Send to Repeater.” Then in Repeater, use Ctrl+Shift+↑ and Ctrl+Shift+↓ to navigate through previous requests. Repeater becomes your note-taking tool for anything worth investigating.
5 Essential Firefox Extensions for Bug Bounty Hunters
Beyond FoxyProxy, your browser itself becomes a more powerful testing tool with the right extensions. These five are standard in every professional hunter’s Firefox profile:
🔍
Wappalyzer — Technology Fingerprinter
Shows you exactly what technologies a website uses — framework, CMS, JavaScript libraries, CDNs, analytics, server software. Essential for understanding your attack surface. If Wappalyzer shows “Drupal 7,” you immediately know what CVEs to check.
🍪
Cookie-Editor — Visual Cookie Management
View, edit, add, and delete cookies directly in your browser. Perfect for testing cookie-based authentication, session hijacking scenarios, and modifying cookie values without having to go through Burp for simple cookie tests.
🧩
DotGit — Exposed .git Directory Finder
Automatically checks every website you visit for an exposed .git directory. An exposed .git directory means you can potentially download the application’s entire source code — a Critical finding that pays $1,000–$10,000+.
🔓
JWT Editor (formerly JWT-Debugger)
Decode JSON Web Tokens directly in your browser. Shows the header, payload, and signature in plain text. You’ll use this constantly when testing authentication on Day 22–25. Understanding JWT structure is prerequisite for JWT attacks.
📋
HackerOne Reporter — Bug Report Helper
Formats your bug reports properly while you’re investigating. Takes screenshots, records your steps, and structures them into HackerOne’s report format. Reduces the time between finding a bug and submitting a report — critical because platforms deduct points for duplicate reports when someone submits before you.
Kali Linux vs Windows — Which Should You Use for Bug Bounty?
This question comes up constantly and the internet gives needlessly dramatic answers. Here’s the practical reality from someone who has used both professionally:
✗ Not ideal as your only OS if you also work normally
Best approach: Run Kali in a VirtualBox or VMware VM on your existing computer. Get the best of both worlds.
🪟
Windows
✓ You already know it
✓ Burp Suite runs natively and well
✓ WSL2 gives you Linux tools when needed
✓ No VM overhead
✗ Some tools require extra steps to install
✗ Path separators in commands occasionally differ
Windows + WSL2 (Windows Subsystem for Linux) is a very practical setup for beginners. You get Linux tools without leaving Windows.
📌 Mr Elite’s Honest Verdict
Use whatever you’re already comfortable with for the first 30 days of this course. Everything in Days 1–30 works perfectly on Windows, macOS, or Linux. When we get to advanced recon tools in Day 25+ that work better on Linux, I’ll tell you exactly then and give you the Kali setup steps. Don’t let OS analysis paralysis delay you from starting. Your methodology matters more than your operating system.
🎯 Day 2 Task — Verify Your Lab is Working
📋 DAY 2 CHECKLIST — All Steps Required
Burp Suite Community Edition installed and launches successfully
FoxyProxy installed in Firefox and configured with 127.0.0.1:8080
Burp CA Certificate downloaded, imported into Firefox, HTTPS working
First HTTPS request intercepted and visible in Burp (any website works)
Sent an intercepted request to Repeater and clicked Send successfully
Installed Wappalyzer and Cookie-Editor Firefox extensions
Can toggle FoxyProxy ON/OFF without restarting browser (one click)
⭐ BONUS — Intercept a Login Request
Create a free account on any website — a forum, newsletter, anything. With Burp intercepting, submit the login form. Watch the POST request appear in Burp Intercept. Find the username and password fields in the request body. Can you see your own password in plain text? This is exactly why HTTP (not HTTPS) login pages are a security bug. Understanding what you just saw is 20% of understanding web security. Share your (redacted) screenshot in #Day2Done 🟢
⚠️ Only do this on accounts you own. Never attempt this on others’ accounts or without permission.
🔬
Your lab is live. Burp Suite is running. Every HTTPS request is now visible to you.
Day 3 is where the real education begins. You’re going to learn exactly how the web works at the protocol level — HTTP, DNS, how browsers talk to servers, what happens between typing a URL and seeing a page. Understanding this at depth is what makes great bug hunters. It’s the difference between knowing a technique and knowing why the technique works.
Yes — 100% free, no trial expiry. Burp Suite Community Edition is available permanently at no cost and includes the Proxy, Repeater, Decoder, Comparer, and Intruder (with rate limiting). Professional adds the automated scanner and unlimited Intruder speed. Community Edition covers everything in this 60-day course.
Why do I need to install a CA certificate for Burp Suite?
Without the CA cert, Firefox rejects Burp’s dynamically generated SSL certificates and shows a security error for every HTTPS site. Installing the cert tells Firefox to trust Burp as a certificate authority, allowing it to silently decrypt and re-encrypt HTTPS traffic. This is standard MITM proxy behaviour — perfectly safe in a controlled lab environment for bug bounty testing.
Should I use Kali Linux or Windows for bug bounty hunting?
Start with whatever OS you know. For this 60-day course, everything through Day 35 works equally on Windows, macOS, and Linux. The best setup long-term is your current OS as the host + Kali Linux in a virtual machine (VirtualBox is free). This course tells you exactly when and why to switch to Kali — don’t worry about it today.
What is FoxyProxy and why is it better than system proxy settings?
FoxyProxy adds a one-click proxy toggle to Firefox’s toolbar. System proxy settings require multiple menu clicks to change and affect your entire computer’s network traffic (including Slack, email, etc.). FoxyProxy only affects Firefox and switches in under one second. For bug bounty work where you’re constantly turning interception on and off, this convenience matters significantly.
What is the difference between Burp Suite Intercept and Repeater?
Intercept catches live traffic in real time — you see each request as you browse, before it reaches the server. Repeater is a replay tool — you send a saved request to the server manually, as many times as you want, with any modifications. The typical workflow: use Intercept to find an interesting request, send it to Repeater, then test it repeatedly with Repeater until you find a vulnerability or confirm the endpoint is secure.
I remember the first time I intercepted an HTTPS request and saw the session cookie sitting there in plain text. I’d been using websites my entire life assuming those cookies were somehow protected in transit. The realisation that a proxy makes them completely visible changed how I understood web security in about thirty seconds. That’s what Day 2 does — it doesn’t just give you a tool, it gives you a perspective shift. Welcome to seeing the web differently.
