If websites were buildings, Burp Suite would be the ultimate inspection toolkit used by security experts to find hidden vulnerabilities before attackers do. The Burp Suite Cheat Sheet is one of the most useful learning resources for anyone entering the world of web application security and ethical hacking.
Created by PortSwigger, Burp Suite is a powerful web penetration testing platform used by ethical hackers, bug bounty hunters, security researchers and red team professionals. You can explore its official documentation on the Burp Suite official website.
The tool acts as a man-in-the-middle proxy, allowing you to intercept, analyze, and modify HTTP and HTTPS traffic between a browser and a web server.
This ability helps security professionals detect vulnerabilities like:
- SQL Injection
- Cross-Site Scripting (XSS)
- Authentication flaws
- Session hijacking
- API vulnerabilities
- File upload vulnerabilities
Beginners often feel overwhelmed when they first open Burp Suite. The interface has many tabs like Proxy, Repeater, Intruder, Scanner, Decoder, Comparer and Sequencer. But once you understand how these modules work together, Burp Suite becomes one of the most powerful cybersecurity tools in the world.
In this Burp Suite Cheat Sheet, you will learn:
- How to install Burp Suite on Kali Linux
- 75+ Burp Suite commands and techniques
- Beginner and advanced penetration testing workflows
- Real-world bug bounty scenarios
- Hands-on security testing labs
- Practical tips used by professional hackers
Whether you are a curious beginner, bug bounty hunter, penetration tester or cybersecurity student, this Burp Suite Cheat Sheet will become a resource you bookmark and return to again and again.
Let’s begin our comprehensive Burp Suite Cheat Sheet Guide.
Burp Suite Installation Guide (Kali Linux)
Most cybersecurity professionals run Burp Suite on Kali Linux, the most popular penetration testing operating system.
The good news?
Burp Suite is already included in Kali Linux.
Step 1 — Update Kali Linux
First update your system.
sudo apt update && sudo apt upgrade -y
This ensures all cybersecurity tools are up to date.
Step 2 — Launch Burp Suite
You can launch Burp Suite using the terminal.
burpsuite
Or use the Kali Linux menu:
Applications → Web Application Analysis → Burp Suite
Step 3 — Choose Burp Suite Edition
You will see two versions:
- Community Edition (Free)
- Professional Edition (Paid)
Beginners should start with:
Burp Suite Community Edition
Click Next → Start Burp
Step 4 — Configure Browser Proxy
Burp Suite works as a local proxy server.
Default proxy settings:
127.0.0.1
Port 8080
Configure your browser proxy settings:
Proxy Address: 127.0.0.1
Port: 8080
Now Burp Suite can intercept all browser traffic. For HTTPS sites the browser must also trust Burp's CA certificate, which can be downloaded from http://burpsuite while the proxy is active; otherwise the browser will show certificate warnings for every intercepted site.
Step 5 — Turn Intercept ON
Go to:
Proxy → Intercept → Intercept ON
Now when you browse websites, Burp Suite will capture requests before they reach the server.
This is where penetration testing begins.
BASIC COMMANDS OF BURP SUITE
Below is the Burp Suite Cheat Sheet for beginners.

These commands represent the most commonly used actions during web penetration testing.
| Command Syntax | Purpose of Command | Description |
|---|---|---|
| Intercept ON | Capture HTTP traffic | Enables Burp Suite proxy interception mode so that security testers can capture browser requests before they reach the server. Parameters, cookies, headers, authentication tokens and request bodies can then be manipulated to test for vulnerabilities during web application penetration testing. |
| Intercept OFF | Forward traffic normally | Disables interception temporarily so browser traffic flows directly to the target server. This is useful after capturing a request so the user can continue browsing normally without manually forwarding each intercepted request during testing sessions. |
| Forward | Send captured request | Sends the currently intercepted request to the target server. Security testers analyze each request before forwarding it to identify vulnerabilities, modify parameters, or observe server responses in real-time. |
| Drop | Block request | Prevents a request from reaching the server. This technique helps testers simulate broken sessions or analyze how applications respond when required parameters or authentication requests are blocked intentionally. |
| Send to Repeater | Manual request testing | Sends a captured HTTP request to the Repeater tool where testers can manually modify parameters, replay requests, and observe server responses to test vulnerabilities like SQL injection or authentication bypass. |
| Send to Intruder | Automated attack testing | Sends a captured request to Intruder, allowing automated attacks such as brute-force login attempts, parameter fuzzing, or payload testing to identify hidden vulnerabilities in web applications. |
| Send to Decoder | Decode encoded data | Transfers selected data to the Decoder module where testers can decode Base64, URL encoding, or other encoded formats commonly used in web requests or tokens. |
| Send to Comparer | Compare responses | Moves data to the Comparer tool to analyze differences between two HTTP responses or request payloads, helping identify subtle variations during penetration testing. |
| Target Scope | Define testing scope | Allows security testers to define which domains and subdomains belong to the penetration testing scope so Burp Suite focuses only on relevant targets. |
| Site Map | View application structure | Displays all discovered endpoints, directories, and API routes during browsing. This helps testers understand the full attack surface of a web application. |
| Proxy History | View captured requests | Logs every HTTP request captured through the Burp proxy. This historical data helps testers review previously accessed endpoints and analyze traffic patterns. |
| HTTP Request Editor | Modify requests | Allows manual editing of request headers, cookies, and parameters to simulate malicious input during vulnerability testing. |
| HTTP Response Viewer | Analyze responses | Displays server responses for each request, helping testers detect error messages, authentication responses, and leaked sensitive data. |
| Filter Requests | Focus testing traffic | Filters captured traffic to show only relevant requests such as POST requests, login endpoints, or API calls. |
| Highlight Request | Mark important traffic | Allows testers to highlight interesting requests such as authentication endpoints or API tokens for easy identification later. |
| Add Comment | Document findings | Enables testers to annotate captured requests with notes explaining vulnerability findings or testing results. |
| Proxy Options | Configure proxy behavior | Allows configuration of interception rules, request modifications, and traffic handling to customize Burp Suite behavior during testing. |
| Match and Replace | Modify outgoing traffic | Automatically replaces values in outgoing requests. Testers use this to modify session tokens or inject payloads. |
| Logger | Record traffic events | Tracks Burp Suite activities and interactions with target applications for debugging and audit purposes. |
| HTTP Headers View | Inspect headers | Displays request and response headers, which often reveal security misconfigurations or missing protections like HSTS. |
| Cookie Editor | Modify session cookies | Allows testers to edit cookies manually to test session fixation or privilege escalation vulnerabilities. |
| Follow Redirect | Analyze redirect behavior | Enables testers to follow HTTP redirects to understand application navigation flows. |
| View Raw Request | Inspect original request | Shows the raw HTTP request exactly as sent to the server for deep analysis. |
| View Raw Response | Inspect server response | Displays the unprocessed HTTP response returned by the server. |
| Decode Base64 | Decode encoded tokens | Converts Base64 encoded values into readable text to reveal hidden parameters or credentials. |
| Encode URL | Encode payloads | Converts characters into URL-safe format used in HTTP requests. |
| Send to Sequencer | Analyze randomness | Sends session tokens to Sequencer to test whether token generation is predictable or secure. |
| Open Inspector | Analyze request structure | Helps testers view parameters, headers, and cookies in a structured interface. |
| Find in Requests | Search traffic | Searches through proxy history to locate specific parameters or endpoints. |
ADVANCED COMMANDS OF BURP SUITE
Advanced testers rely heavily on automation and attack modules.
Below are the advanced Burp Suite Cheat Sheet techniques used in real penetration testing engagements.
| Command Syntax | Purpose | Description |
|---|---|---|
| Intruder Sniper Attack | Test single parameter | Sends payloads to one parameter at a time to discover injection points or validation weaknesses within application inputs. |
| Intruder Battering Ram | Same payload multiple fields | Sends identical payloads across multiple parameters simultaneously to test authentication bypass or multi-field vulnerabilities. |
| Intruder Pitchfork | Parallel payload attacks | Uses multiple payload sets simultaneously to test combinations such as username and password brute-force attacks. |
| Intruder Cluster Bomb | Full brute force | Tests all payload combinations across multiple parameters to discover hidden credential pairs or parameter interactions. |
| Payload Positions | Define attack positions | Marks locations in requests where payloads will be inserted during automated attacks. |
| Payload Sets | Configure attack payloads | Defines wordlists or injection strings used during automated testing. |
| Payload Encoding | Encode attack payloads | Automatically encodes payloads to bypass input validation mechanisms. |
| Payload Processing | Modify payload sequences | Adds prefixes, suffixes, or transformations to payloads during attack automation. |
| Grep Extract | Extract data from responses | Captures specific patterns from server responses during automated attacks. |
| Grep Match | Detect vulnerability indicators | Searches responses for keywords indicating successful exploitation. |
| Intruder Throttle | Control attack speed | Adjusts request rate to avoid detection or blocking by security systems. |
| Session Handling Rules | Automate session tokens | Maintains authentication sessions during automated attacks. |
| Macro Recorder | Record login sequences | Automates login workflows during testing sessions. |
| Turbo Intruder | High speed attacks | Performs extremely fast request attacks used during bug bounty testing. |
| HTTP Smuggling Testing | Test proxy parsing flaws | Detects vulnerabilities where front-end and back-end servers interpret HTTP requests differently. |
| WebSocket Testing | Intercept WebSocket traffic | Captures and manipulates real-time WebSocket communication. |
| Burp Scanner | Automated vulnerability scanning | Detects vulnerabilities like XSS and SQL injection automatically (Professional Edition). |
| Active Scan | Automatic exploitation testing | Sends attack payloads to detect vulnerabilities. |
| Passive Scan | Non-intrusive analysis | Identifies potential vulnerabilities without modifying requests. |
| Repeater Attack Loop | Manual exploit testing | Allows repeated request modification to refine exploit payloads. |
| Session Token Analysis | Evaluate randomness | Determines if session IDs are predictable. |
| Decoder Hash Functions | Analyze cryptographic values | Decodes hashes and encoded tokens to reveal sensitive data. |
| Comparer Byte Comparison | Compare binary responses | Detects subtle differences between application responses. |
| Collaborator Client | Detect blind vulnerabilities | Used to identify blind command injection or SSRF vulnerabilities. |
| Scope Control | Prevent accidental testing | Restricts Burp Suite to authorized targets. |
SECURITYELITES HANDS ON LAB – REAL SCENARIOS
Learning theory is helpful. But cybersecurity mastery happens through hands-on labs.
Below are five real-world penetration testing scenarios using the Burp Suite Cheat Sheet techniques.
Scenario 1 — SQL Injection in Login Form
A website login form accepts two fields:
- username
- password
Intercept the request using Burp Suite.
Send it to Repeater.
Modify the parameter:
username=admin' OR '1'='1
If authentication bypass occurs, the application is vulnerable to SQL injection.
Commands Used:
- Intercept ON
- Send to Repeater
- Modify HTTP Request
- Forward
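To see why the payload above bypasses authentication, and what the fix looks like, here is an added example that is not part of the original cheat sheet: a vulnerable login query built by string concatenation beside a parameterised one, run against a constructed in-memory SQLite table (the table, user names and passwords are invented for the example).

```python
import sqlite3


def make_db():
    # Constructed sample data for the example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'hunter2')")
    return db


def login_vulnerable(db, username, password):
    # The defect: user input is pasted into the SQL text. The single quote in
    # admin' OR '1'='1 closes the string literal, and because AND binds tighter
    # than OR the WHERE clause becomes  username='admin' OR ('1'='1' AND password='x'),
    # which is true for the admin row whatever the password is.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Fix: a parameterised query. The driver passes the payload as a bound
    # value, so the quote characters are data, never SQL syntax.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    # Mirrors the Repeater test from the scenario: same payload, both handlers.
    db = make_db()
    payload = "admin' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(db, payload, "x"),
        "safe": login_safe(db, payload, "x"),
        "safe_valid": login_safe(db, "admin", "S3cret!"),
    }
```

When testing in Repeater, the indicator of the bug is exactly the difference shown here: the vulnerable handler logs in as admin with a wrong password, the fixed one does not.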
Scenario 2 — Brute Force Login Testing
Capture login request.
Send it to Intruder.
Choose:
Pitchfork attack
Load a username and password wordlist.
Run automated testing.
Commands Used:
- Send to Intruder
- Payload Sets
- Pitchfork Attack
- Grep Match
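The four Intruder attack types listed in the advanced table (Sniper, Battering Ram, Pitchfork, Cluster Bomb) differ only in how payloads are combined across positions. The added example below, which is not part of the original cheat sheet or of Burp itself, enumerates the parameter sets each type would generate so you can see why Scenario 2 picks Pitchfork for paired username/password lists and how many requests each type produces (useful for scoping a test and for estimating the log volume a defender would see). The parameter names and payload lists are invented.

```python
from itertools import product


def intruder_requests(mode, base, positions, payload_sets):
    """Yield one parameter dict per request that Intruder would send.

    base:         original parameter values of the captured request
    positions:    parameter names marked as payload positions
    payload_sets: one payload list per position (Sniper and Battering Ram
                  use only the first list, as in Burp)
    """
    if mode == "sniper":
        # One position at a time; the others keep their original value.
        for name in positions:
            for payload in payload_sets[0]:
                yield {**base, name: payload}
    elif mode == "battering_ram":
        # The same payload placed in every position at once.
        for payload in payload_sets[0]:
            yield {**base, **{name: payload for name in positions}}
    elif mode == "pitchfork":
        # Lists walked in parallel: i-th username with i-th password.
        for combo in zip(*payload_sets):
            yield {**base, **dict(zip(positions, combo))}
    elif mode == "cluster_bomb":
        # Cartesian product: every payload with every other payload.
        for combo in product(*payload_sets):
            yield {**base, **dict(zip(positions, combo))}
    else:
        raise ValueError(f"unknown attack type: {mode}")


def request_count(mode, positions, payload_sets):
    # Number of requests a given configuration generates.
    base = {name: "" for name in positions}
    return sum(1 for _ in intruder_requests(mode, base, positions, payload_sets))


# Constructed example: a login request with two payload positions.
BASE = {"username": "guest", "password": "guest", "remember": "0"}
POSITIONS = ["username", "password"]
PAYLOADS = [["alice", "bob"], ["p1", "p2", "p3"]]
```

For the lists above Pitchfork yields 2 requests (pairs stop at the shorter list), Cluster Bomb yields 6, Sniper yields 4 (two payloads into each of two positions) and Battering Ram yields 2.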
Scenario 3 — Discover Hidden API Endpoints
Browse the website while Proxy interception is enabled.
Burp Suite builds a Site Map automatically.
Analyze endpoints such as:
/api/admin
/api/debug
/api/internal
Commands Used:
- Proxy History
- Site Map
- Filter Requests
Scenario 4 — Testing Cross Site Scripting (XSS)
Capture a request that sends user input.
Modify parameter:
<script>alert(1)</script>
Forward request.
If the script executes in the browser, the application is vulnerable.
Commands Used:
- Send to Repeater
- Modify Request
- Forward
Scenario 5 — Session Token Weakness
Login to application.
Send session cookie to Sequencer.
Burp analyzes token randomness.
If tokens are predictable, attackers could hijack sessions.
Commands Used:
- Send to Sequencer
- Token Analysis
- Randomness Test
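The idea behind Sequencer's randomness test is to estimate how many bits of a token an attacker cannot predict. The added example below is not Burp's algorithm and not part of the original cheat sheet; it implements a deliberately crude version (Shannon entropy of the character seen at each position, summed over positions) and compares a constructed counter-based token scheme with tokens drawn from the operating system's CSPRNG via Python's secrets module, which is the generator an application should use.

```python
import math
import secrets
from collections import Counter


def per_position_entropy(tokens):
    """Crude estimate of unpredictable bits in a token sample.

    For each character position, the Shannon entropy of the characters
    observed there is computed; the sum over positions is returned. A
    constant position contributes 0 bits, a uniformly random hex digit
    contributes close to 4 bits. This ignores correlations between
    positions, so it is an upper bound, not a proof of strength.
    """
    length = min(len(t) for t in tokens)
    total = 0.0
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        n = sum(counts.values())
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_predictable(tokens, min_bits=64):
    # Flag a sample whose estimated entropy falls below a chosen threshold.
    return per_position_entropy(tokens) < min_bits


def sequential_tokens(n):
    # Constructed weak scheme: fixed prefix plus a zero-padded counter.
    # Only the last three digits vary for n <= 1000, so roughly
    # 3 * log2(10) = 9.97 bits are "random"; anyone seeing one token can
    # guess its neighbours.
    return [f"sess{i:06d}" for i in range(n)]


def random_tokens(n):
    # 16 bytes from the OS CSPRNG, hex encoded: 32 positions of ~4 bits each.
    return [secrets.token_hex(16) for _ in range(n)]
```

With 1000 samples the counter scheme scores about 10 bits and is flagged, while the secrets-based tokens score around 127 bits.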
FAQ – Burp Suite Cheat Sheet
What is Burp Suite used for?
Burp Suite is a web application security testing platform used by cybersecurity professionals to identify vulnerabilities in websites and APIs. It works by intercepting HTTP and HTTPS traffic between a browser and a server, allowing testers to inspect, modify, and replay requests. Using tools like Intruder, Repeater, and Scanner, security researchers can detect vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication bypass, and insecure session handling. Because of its powerful capabilities, Burp Suite has become one of the most widely used tools in ethical hacking and penetration testing.
Is Burp Suite legal?
Yes, Burp Suite is completely legal when used for authorized security testing. Ethical hackers, penetration testers, and cybersecurity professionals use it to test applications for vulnerabilities with permission from the system owner. However, using Burp Suite against websites without authorization may violate cybersecurity laws and computer misuse regulations. Always perform testing in environments where you have explicit permission, such as bug bounty programs, security labs, or your own applications.
Does Kali Linux include Burp Suite?
Yes, Kali Linux includes Burp Suite Community Edition by default. It can be launched directly from the Kali application menu under Web Application Analysis tools or by typing the burpsuite command in the terminal. The Community Edition provides essential functionality such as Proxy, Repeater, Intruder (limited), Decoder, and Comparer. Professional penetration testers often upgrade to Burp Suite Professional for automated vulnerability scanning and advanced features.
Is Burp Suite used by hackers?
Both ethical hackers and malicious attackers may use Burp Suite. However, the tool was created primarily for legitimate cybersecurity testing and education. Ethical hackers use Burp Suite to discover vulnerabilities before attackers exploit them. Many companies hire penetration testers who use Burp Suite to strengthen application security. When used responsibly, it helps organizations protect their systems and improve web security.
Is Burp Suite difficult to learn?
Burp Suite may appear complex at first because it contains many tools and features. However, beginners can learn it step by step. Start with the Proxy and Repeater modules, which allow you to intercept and modify requests manually. Once comfortable with those tools, move to Intruder for automated testing and Sequencer for session analysis. With consistent practice in security labs and bug bounty platforms, mastering Burp Suite becomes much easier.
Conclusion
You have now explored one of the most complete Burp Suite Cheat Sheet guides available online.
In this guide you learned:
- What Burp Suite is and why cybersecurity professionals rely on it
- How to install Burp Suite on Kali Linux
- 75+ Burp Suite Cheat Sheet commands and techniques
- Practical penetration testing workflows
- Real-world bug bounty scenarios
Burp Suite is not just a tool.
It is a full web application security testing platform used daily by ethical hackers across the world.
If you want to master cybersecurity:
Practice these skills in:
- penetration testing labs
- bug bounty platforms
- vulnerable applications
- Capture The Flag challenges
Other cheat sheets you may wish to go through:
NMAP Cheat Sheet
AMASS Cheat Sheet
And most importantly:
⭐ Bookmark this Burp Suite Cheat Sheet
⭐ Practice the commands regularly
⭐ Share it with fellow cybersecurity learners
⭐ Explore more tutorials on SecurityElites
The more you practice, the closer you get to becoming a professional ethical hacker.