Learn how to use Burp Suite for beginners with a step-by-step practical guide including proxy intercept, request modification, and real hacking workflow.
Authorised targets only. Use Burp Suite against your own DVWA lab, TryHackMe, Hack The Box, or authorised bug bounty targets. Never proxy traffic through Burp and test systems you don’t have permission to test.
Burp Suite is the tool that separates people who have heard of web application security from people who actually do it. Every professional web application penetration tester has Burp open. Every serious bug bounty hunter has Burp configured. The gap between “I’ve heard of Burp Suite” and “I can use Burp Suite to find real vulnerabilities” is a one-time setup and a few hours of hands-on practice. Lets learn How to Use Burp Suite for Beginners from very scratch.
This guide gives you that setup and that practice — completely step by step. By the end, you will have Burp Suite installed and properly configured, you will have intercepted your first HTTPS request, modified it, and sent it to Repeater. Then you will use that workflow to demonstrate a simple IDOR finding on DVWA. Everything practical, everything on your own authorised lab.
On Kali Linux, Burp Suite Community is pre-installed. Launch it from the terminal or the Applications > Web Application Analysis menu. On other systems, download from portswigger.net/burp/communitydownload — free, no account required.
# Launch on Kali Linux burpsuite &
# Or from Applications > Web Application Analysis > burpsuite # On first launch: Temporary project > Use Burp defaults > Start Burp
FoxyProxy is a Firefox extension that lets you switch proxy settings with one click. Without it, you would have to manually change Firefox proxy settings every time you start or stop testing. This is the fastest and cleanest workflow.
1
Install FoxyProxy Standard
Firefox → Extensions (Ctrl+Shift+A) → Search “FoxyProxy Standard” → Add to Firefox. Confirm the permissions.
2
Add Burp Proxy Configuration
Click the FoxyProxy icon → Options → Add. Set: Title = “Burp Suite”, Proxy Type = HTTP, Host = 127.0.0.1, Port = 8080. Save.
3
Activate when testing
Click FoxyProxy icon → select “Burp Suite” to route traffic through Burp. Click “Disable FoxyProxy” when browsing normally. One click toggles your testing session on and off.
Step 3 — Install Burp’s CA Certificate (HTTPS Interception)
Without the CA certificate, Firefox blocks HTTPS traffic with security warnings and Burp cannot see encrypted content. This is the step most beginners miss — and why they think Burp only works on HTTP. The certificate tells Firefox to trust Burp as an intermediate certificate authority.
1
Enable FoxyProxy (Burp Suite selected)
2
Visit http://burpsuite in Firefox
This loads Burp’s web interface. Click “CA Certificate” in the top right to download cacert.der.
3
Import into Firefox
Firefox → Settings → Privacy & Security → scroll to Certificates → View Certificates → Authorities → Import → select cacert.der → check “Trust this CA to identify websites” → OK.
✓
Test: visit any HTTPS site with Intercept On
If the request appears in Burp’s Proxy tab without a browser security warning, the certificate is installed correctly. You can now see and modify all HTTPS traffic.
Proxy — Intercept, Modify & Forward
securityelites.com
Burp Suite Community Edition
Proxy
Repeater
Intruder
Decoder
Intercept
HTTP History
WebSockets
Options
Forward
Drop
Intercept is ON
Action ▾
GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.56.101
Cookie: PHPSESSID=abc123; security=low
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
▲ Request paused — modify id=1 before forwarding
Burp Suite Proxy — Intercept ON. A GET request to the DVWA SQL injection endpoint is paused before reaching the server. The id parameter is highlighted — change it here to test for SQL injection or IDOR before clicking Forward. The Cookie header shows the session token and security level. This is the core Burp workflow: browse → intercept → modify → forward → analyse response.
💡 Pro workflow tip: Leave Intercept OFF while browsing the application normally to populate HTTP History. Only turn Intercept ON when you want to pause and modify a specific request. Most professionals browse with intercept off and use HTTP History to find interesting requests to send to Repeater.
HTTP History — Map the Application’s Attack Surface
With Intercept OFF, browse every page of the target application while FoxyProxy routes traffic through Burp. Click every button. Submit every form. Use every feature. Burp’s HTTP History tab records every single request — this becomes your attack surface map.
What to Look for in HTTP History
🎯 POST requests — form submissions and data modifications
🔢 Numeric IDs in URLs — potential IDOR vectors
🔑 API endpoints — /api/, /v1/, /graphql/
🔀 Redirects (302) — may be bypassable
📝 Parameters reflecting in responses — XSS candidates
🔒 Authorisation headers — Bearer tokens, session cookies
Right-click any interesting request → Send to Repeater → begin manual testing
Repeater — The Heart of Manual Testing
Repeater is where you spend most of your testing time. It shows the raw HTTP request on the left and the server’s raw response on the right. Modify any part of the request — parameters, headers, body, method — and click Send to see exactly how the application responds to each change.
securityelites.com
Proxy
Repeater
Intruder
Request ✎
GET /api/v1/user?id=2850 HTTP/1.1
Host: target.com
Cookie: session=abc123
Change id to 2849 to test IDOR →
Response — 200 OK
HTTP/1.1 200 OK
{
“user_id”: 2849,
“email”: “alice@example.com”,
“phone”: “+1 555-0124”
}
IDOR confirmed — another user’s PII returned
Burp Suite Repeater — Left panel: the request with id changed from 2850 (our account) to 2849. Right panel: the server’s response — returning another user’s email and phone number with HTTP 200. This is a textbook IDOR finding. Repeater makes this kind of manual testing fast and systematic. Send, observe, modify, send again.
Intruder — Automated Payload Testing
Intruder automates sending many request variations by substituting payload values into marked positions. In Community Edition it is rate-limited — use it for focused tests, not large wordlists. Four attack types:
Sniper (Most Used)
One payload set, cycles through each marked position individually. Best for testing a single parameter with a wordlist. Use for: fuzzing one parameter, brute-forcing a login password field.
Pitchfork
Multiple payload sets, one per position, iterated in parallel. Use for: username:password combinations where you have a known user list matched to a password list.
Cluster Bomb
All combinations of multiple payload sets — every value from list 1 with every value from list 2. Use for: credential stuffing where both username and password are unknown.
Battering Ram
Same payload value inserted into all marked positions simultaneously. Less commonly used — handy when the same value needs to appear in multiple request positions.
Decoder & Comparer — Quick Reference
# Decoder — Encode/Decode on the fly: URL encode: admin+password → admin%2Bpassword Base64 decode: eyJhbGciOiJ… → {“alg”:”HS256″,”typ”:”JWT”} HTML decode: <script> → <script> Hex encode: A → 41
# Tip — Decode JWT tokens in Decoder to check algorithm and claims # Comparer — paste two responses to diff them side-by-side # Critical for: comparing responses to true/false SQLi conditions
Your First IDOR Test Using Burp Suite — On DVWA
This is the complete IDOR workflow using Burp Suite — the same methodology used in real authorised bug bounty testing. On DVWA with two test accounts:
1
Browse DVWA with Intercept OFF — populate HTTP History
Log in as test account A. Browse to your profile page. Note the URL contains your user ID. Burp has captured this request in HTTP History.
2
Find the profile request in HTTP History → Send to Repeater
In Proxy → HTTP History, find the GET request to /profile or /user?id=X. Right-click → Send to Repeater.
3
In Repeater — change the ID value
Change id=1 to id=2 (Account B’s ID). Click Send.
✓
Observe response — Account B’s data returned → IDOR confirmed
If Account B’s username, email, or other data appears in the response while using Account A’s session — IDOR confirmed. Screenshot both the request and response for your report. See Bug Bounty Hunting Methodology for report writing next steps.
Burp Suite Is Day 2 & 12 — All Free, All Practical
Frequently Asked Questions – How to use Burp Suite for Beginners
Is Burp Suite free?
Community Edition is free — includes Proxy, Repeater, Intruder (rate-limited), Decoder, Comparer, basic scanner. Professional ($449/year) adds full automated scanner and unlimited Intruder. Community is sufficient for most learning and bug bounty work.
What is Burp Suite Proxy?
A web proxy intercepting all HTTP/S traffic between your browser and servers. Route Firefox traffic through 127.0.0.1:8080 (with FoxyProxy) to see, modify, and replay every request. Foundation of all other Burp tools.
What is the difference between Proxy and Repeater?
Proxy: captures live traffic in real-time as you browse. Repeater: manually send/modify a single request as many times as needed. Proxy is passive capture. Repeater is active testing. Most testing happens in Repeater after finding interesting requests in Proxy HTTP History.
What is Burp Suite Intruder used for?
Automates sending many request variations — brute-forcing logins, fuzzing parameters for injection, enumerating numeric IDs (IDOR). In Community Edition it is rate-limited. Use Sniper attack type for focused single-parameter testing.
How do I install Burp’s CA certificate in Firefox?
Enable FoxyProxy → visit http://burpsuite → download CA Certificate → Firefox Settings → Privacy & Security → View Certificates → Authorities → Import → trust for websites. Restart Firefox. You can now intercept HTTPS.
The Burp Suite setup in this guide — FoxyProxy, CA certificate, HTTP History, Repeater — takes about 20 minutes to complete and then you use it for the rest of your security career. Every serious web application tester I know has this exact setup. The tool is not magic; it just makes every request and response visible and modifiable. Everything interesting you find in web application testing, you find through this lens.
