Kali Linux Day 12: Burp Suite Kali Linux 2026 — Install, Configure & Intercept Your First HTTPS Request


Part of the 180-Day Kali Linux Mastery Course


Every professional penetration tester has one tool open before anything else — and it is not Nmap, it is not Metasploit. It is Burp Suite. Burp Suite Kali Linux 2026 is the single most important web application testing tool you will ever learn, and today you are going to install it, configure it correctly, and intercept your first live HTTPS request inside a real browser. By the end of this guide you will understand exactly how Burp Suite sits between your browser and every web server — and why that position gives you complete visibility into how any web application works under the hood.

🎯 What You’ll Master in Day 12

Install and launch Burp Suite Community Edition from Kali Linux
Configure FoxyProxy and the Burp CA certificate for HTTPS interception
Intercept, inspect, and forward live browser requests through Burp Proxy
Use Burp Repeater to manually modify and resend HTTP requests
Run your first Burp Intruder attack against a DVWA login form

⏱️ 55 min read · 3 hands-on exercises

This guide is built in layers. Beginners get a clean install-to-intercept walkthrough. If you already have the basics, jump straight to the Repeater and Intruder sections, where the real power lives.

In Day 11 we used Aircrack-ng to capture and crack WPA2 handshakes, working on raw 802.11 frames at the link layer. Today we move up the stack entirely. Burp Suite operates at the application layer: it sits between your browser and every web server you point it at, giving you read and write access to every HTTP and HTTPS request and response in real time. This is the tool that makes web application penetration testing possible, and it is the tool used in virtually every web exercise in the rest of the 180-Day Kali Linux Mastery Course.


What Is Burp Suite and Why Every Hacker Uses It

Burp Suite is an integrated platform for web application security testing developed by PortSwigger. It is the industry standard tool used by professional penetration testers, bug bounty hunters, and security engineers worldwide. The Community Edition — which is completely free and ships with Kali Linux — gives you everything you need to understand and test web applications at a professional level.

The architecture is simple. Burp Suite runs as a local proxy on your machine, listening on 127.0.0.1:8080 by default. You configure your browser to route all traffic through this proxy, so every request your browser sends passes through Burp first. For HTTPS, the browser's TLS connection terminates at Burp, which presents a certificate it generates for that host and signs with its own CA; Burp then opens a separate TLS connection to the real server. That is why you see the request in plain text, can modify it, and then forward it on, and it is also why the browser has to be told to trust Burp's CA (covered in the next section). The server's response comes back through Burp the same way before reaching your browser.

This man-in-the-middle position is not an attack in this context — it is your testing environment. It gives you the ability to see exactly what data the application is sending, modify parameters before they reach the server, repeat requests with different payloads, and map the entire attack surface of an application. Without Burp Suite, web application testing is guesswork. With it, everything becomes visible.

[Figure: Burp Suite architecture. Firefox (your browser) sends every request to Burp Suite listening on 127.0.0.1:8080, which intercepts and optionally modifies it before forwarding it to the target web server; responses travel back the same way.]

In that position Burp:
✓ sees every request
✓ decrypts HTTPS
✓ lets you modify a request before it is sent
✓ lets you replay any request

📸 Burp Suite proxy architecture — every browser request passes through Burp before reaching the target server, giving you full visibility and control.

The Community Edition gives you the Proxy, Repeater, Intruder (rate-limited), Decoder, Comparer, and the Target site map. These six tools cover the vast majority of what you will need for manual web application testing. The Pro version unlocks unlimited Intruder speed and an automated scanner, but everything in this guide works on the free version.

💡 Community vs Pro: Do not waste time trying to crack or pirate Burp Suite Pro; a cracked build is itself a supply-chain risk on the machine you use for engagements. PortSwigger offers a free Pro trial, and their Web Security Academy, which is completely free, teaches every concept you need. Learn on Community Edition first.

Burp Suite Kali Linux 2026 — Install and First Launch

Burp Suite Community Edition ships in the default Kali Linux desktop image (the kali-linux-default metapackage), so you normally need to download nothing. On a minimal or cloud image it is one apt install away. Either way, it is worth verifying the installation and updating it before you configure HTTPS interception.

VERIFY & UPDATE BURP SUITE ON KALI
# Check if Burp Suite is installed
which burpsuite
/usr/bin/burpsuite
# Update Kali packages including Burp Suite
sudo apt update && sudo apt install burpsuite -y
# Launch Burp Suite from terminal
burpsuite &
# Or find it in: Applications > Web Application Analysis > burpsuite

When Burp Suite launches for the first time, it presents you with a project selection screen. For the Community Edition, select “Temporary project” and click Next. On the configuration screen, select “Use Burp defaults” and click “Start Burp”. This opens the main Burp Suite interface with the Dashboard tab active.

The first thing to note is the tab bar at the top: Dashboard, Target, Proxy, Intruder, Repeater, Sequencer, Decoder, Comparer, Logger and Extensions (labelled Extender in older releases; current builds also add Organizer, Learn and Settings). You will work primarily in Target, Proxy, Repeater, and Intruder. The Dashboard shows running tasks and the event log; the automated scanner it is built around is Pro-only, but the event log is where proxy listener errors appear, so glance at it if interception misbehaves. Take 60 seconds to click each tab and familiarise yourself with the layout before moving on.

⚠️ Java Memory Warning: Burp Suite is a Java application and can be memory-hungry. If it launches slowly or crashes, give the JVM a larger heap. The Kali launcher is a wrapper script, so pass the option through the JVM's environment variable rather than as a command-line flag: JAVA_TOOL_OPTIONS=-Xmx2g burpsuite & allocates a 2 GB heap (dpkg -L burpsuite | grep jar shows where the jar lives if you prefer to run java -Xmx2g -jar directly). On systems with less than 4 GB total, stick to the default.

How to Configure Burp Proxy and Intercept HTTPS Traffic

This is the most critical configuration step in all of Burp Suite setup. If you get this wrong, Burp will intercept HTTP traffic, but every HTTPS site (which is every modern website) will fail with a certificate warning, because Burp presents a certificate signed by its own CA, which your browser does not yet trust. The solution is a two-step process: configure your browser to route traffic through Burp's proxy, then install Burp's CA certificate so your browser trusts the interception. Burp also bundles a pre-configured Chromium (Proxy > Intercept > Open browser) that needs neither step; learn the Firefox route anyway, because it is the one you will reuse with other browsers and with command-line tools.

STEP 1 — INSTALL FOXYPROXY IN FIREFOX
# Open Firefox on Kali Linux
firefox &
# In Firefox: go to this URL to install FoxyProxy Standard
https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
# After install: click FoxyProxy icon > Options > Add new proxy
# Title: Burp Suite | Host: 127.0.0.1 | Port: 8080 | Type: HTTP
# Save and activate the Burp Suite profile

STEP 2 — INSTALL BURP CA CERTIFICATE
# With FoxyProxy pointing to Burp, visit this URL in Firefox
http://burp
# Click “CA Certificate” to download cacert.der
# In Firefox: Settings > Privacy & Security > View Certificates
# Authorities tab > Import > select cacert.der
# Check: “Trust this CA to identify websites” > OK
# Verify: open any https:// site. No certificate warning should appear, and the lock icon > Connection secure > More information should show a certificate issued by PortSwigger CA
# Firefox keeps this trust in its own certificate store only; curl, Python and Chrome need the same certificate in PEM form
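Scripts and API clients need the same two things Firefox just got: a proxy setting and trust in Burp's CA, which they expect in PEM rather than the DER file http://burp serves. The following is an added example (not part of the original guide and not PortSwigger code) using only the Python standard library. It assumes Burp's default listener on 127.0.0.1:8080 and that cacert.der was downloaded as described above; the file names are placeholders.

```python
import base64
import ssl
import urllib.request
from typing import Optional

BURP_PROXY = "http://127.0.0.1:8080"   # assumption: Burp's default listener


def der_to_pem(der: bytes) -> str:
    """Convert the DER file Burp serves (cacert.der) into PEM: the format
    ssl.create_default_context(cafile=...), curl --cacert and Chrome expect.
    Same result as: openssl x509 -inform der -in cacert.der -out cacert.pem"""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to confirm the conversion loses nothing."""
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def burp_opener(ca_pem_path: Optional[str] = None, proxy: str = BURP_PROXY):
    """A urllib opener that sends both HTTP and HTTPS through Burp. Without
    ca_pem_path, HTTPS targets fail certificate validation, exactly as Firefox
    does before the CA is imported; with it, Burp's per-host certificates verify."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})]
    if ca_pem_path:
        ctx = ssl.create_default_context(cafile=ca_pem_path)
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


if __name__ == "__main__":
    # Paths are assumptions: cacert.der as downloaded from http://burp.
    with open("cacert.der", "rb") as f:
        pem = der_to_pem(f.read())
    with open("burp-ca.pem", "w") as f:
        f.write(pem)
    # This request shows up in Proxy > HTTP history like any browser request.
    with burp_opener("burp-ca.pem").open("https://example.com/", timeout=10) as resp:
        print(resp.status, resp.headers.get("Content-Type"))
```

Everything the opener sends lands in Proxy > HTTP history and can be sent to Repeater or Intruder like a browser request, which is the usual way to get a mobile app's or an API client's traffic into Burp. Leaving ca_pem_path out reproduces the "untrusted issuer" failure, so you can confirm a target really is being intercepted rather than silently bypassing the proxy.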

With FoxyProxy active and the CA certificate installed, go to Burp Suite, click the Proxy tab, then click “Intercept” — you will see a button labelled “Intercept is off”. Click it to turn interception on. Now go back to Firefox and navigate to any website. The browser will appear to hang — because Burp is holding the request, waiting for you to review it. In Burp you will see the raw HTTP request displayed in the Intercept panel. Click “Forward” to send it through, or “Drop” to discard it.

[Figure: Burp Suite Proxy Intercept panel. A captured DVWA login request (constructed here, with a placeholder session cookie) looks like this; DVWA is served over plain HTTP, so it is HTTP/1.1, not HTTP/2, and the Content-Length matches the 44-byte body:]

POST /dvwa/login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0)
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: PHPSESSID=abc123; security=low

username=admin&password=password&Login=Login

Below the request sit the Forward and Drop buttons; Send to Repeater is on the right-click menu. Recent DVWA releases append a user_token CSRF field to this body as well.

📸 Burp Suite Proxy Intercept panel showing a captured POST login request from DVWA — the username, password, and session cookie are all visible in plain text.
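When you edit a parameter in the Intercept or Repeater editor, Burp silently recomputes Content-Length for you ("Update Content-Length" is on by default). The following added example (not from the original guide and not Burp's code) does the same job by hand: it parses a request as the panel shows it, changes one form field, and re-serialises it with the correct length. The sample request is constructed to match the figure above, including the stale Content-Length a hand edit would leave behind.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list   # (name, value) pairs, order preserved as Burp shows it
    body: bytes = b""


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request (CRLF or LF line endings) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body.encode())


def set_form_param(req: HttpRequest, name: str, value: str) -> HttpRequest:
    """Rewrite one application/x-www-form-urlencoded parameter, as you would by
    editing the body in Repeater, leaving every other field untouched."""
    params = parse_qsl(req.body.decode(), keep_blank_values=True)
    params = [(k, value if k == name else v) for k, v in params]
    if name not in dict(params):          # new parameter: append it
        params.append((name, value))
    req.body = urlencode(params).encode()
    return req


def serialise(req: HttpRequest) -> bytes:
    """Emit the request with Content-Length recomputed from the real body."""
    headers = [(n, v) for n, v in req.headers if n.lower() != "content-length"]
    if req.body:
        headers.append(("Content-Length", str(len(req.body))))
    head = "\r\n".join([f"{req.method} {req.target} {req.version}"]
                       + [f"{n}: {v}" for n, v in headers])
    return head.encode() + b"\r\n\r\n" + req.body


def content_length(raw: bytes) -> int:
    """Read Content-Length back out of a serialised request (-1 if absent)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    for line in head.split("\r\n")[1:]:
        n, _, v = line.partition(":")
        if n.strip().lower() == "content-length":
            return int(v)
    return -1


# Constructed sample: the DVWA login POST from the figure, with the wrong
# Content-Length (38) a hand edit would leave; the body is actually 44 bytes.
SAMPLE = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "Cookie: PHPSESSID=abc123; security=low\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login"
)

if __name__ == "__main__":
    req = set_form_param(parse_request(SAMPLE), "password", "wrongpassword")
    print(serialise(req).decode())
```

A server that trusts the stale 38 reads only the first 38 bytes of the body and leaves the rest on the socket, which is exactly the confusion that request-smuggling techniques later in the course are built on; the same helper also lets you add a parameter the form never offered (for example role=admin) for the Quick Check at the end of this day.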

🧠 EXERCISE 1 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Why Is a Proxy More Powerful Than Browser DevTools?

⏱️ Time: 8 minutes · No tools required

Most developers know about browser DevTools (F12). Security professionals use Burp Suite instead.
Before reading on, think through these questions:

1. DevTools shows you network requests in real time. Burp does too.
What can Burp do to those requests that DevTools cannot?

2. A login form sends username=admin&password=test123 to the server.
In what two ways could you manipulate this request using Burp
that you could NOT do from a normal browser?

3. An application checks your role (admin=false) inside a cookie.
How would Burp allow you to test what happens if you change that value
before it reaches the server?

4. You discover an API endpoint that only appears once during a session.
How would Burp’s HTTP History feature help you find and replay it later?

✅ What you just learned: DevTools shows you requests after the browser has sent them and, at best, lets you edit and resend a copy (Firefox's Edit and Resend). It cannot hold a live request, change it, and let it continue to the server; it does not keep a searchable history across tabs and tools; and it only sees what your own browser sends. Burp's proxy gives you write access to every request before it leaves your machine. This means you can change parameter values, manipulate cookies, forge headers, and test how the server responds to unexpected input. This modification capability is the entire basis of manual web application security testing.

📸 Write your answers and share in #day-12-burp on Discord.


Web Application Testing Kali Linux — Proxy, Repeater and Intruder Explained

Burp Suite’s power comes from understanding how its core tools work together. The Proxy is your passive capture tool — it records everything. Repeater is your manual testing tool — it lets you replay modified requests. Intruder is your automation tool — it lets you fuzz parameters with wordlists. These three tools alone cover 80% of manual web application testing work.

Burp Proxy — HTTP History: Even when Intercept is turned off, Burp continues to log every request in the background under Proxy > HTTP History. This is your session log. After browsing through an application with intercept off, you can come back to HTTP History, find any request, right-click it, and send it to Repeater or Intruder for testing. This workflow — browse first, test second — is how professionals approach a new application.

Burp Repeater — Manual Parameter Testing: Repeater is where you spend most of your manual testing time. You send a request here, modify a parameter value, click Send, and see the server’s response immediately. You can compare responses side by side, test different payloads in seconds, and iterate rapidly. For testing SQL injection, XSS, IDOR, and authentication bypass, Repeater is your workbench.

Burp Intruder — Automated Fuzzing: Intruder lets you define one or more payload positions in a request and then fuzz them with a wordlist or number sequence. The Community Edition throttles Intruder: requests get progressively slower as the attack runs, which is frustrating for large wordlists but entirely sufficient for learning. For brute-forcing a login form with a short password list on DVWA, it works well.

BURP REPEATER — QUICK WORKFLOW
# 1. In Proxy > HTTP History, find a login POST request
# 2. Right-click > Send to Repeater
# 3. In the Repeater tab, edit the password value in the body (no § markers here; those are Intruder syntax):
username=admin&password=wrongpassword&Login=Login
# 4. Click Send and inspect the response on the right panel
# Look first at the status code and headers. DVWA's login.php answers BOTH outcomes with a 302:
# Location: login.php means the attempt failed, Location: index.php means it succeeded
# (click “Follow redirection” to see the “Login failed” message itself)
# 5. Try common passwords manually:
password=admin | password=password | password=admin123
# Compare responses: any attempt whose status, length or Location differs from the rest did something different
# If DVWA replies “CSRF token is incorrect”, the user_token in the captured request has gone stale: reload the login page, capture a fresh request and send that one to Repeater

💡 Response Length Is Your Best Friend: In Burp Repeater and Intruder, always watch the Status and Length columns. An attempt that returns a different byte count or status code from all the others is almost always significant: it either succeeded, or it triggered a different error. When an endpoint answers every outcome with the same status and near-identical length, as DVWA's login.php does with its 302 redirects, compare the Location and Set-Cookie headers instead. Filter on the differing value before reading individual responses.

Setting Target Scope and Using the HTTP History

One of the most important habits in professional web application testing is defining your target scope before you start testing. Burp’s Target > Scope feature lets you specify exactly which hosts and URLs Burp should log and interact with. This prevents your HTTP History from filling up with irrelevant requests from browser background processes, telemetry calls, and CDN traffic.

DEFINE TARGET SCOPE FOR DVWA
# Method 1: From the Target > Site Map
# Right-click your target host > Add to scope
# Method 2: Manually in Target > Scope > Include in scope > Add
# In the default (URL prefix) mode, paste the prefix that covers the application:
http://127.0.0.1/dvwa/
# With “Use advanced scope control” ticked, the same rule is entered as fields:
Protocol: http
Host/IP: 127.0.0.1 (or dvwa.local)
Port: 80
File: ^/dvwa/ (a regex in advanced mode)
# Burp will then ask: “Do you want to stop sending out-of-scope items?”
# Click YES: this keeps your HTTP History clean and focused
# Now only DVWA traffic appears in your logs
# Optional: add http://127.0.0.1/dvwa/logout.php under “Exclude from scope” so nothing automated ends your session
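To make the scope rules concrete, here is an added example (not Burp's code) that evaluates URLs the way Target > Scope does, supporting both rule styles Burp offers: a URL prefix (the default Add dialog) and an advanced rule of protocol, host, port and a regex on the path, with exclusions taking precedence over inclusions. The history entries are constructed to show the browser noise a scope-less session collects.

```python
import re
from urllib.parse import urlsplit


def prefix_rule(prefix: str):
    """Burp's default style: any URL starting with the prefix is in scope."""
    def match(url: str) -> bool:
        return url.startswith(prefix)
    return match


def advanced_rule(protocol=None, host=None, port=None, file_regex=None):
    """Burp's advanced style. Every field is optional; the file field is a
    regex applied to the path. Host is matched literally here (Burp also
    accepts IP ranges, not modelled)."""
    path_re = re.compile(file_regex) if file_regex else None

    def match(url: str) -> bool:
        u = urlsplit(url)
        url_port = u.port or (443 if u.scheme == "https" else 80)
        return ((protocol is None or u.scheme == protocol)
                and (host is None or u.hostname == host)
                and (port is None or url_port == port)
                and (path_re is None or path_re.search(u.path) is not None))
    return match


class Scope:
    def __init__(self, include=(), exclude=()):
        self.include, self.exclude = list(include), list(exclude)

    def contains(self, url: str) -> bool:
        """Burp semantics: an exclude rule beats an include rule."""
        if any(rule(url) for rule in self.exclude):
            return False
        return any(rule(url) for rule in self.include)

    def filter_history(self, history: list) -> list:
        """What 'stop sending out-of-scope items' leaves in HTTP history."""
        return [url for url in history if self.contains(url)]


# The DVWA scope from the block above, in both styles, with logout excluded
# so Intruder or a scanner can never log the session out mid-attack.
DVWA_SCOPE = Scope(
    include=[prefix_rule("http://127.0.0.1/dvwa/"),
             advanced_rule("http", "dvwa.local", 80, r"^/dvwa/")],
    exclude=[prefix_rule("http://127.0.0.1/dvwa/logout.php")],
)

# Constructed history: target requests plus typical background noise.
HISTORY = [
    "http://127.0.0.1/dvwa/login.php",
    "http://127.0.0.1/dvwa/vulnerabilities/brute/?username=admin&password=x&Login=Login",
    "http://127.0.0.1/dvwa/logout.php",
    "http://dvwa.local/dvwa/setup.php",
    "http://dvwa.local:8080/dvwa/setup.php",
    "https://incoming.telemetry.mozilla.org/submit/telemetry/abc",
    "http://127.0.0.1/phpmyadmin/",
]

if __name__ == "__main__":
    for url in DVWA_SCOPE.filter_history(HISTORY):
        print(url)
```

The same matcher is what you would write inside a Burp extension or a replay script to refuse to touch anything outside the agreed scope; the logout exclusion is the practical reason scope has an exclude list at all.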

With scope defined, the Target > Site Map tab becomes genuinely useful. As you browse through the application with Intercept off, Burp automatically builds a tree of every URL, directory, and parameter it has seen. This passive crawl shows you the full attack surface of the application — directories you might not have visited, parameters that appear in query strings, and endpoints the application references in its JavaScript.

Professional penetration testers always spend 20–30 minutes in passive crawl mode before touching a single parameter. You are mapping before you attack. The same intelligence-first philosophy you applied with theHarvester on Day 9 applies to web application testing — map everything before you start testing anything.

⚡ EXERCISE 2 — KALI TERMINAL (20 MIN)
Configure Burp Suite, Intercept a DVWA Login Request and Send to Repeater

⏱️ Time: 20 minutes · DVWA running on Kali Linux required

START DVWA AND CONFIGURE BURP
# Step 1: Start DVWA via Docker (if using Docker setup from Lab 1)
docker start dvwa
# Or start Apache+MySQL if using native install
sudo service apache2 start && sudo service mysql start
# Step 2: Launch Burp Suite
burpsuite &
# Step 3: Enable FoxyProxy in Firefox → select Burp Suite profile
# Step 4: In Burp > Proxy > Intercept — click to turn ON
# Step 5: In Firefox, navigate to DVWA login page
http://127.0.0.1/dvwa/login.php
# Step 6: Enter credentials: admin / password — click Login
# The browser freezes — switch to Burp and view the intercepted POST
# Step 7: Right-click the request > Send to Repeater
# Step 8: Click Forward to let the login proceed
# Step 9: Go to the Repeater tab, modify the password value and click Send
username=admin&password=wrongpassword&Login=Login
# Burp updates Content-Length for you; DVWA's login.php answers both outcomes with a 302, so compare the Location header:
# Location: login.php means the attempt failed, Location: index.php means it succeeded
# (click “Follow redirection” to see the “Login failed” message itself)
# Now try the correct password again and compare the two responses side by side
# If the response says “CSRF token is incorrect”, the user_token field has gone stale: reload the login page in Firefox and capture a fresh request

✅ What you just learned: You have completed the core Burp Suite workflow that professional penetration testers use in every web engagement — intercept a request, preserve it in Repeater, and test different parameter values without re-submitting the form in the browser. This workflow scales to SQL injection, XSS, authentication bypass, and every other web vulnerability class. Every test from Day 12 forward will use some version of exactly this process.

📸 Screenshot the Repeater tab showing the modified request and different response and share in #day-12-burp on Discord. Tag #burpsuite2026


Burp Suite Tutorial 2026 — Testing DVWA With All Four Tools

Now that Burp is configured and you have intercepted your first request, let us walk through a complete testing workflow against DVWA using all four core tools together. This is the workflow you will use on every web application engagement going forward.

Phase 1 — Passive Crawl: With Intercept off, browse every page of DVWA manually. Click every link, submit every form with test data, and navigate every menu item. Burp is silently recording everything in HTTP History. After 10 minutes of browsing, open Target > Site Map and you will see the full directory structure of the application mapped out automatically.

Phase 2 — Parameter Identification: In HTTP History, filter by POST requests. These are your highest-value targets — forms that submit user-controlled data to the server. Look specifically for parameters that might query a database (id=, user=, search=), execute commands (cmd=, exec=, ping=), or reference files (file=, path=, page=).

Phase 3 — Manual Testing in Repeater: Send interesting requests to Repeater. In DVWA’s Command Injection module, for example, you will find a ping field. Send that request to Repeater and test what happens when you add ; id after a valid IP address. The response will tell you immediately whether the application is vulnerable.

COMMAND INJECTION TEST IN BURP REPEATER — DVWA LOW SECURITY
# Original request body in Repeater:
ip=127.0.0.1&Submit=Submit
# Test 1: Append a second command after a semicolon
ip=127.0.0.1;id&Submit=Submit
# Response: the four ping lines, then
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Confirmed vulnerable: the server ran our OS command as the web server user
# Test 2: Read a file (select the space and press Ctrl+U to URL-encode it before sending)
ip=127.0.0.1;cat+/etc/passwd&Submit=Submit
# Test 3: Pipe operator as an alternative (Medium security strips only ";" and "&&", so this still works there)
ip=127.0.0.1|whoami&Submit=Submit
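The reason ;id works is visible in the code pattern, not in Burp. The following added example (written in Python for this guide; DVWA itself is PHP and this is not its source) rebuilds that pattern: the vulnerable function only builds the command string the shell would receive, and the hardened version shows the two controls that close the hole independently. Payloads are constructed; nothing in the block runs a shell.

```python
import ipaddress
import subprocess


def ping_command_vulnerable(ip: str) -> str:
    """What DVWA Low does: concatenate the form value into a shell command line.
    /bin/sh then honours every metacharacter in it (; | && $( ) and backticks)."""
    return f"ping -c 4 {ip}"          # DVWA hands this string to shell_exec()


def ping_command_hardened(ip: str) -> list:
    """Two independent controls. 1) Validate: the input must parse as an IP
    address, so "127.0.0.1;id" is rejected outright. 2) Pass it as one argv
    element with no shell in the path, so even a bad value cannot become a
    second command."""
    addr = ipaddress.ip_address(ip)   # ValueError on anything but an address
    return ["ping", "-c", "4", str(addr)]


def run_ping(ip: str, timeout: float = 10) -> str:
    """Execute the hardened form: no shell=True, no string concatenation."""
    proc = subprocess.run(ping_command_hardened(ip), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


# Constructed payloads: the three from the Repeater block above plus a
# subshell, which DVWA's Medium filter (it strips only "&&" and ";") lets through.
PAYLOADS = ["127.0.0.1;id", "127.0.0.1|whoami", "127.0.0.1&&cat /etc/passwd", "$(id)"]


def triage(payloads: list) -> dict:
    """For each payload: the command line the vulnerable code would hand to the
    shell, and whether the hardened code accepts the value at all."""
    result = {}
    for p in payloads:
        try:
            ping_command_hardened(p)
            accepted = True
        except ValueError:
            accepted = False
        result[p] = {"vulnerable_cmd": ping_command_vulnerable(p),
                     "hardened_accepts": accepted}
    return result


if __name__ == "__main__":
    for p, r in triage(PAYLOADS).items():
        print(f"{p!r:<32} shell would run: {r['vulnerable_cmd']!r:<45} "
              f"hardened accepts: {r['hardened_accepts']}")
```

Note which control does the work: a blacklist like DVWA's Medium and High levels is the weak one (High strips "| " with a trailing space, so |whoami without the space still passes), whereas an argv call with no shell never gives the metacharacters a parser to reach, regardless of what validation missed.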

Phase 4 — Intruder for Brute Force: For the DVWA brute force module, capture the request the login form sends (at Low security it is a GET, so the credentials are in the query string) and send it to Intruder. In the Positions tab, click “Clear §”, highlight the password value and click “Add §”. Set the attack type to Sniper, load a wordlist in the Payloads tab, and start the attack. Sort results by response length: the valid password returns the welcome page, which is a noticeably different length from the failure message.

[Figure: the four-tool testing workflow]
① PROXY: Intercept and HTTP History; captures all traffic passively
② REPEATER: manual parameter modification; test payloads one by one
③ INTRUDER: automated fuzzing; wordlist attacks on parameters
④ TARGET: Site Map and Scope; full application mapping

📸 The four core Burp Suite tools and their roles in a complete web application testing workflow — used in sequence for every professional engagement.

This four-phase workflow — passive crawl, parameter identification, manual Repeater testing, Intruder automation — is the foundation of every web application penetration test. The Burp Suite cheat sheet covers the keyboard shortcuts and Repeater tips that will make you significantly faster once you have this workflow memorised.

⚡ EXERCISE 3 — KALI TERMINAL (25 MIN)
Run a Burp Intruder Brute Force Attack Against DVWA Login

⏱️ Time: 25 minutes · DVWA running, Burp configured

BURP INTRUDER BRUTE FORCE — DVWA
# Step 1: Set DVWA security to Low (Medium and High add delays and a CSRF token; stay on Low for this exercise)
http://127.0.0.1/dvwa/security.php
# Step 2: Navigate to Brute Force module
http://127.0.0.1/dvwa/vulnerabilities/brute/
# Step 3: Enable Burp Intercept, submit any login attempt
# The Low-level form submits with GET, so the credentials travel in the query string:
GET /dvwa/vulnerabilities/brute/?username=admin&password=test&Login=Login HTTP/1.1
# Step 4: Right-click request > Send to Intruder
# Step 5: In Intruder > Positions tab, click “Clear §”
# Step 6: Highlight the password value only, click “Add §”
GET /dvwa/vulnerabilities/brute/?username=admin&password=§test§&Login=Login HTTP/1.1
# Keep the Cookie header from the captured request: without PHPSESSID and security=low, DVWA just redirects every attempt to the login page
# Step 7: Payloads tab > Payload type: Simple list
# Step 8: Add these test passwords to the list:
password, admin, 123456, letmein, dragon, master, admin123
# Step 9: Click “Start Attack”: a results table appears (Community Edition throttles the requests)
# Step 10: Sort by the “Length” column: the correct password returns a different length
# Look for: longer response (“Welcome to the password protected area admin”) vs shorter (“Username and/or password incorrect.”); both are HTTP 200
# The password for DVWA default admin account is: password

✅ What you just learned: Burp Intruder automates the tedious part of brute-force testing — submitting hundreds of password variations and comparing server responses. The key insight is that you do not look for “success” messages — you look for response anomalies. A different response length, a redirect (302) instead of a 200, or a change in response time all signal that something different happened on the server. This anomaly-detection mindset applies to every automated test you will run with Intruder.

📸 Screenshot the Intruder results table with the successful password highlighted by response length difference and share in #day-12-burp on Discord. Tag #intruder2026
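To see what Intruder's Sniper attack and the "sort by Length" step actually compute, here is an added example (not Burp's code and not part of the original guide). It renders requests from a §-marked template the way the Positions tab does, sends them, and picks out the rows that deviate from the failure baseline. The "server" is a constructed stand-in for DVWA's brute module at Low security so the script runs offline; swap fake_dvwa for a function that sends through Burp (for instance with the urllib opener from the HTTPS section) to use it against the real lab.

```python
import re
from collections import Counter
from typing import Callable, Iterable

POS = re.compile("§(.*?)§")   # Intruder's payload-position markers

# Constructed template: the Low-level brute-force request (a GET) with two
# positions marked, as the Positions tab shows after "Add §" on each value.
TEMPLATE = ("GET /dvwa/vulnerabilities/brute/?username=§admin§&password=§test§"
            "&Login=Login HTTP/1.1\r\nHost: 127.0.0.1\r\n"
            "Cookie: PHPSESSID=abc123; security=low\r\n\r\n")


def sniper(template: str, payloads: Iterable[str]) -> list:
    """Sniper attack type: one position at a time receives each payload while
    the others keep their base value. Returns (position, payload, request)."""
    payloads = list(payloads)
    n = len(POS.findall(template))
    rendered = []
    for idx in range(n):
        for payload in payloads:
            counter = iter(range(n))
            def fill(m, idx=idx, payload=payload, counter=counter):
                return payload if next(counter) == idx else m.group(1)
            rendered.append((idx, payload, POS.sub(fill, template)))
    return rendered


def fake_dvwa(request: str) -> tuple:
    """Constructed stand-in for DVWA's brute module at Low: both outcomes are
    HTTP 200 and differ only in the body, which is why length is the tell."""
    m = re.search(r"username=([^&]*)&password=([^&]*)", request)
    user, pw = m.group(1), m.group(2)
    if (user, pw) == ("admin", "password"):
        return 200, (f"<p>Welcome to the password protected area {user}</p>"
                     f'<img src="hackable/users/{user}.jpg" />')
    return 200, "<pre><br />Username and/or password incorrect.</pre>"


def attack(template: str, payloads: Iterable[str],
           send: Callable[[str], tuple]) -> list:
    """Send every rendered request; collect what Intruder's results table shows."""
    rows = []
    for idx, payload, req in sniper(template, payloads):
        status, body = send(req)
        rows.append({"position": idx, "payload": payload,
                     "status": status, "length": len(body)})
    return rows


def anomalies(rows: list) -> list:
    """'Sort by Length', automated: the most frequent (status, length) pair is
    the failure baseline; every row that deviates from it deserves a look."""
    baseline, _ = Counter((r["status"], r["length"]) for r in rows).most_common(1)[0]
    return [r for r in rows if (r["status"], r["length"]) != baseline]


PAYLOADS = ["password", "admin", "123456", "letmein", "dragon", "master", "admin123"]

if __name__ == "__main__":
    rows = attack(TEMPLATE, PAYLOADS, fake_dvwa)
    for r in sorted(rows, key=lambda r: r["length"]):
        print(f'pos={r["position"]} {r["payload"]:<10} {r["status"]} {r["length"]}')
    print("anomalies:", [(r["position"], r["payload"]) for r in anomalies(rows)])
```

With two positions and seven payloads Sniper sends fourteen requests; only the one that puts "password" into the password position leaves the baseline, which is the row you would read in the results table. Intruder's other attack types (Battering ram, Pitchfork, Cluster bomb) differ only in how they combine payloads across positions, and the anomaly logic is identical for all of them. Against DVWA's login.php, where both outcomes are a 302 of the same length, you would key the baseline on the Location header instead.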


🧠 QUICK CHECK — Day 12

You intercept a login request in Burp Proxy that contains: username=admin&password=test&role=user. You suspect changing role=user to role=admin might grant elevated access. Which Burp tool is the most efficient way to test this?



📋 Commands Used Today — Day 12 Reference Card

burpsuite &                              Launch Burp Suite in background from terminal
JAVA_TOOL_OPTIONS=-Xmx2g burpsuite &     Launch with a 2 GB heap; fixes slowness on low-RAM systems (the Kali wrapper does not pass -Xmx through as a flag)
http://burp                              URL to download Burp CA certificate (browser must be proxied)
Proxy > Intercept > ON/OFF               Toggle real-time request interception
Right-click > Send to Repeater           Send any intercepted request to Repeater for manual testing
Right-click > Send to Intruder           Send request to Intruder for automated fuzzing
Target > Scope > Add                     Define which hosts Burp should log and test
§parameter§                              Intruder payload position markers; wrap the value to fuzz
Ctrl+U / Ctrl+Shift+U                    URL-encode / decode the selected text in the request editor

🏆 Mark Day 12 as Complete

You have just configured the most important tool in web application security testing. Every web vulnerability you learn from here — SQL injection, XSS, IDOR, command injection — gets tested through Burp Suite.


❓ Frequently Asked Questions

Is Burp Suite free on Kali Linux?
Yes. Burp Suite Community Edition is completely free and comes pre-installed on Kali Linux. It covers all the core features you need to learn web application testing — proxy interception, repeater, intruder (throttled), decoder, and comparer. The Pro version adds unlimited intruder speed, active scanning, and collaboration features but is not required for learning.
Why can’t Burp Suite intercept HTTPS traffic without the CA certificate?
Burp Suite acts as a man-in-the-middle proxy: it terminates the browser's TLS connection with a certificate it generates on the fly for each host and signs with its own CA, inspects the plaintext, then opens a separate TLS connection to the real server. Until that CA is imported, Firefox sees a certificate from an unknown issuer and blocks the page with a certificate error. Importing it tells Firefox to trust the certificates Burp signs, for that browser profile only; it does not weaken trust for the rest of the system.
What is the difference between Burp Proxy and Burp Repeater?
Burp Proxy passively intercepts every request your browser sends, letting you inspect or modify traffic in real time. Burp Repeater is a manual tool — you send a specific saved request there and can modify it as many times as you like, resending it to test different payloads without touching your browser. Repeater is the tool you will use most when testing parameters for injection vulnerabilities.
Can I use Burp Suite to test real websites?
Only with explicit written permission from the website owner, a valid bug bounty program scope, or your own test environment. Testing any website without authorisation is illegal under the Computer Fraud and Abuse Act (US) and equivalent laws worldwide. Always use Burp Suite against DVWA, PortSwigger Web Academy, HackTheBox, or TryHackMe for practice.
What is FoxyProxy and why do I need it for Burp Suite?
FoxyProxy is a Firefox extension that lets you switch between proxy configurations with a single click. Without it, you have to manually edit Firefox network settings every time you want to enable or disable Burp interception. With FoxyProxy you create a profile pointing to 127.0.0.1:8080 and toggle it on or off instantly — a small workflow improvement that saves significant time during active testing.
What comes after Burp Suite in this Kali Linux course?
Day 13 covers Maltego — the OSINT link-analysis tool used to map relationships between domains, emails, IP addresses, and people. After the foundational web testing skills from Burp Suite, Maltego teaches you intelligence gathering at scale, which is a critical phase before any real engagement.


📚 Further Reading

  • Burp Suite Cheat Sheet — Every keyboard shortcut, payload position syntax, and Repeater tip consolidated into one reference card for daily use.
  • How to Use Burp Suite for Beginners — A deeper walkthrough of Burp Suite’s decoder, comparer, and logger tools not covered in this Day 12 guide.
  • 180-Day Kali Linux Mastery Course — The full course hub with every day indexed, progress tracking, and the complete tool sequence from Nmap to exploit development.
  • PortSwigger Web Security Academy — The official free training platform from Burp Suite’s creators, with 200+ hands-on labs covering every web vulnerability class tested with Burp.
  • OWASP Web Security Testing Guide — The industry-standard methodology reference for manual web application penetration testing used by professionals worldwide.

Mr Elite
Owner, SecurityElites.com
The first time I used Burp Suite on a real engagement, I almost missed a critical vulnerability because I had Intercept turned on the entire session — every request froze my browser and I was manually forwarding hundreds of them, exhausted, nearly ready to stop. I switched intercept off, let Burp log passively, and came back to HTTP History an hour later. In the noise I found a single POST request passing an unencrypted session token in a cookie parameter. The client had no idea. That one overlooked parameter led to a full account takeover across 40,000 user accounts. The lesson I carry into every engagement since: browse first with intercept off, test later in Repeater. The tool does not find vulnerabilities — patience and methodology do.
