Industry-leading web application security testing platform with intercepting proxy, automated scanning, and manual testing tools.
# Burp Suite
Burp Suite is the de facto standard platform for web application security testing, developed and maintained by PortSwigger Web Security. It exists because HTTP-based applications present an enormous and nuanced attack surface that passive monitoring tools and network scanners cannot adequately assess. The fundamental problem Burp Suite solves is visibility: browsers hide the full complexity of HTTP transactions from end users, and defenders cannot protect what they cannot see. By positioning itself as an intercepting proxy between a browser and a target application, Burp Suite makes every request, response, cookie, header, and parameter observable and modifiable. This transforms the opaque process of web browsing into a structured, repeatable discipline where testers can identify, confirm, and document vulnerabilities with precision.
---
Burp Suite is a multi-module web application security testing platform that operates primarily as an intercepting HTTP/HTTPS proxy. Its core function is to sit between a tester's browser and a target web application, capturing all traffic and allowing the tester to inspect, modify, replay, and automate interactions with that application. It is available in three editions: Community (free, with core proxy and manual testing tools), Professional (commercial, adding the automated scanner, Intruder without rate limiting, and Collaborator infrastructure), and Enterprise (designed for continuous, scheduled scanning at organizational scale).
Burp Suite is not a network vulnerability scanner. Tools such as Nessus or OpenVAS assess network services, operating system configurations, and host-level exposure. Burp Suite is specifically designed for the application layer, operating at the HTTP/HTTPS/WebSocket protocol level. It is also not a web application firewall or a runtime protection tool. It has no defensive function during production operation; it is an offensive and assessment tool used during security testing engagements.
Burp Suite should not be confused with automated-only scanners such as OWASP ZAP in fully automated mode or commercial DAST platforms used solely by developers. While Burp does include an automated scanner, the platform's greatest strength is the combination of automated discovery with deep manual analysis. The tool supports extensions written in Java, Python (via Jython), and Ruby (via JRuby), which allows practitioners to build custom modules for unique testing requirements.
Adjacent concepts include DAST (Dynamic Application Security Testing), which is the broader category of testing running applications to find vulnerabilities, and SAST (Static Application Security Testing), which analyzes source code without execution. Burp Suite is a DAST tool, though it can be augmented with extensions that incorporate elements of code analysis or protocol-specific logic.
---
Burp Suite operates through a set of tightly integrated modules, each addressing a different phase or technique in web application security assessment. Understanding the full workflow requires tracing how a tester moves through these modules during an engagement.
## Proxy and Traffic Interception
The first step in any Burp Suite engagement is configuring the browser to route traffic through Burp's local proxy listener, which defaults to 127.0.0.1:8080. The tester installs Burp's Certificate Authority certificate into the browser's trust store so that Burp can perform TLS termination and re-encryption without triggering certificate warnings. Once configured, every HTTP and HTTPS request the browser sends passes through Burp. The tester can pause traffic in intercept mode to inspect and modify individual requests before forwarding them to the server, or allow traffic to flow passively while Burp logs every transaction in the HTTP history.
## Site Map and Crawling
As traffic passes through the proxy, Burp automatically builds a site map showing discovered hosts, directories, endpoints, and parameters. The passive crawler infers structure from observed traffic. In Professional and Enterprise editions, an active crawler can authenticate with the application and systematically enumerate content by following links, submitting forms, and parsing JavaScript to extract API endpoints. This automated discovery phase creates the inventory of attack surface that subsequent modules will test.
## Scanner
The Burp Scanner module, available in Professional and Enterprise editions, performs automated vulnerability detection against discovered endpoints. It tests for injection vulnerabilities including SQL injection, server-side template injection, and command injection; client-side vulnerabilities including cross-site scripting (both reflected and stored); and server-side issues such as SSRF, XXE, insecure deserialization, and path traversal. The scanner uses a combination of active probing (sending payloads and observing responses) and passive analysis (examining responses for information disclosure and security header absence).
A concrete example: during a professional penetration test of an e-commerce platform, the scanner identifies a product search endpoint that reflects unsanitized user input in error messages. The scanner's XSS detection module sends a probe payload in the search parameter, observes the unescaped reflection in the response, and flags the finding with evidence. The tester then opens the finding in Repeater to confirm exploitability and refine the payload for the report.
## Intruder
The Intruder module automates payload-based attacks by marking one or more positions in a captured request and iterating through a list of payloads. This supports several attack types: Sniper (single payload set, single position), Battering Ram (same payload in all positions simultaneously), Pitchfork (parallel payload sets in multiple positions), and Cluster Bomb (all combinations of multiple payload sets). Intruder is commonly used for credential brute-force attacks, parameter fuzzing, and testing enumeration vulnerabilities. A practical example is marking the username and password fields of a login request and running a Cluster Bomb attack with common credential lists to test for weak account credentials.
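The four Intruder attack types differ only in how payload sets are combined across the marked positions. The following added example (not PortSwigger's code, and not part of this article's original text) reproduces that combination logic in plain Python, using Burp's `§` marker convention to denote positions in a request template. It is useful on the defensive side for sizing an attack before it runs: the number of requests each mode generates against a login form is exactly the volume that rate limiting and account lockout thresholds need to be tuned against. The template string and payload lists are constructed sample input.

```python
import re
from itertools import product

# Burp marks a payload position by wrapping the original value in § markers.
MARKER = re.compile(r"§([^§]*)§")


def parse_positions(template):
    """Return the original value at each §-marked position, in order."""
    return MARKER.findall(template)


def render(template, values):
    """Substitute one value per marked position, left to right."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def sniper(template, payloads):
    """Sniper: one payload set; each position is attacked in turn while the
    others keep their original value. Requests = positions x payloads."""
    originals = parse_positions(template)
    out = []
    for i in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[i] = payload
            out.append(render(template, values))
    return out


def battering_ram(template, payloads):
    """Battering Ram: the same payload is placed in every position at once.
    Requests = payloads."""
    n = len(parse_positions(template))
    return [render(template, [payload] * n) for payload in payloads]


def pitchfork(template, payload_sets):
    """Pitchfork: one payload set per position, advanced in lockstep
    (first payload of each set together, then the second, ...). The attack
    stops when the shortest set is exhausted, as Burp's does."""
    return [render(template, combo) for combo in zip(*payload_sets)]


def cluster_bomb(template, payload_sets):
    """Cluster Bomb: every combination of the payload sets. Burp varies the
    first position fastest, whereas itertools.product varies the last
    fastest, so the sets and each combination are reversed to match."""
    out = []
    for combo in product(*reversed(payload_sets)):
        out.append(render(template, list(reversed(combo))))
    return out


if __name__ == "__main__":
    # Constructed login request body with two marked positions.
    template = "username=§admin§&password=§secret§"
    users = ["alice", "bob"]
    passwords = ["Winter2024!", "Password1", "letmein"]
    for name, reqs in [
        ("sniper", sniper(template, passwords)),
        ("battering ram", battering_ram(template, passwords)),
        ("pitchfork", pitchfork(template, [users, passwords])),
        ("cluster bomb", cluster_bomb(template, [users, passwords])),
    ]:
        print("%-14s %d requests, first: %s" % (name, len(reqs), reqs[0]))
```

For a credential test like the one described above, Cluster Bomb is the mode that matters for defenders: two positions with lists of sizes m and n produce m×n requests, so even modest lists exceed any sane per-account attempt budget, which is exactly what a lockout or rate-limit policy should make visible in the Intruder results column.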
## Repeater
Repeater allows a tester to manually modify and resend individual HTTP requests an arbitrary number of times, observing the response to each variation. This is the primary tool for confirming scanner findings, refining payloads, and testing business logic. For instance, after the scanner flags a potential IDOR (Insecure Direct Object Reference) vulnerability, the tester uses Repeater to systematically change an account ID parameter across multiple requests, confirming whether the application enforces authorization controls or allows access to other users' data.
## Collaborator
Burp Collaborator is an out-of-band infrastructure service hosted by PortSwigger (or deployable privately) that provides unique subdomains. When payloads containing these subdomains are injected into application inputs, any DNS lookups or HTTP requests the application makes to those subdomains are logged by Collaborator and reported back to Burp. This is essential for detecting blind vulnerabilities: a blind SSRF vulnerability may never return useful data in the HTTP response, but Collaborator will capture the DNS callback confirming the server attempted to contact the injected address.
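The value of Collaborator is the correlation step: each injected payload carries a unique subdomain, so an interaction seen by the Collaborator server can be tied back to the exact request and parameter that caused it. The added example below (not PortSwigger's code and not part of this article) implements that bookkeeping for an engagement's own records. The interaction log lines are constructed for the example and use a placeholder domain, `collab.example`; they are not the format of Burp's Collaborator tab, which presents the same fields (time, type, subdomain, source address) as table columns.

```python
import re

# Placeholder for the Collaborator server's domain (assumption for this example).
COLLAB_DOMAIN = "collab.example"

# Constructed log format: "<timestamp> <DNS|HTTP> <token>.<domain> from <source-ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>DNS|HTTP)\s+(?P<token>[a-z0-9]+)\.(?P<domain>[a-z0-9.-]+)"
    r"\s+from\s+(?P<src>\S+)$"
)


def payload_for(token):
    """Build the URL a tester injects for a given unique token."""
    return "http://%s.%s/" % (token, COLLAB_DOMAIN)


def parse_interactions(lines):
    """Parse log lines, keeping only interactions for our Collaborator domain."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("domain") == COLLAB_DOMAIN:
            out.append(m.groupdict())
    return out


def correlate(lines, injections):
    """Map every injection point to the DNS/HTTP interactions its token produced.

    injections: {token: (request, parameter)} recorded when the payload was sent.
    Tokens not in the map (stale payloads, scanner noise) are ignored.
    """
    hits = {point: {"dns": 0, "http": 0, "sources": set()} for point in injections.values()}
    for it in parse_interactions(lines):
        point = injections.get(it["token"])
        if point is None:
            continue
        hits[point][it["proto"].lower()] += 1
        hits[point]["sources"].add(it["src"])
    return hits


def verdict(hit):
    """Interpret one injection point's interactions.

    An HTTP callback proves the server fetched the injected URL. A DNS-only
    callback proves the payload reached a component that resolves names but
    suggests outbound HTTP was blocked or the fetch never completed."""
    if hit["http"]:
        return "confirmed: server fetched the injected URL"
    if hit["dns"]:
        return "dns-only: name resolved but no HTTP egress observed"
    return "no interaction"


if __name__ == "__main__":
    # Constructed engagement records: token -> (request, parameter) it was injected into.
    injections = {
        "k3f9x2ab": ("POST /api/import", "url"),
        "q8m1z0cd": ("GET /api/preview", "src"),
    }
    # Constructed interaction log. Source addresses are documentation ranges.
    log = [
        "2024-05-01T10:02:11Z DNS k3f9x2ab.collab.example from 203.0.113.7",
        "2024-05-01T10:02:12Z HTTP k3f9x2ab.collab.example from 203.0.113.7",
        "2024-05-01T10:05:40Z DNS zzzzzzzz.collab.example from 198.51.100.9",
        "2024-05-01T10:06:02Z DNS q8m1z0cd.other.example from 203.0.113.7",
    ]
    for point, hit in correlate(log, injections).items():
        print("%s [%s] -> %s (sources: %s)" % (point[0], point[1], verdict(hit), sorted(hit["sources"])))
```

The source address of the callback is itself evidence: when it is not the application host's address, the fetch was made by some other component (a resolver, a proxy, an image-processing worker), which changes both the finding's description and its remediation.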
## Extensions and BApp Store
The Burp Extender API allows community and vendor contributors to publish extensions through the BApp Store. Notable extensions include Active Scan++ (expanded active scan checks), Autorize (automated authorization testing), and Logger++ (advanced logging). Custom extensions can be written to address application-specific protocols, authentication schemes, or business logic patterns that standard Burp modules do not cover.
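As an added example of what a small custom extension looks like (this is not an extension from the BApp Store and not part of the article), the following Jython code uses Burp's legacy Extender API to register an HTTP listener and perform the kind of passive check the Scanner section above describes: flagging responses that lack common security headers. The `burp` package only exists inside Burp, so the import is guarded; that lets the check function be exercised outside Burp, which is also how one unit-tests extension logic. The header list is an assumption chosen for the example, and the extension name is invented.

```python
# Burp legacy Extender API (Jython, so Python 2 compatible syntax throughout).
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Running outside Burp (e.g. under a unit test): provide empty stand-ins so
    # the class definition below still works and the pure check can be tested.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Headers this example expects on every response (an assumption for the example;
# a real check would be tuned to the application's content types and policy).
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)


def missing_security_headers(header_lines, https=True):
    """Return expected headers absent from a response.

    header_lines is the list IResponseInfo.getHeaders() returns: the status
    line first, then one "Name: value" string per header. HSTS is only
    meaningful over HTTPS, so it is not expected on plain-HTTP responses.
    """
    present = set()
    for line in header_lines[1:]:
        name, sep, _ = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    expected = [h for h in EXPECTED_HEADERS if https or h != "strict-transport-security"]
    return [h for h in expected if h not in present]


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        # Called once by Burp when the extension is loaded.
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Invoked for every request and response passing through any Burp tool.
        if messageIsRequest:
            return
        response = messageInfo.getResponse()
        if response is None:
            return
        url = self._helpers.analyzeRequest(messageInfo).getUrl()
        headers = list(self._helpers.analyzeResponse(response).getHeaders())
        missing = missing_security_headers(headers, https=(url.getProtocol() == "https"))
        if missing:
            # Output appears on the extension's Output tab in Extender.
            self._callbacks.printOutput(
                "[%s] %s missing: %s"
                % (self._callbacks.getToolName(toolFlag), url, ", ".join(missing))
            )
```

A production version would de-duplicate by host so the Output tab is not flooded, and would report through `callbacks.addScanIssue` so the finding lands in the Scanner's issue list alongside the built-in checks rather than in a log.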
---
Web applications represent the largest and most accessible attack surface in most organizations' environments. They are publicly reachable, they connect to backend databases and internal services, and they process authentication credentials, financial data, and personal information. Vulnerabilities in web applications are among the most consistently exploited categories in real-world attacks. OWASP's Top 10 list, updated regularly, reflects the persistent recurrence of injection flaws, broken access control, and misconfigured security settings as leading causes of compromise.
Without systematic tooling like Burp Suite, vulnerability assessment of web applications relies on manual browsing, which is slow, inconsistent, and prone to missed coverage. Automated scanners without manual confirmation produce high false-positive rates and miss business logic vulnerabilities entirely, because business logic flaws require understanding the application's intended behavior. Burp Suite addresses both problems: automated discovery creates broad coverage, and manual analysis through Proxy, Repeater, and Intruder confirms findings and uncovers context-dependent flaws.
The consequences of inadequate web application testing are well documented. The 2017 Equifax breach, which exposed personal and financial information for approximately 147 million individuals, originated from an unpatched Apache Struts vulnerability in a public-facing web application. The vulnerability was known; the application had not been tested or patched. A structured testing program using a platform like Burp Suite, integrated into the software development lifecycle, would have identified the vulnerability class during development or before exploitation.
A common misconception is that Burp Suite's automated scanner provides comprehensive coverage on its own and does not require skilled manual follow-up. This is incorrect. The scanner identifies a category of vulnerabilities efficiently, but it cannot evaluate whether an application correctly enforces business rules, whether privilege escalation is possible through workflow manipulation, or whether multi-step transactions can be subverted. These require a trained tester using the manual modules. A second misconception is that Burp Suite is only relevant during penetration tests. The Enterprise edition supports continuous scanning integrated into CI/CD pipelines, meaning organizations can detect regressions as code changes are deployed, not only during periodic assessments.
---
CDA approaches web application security through the Planetary Defense Model, with Burp Suite functioning as a primary instrument within the Vulnerability Surface Discovery (VSD) domain. The governing methodology is Continuous Surface Reduction (CSR): "Every surface you expose is a surface we eliminate." In practice, this means CDA does not treat web application assessment as a point-in-time exercise performed before a go-live date. Instead, web application exposure is treated as a continuously changing condition that must be continuously assessed.
CDA engagements that include web applications begin with authenticated Burp Suite proxy sessions against all application environments, including development, staging, and production where authorized. The site map built during passive and active crawling is treated as a live inventory of exposed surface. Every endpoint identified is evaluated for necessity: endpoints that exist but are not required by the application's business function are flagged for elimination before vulnerability testing continues. This is the CSR principle applied directly: reducing the surface precedes hardening the surface.
During active testing, CDA practitioners use Burp Collaborator extensively for out-of-band detection, particularly in environments where security controls at the network perimeter might suppress inline vulnerability indicators. Blind SSRF and blind injection vulnerabilities are a consistent finding in enterprise applications because they produce no visible error output and are invisible to surface-level scanning. Collaborator-based detection closes this gap.
CDA also mandates the use of Burp's Autorize extension during every authenticated testing engagement. Broken access control is consistently the top OWASP finding and is frequently underreported because testers do not systematically test all endpoints with multiple privilege levels. Autorize automates the retesting of every observed request with a lower-privilege session token, flagging any endpoint that returns the same data regardless of authorization context.
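The logic Autorize applies, and the Repeater-driven IDOR check described earlier in the Repeater section, reduce to the same experiment: replay a request under a different identity and compare what comes back. The added example below (not Autorize's code, not CDA's, and not part of the article) implements both against a constructed in-memory application in which one endpoint enforces ownership and one does not, so the output shows what an enforced and a bypassed result each look like. The verdict labels are the example's own; Autorize's column uses its own wording. Session tokens, paths and data are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    session: str  # session cookie value identifying the caller


# Constructed mock application. Sessions map to users; each resource has an owner.
MOCK_SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
MOCK_ACCOUNTS = {"1001": {"owner": "alice", "balance": 2500}, "1002": {"owner": "bob", "balance": 40}}
MOCK_ORDERS = {"5001": {"owner": "alice", "items": 3}}


def mock_app(req):
    """Stand-in for the target; returns (status, body) like an HTTP response would."""
    user = MOCK_SESSIONS.get(req.session)
    if user is None:
        return 401, "unauthenticated"
    parts = req.path.strip("/").split("/")
    if parts[:2] == ["api", "accounts"] and len(parts) == 3:
        acct = MOCK_ACCOUNTS.get(parts[2])
        if acct is None:
            return 404, "not found"
        if acct["owner"] != user:  # ownership enforced
            return 403, "forbidden"
        return 200, "balance=%d" % acct["balance"]
    if parts[:2] == ["api", "orders"] and len(parts) == 3:
        order = MOCK_ORDERS.get(parts[2])
        if order is None:
            return 404, "not found"
        # Deliberately missing ownership check: this is the IDOR the test should surface.
        return 200, "items=%d" % order["items"]
    return 404, "not found"


def authz_retest(observed, low_session, send):
    """Autorize-style check: replay each request captured from a privileged
    session with a lower-privilege session and compare the responses.

    BYPASSED: low-privilege replay returned 200 with the identical response.
    ENFORCED: low-privilege replay was rejected with 401/403.
    REVIEW:   anything else (e.g. 200 with a different body), which needs a
              human to decide whether it is partial enforcement or a leak.
    """
    findings = []
    for req in observed:
        original = send(req)
        retest = send(Request(req.method, req.path, low_session))
        if retest[0] == 200 and retest == original:
            verdict = "BYPASSED"
        elif retest[0] in (401, 403):
            verdict = "ENFORCED"
        else:
            verdict = "REVIEW"
        findings.append((req.method, req.path, verdict))
    return findings


def idor_sweep(session, path_template, ids, send):
    """Repeater-style IDOR probe: hold one session fixed, vary the object id,
    and report which ids the application served. With ownership enforced the
    list contains only the caller's own objects."""
    served = []
    for obj_id in ids:
        status, _ = send(Request("GET", path_template.format(id=obj_id), session))
        if status == 200:
            served.append(obj_id)
    return served


if __name__ == "__main__":
    # Requests captured while browsing as alice (the higher-privilege session).
    observed = [
        Request("GET", "/api/accounts/1001", "sess-alice"),
        Request("GET", "/api/orders/5001", "sess-alice"),
    ]
    for method, path, verdict in authz_retest(observed, "sess-bob", mock_app):
        print("%-9s %s %s" % (verdict, method, path))
    print("bob can read accounts:", idor_sweep("sess-bob", "/api/accounts/{id}", ["1001", "1002", "1003"], mock_app))
```

Comparing whole responses, as above, is the strict rule; Autorize additionally lets the tester define enforcement detectors (a string or regex that marks a "denied" page) because many applications return 200 with a generic error body instead of a 403, which would otherwise land in the REVIEW bucket on every request.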
Findings from Burp Suite engagements are integrated directly into CDA's client reporting framework, with each vulnerability mapped to its corresponding MITRE ATT&CK technique, CVSS score, and remediation priority. The goal is not a list of findings but a measurable reduction in exposed surface confirmed by retest.
---
Written by CDA Editorial