#Ethical Hacking #Burp Suite #web application security #proxy

Burp Suite Community Edition Tutorial: Intercepting Web Traffic

Master Burp Suite for web hacking: proxy setup, request interception, response modification, and manual web application testing.


Burp Suite is the industry-standard web application security testing tool. It sits between your browser and web servers, allowing you to inspect, modify, and replay HTTP requests. For security professionals, Burp Suite is essential for finding and exploiting web vulnerabilities.

The Community Edition is free and sufficient for learning. This guide covers setup, proxy configuration, interception, and practical testing techniques.

What Is Burp Suite?

Burp Suite is a proxy and testing platform that enables you to:

  • Intercept requests: Modify HTTP requests before they reach the server
  • Intercept responses: Modify server responses before the browser renders them
  • Replay requests: Resend modified requests to test behavior
  • Crawl applications: Map site structure and discover endpoints
  • Scan for vulnerabilities: Automated testing (Pro feature, only partly available in Community)
  • Intruder attacks: Brute force parameters and discover injection points

Installation

Download:

Visit https://portswigger.net/burp/community-edition

Select your OS (Windows, macOS, Linux).

Linux installation:

chmod +x burpsuite_community_v2024.x_linux_x64.sh
./burpsuite_community_v2024.x_linux_x64.sh

Follow the installer.

macOS:

Download the DMG, drag Burp Suite to Applications.

Windows:

Download the EXE installer, run it.

Launch Burp Suite:

/usr/bin/burpsuite

Or find it in your applications menu.

Initial Setup

First launch:

Burp asks about temporary/persistent projects. For learning:

  • Select Temporary project (simplest, no saving required)
  • Click Start Burp

You’ll see the main window with four tabs:

  1. Proxy: Intercept and modify traffic
  2. Target: Site mapping and scope
  3. Tools: Scanner, Intruder, Repeater, etc.
  4. Extender: Community extensions

Configuring the Proxy

Step 1: Start Burp Proxy

  1. Go to Proxy tab
  2. Click Proxy settings (gear icon)
  3. Ensure Listen on all interfaces is checked
  4. Default port: 8080

This makes Burp listen for browser traffic on port 8080. Listening on all interfaces exposes the proxy to every host on your network, so when the browser runs on the same machine the default 127.0.0.1 binding is enough and safer.

Step 2: Configure Browser Proxy

Firefox (easiest to configure per-browser):

  1. Settings → Network Settings
  2. Scroll to Proxy
  3. Select Manual proxy configuration
  4. HTTP Proxy: 127.0.0.1
  5. Port: 8080
  6. Check Use this proxy for all protocols
  7. Click OK

Chrome/Chromium:

google-chrome --proxy-server="127.0.0.1:8080"

Or use the system proxy settings (same values as for Firefox above, but applied system-wide). Note that Chrome ignores the flag if another Chrome instance is already running, so close it first.

Step 3: Accept CA Certificate

First request through Burp:

  1. Navigate to any HTTPS website in your configured browser
  2. Browser shows certificate warning (Burp MITM certificate)
  3. Accept the warning

Install Burp’s CA certificate permanently (to avoid warnings; sites that use HSTS will not let you click through the warning at all):

  1. Navigate to http://burp in browser
  2. Click CA Certificate button
  3. Download cacert.der or cacert.pem
  4. Install as trusted certificate (varies by browser/OS)

Firefox import:

  1. Settings → Privacy & Security → Certificates → View Certificates
  2. Authorities tab → Import
  3. Select the Burp CA certificate
  4. Check Trust this CA to identify websites
  5. Click OK

Now HTTPS sites work without warnings.

Intercepting Requests

Basic Interception

Enable interception:

  1. Proxy → Intercept tab
  2. Click the toggle so it reads Intercept is on
  3. Open Firefox and browse normally

Every request gets intercepted before reaching the server.

Example intercepted request:

GET /login.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: PHPSESSID=abcd1234efgh5678

[empty body for GET request]

Modify the request:

Click into the request and edit directly. Common modifications:

# Change login parameters
POST /login.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

username=admin&password=any_password_here&login=1

Send the modified request:

Click Forward to send it to the server.

Intercepting Responses

Enable response interception in the proxy settings (Intercept responses based on the following rules):

The server’s response appears before the browser displays it.

Example response modification:

Original response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 4523

<html>
<body>
<h1>Access Denied</h1>
<p>You do not have permission to view this page.</p>
</body>
</html>

Modify to:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 4523

<html>
<body>
<h1>Access Granted</h1>
<p>Welcome, admin!</p>
</body>
</html>

Click Forward. The browser displays the modified response. (The message editor updates Content-Length for you when the body changes, so you do not need to recompute it.)

This demonstrates:

  • Client-side validation provides no security: the attacker controls the browser
  • The server must enforce every check; the browser cannot be trusted to
  • Trusting any client-supplied value is always a mistake

The Repeater Tool

For testing requests without interception, use Repeater:

  1. Intercept any request (or pick one from Proxy → HTTP history)
  2. Right-click → Send to Repeater
  3. Go to Tools → Repeater tab

The request appears in Repeater where you can:

  • Modify parameters without browser navigation
  • Resend instantly after changes
  • Compare responses to different payloads
  • Test authentication with different tokens

Practical example - Testing for SQL injection:

Original request:
GET /search.php?q=products HTTP/1.1

Repeat 1 (normal query):
GET /search.php?q=products HTTP/1.1
[Response: 5 products found]

Repeat 2 (with injection; the payload is URL-encoded because a raw space would break the request line):
GET /search.php?q=products'%20OR%20'1'%3D'1 HTTP/1.1
[Response: 50 products found - the tautology returned every row (a database error would be another tell-tale), which suggests SQLi]

The Intruder Tool (Community Limitations)

Intruder automates parameter fuzzing and brute-forcing. Community Edition is rate-limited but functional.

Basic workflow:

  1. Intercept a request
  2. Right-click → Send to Intruder
  3. Go to Tools → Intruder
  4. Click Positions tab
  5. Select target parameter (click to highlight)
  6. Click Add (marks this as a variable)
  7. Select Payload type: Simple list
  8. Enter payloads (one per line)
  9. Click Start attack

Example - Brute force login:

Positions:
POST /login.php HTTP/1.1
...
username=admin&password=§password§&login=1
                        ^ marked variable

Payloads:
password123
admin123
letmein
sunshine
password1
qwerty
123456

Intruder sends 7 requests, each with a different password. Sort the results by status code or response length: the successful attempt normally stands out (for example a 302 redirect where the failures return 200 with the login form again).
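The same 7-request burst is easy to spot from the server side. As an added example (not from the tutorial), this script flags addresses that hammer /login.php with POSTs inside a short window; the access log lines, threshold and window are constructed for illustration.

```python
# Added example (not from the tutorial): flag a login brute-force burst in a
# web server access log. Log lines and thresholds are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed "combined"-style access log: six rapid POSTs to /login.php from
# one address (what an Intruder run like the one above would leave behind).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:02:01 +0000] "POST /login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:14:02:01 +0000] "POST /login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:14:02:02 +0000] "POST /login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:14:02:02 +0000] "POST /login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:14:02:03 +0000] "POST /login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:14:02:04 +0000] "POST /login.php HTTP/1.1" 302 120
198.51.100.7 - - [10/Mar/2024:14:02:05 +0000] "POST /login.php HTTP/1.1" 302 120
198.51.100.7 - - [10/Mar/2024:14:05:40 +0000] "GET /home.php HTTP/1.1" 200 8945
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(log_text, path="/login.php", threshold=5, window_s=60):
    """Return {ip: peak count} for IPs with more than `threshold` POSTs to `path`
    inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, _status = parsed
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```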

Proxy History

All requests (even without interception) appear in Proxy → HTTP history:

#  Method  URL                           Status  Length  MIME type
1  GET     http://example.com/           200     5234    HTML
2  GET     http://example.com/css/...    304     0       CSS
3  GET     http://example.com/api/user   200     1230    JSON
4  POST    http://example.com/login      302     120     HTML
5  GET     http://example.com/home       200     8945    HTML

Right-click any request:

  • Send to Repeater: Edit and resend
  • Send to Intruder: Fuzz parameters
  • Show request in browser: View in browser
  • Copy as cURL: Generate command-line equivalent

Site Mapping

Target → Site map shows the application structure.

With interception disabled but Burp listening:

example.com
├── /
├── /login.php
├── /home.php
├── /api/
│   ├── /api/users
│   ├── /api/posts
│   └── /api/comments
├── /admin/
│   ├── /admin/dashboard
│   └── /admin/users
└── /logout.php

Click endpoints to see requests/responses.

Scope setting:

Define target scope to avoid logging unrelated requests:

  1. Target → Scope
  2. Click Add and enter the domain: example.com
  3. Enable Use advanced scope control
  4. Burp now logs only in-scope requests (accept the prompt to stop recording out-of-scope items)

Practical Testing Workflow

Testing a login form:

  1. Configure browser proxy (Firefox)
  2. Enable Burp interception
  3. Navigate to login form
  4. Fill in credentials: username=admin, password=test123
  5. Submit (request intercepts)
  6. Observe request:
    POST /login.php
    username=admin&password=test123
  7. Modify parameter: change admin to admin' OR '1'='1
  8. Forward
  9. Observe the response: a login without a valid password, or a database error, indicates SQL injection
  10. Send request to Repeater
  11. Test different payloads (UNION, SLEEP, etc.)
  12. Document findings

Testing hidden parameters:

  1. Right-click page → Inspect Element
  2. Look for hidden form fields: <input type="hidden" name="csrf_token" value="abc123">
  3. Intercept next request
  4. Verify the token is included
  5. Modify token, forward
  6. Observe whether the server rejects the invalid token or accepts the request anyway
  7. If an invalid token is accepted, the token is not being validated and the form is open to CSRF

Common Testing Scenarios

Authentication Bypass

Original request:
POST /login.php
username=admin&password=wrongpassword

Intercept, modify:
POST /login.php
username=admin' --&password=&login=1

Parameter Tampering

Original:
GET /profile.php?user_id=123

Modified:
GET /profile.php?user_id=999

Can you see another user’s profile? If so, this is Broken Access Control: the server authorizes by the client-supplied user_id instead of the logged-in session.

Response Manipulation

Modify the response to bypass client-side checks:

Original response (the client-side check blocks submission):
<input type="hidden" name="price" value="100">
<script>
  function validate() {
    var price = Number(document.querySelector('input[name="price"]').value);
    if (price < 50) { alert("Price too low!"); return false; }
    return true;
  }
</script>

Intercept and modify (lower the hidden price and neutralise the check):
<input type="hidden" name="price" value="1">
<script>
  function validate() { return true; }
</script>

The browser now submits price=1, and a server that trusts the hidden field sells the item for $1 instead of $100. The fix belongs on the server: look the price up from the catalogue and never read it from the form.
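A checkout handler written the way the hidden-parameter test and the price example demand, as an added example that is not part of the tutorial: the CSRF token is compared against the session in constant time, and the price comes from a server-side catalogue, so editing either hidden field changes nothing. The catalogue, session layout and form field names are constructed assumptions.

```python
# Added example (not from the tutorial): the vulnerable handler beside the
# hardened one. CATALOGUE, the session dict and the form keys are assumptions.
import hmac
import secrets

CATALOGUE = {"sku-100": 100}          # server-side source of truth for prices

def new_session():
    """Create a logged-in session carrying a random per-session CSRF token."""
    return {"user": "alice", "csrf_token": secrets.token_hex(16), "orders": []}

def checkout_trusting_client(session, form):
    """Mirrors the page's vulnerable app: the hidden 'price' field is believed."""
    order = {"sku": form["sku"], "price": int(form["price"])}
    session["orders"].append(order)
    return order

def checkout_hardened(session, form):
    """Rejects a missing or forged token, then ignores any client-supplied price."""
    sent = form.get("csrf_token", "")
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return {"error": "invalid CSRF token"}
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"error": "unknown product"}
    order = {"sku": sku, "price": CATALOGUE[sku]}   # form["price"] is never read
    session["orders"].append(order)
    return order
```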

Intercept request, modify session cookie:

GET /admin.php HTTP/1.1
Cookie: PHPSESSID=user_session_123

Intercept, change to admin session:
GET /admin.php HTTP/1.1
Cookie: PHPSESSID=admin_session_456

If the admin panel opens, this indicates a session hijacking/fixation weakness: session identifiers are predictable or guessable, and the server does not tie the session to a verified login.

Best Practices

  1. Document everything: Note every finding with request/response
  2. Use Repeater: Don’t just intercept, test systematically
  3. Enable scope: Don’t log traffic outside your test target
  4. Check cookies: Look for weak, unencrypted, or predictable session tokens
  5. Test all methods: GET, POST, PUT, DELETE, PATCH
  6. Understand flows: Follow authentication, session management, state changes
  7. Test error handling: How does app handle invalid input?

Conclusion

Burp Suite transforms web application security testing from guesswork to systematic discovery. The proxy intercepts every request, giving you complete visibility and control over web communication.

Community Edition provides 90% of testing capability. Master the proxy, Repeater, and Intruder, and you can find and exploit web vulnerabilities methodically.

Burp Suite is your X-ray vision for web applications. Use it to see what others miss.

#bug bounty #beginners #intercepting #proxy #web application security #Burp Suite