MODULE_06 // PROXY MITM MECHANICS

Burp Suite Setup & Workflow

OPERATIONAL OBJECTIVE

Burp Suite sits directly between your browser and the internet as a Man-In-The-Middle (MITM) proxy. Every HTTP request your browser sends passes through Burp first, letting you pause requests in flight, alter parameter values, and inject payloads before they reach the server.

What Burp Suite Actually Is

Burp Suite sits between your browser and the internet as a proxy — every request your browser sends passes through Burp first, where you can see it, pause it, modify it, and replay it. This is the single most important tool in web bug hunting. DevTools showed you traffic; Burp lets you control it.

Step 1 — Install

  1. Go to portswigger.net/burp/communitydownload
  2. Download Burp Suite Community Edition (free) for your OS
  3. Run the installer, accept defaults
  4. Launch it → choose "Temporary project" → "Use Burp defaults" → click Start Burp

Step 2 — Configure the proxy

Burp listens on 127.0.0.1:8080 by default. You need your browser to send traffic there.

Easiest method — use Burp's built-in browser:

In Burp, go to the Proxy tab → Intercept sub-tab → click Open Browser. This launches a pre-configured Chromium browser that already routes through Burp. No setup needed. Use this for all your practice.

Alternative — configure your main browser (Brave/Chrome):

  1. Install the FoxyProxy extension
  2. Add a new proxy: IP 127.0.0.1, Port 8080
  3. Switch FoxyProxy to use this proxy when testing
  4. Visit http://burpsuite in that browser and install Burp's CA certificate (needed so HTTPS sites work without errors)

I'd recommend the built-in browser for now — fewer moving parts while you're learning.

Step 3 — Understand the core tabs

Tab                    | What it's for
Proxy → Intercept      | Pause every request before it's sent. Toggle "Intercept is on/off."
Proxy → HTTP history   | Every request/response that passed through, logged automatically
Repeater               | Take any request, edit it, resend it as many times as you want
Intruder               | Automatically sends many variations of a request (brute-force, fuzzing) — Community Edition is rate-limited but still usable
Decoder                | Encode/decode text — Base64, URL encoding, etc.
Comparer               | Diff two requests/responses side by side

Step 4 — Your core workflow, every single time

This is the loop you'll repeat for the rest of your bug bounty life:

  1. Browse the target normally with Intercept off (so you don't get stuck on every request)
  2. When you reach something interesting (a login, a search, a profile update) — turn Intercept on
  3. Capture that one request
  4. Send it to Repeater (right-click → "Send to Repeater")
  5. Turn Intercept back off so browsing isn't interrupted
  6. In Repeater, modify the request — change parameters, headers, body values
  7. Click Send, study the response
  8. Repeat steps 6-7 with different payloads until something breaks or reveals a bug

Repeater is where 80% of your actual hacking happens. Get comfortable here.

Step 5 — A concrete first exercise

  1. Open Burp's built-in browser
  2. Go to any site with a search box (e.g. a Wikipedia search)
  3. Search for something normal, like cat
  4. In HTTP history, find that request — it'll have ?search=cat or similar in the URL
  5. Right-click → Send to Repeater
  6. In Repeater, change cat to <script>alert(1)</script>
  7. Click Send
  8. Look at the response — does your script tag appear unescaped in the HTML? (This is literally testing for reflected XSS — you'll go deep on this in Chapter 7)
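The Step 4 loop and the Step 5 exercise boil down to one mechanical check: resend the request with an edited parameter and see whether the value comes back in the HTML unchanged or escaped. The following is an added example, not part of this chapter's material or of Burp Suite: it stands up a constructed toy "search site" on localhost with two endpoints (one that reflects the search term raw, one that HTML-escapes it) and then plays the Repeater role with Python's standard library. The endpoint paths, the handler and the function names are all assumptions made for the example; the payload is the same `<script>alert(1)</script>` used in the exercise above.

```python
import html
import http.server
import threading
from http.client import HTTPConnection
from urllib.parse import parse_qs, urlencode, urlparse


class ToySearchHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a site with a search box (hypothetical, not a real target).

    /unsafe reflects the search term into the page as-is (the bug the exercise looks for).
    /safe   runs it through html.escape() first, which is what a fixed application does.
    """

    def do_GET(self):
        url = urlparse(self.path)
        term = parse_qs(url.query).get("search", [""])[0]
        if url.path == "/unsafe":
            body = f"<p>Results for {term}</p>"
        else:
            body = f"<p>Results for {html.escape(term)}</p>"
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_toy_target():
    """Bind the toy site to 127.0.0.1 on an ephemeral port and serve it in the background."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ToySearchHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def resend(host, port, path, params):
    """The Repeater step: same request, edited parameter values, sent again.

    Returns (status, body) so the caller can study the response.
    """
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", f"{path}?{urlencode(params)}")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8")
    conn.close()
    return resp.status, body


def reflected_unescaped(body, marker):
    """The Step 5 question: does the marker appear in the HTML exactly as sent?"""
    return marker in body


def run_exercise(server, path):
    """Send the normal term first, then the script tag, and report whether it reflects raw."""
    host, port = server.server_address
    status, baseline = resend(host, port, path, {"search": "cat"})
    assert status == 200 and "cat" in baseline  # sanity check on the normal request
    marker = "<script>alert(1)</script>"
    status, body = resend(host, port, path, {"search": marker})
    return reflected_unescaped(body, marker)


if __name__ == "__main__":
    srv = start_toy_target()
    try:
        for path in ("/unsafe", "/safe"):
            print(path, "reflects the payload unescaped:", run_exercise(srv, path))
    finally:
        srv.shutdown()
```

Running it prints `True` for `/unsafe` and `False` for `/safe`: the escaped page contains `&lt;script&gt;` instead of a live tag, which is exactly the difference you are looking for in the Repeater response pane. When pointing real tooling at Burp instead of a toy server, the only change is routing the client through the listener from Step 2 (127.0.0.1:8080) so the request also shows up in HTTP history.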

Drill Sandbox 06 — Local Proxy Terminal Emulator

Practice intercepting, modifying, and re-routing a live cross-site script payload using this emulated intercept loop before executing it on target arrays.


Your tasks for Chapter 6

Setup
Practice

Understanding check

Verification Quest 01: Proxy Definition

Can you explain what a proxy is doing in your own words?

Verification Quest 02: Intercept vs History

Do you understand the difference between Intercept and HTTP history?

Verification Quest 03: Centrality of Repeater

Can you explain why Repeater is central to manual testing?