🛡️ Methodology Checklist
- Configure browser to proxy: 127.0.0.1:8080
- Add target to scope (right-click in Proxy → Add to scope)
- Intercept baseline request for each feature
- Identify all parameters: URL, body, headers, cookies
- Send to Repeater for manual testing
- Send to Intruder for automated fuzzing
- Use Comparer for response diff analysis
- Check Burp Logger++ or Traffic for missed requests
🎯 Operational Context
Use when: Any web application assessment — Burp Suite is the primary tool for intercepting, modifying, replaying, and fuzzing HTTP/S traffic. Think Dumber First: Set up Burp before touching the application. Every request goes through proxy. Use Repeater for manual testing, Intruder for parameter fuzzing (or ffuf for speed), and Scanner for automated vulnerability detection. Skip when: HTTPS with certificate pinning — bypass required first (mobile app or thick client).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
set PROXIES HTTP:127.0.0.1:8080 | Route MSF module traffic through Burp for inspection |
ip=127.0.0.1;ls;cat flag.txt | Command injection via POST body — terminate with ; or && |
| Intercept → Send to Repeater | Manual trial-and-error — modify request, resend, inspect |
| Intercept → Send to Intruder | Automated fuzzing — highlight payload position, load wordlist |
| Payload Processing: Add Prefix → Base64 → ASCII Hex | Decode-encode chain for complex cookie fuzzing |
| Do Intercept → Response to this request | Modify HTML response before it reaches browser (enable buttons) |
echo "<BASE64>" | base64 -d | Decode captured Basic Auth header from terminal |
🔬 Deep Dive & Workflow
Intercepting & Repeater Workflow
Burp Proxy intercepts all HTTP/HTTPS traffic between the browser/tool and the server. The core workflow:
- Intercept the request — pause it mid-flight
- Send to Repeater (
Ctrl+R) for manual modification - Modify POST body, headers, cookies, method
- Resend and inspect response body for output
For command injection via a diagnostic form:
POST /ping.php
ip=127.0.0.1;id;cat /etc/passwd
Proxying External Tools
# MSFConsole — route through Burp
set PROXIES HTTP:127.0.0.1:8080
exploit
# Switch to HTTP History tab in Burp to see raw requestsIntruder — Encoded Cookie Fuzzing
When a session cookie is layered (e.g., MD5 → Base64 → ASCII Hex):
- Decode the cookie in Burp Decoder tab (peel ASCII Hex → Base64 → see MD5 hash)
- Send request to Intruder; highlight the cookie value as payload position
- Load wordlist (alphanumeric chars for brute, or SecLists)
- Configure Payload Processing:
- Add Prefix:
<known_prefix> - Encode: Base64
- Encode: ASCII Hex
- Add Prefix:
- Uncheck URL-encode at the bottom — raw Hex/Base64 must not be re-encoded
- Sort results by response length to spot the anomaly
Response Modification (Disabled Buttons)
Cannot edit in HTTP History. Must use live intercept:
- Catch the page request in Intercept tab
- Right-click → Do Intercept → Response to this request
- Edit HTML before forwarding: remove
disabledattribute from<button>
ZAP vs Burp
| Feature | Burp Suite | OWASP ZAP |
|---|---|---|
| Interceptor | Yes | Yes (HUD) |
| Active Scanner | Pro only | Free |
| Fuzzer | Intruder | Built-in |
| API scanning | Pro | Free |
Troubleshooting
- Traffic not capturing: Verify proxy bound to
127.0.0.1:8080and browser points to it - Session invalidated mid-fuzz: Baseline size changes permanently — check response of the anomaly
- CSRF tokens breaking automation: Burp Macros required; static strings in Intruder fail for rotating tokens
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Burp not intercepting HTTPS | CA cert not installed | Export Burp CA from Proxy > Options > CA Certificate; install in browser trusted root store |
| Target loads slowly through Burp | Burp processing overhead | Disable Burp Scanner during manual testing; use Passive Scanner only if needed |
| Intruder too slow | Community edition rate-limited | Use ffuf for brute-force/fuzzing — much faster than Burp Community Intruder |
| Repeater loses session | Session token expired | Re-capture fresh request from Proxy History after re-authenticating in browser |
| WebSocket not visible in Burp | WebSocket upgrade intercepted but not shown | Check Proxy > WebSocket History tab; enable in Proxy Options > Intercept WebSocket |
📝 Reporting Trigger
Finding Title: Web Application Security Assessment Conducted via Burp Suite Impact: Comprehensive web application testing through Burp Suite proxy identifies injection points, authentication weaknesses, and business logic flaws by inspecting and manipulating every HTTP request and response between client and server. Root Cause: N/A — operational assessment tool reference. Recommendation: Integrate Burp Suite into the SDLC — developers should run Burp scans before code review. Implement DAST scanning in CI/CD. Regular penetration testing by qualified assessors using proxy-based methodology.