Terminal GuideBurp Suite: Web Application Security Testing Guide
Master Burp Suite for web application security testing. Learn proxy interception, vulnerability scanning, intruder attacks, CLI automation, and REST API integration for professional penetration testing workflows.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Launch & Config
java -jar burpsuite_pro.jarStart Burp Suite Professionaljava -jar burpsuite_community.jarStart Burp Suite Community--project-file=project.burpOpen existing project--config-file=config.jsonLoad configuration fileHeadless & CLI
--unpause-spider-and-scannerAuto-start scanning-Djava.awt.headless=trueRun in headless mode-Xmx2gAllocate 2GB heap memory--diagnosticsRun diagnostics checkProxy Setup
localhost:8080Default proxy listenercurl -x http://127.0.0.1:8080Route curl through Burpexport http_proxy=127.0.0.1:8080Set system proxy (Linux)export https_proxy=127.0.0.1:8080Set HTTPS proxy (Linux)REST API
GET /v0.1/scanList active scansPOST /v0.1/scanLaunch new scanGET /v0.1/scan/{id}Get scan statusDELETE /v0.1/scan/{id}Cancel a scanIntruder Attacks
SniperSingle payload, one position at a timeBattering RamSame payload in all positionsPitchforkParallel payload sets per positionCluster BombAll payload combinationsUseful Extensions
Logger++Advanced HTTP loggingAutorizeAuthorization testingActive Scan++Enhanced scanning checksJSON BeautifierFormat JSON responsesDownloadable Image Preview
Overview
Burp Suite, developed by PortSwigger, is the industry-standard platform for web application security testing. It provides an integrated set of tools for mapping attack surfaces, analyzing requests and responses, discovering vulnerabilities, and exploiting them. Used by security professionals, bug bounty hunters, and development teams worldwide, Burp Suite sits between a browser and the target application as an intercepting proxy, giving you full control over HTTP/HTTPS traffic.
While Burp Suite is primarily a GUI application, it offers significant CLI capabilities including command-line launch options, a REST API for programmatic control, headless scanning for CI/CD pipelines, and extensibility through its API. This guide focuses on leveraging those capabilities for automated and repeatable security testing workflows.
Community vs Professional
| Feature | Community (Free) | Professional |
|---|---|---|
| Intercepting Proxy | Full | Full |
| Repeater & Decoder | Full | Full |
| Intruder | Throttled | Full speed |
| Scanner | Not available | Full (active + passive) |
| REST API | Not available | Full |
| Project Files | Temporary only | Save & restore |
| Extensions (BApp Store) | Limited | Full access |
| CI/CD Integration | Not available | Full (via REST API) |
Installation & Setup
Burp Suite is a Java-based application that runs on Windows, macOS, and Linux. PortSwigger provides standalone installers that bundle a private JRE, but you can also run the JAR file directly with your own Java installation for greater control from the command line.
# Download from the official website
# https://portswigger.net/burp/releases
# On Linux - install using the standalone installer
chmod +x burpsuite_pro_linux_v2024_x.sh
./burpsuite_pro_linux_v2024_x.sh
# On macOS - use the .dmg installer or Homebrew
brew install --cask burp-suite
# Or for Community Edition:
brew install --cask burp-suite-community
# On Kali Linux (pre-installed)
burpsuiteJava Environment Setup
When running the JAR file directly, you need Java 17 or later. This approach gives you full control over JVM arguments and is essential for headless and automated operation.
# Check Java version
java -version
# Install Java 17+ on Ubuntu/Debian
sudo apt update
sudo apt install openjdk-17-jdk -y
# Install Java on macOS
brew install openjdk@17
# Install Java on Fedora/RHEL
sudo dnf install java-17-openjdk -y
# Verify Java is properly configured
java -version
# openjdk version "17.0.x" ...
# Run Burp Suite JAR directly
java -jar /opt/burpsuite/burpsuite_pro.jar
# Run with increased memory allocation (recommended for large projects)
java -Xmx4g -jar burpsuite_pro.jar
# Run with custom temp directory (for large scan data)
java -Djava.io.tmpdir=/tmp/burp -Xmx4g -jar burpsuite_pro.jarCLI Launch Options
Burp Suite accepts various command-line arguments that control startup behavior, project loading, and configuration. These options are critical for automation and scripted workflows.
# Launch with a specific project file
java -jar burpsuite_pro.jar --project-file=webapp-audit.burp
# Launch with a configuration file
java -jar burpsuite_pro.jar --config-file=scan-config.json
# Launch with both project and configuration
java -jar burpsuite_pro.jar \
--project-file=webapp-audit.burp \
--config-file=scan-config.json
# Create a new project with a specific name
java -jar burpsuite_pro.jar \
--project-file=new-project.burp \
--unpause-spider-and-scanner
# Launch with user-level configuration
java -jar burpsuite_pro.jar \
--user-config-file=user-settings.json
# Run diagnostics to check for issues
java -jar burpsuite_pro.jar --diagnostics
# Disable extensions on startup (troubleshooting)
java -jar burpsuite_pro.jar --disable-extensionsCore Components
Burp Suite is organized into several core tools that work together as an integrated testing platform. Understanding each component and how they interconnect is essential for effective web application testing.
Proxy
The Proxy is the heart of Burp Suite. It operates as an intercepting HTTP/HTTPS proxy between your browser and the target application, allowing you to inspect, modify, and replay every request and response. All traffic flowing through the proxy is logged in the HTTP history, building a comprehensive map of the application.
# Test proxy connectivity with curl
curl -x http://127.0.0.1:8080 http://example.com
# Send HTTPS traffic through Burp (after installing CA certificate)
curl -x http://127.0.0.1:8080 --cacert burp-ca.pem https://target.example.com
# Download Burp's CA certificate
curl -o burp-ca.der http://127.0.0.1:8080/cert
# Convert DER to PEM format
openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
# Install CA certificate on Linux (system-wide)
sudo cp burp-ca.pem /usr/local/share/ca-certificates/burp-ca.crt
sudo update-ca-certificates
# Use wget through Burp proxy
wget --proxy=on -e http_proxy=127.0.0.1:8080 http://target.example.com
# Set proxy for an entire terminal session
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080
export no_proxy=localhost,127.0.0.1Scanner
The Scanner (Professional edition only) automatically discovers security vulnerabilities through both passive and active techniques. Passive scanning analyzes traffic that flows through the proxy without sending additional requests. Active scanning probes the application with crafted payloads to detect vulnerabilities like SQL injection, cross-site scripting (XSS), and command injection.
# Export scan configuration for automation
# In Burp: Burp menu > Configuration Library > Export
# Example scan configuration JSON
cat > scan-config.json << 'EOF'
{
"scanner": {
"active_scanning_optimization": {
"scan_speed": "normal",
"scan_accuracy": "normal"
},
"active_scanning_areas": {
"sql_injection": true,
"xss_reflected": true,
"xss_stored": true,
"command_injection": true,
"path_traversal": true,
"file_upload": true
},
"passive_scanning_areas": {
"headers": true,
"cookies": true,
"forms": true,
"links": true,
"content": true
}
}
}
EOF
# Launch Burp with scanner auto-start
java -jar burpsuite_pro.jar \
--project-file=scan-project.burp \
--config-file=scan-config.json \
--unpause-spider-and-scannerIntruder
Intruder is a tool for automating customized attacks against web applications. It allows you to define payload positions within HTTP requests and run various attack types such as brute-forcing, fuzzing, and parameter enumeration. In the Professional edition, Intruder runs at full speed; the Community edition throttles request rates.
Repeater
Repeater is a manual tool for crafting and reissuing individual HTTP requests. It provides a simple interface where you can modify any part of a request, send it to the server, and analyze the response side by side. Repeater is invaluable for testing individual parameters, verifying vulnerabilities, and crafting proof-of-concept exploits. You can send any request from the proxy history or other tools to Repeater for further investigation.
Proxy Configuration
Proper proxy configuration is the first step in any Burp Suite testing session. You need to configure both Burp Suite's listener and your browser or client application to route traffic through the proxy.
Browser Setup
Burp Suite includes a built-in Chromium browser (Burp's Browser) that is pre-configured to route traffic through the proxy and trust Burp's CA certificate. For external browsers, you need to configure the proxy settings manually or use a browser extension.
# Launch Chrome with Burp proxy settings
google-chrome --proxy-server="http://127.0.0.1:8080" \
--ignore-certificate-errors \
--user-data-dir=/tmp/burp-chrome
# Launch Firefox with proxy (use FoxyProxy extension for easier management)
firefox -P burp-profile
# Configure proxy with environment variables (for CLI tools)
export http_proxy="http://127.0.0.1:8080"
export https_proxy="http://127.0.0.1:8080"
# Use Python requests through Burp proxy
python3 -c "
import requests
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
r = requests.get('https://target.example.com', proxies=proxies, verify=False)
print(r.status_code)
"
# Route Node.js HTTP traffic through Burp
HTTP_PROXY=http://127.0.0.1:8080 \
HTTPS_PROXY=http://127.0.0.1:8080 \
NODE_TLS_REJECT_UNAUTHORIZED=0 \
node app.jsIntercept Rules
Intercept rules control which requests and responses Burp Suite pauses for manual inspection. By default, Burp intercepts all requests, but you can configure rules to focus on specific domains, file types, or request parameters. Well-configured rules reduce noise and let you concentrate on the traffic that matters.
# Export proxy configuration with intercept rules
cat > proxy-config.json << 'EOF'
{
"proxy": {
"intercept_client_requests": {
"do_intercept": true,
"rules": [
{
"enabled": true,
"match_type": "domain_name",
"match_relationship": "matches",
"match_condition": "target\.example\.com"
},
{
"enabled": true,
"match_type": "url",
"match_relationship": "does_not_match",
"match_condition": "\.(css|js|png|jpg|gif|ico|woff2?)$"
}
]
},
"intercept_server_responses": {
"do_intercept": false,
"rules": [
{
"enabled": true,
"match_type": "content_type",
"match_relationship": "matches",
"match_condition": "HTML"
}
]
}
}
}
EOF
# Launch Burp with this proxy configuration
java -jar burpsuite_pro.jar \
--config-file=proxy-config.jsonScanner Usage
The Burp Scanner uses a combination of passive analysis and active probing to discover vulnerabilities. Understanding the difference between passive and active scanning, and knowing how to tune scanner settings, is critical for efficient and thorough assessments.
Passive Scanning analyzes HTTP traffic that has already been captured without sending any additional requests. It detects issues like missing security headers, insecure cookies, information disclosure in responses, and sensitive data exposure. Passive scanning is safe to run against any target since it generates no additional traffic.
Active Scanning sends crafted requests to detect server-side vulnerabilities like SQL injection, XSS, command injection, path traversal, and more. Active scanning generates significant additional traffic and may modify application state, so it should only be performed with proper authorization.
# Configure scanner via REST API (Professional edition)
# Start a scan against a specific URL
curl -s -X POST "http://127.0.0.1:1337/v0.1/scan" \
-H "Content-Type: application/json" \
-d '{
"urls": ["https://target.example.com"],
"scope": {
"include": [
{"rule": "https://target.example.com/"}
],
"exclude": [
{"rule": "https://target.example.com/logout"}
]
}
}'
# Check scan progress
curl -s "http://127.0.0.1:1337/v0.1/scan/1" | python3 -m json.tool
# List all active scans
curl -s "http://127.0.0.1:1337/v0.1/scan" | python3 -m json.tool
# Export scanner results
# In Burp: Target > Site map > right-click > Issues > Report issues
# Supports HTML, XML, and custom formatsIntruder Attacks
Intruder supports four attack types, each suited to different testing scenarios. Understanding when to use each type is key to efficient fuzzing and brute-force testing.
| Attack Type | Positions | Behavior | Use Case |
|---|---|---|---|
| Sniper | Multiple | Inserts each payload into one position at a time, others stay default | Testing each parameter individually |
| Battering Ram | Multiple | Inserts the same payload into all positions simultaneously | CSRF tokens, same value in multiple fields |
| Pitchfork | Multiple | Uses parallel payload lists, iterating through them in lockstep | Username/password pairs from credential lists |
| Cluster Bomb | Multiple | Tests all permutations of payload lists across all positions | Full brute-force of username + password combinations |
# Prepare payload lists for Intruder
# Common usernames
cat > usernames.txt << 'EOF'
admin
administrator
root
user
test
guest
EOF
# Common passwords
cat > passwords.txt << 'EOF'
password
123456
admin
Password1
letmein
welcome
EOF
# Common XSS payloads for fuzzing
cat > xss-payloads.txt << 'EOF'
<script>alert(1)</script>
"><script>alert(1)</script>
'><script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
javascript:alert(1)
EOF
# Common SQL injection test payloads
cat > sqli-payloads.txt << 'EOF'
' OR '1'='1
' OR '1'='1'--
" OR "1"="1
1' ORDER BY 1--
1 UNION SELECT NULL--
'; DROP TABLE users--
EOF
# Directory brute-force wordlist
# Use with Intruder Sniper mode on path parameter
cat > dirs.txt << 'EOF'
admin
login
dashboard
api
config
backup
test
debug
EOFCLI & Automation
Burp Suite Professional provides powerful automation capabilities through command-line options, a REST API, and headless operation mode. These features enable integration with CI/CD pipelines, scripted testing workflows, and programmatic scan management.
Command-Line Options
| Option | Description |
|---|---|
| --project-file=FILE | Open or create a project file |
| --config-file=FILE | Load project-level configuration from JSON file |
| --user-config-file=FILE | Load user-level configuration from JSON file |
| --unpause-spider-and-scanner | Automatically start the spider and scanner |
| --disable-extensions | Start without loading extensions |
| --diagnostics | Run startup diagnostics and exit |
# Full automated launch with project, config, and auto-scan
java -Xmx4g -jar burpsuite_pro.jar \
--project-file=automated-scan.burp \
--config-file=scan-config.json \
--user-config-file=user-prefs.json \
--unpause-spider-and-scanner
# Launch with custom proxy listener port
cat > custom-listener.json << 'EOF'
{
"proxy": {
"request_listeners": [
{
"listen_mode": "loopback_only",
"listener_port": 9090,
"running": true
}
]
}
}
EOF
java -jar burpsuite_pro.jar --config-file=custom-listener.jsonREST API
Burp Suite Professional includes a REST API that allows you to manage scans programmatically. The API server runs on a configurable port (default 1337) and provides endpoints for launching, monitoring, and retrieving results from scans.
# Enable the REST API in Burp:
# User options > Misc > REST API > Enable
# Configure the API port (default: 1337)
# Optionally set an API key for authentication
# Launch a new scan via the REST API
curl -s -X POST "http://127.0.0.1:1337/v0.1/scan" \
-H "Content-Type: application/json" \
-d '{
"urls": ["https://target.example.com/app"],
"scope": {
"include": [
{"rule": "https://target.example.com/app/"}
]
},
"scan_configurations": [
{"type": "NamedConfiguration", "name": "Crawl and Audit - Fast"}
]
}'
# Returns: {"task_id": "1"}
# Check scan status and progress
curl -s "http://127.0.0.1:1337/v0.1/scan/1" | python3 -m json.tool
# Poll scan status in a script until complete
while true; do
STATUS=$(curl -s "http://127.0.0.1:1337/v0.1/scan/1" | python3 -c "
import sys, json
data = json.load(sys.stdin)
print(data.get('scan_status', 'unknown'))
")
echo "Scan status: $STATUS"
if [ "$STATUS" = "succeeded" ] || [ "$STATUS" = "failed" ]; then
break
fi
sleep 30
done
# Retrieve scan issues (vulnerabilities found)
curl -s "http://127.0.0.1:1337/v0.1/scan/1" | python3 -c "
import sys, json
data = json.load(sys.stdin)
for issue in data.get('issue_events', []):
i = issue.get('issue', {})
print(f"[{i.get('severity', 'N/A')}] {i.get('name', 'Unknown')}")
print(f" URL: {i.get('origin', '')}{i.get('path', '')}")
print()
"
# Cancel an active scan
curl -s -X DELETE "http://127.0.0.1:1337/v0.1/scan/1"Headless Mode
Running Burp Suite in headless mode enables fully automated scanning without a graphical interface. This is essential for CI/CD integration, server-based scanning infrastructure, and batch processing of multiple targets.
# Run Burp Suite in headless mode (no GUI)
java -Djava.awt.headless=true -Xmx4g \
-jar burpsuite_pro.jar \
--project-file=headless-scan.burp \
--config-file=scan-config.json \
--unpause-spider-and-scanner
# Headless scan with REST API polling script
#!/bin/bash
# headless-scan.sh - Automated headless Burp Suite scan
TARGET_URL="https://target.example.com"
BURP_JAR="/opt/burpsuite/burpsuite_pro.jar"
API_PORT=1337
# Start Burp in headless mode (background)
java -Djava.awt.headless=true -Xmx4g \
-jar "$BURP_JAR" \
--config-file=api-config.json &
BURP_PID=$!
# Wait for Burp to start
echo "Waiting for Burp Suite to initialize..."
sleep 30
# Wait for API to become available
until curl -s "http://127.0.0.1:$API_PORT/" > /dev/null 2>&1; do
sleep 5
done
echo "Burp Suite REST API is ready"
# Launch scan
TASK_ID=$(curl -s -X POST "http://127.0.0.1:$API_PORT/v0.1/scan" \
-H "Content-Type: application/json" \
-d "{"urls": ["$TARGET_URL"]}" | python3 -c "
import sys, json
print(json.load(sys.stdin).get('task_id', ''))
")
echo "Scan started with task ID: $TASK_ID"
# Poll until complete
while true; do
RESULT=$(curl -s "http://127.0.0.1:$API_PORT/v0.1/scan/$TASK_ID")
STATUS=$(echo "$RESULT" | python3 -c "
import sys, json
print(json.load(sys.stdin).get('scan_status', 'unknown'))
")
echo "Status: $STATUS"
if [ "$STATUS" = "succeeded" ] || [ "$STATUS" = "failed" ]; then
echo "$RESULT" | python3 -m json.tool > scan-results.json
break
fi
sleep 60
done
# Shutdown Burp
kill $BURP_PID
echo "Scan complete. Results saved to scan-results.json"Practical Examples
Web App Assessment Workflow
A structured web application security assessment with Burp Suite follows a methodical process from reconnaissance through exploitation and reporting. Here is a typical workflow using both the GUI and CLI capabilities.
# Step 1: Set up the project with scope
java -Xmx4g -jar burpsuite_pro.jar \
--project-file=webapp-assessment.burp \
--config-file=scope-config.json
# scope-config.json - Define target scope
cat > scope-config.json << 'EOF'
{
"target": {
"scope": {
"advanced_mode": true,
"include": [
{
"enabled": true,
"protocol": "https",
"host": "target.example.com",
"port": "443",
"file": "/"
}
],
"exclude": [
{
"enabled": true,
"protocol": "any",
"host": "target.example.com",
"port": "any",
"file": "/logout"
}
]
}
}
}
EOF
# Step 2: Manual browsing to build site map
# Use Burp's browser or configure your browser with the proxy
# Browse through all application functionality
# Step 3: Review site map and identify attack surface
# In Burp: Target > Site map > review endpoints and parameters
# Step 4: Run passive scan on captured traffic
# Passive scanning happens automatically on all proxied traffic
# Step 5: Run active scan on specific areas
# Right-click items in site map > "Actively scan this host"
# Step 6: Export findings
# Target > Site map > right-click > Issues > Report issues
# Choose HTML format for client-ready reportsAPI Testing
Burp Suite is highly effective for API security testing. You can import API definitions, replay requests through Repeater, fuzz parameters with Intruder, and scan for API-specific vulnerabilities.
# Import API requests by proxying CLI tools through Burp
# Test REST API endpoints through Burp proxy
curl -x http://127.0.0.1:8080 \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
https://api.example.com/v1/users
# Send POST request through Burp
curl -x http://127.0.0.1:8080 \
-X POST \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"name": "test", "email": "test@example.com"}' \
https://api.example.com/v1/users
# Import OpenAPI/Swagger definition
# In Burp: Target > Site map > right-click > "Import from file"
# Supports OpenAPI 2.0/3.0, WSDL, and WADL formats
# Fuzz API parameters with Intruder
# 1. Capture a request in Proxy history
# 2. Send to Intruder (Ctrl+I)
# 3. Mark payload positions in JSON body
# 4. Load appropriate payload list
# 5. Start attack
# Test for IDOR (Insecure Direct Object References)
# Use Intruder Sniper mode with numeric payloads
# on ID parameters: /api/v1/users/PAYLOAD
# Monitor response codes and body lengths for anomalies
# Test authentication endpoints
curl -x http://127.0.0.1:8080 \
-X POST \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "test"}' \
https://api.example.com/v1/auth/loginCI/CD Integration
Integrating Burp Suite into CI/CD pipelines enables automated security testing as part of the development workflow. Using the REST API and headless mode, you can trigger scans on every deployment and fail builds when critical vulnerabilities are found.
# GitLab CI example (.gitlab-ci.yml)
cat > .gitlab-ci.yml << 'EOF'
security-scan:
stage: test
image: openjdk:17-slim
script:
# Start Burp in headless mode
- java -Djava.awt.headless=true -Xmx2g
-jar /opt/burpsuite/burpsuite_pro.jar
--config-file=ci-scan-config.json &
- sleep 45
# Launch scan via REST API
- |
TASK_ID=$(curl -s -X POST "http://127.0.0.1:1337/v0.1/scan" -H "Content-Type: application/json" -d "{"urls": ["$TARGET_URL"]}" | python3 -c "import sys,json; print(json.load(sys.stdin)['task_id'])")
# Wait for scan completion
- |
while true; do
STATUS=$(curl -s "http://127.0.0.1:1337/v0.1/scan/$TASK_ID" | python3 -c "import sys,json; print(json.load(sys.stdin)['scan_status'])")
[ "$STATUS" = "succeeded" ] || [ "$STATUS" = "failed" ] && break
sleep 30
done
# Check for high/critical severity issues
- |
CRITICAL=$(curl -s "http://127.0.0.1:1337/v0.1/scan/$TASK_ID" | python3 -c "
import sys, json
data = json.load(sys.stdin)
issues = [e['issue'] for e in data.get('issue_events', [])
if e['issue']['severity'] in ['high', 'critical']]
print(len(issues))
for i in issues:
print(f" [{i['severity']}] {i['name']}")
")
echo "Critical/High issues found: $CRITICAL"
[ "$CRITICAL" -gt "0" ] && exit 1
artifacts:
paths:
- scan-results.json
when: always
EOF
# GitHub Actions example
cat > .github/workflows/security-scan.yml << 'EOF'
name: Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
burp-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Run Burp Suite scan
env:
TARGET_URL: ${{ secrets.TARGET_URL }}
run: |
java -Djava.awt.headless=true -Xmx2g \
-jar burpsuite_pro.jar \
--config-file=ci-config.json &
sleep 45
./scripts/run-scan.sh "$TARGET_URL"
- name: Upload scan results
uses: actions/upload-artifact@v4
with:
name: burp-scan-results
path: scan-results.json
EOFTips & Best Practices
Performance & Configuration
- Allocate sufficient memory: Use
-Xmx4gor higher for large applications. Insufficient memory causes scan failures and UI freezes. - Define scope early: Always configure the target scope before scanning to avoid testing out-of-scope systems and reduce noise.
- Use project files: Save your work in project files to preserve proxy history, scan results, and configuration between sessions.
- Tune scanner speed: For stable, production-adjacent environments, use "Thorough" mode. For development environments, "Fast" mode provides quicker results.
- Exclude logout URLs: Always exclude logout endpoints from scope to prevent your session from being invalidated during scanning.
Testing Methodology
- Start passive, then go active: Begin with manual browsing and passive scanning to understand the application before launching active scans.
- Use Repeater for validation: Always verify scanner findings manually in Repeater to confirm true positives and eliminate false positives.
- Leverage extensions: Install extensions like Logger++, Autorize, and Active Scan++ from the BApp Store to extend Burp's capabilities.
- Test authentication thoroughly: Use Intruder to test login forms, session management, and access controls systematically.
- Document as you go: Use Burp's built-in notes and comments on requests, and organize findings in the Target tab for clean reporting.
Security & Ethics
- Always get written authorization: Never test systems without explicit, documented permission from the system owner.
- Avoid production data exposure: Be cautious with scan results that may contain sensitive data. Store project files securely.
- Monitor scan impact: Watch for signs that your scanning is affecting the target application's performance or availability.
- Follow responsible disclosure: Report vulnerabilities through proper channels and give the organization time to fix issues before any public disclosure.
- Protect your Burp project files: Project files contain full HTTP history including credentials and tokens. Encrypt and secure them appropriately.
Related Tools
Burp Suite works best as part of a broader security testing toolkit. These complementary tools are often used alongside Burp Suite in web application assessments:
| Tool | Purpose | Complements Burp By |
|---|---|---|
| Nmap | Network discovery and port scanning | Identifying web servers and services before testing |
| Nikto | Web server vulnerability scanning | Quick server-level checks and misconfigurations |
| sqlmap | Automated SQL injection testing | Deep exploitation of SQL injection found by Burp Scanner |
| Metasploit | Exploitation framework | Exploiting vulnerabilities discovered during assessment |
| Wireshark | Network protocol analysis | Low-level traffic analysis beyond HTTP/HTTPS |
# Combine Burp Suite with other tools in a workflow
# 1. Discover web servers with Nmap
nmap -sV -p 80,443,8080,8443 target.example.com
# 2. Quick server scan with Nikto
nikto -h https://target.example.com -output nikto-results.txt
# 3. Route sqlmap through Burp for deeper SQL injection testing
# Export a request from Burp (right-click > Copy to file)
sqlmap -r burp-request.txt --proxy=http://127.0.0.1:8080 --batch
# 4. Use Burp Suite for comprehensive web app testing
java -Xmx4g -jar burpsuite_pro.jar \
--project-file=full-assessment.burp
# 5. Combine Burp findings with Metasploit for exploitation
# Export Burp scan results and import relevant findings into MetasploitOfficial Documentation
For authoritative information, refer to the official documentation:
Related Articles
Nikto: Web Server Vulnerability Scanner Guide
Complete guide to Nikto web server scanner. Learn vulnerability scanning, SSL testing, authentication bypass detection, and automated security assessments.
sqlmap: SQL Injection Testing Tool Guide
Complete guide to sqlmap for automated SQL injection detection and exploitation. Learn database enumeration, data extraction, and advanced tamper techniques.
Metasploit Framework: Penetration Testing Guide
Complete guide to the Metasploit Framework for penetration testing. Learn msfconsole, exploit modules, payloads, and post-exploitation techniques.
Nmap: Network Scanner & Security Auditing Tool Guide
Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.