Burp Suite Web Application Testing
This skill should be used when the user asks to "intercept HTTP traffic", "modify web requests", "use Burp Suite for testing", "perform web vulnerability scanning", "test with Burp Repeater", "analyze HTTP history", or "configure proxy for web testing". It provides comprehensive guidance for using B
Purpose
Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.
Inputs / Prerequisites
Required Tools
- Burp Suite Community or Professional Edition installed
- Burp's embedded browser or configured external browser
- Target web application URL
- Valid credentials for authenticated testing (if applicable)
Environment Setup
- Burp Suite launched with temporary or named project
- Proxy listener active on 127.0.0.1:8080 (default)
- Browser configured to use Burp proxy (or use Burp's browser)
- CA certificate installed for HTTPS interception
Editions Comparison
| Feature | Community | Professional |
|---|---|---|
| Proxy | ✓ | ✓ |
| Repeater | ✓ | ✓ |
| Intruder | Limited | Full |
| Scanner | ✗ | ✓ |
| Extensions | ✓ | ✓ |
Outputs / Deliverables
Primary Outputs
- Intercepted and modified HTTP requests/responses
- Vulnerability scan reports with remediation advice
- HTTP history and site map documentation
- Proof-of-concept exploits for identified vulnerabilities
Core Workflow
Phase 1: Intercepting HTTP Traffic
Launch Burp's Browser
Use Burp's built-in browser, which is already configured to send all traffic through the proxy listener:
- Open Burp Suite and create/open project
- Go to Proxy > Intercept tab
- Click Open Browser to launch preconfigured browser
- Position windows to view both Burp and browser simultaneously
Configure Interception
Control which requests are captured:
- Proxy > Intercept > "Intercept is on/off" toggle
- When on: each request pauses in the Intercept tab for review and modification
- When off: requests pass straight through and are only logged to HTTP history
Intercept and Forward Requests
Process intercepted traffic:
- Set intercept toggle to Intercept on
- Navigate to target URL in browser
- Observe request held in Proxy > Intercept tab
- Review request contents (headers, parameters, body)
- Click Forward to send request to server
- Continue forwarding subsequent requests until page loads
View HTTP History
Access complete traffic log:
- Go to Proxy > HTTP history tab
- Click any entry to view full request/response
- Sort by clicking column headers (# for chronological order)
- Use filters to focus on relevant traffic
Phase 2: Modifying Requests
Intercept and Modify
Change request parameters before forwarding:
- Enable interception: Intercept on
- Trigger target request in browser
- Locate parameter to modify in intercepted request
- Edit value directly in request editor
- Click Forward to send modified request
Common Modification Targets
| Target | Example | Purpose |
|---|---|---|
| Price parameters | price=1 | Test business logic |
| User IDs | userId=admin | Test access control |
| Quantity values | qty=-1 | Test input validation |
| Hidden fields | isAdmin=true | Test privilege escalation |
Example: Price Manipulation
```http
POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

productId=1&quantity=1&price=100
```
Modify the body to:
```http
productId=1&quantity=1&price=1
```
Result: if the server trusts the client-supplied `price` field instead of looking the price up server-side, the item is added to the cart at the modified price.
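To make the business-logic point concrete, here is an added example (not code from this skill page, from Burp Suite or from PortSwigger) that parses the raw request above, applies the same parameter edit an intercept would, and contrasts a cart handler that trusts the client price with one that recomputes it from a server-side catalogue. The catalogue, the handler names and the sample request are constructed for the example.

```python
# Added example: parses a raw form-encoded POST, rewrites one parameter the way an
# intercept edit would, and shows why server-side price lookup defeats the tamper.
from urllib.parse import parse_qs

# Constructed server-side catalogue (assumption: product 1 costs 100).
CATALOGUE = {"1": 100}

# Constructed request, mirroring the one shown above.
RAW_REQUEST = (
    "POST /cart HTTP/1.1\r\n"
    "Host: target.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "productId=1&quantity=1&price=100"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def set_param(body, name, value):
    """Rewrite a single form parameter, as editing it in the Intercept tab would."""
    params = parse_qs(body, keep_blank_values=True)
    params[name] = [value]
    return "&".join(f"{k}={v[0]}" for k, v in params.items())


def vulnerable_add_to_cart(body):
    """Trusts the client-supplied price, so the tampered request is honoured."""
    p = parse_qs(body)
    return int(p["quantity"][0]) * int(p["price"][0])


def hardened_add_to_cart(body):
    """Ignores any client price and validates quantity; total comes from the catalogue."""
    p = parse_qs(body)
    qty = int(p["quantity"][0])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return qty * CATALOGUE[p["productId"][0]]


def demo():
    """Run the tampered body through both handlers and return their totals."""
    _, _, _, body = parse_request(RAW_REQUEST)
    tampered = set_param(body, "price", "1")
    return {
        "vulnerable_total": vulnerable_add_to_cart(tampered),  # 1
        "hardened_total": hardened_add_to_cart(tampered),      # 100
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler also rejects the `qty=-1` case from the modification table above; the only client input it acts on is the product identifier and a validated quantity.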
Phase 3: Setting Target Scope
Define Scope
Focus testing on specific target:
- Go to Target > Site map
- Right-click target host in left panel
- Select Add to scope
- When prompted, click Yes to exclude out-of-scope traffic
Filter by Scope
Remove noise from HTTP history:
- Click display filter above HTTP history
- Select Show only in-scope items
- History now shows only target site traffic
Scope Benefits
- Reduces clutter from third-party requests
- Prevents accidental testing of out-of-scope sites
- Improves scanning efficiency
- Creates cleaner reports
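The scope filter is easier to reason about when written down, so here is an added example (not Burp's own scope engine, which also supports regex rules and port matching) that applies include and exclude prefix rules to a constructed HTTP history in the spirit of "Show only in-scope items". The history entries and the scope rules are constructed; the exclusion of `/logout` illustrates the common practice of keeping a session alive while testing.

```python
# Added example: a simplified scope matcher (prefix rules on scheme://host/path)
# applied to a constructed HTTP history. Exclude rules win over include rules.
from urllib.parse import urlsplit

# Constructed history, as Proxy > HTTP history might list it.
HISTORY = [
    "https://target.com/",
    "https://target.com/product?productId=1",
    "https://target.com/logout",
    "https://cdn.target.com/app.js",
    "https://analytics.example.net/collect",
    "http://target.com/health",
]

# Constructed scope: the target site over HTTPS, minus the logout endpoint.
SCOPE = {
    "include": ["https://target.com/"],
    "exclude": ["https://target.com/logout"],
}


def _normalise(url):
    """Reduce a URL to scheme://host/path, dropping query and fragment."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}{u.path or '/'}"


def in_scope(url, scope):
    """A URL is in scope when it matches an include rule and no exclude rule.

    The include prefix ends with '/', so 'https://target.com.evil/' does not
    match 'https://target.com/' and a look-alike host stays out of scope.
    """
    n = _normalise(url)
    if any(n.startswith(_normalise(ex)) for ex in scope["exclude"]):
        return False
    return any(n.startswith(_normalise(inc)) for inc in scope["include"])


def filter_history(history, scope):
    """Return only the history entries the scope rules admit."""
    return [u for u in history if in_scope(u, scope)]


if __name__ == "__main__":
    for entry in filter_history(HISTORY, SCOPE):
        print(entry)
```

Note that the plain-HTTP health check and the CDN subdomain fall out of scope because the include rule pins both scheme and host; widen the rules deliberately rather than matching on host name alone.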
Phase 4: Using Burp Repeater
Send Request to Repeater
Prepare request for manual testing:
- Identify interesting request in HTTP history
- Right-click request and select Send to Repeater
- Go to Repeater tab to access request
Modify and Resend
Test different inputs efficiently:
1. View request in Repeater tab
2. Modify parameter values
3. Click Send to submit request
4. Review response in right panel
5. Use navigation arrows to review request history
Repeater Testing Workflow
Original request:
```http
GET /product?productId=1 HTTP/1.1
```
Variations sent from Repeater and the response each one typically produces:
- Test 1: productId=2 → valid product response
- Test 2: productId=999 → Not Found response
- Test 3: productId=' → error/exception response
- Test 4: productId=1 OR 1=1 → SQL injection test
Analyze Responses
Look for indicators of vulnerabilities:
- Error messages revealing stack traces
- Framework/version information discl
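Reviewing Repeater responses by eye scales poorly once there are dozens of variations, so here is an added example (not part of this skill page or of Burp Suite) that runs the two indicators listed above, stack traces and framework/version disclosure, plus a database-error pattern, over constructed responses to the productId tests. The responses, header values and regular expressions are constructed for the example and are a starting point, not an exhaustive signature set.

```python
# Added example: flag vulnerability indicators in raw HTTP responses collected
# from Repeater tests. Sample responses are constructed to match the tests above.
import re

RESPONSES = {
    "productId=2": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<h1>Product 2</h1>",
    "productId=999": "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\nNot Found",
    "productId='": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Server: Apache/2.4.41 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.4.3\r\n"
        "\r\n"
        "Fatal error: Uncaught PDOException: SQLSTATE[42000] ... "
        "in /var/www/app/product.php:42\n"
        "Stack trace:\n#0 {main}"
    ),
}

# Constructed indicator patterns: PHP/Python/Java stack traces, common DB error
# strings, and Server / X-Powered-By headers carrying a version number.
INDICATORS = {
    "stack_trace": re.compile(
        r"Stack trace:|Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"
    ),
    "db_error": re.compile(r"SQLSTATE\[|PDOException|ORA-\d{5}|MySQL server", re.I),
    "version_disclosure": re.compile(
        r"^(Server|X-Powered-By):\s*\S+/\d[\w.]*", re.I | re.M
    ),
}


def analyse(raw_response):
    """Return the status code and the sorted list of indicator names that fired."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    findings = sorted(
        name for name, rx in INDICATORS.items() if rx.search(head) or rx.search(body)
    )
    return {"status": status, "findings": findings}


def triage(responses):
    """Analyse every test response, keyed by the parameter variation sent."""
    return {test: analyse(raw) for test, raw in responses.items()}


if __name__ == "__main__":
    for test, result in triage(RESPONSES).items():
        print(f"{test:15} {result['status']}  {', '.join(result['findings']) or '-'}")
```

A response that fires `db_error` together with `stack_trace` on a quote character is the case worth escalating: it shows that user input reaches the query layer and that error output is not suppressed in production.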
Quick Info
- Source: antigravity
- Category: Security & Systems
- Scraped At: Jan 26, 2026