Burp Suite is a commercial web application security testing platform developed by PortSwigger. It is the de facto industry standard for manual and semi-automated web application testing, and forms the backbone of most penetration tests involving HTTP/HTTPS traffic.
Core components
Proxy intercepts traffic between the browser and the target application. The tester can pause, inspect, and modify requests and responses in flight, which is essential for testing authorisation, validation, and trust boundaries.
Repeater takes a captured request and lets the tester edit and resend it manually as many times as needed, ideal for probing how the server handles edge cases.
Intruder automates parameterised attacks: brute-forcing parameters, fuzzing inputs, enumerating user IDs, and testing for injection patterns at scale.
Scanner (Pro only) performs automated active and passive scans for common vulnerabilities. It finds known vulnerability classes quickly but cannot replace manual testing for business-logic flaws.
Decoder, Comparer, Sequencer, and Collaborator handle encoding, response diffing, randomness analysis, and out-of-band callbacks for blind vulnerabilities.
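The randomness analysis that Sequencer performs on session tokens can be illustrated with a simplified, per-character-position Shannon entropy estimate. The block below is an added example written for this page, not PortSwigger's code and not the statistical test battery Sequencer actually runs; the token samples are constructed inline (a hex counter with a static suffix versus tokens from the standard library's secrets module), and the function names and the "weak" threshold are choices made for the illustration.

```python
import math
import secrets
from collections import Counter

# Hypothetical helper names for this example only; they are not part of Burp Suite.


def position_entropy(tokens):
    """Shannon entropy in bits of the character at each position, measured
    across the whole sample. 0.0 means the position never changes."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    n = len(tokens)
    per_position = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        per_position.append(h)
    return per_position


def analyse_tokens(tokens, alphabet_size=16):
    """Summarise a token sample the way a tester would read a Sequencer report:
    total observed entropy, the theoretical maximum for the alphabet, and the
    positions that are constant (and therefore contribute nothing).

    The 50% threshold for flagging a sample as weak is an assumption for this
    example, not a Burp setting."""
    per_position = position_entropy(tokens)
    length = len(tokens[0])
    max_bits = math.log2(alphabet_size) * length
    total_bits = sum(per_position)
    return {
        "length": length,
        "total_bits": round(total_bits, 2),
        "max_bits": round(max_bits, 2),
        "fixed_positions": [i for i, h in enumerate(per_position) if h == 0.0],
        "weak": total_bits < 0.5 * max_bits,
    }


def make_counter_tokens(count):
    """Constructed weak sample: an 8-hex-digit incrementing counter followed by
    a static 8-character suffix, the sort of 'token' a naive implementation emits."""
    return [f"{i:08x}" + "a1b2c3d4" for i in range(count)]


def make_random_tokens(count):
    """Constructed strong sample: 16 hex characters from a CSPRNG."""
    return [secrets.token_hex(8) for _ in range(count)]


if __name__ == "__main__":
    # Defender's use: check your own application's session identifiers before a
    # tester does. A sample of a few hundred tokens is enough to expose fixed
    # positions and counters, though not subtle biases.
    for name, sample in (("counter", make_counter_tokens(256)),
                         ("random", make_random_tokens(256))):
        print(name, analyse_tokens(sample))
```

With 256 counter tokens only two of the sixteen positions ever change, so the sample scores 8 bits out of a possible 64 and is flagged weak; the CSPRNG sample scores close to the maximum and has no fixed positions. A small sample caps the observable entropy at log2(sample size) bits per position, so judge the ratio against the sample size rather than reading the absolute number as the generator's true entropy.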
Editions
Burp Suite Community is free, single-threaded, lacks Scanner, and rate-limits Intruder. Burp Suite Professional is the commercial edition used by working pen testers. Burp Suite Enterprise is a server-based, scheduled scanning product aimed at internal security teams running continuous coverage rather than ad-hoc engagements.
Typical workflow
A tester configures the browser to route through the Burp proxy, walks the application as a normal user to populate the site map, runs a passive scan to surface low-hanging issues, then manually probes individual endpoints for authorisation flaws, input validation, and business logic problems. Findings are reproduced in Repeater, exploited where appropriate, and screenshotted for the report.
Certification
PortSwigger offers the Burp Suite Certified Practitioner (BSCP) qualification, which is increasingly recognised as proof of competent web application testing alongside CREST CRT and OSWA. The hands-on lab platform (PortSwigger Web Security Academy) underpins the certification and is free to use.
Related terms
See also: web application penetration testing, SQL injection, and cross-site scripting.