Why You Need to Know This
In 2017, a researcher did this: they opened Facebook, started uploading their own photo, and at that exact moment used Burp Suite to intercept the request to the server and change the profile ID in it to someone else's. The request went through. The photo was uploaded to someone else's profile.
Facebook paid $40,000 for this finding. It took 40 seconds of work.
The tool is called Burp Suite. It is the go-to tool for web security testing. You can't do bug bounty, pentesting, or even a training CTF without it. This lesson is about the concept of "standing between the browser and the website to eavesdrop on or modify their conversation."
What is Burp Suite?
Explained Simply in 30 Seconds
Burp Suite = a "magnifying glass and editor" between your browser and the website.
Normally, the browser sends requests directly to the website. Burp sits in the middle:
Browser → Burp (view, modify) → Website
This is called a "proxy" (an intermediary). Burp catches every request, shows it to you, lets you modify it, and then lets it go through.
Why do you need this?
| What you can do | In simple terms |
| --- | --- |
| Modify hidden form fields | "Forge the 'invisible' part of a document before handing it in" |
| Modify session cookies | "Swap wristbands in a locker room" |
| Change the user ID in a request | "Swap the delivery address with someone else's" |
| Brute-force passwords | "Trying lockpicks one by one" |
| Test for SQL injection / XSS | "Constantly trying out different payloads" |
How to Launch
It is already installed in Kali Linux. Simply run:
```bash
burpsuite &
```
Editions:
- Community Edition: free, more than enough for learning and basic bug hunting
- Professional: $449/year, for serious work. We don't need it right now
Once launched, select Temporary project → Use Burp defaults → Start Burp.
Browsing "Through" Burp
For Burp to see the traffic, the browser must route its requests through it.
The Easiest Way
Burp has a built-in browser (a pre-configured Chromium with the proxy already set up). Simply go to: Proxy → Open browser. That's it, no configuration needed.
Main "Rooms" of Burp
No need to memorize all the tabs. There are only three main ones:
| Tab | What it does | In simple terms |
| --- | --- | --- |
| Proxy | Interception and request history | "A log of all conversations between the browser and the website" |
| Repeater | Send a single request multiple times with modifications | "Repeat with tweaks" |
| Intruder | Automated brute-forcing of values | "A robot trying thousands of options" |
The other tabs are "advanced tools"; you'll get back to them after a month of practice.
Practice 1: Eavesdropping on Your Own Login
- Launch Burp → Proxy → Open browser (the built-in browser will open)
- In this browser, open DVWA (from Lesson 5.1): http://localhost/dvwa
- In Burp, go to the Proxy tab and switch the Intercept button to "Intercept is on"
- In the browser, enter admin / password and click Login
- The browser will "freeze" because Burp has intercepted the request. In Burp, you will see:
```http
POST /dvwa/login.php HTTP/1.1
Host: localhost
...
username=admin&password=password&Login=Login
```
- Click Forward → the request will go through, and you will be logged in
This is exactly what "eavesdropping on the browser's conversation with the website" means. No magic. Just a middleman.
Practice 2: Modifying a Password on the Fly
- Log out of DVWA, click Login again, but enter an incorrect password: admin / WRONG
- Intercept the request in Burp (Intercept is on)
- In the intercepted request, manually change password=WRONG to password=password
- Forward → you are logged in as admin, even though you entered WRONG in the browser
This is on-the-fly request modification, Burp's ultimate superpower. On real websites, instead of passwords, people modify:
- User IDs (IDOR)
- Item prices (if poorly secured)
- Session cookies (swapping wristbands)
- Request methods (GET → POST or vice versa)
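To make concrete what Burp does between "edit the request" and "Forward", here is an added Python example (not part of the original lesson, and not Burp's own code) that parses the DVWA login request from Practice 1, swaps one form field exactly as in Practice 2, and re-serializes it. The request text is constructed for the example. The one detail Burp handles silently is visible here: after the body changes, Content-Length has to be recomputed, otherwise the server reads a truncated or overlong body.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request: what Burp's Intercept view shows when the DVWA
# login form from Practice 2 is submitted with the wrong password.
RAW_LOGIN_REQUEST = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "username=admin&password=WRONG&Login=Login"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body.

    Simplification for the example: headers go into a dict, so a repeated
    header name (e.g. several Cookie lines) would collapse into one entry.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def set_form_field(req, field, new_value):
    """Change one field of a urlencoded form body, the way you edit it in Intercept.

    Burp recomputes Content-Length for you after an edit; a hand-rolled proxy
    has to do it itself, otherwise the server reads the wrong number of bytes.
    """
    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    params[field] = new_value
    req["body"] = urlencode(params)  # dict keeps the original field order
    req["headers"]["Content-Length"] = str(len(req["body"].encode("utf-8")))
    return req


def serialize_request(req):
    """Turn the parsed structure back into the bytes-on-the-wire text."""
    lines = [f'{req["method"]} {req["path"]} {req["version"]}']
    lines += [f"{name}: {value}" for name, value in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def forward_with_edit(raw, field, new_value):
    """Intercept -> edit one field -> Forward, as a single function."""
    return serialize_request(set_form_field(parse_request(raw), field, new_value))


if __name__ == "__main__":
    print(forward_with_edit(RAW_LOGIN_REQUEST, "password", "password"))
```

The lesson for the server side follows directly from this: every byte of the request, hidden fields and IDs included, is under the sender's control. The fix for the kind of bug in the opening Facebook story is to take the target profile from the authenticated session, never from a parameter the client supplies.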
Repeater: "Repeat with Tweaks"
Explained Simply in 30 Seconds
Repeater = a "canvas" where you can repeatedly send the exact same request, tweaking it slightly each time.
Perfect for testing SQL injection / XSS: you try one payload, see the response, tweak the payload, and send it again. No need to fill out the form in your browser every single time.
- In Proxy → HTTP history, find an interesting request (like the login one)
- Right-click → Send to Repeater
- Go to the Repeater tab → you will see the same request
- Modify any parameter (for example, try SQL injection in the username: admin' OR '1'='1)
- Click Send → you will see the server's response on the right
- If it didn't work, change the payload and click Send again. Repeat until you find a working one.
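Why the payload in the fourth step works is clearest from the server's side. The following added Python example (not from the lesson, and not DVWA's own code) builds an in-memory SQLite table with a single constructed user, admin / password, and then runs the login check two ways: the string-concatenation form that training applications like DVWA deliberately expose, and the parameterized form that fixes it. Plaintext passwords are kept only to stay parallel with the lab; a real system stores password hashes.

```python
import sqlite3

# Constructed sample: the only account in the toy database, matching the
# DVWA credentials used earlier in the lesson.
SAMPLE_USERS = [("admin", "password")]

# The payload the lesson suggests typing into the username field in Repeater.
PAYLOAD = "admin' OR '1'='1"


def make_db():
    """Create an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation: user input becomes SQL syntax.

    With the payload as username the statement turns into
      ... WHERE username = 'admin' OR '1'='1' AND password = 'WRONG'
    and because AND binds tighter than OR, username = 'admin' alone is enough.
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quotes in the input stay data and never become syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run the same input through both versions; returns who each one logs in."""
    conn = make_db()
    try:
        return {"vulnerable": login_vulnerable(conn, username, password),
                "safe": login_safe(conn, username, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("admin", "password"))  # both versions log admin in
    print(compare(PAYLOAD, "WRONG"))     # only the vulnerable version does
```

Reading the responses in Repeater is the same comparison done blind: a login that succeeds with a wrong password tells you the server is building the query the first way.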
Intruder: "A Robot Trying Thousands"
Explained Simply in 30 Seconds
Intruder = a bulk Repeater. You tell it: "insert words from this list into this position one by one", and Burp sends thousands of requests and displays the results.
Perfect for brute-forcing passwords, testing 1,000 IDOR IDs, or scanning for hidden files.
In the free version, Intruder is significantly throttled (an artificial limitation). It's enough for learning, but you'll need Pro for serious bug bounty hunting.
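Intruder's core mechanism, as an added Python example that is not part of the lesson and not Burp's code: a request template in which each payload position is bracketed by a pair of § signs (the marker Burp itself uses), expanded into one request body per payload. Two of Burp's attack types are implemented: Sniper (one position at a time, the other positions keep their original value) and Cluster bomb (every combination of one payload list per position). The template and payload lists are constructed; the functions only build the request strings and send nothing.

```python
import itertools

MARK = "\u00a7"  # the section sign (§) Burp uses to bracket a payload position


def split_template(template):
    """Return (fixed_parts, originals): the text between positions and the
    original value inside each §...§ pair, in order."""
    pieces = template.split(MARK)
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    fixed = pieces[0::2]      # text outside the markers
    originals = pieces[1::2]  # the value currently sitting at each position
    return fixed, originals


def assemble(fixed, values):
    """Interleave the fixed text with one value per position."""
    out = [fixed[0]]
    for value, tail in zip(values, fixed[1:]):
        out.append(value)
        out.append(tail)
    return "".join(out)


def expand_sniper(template, payloads):
    """Sniper: for each position in turn, substitute every payload while the
    other positions keep their original value."""
    fixed, originals = split_template(template)
    requests = []
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            requests.append(assemble(fixed, values))
    return requests


def expand_cluster_bomb(template, payload_sets):
    """Cluster bomb: one payload list per position, all combinations."""
    fixed, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("need exactly one payload list per position")
    return [assemble(fixed, combo) for combo in itertools.product(*payload_sets)]


# Constructed sample: the DVWA login body with two marked positions.
TEMPLATE = f"username={MARK}admin{MARK}&password={MARK}password{MARK}&Login=Login"

if __name__ == "__main__":
    for body in expand_sniper(TEMPLATE, ["guest", "test"]):
        print(body)
    print(len(expand_cluster_bomb(TEMPLATE, [["admin", "guest"], ["a", "b", "c"]])))
```

The request count is the thing to notice: Sniper sends positions × payloads, Cluster bomb multiplies the list sizes together. That multiplicative volume is exactly what a login rate limit and failed-login monitoring are built to catch on the defending side.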
Typical Burp Suite Workflow
- Launch Burp → Open browser
- Browse the website, clicking everything. Burp automatically logs all requests in the Target Sitemap.
- Find interesting entry points (login, search, profile)
- Send each one to Repeater and try different inputs
- Document any findings for your report (or bug bounty submission)
Where to Learn for Free
PortSwigger Web Security Academy: portswigger.net/web-security.
This is the website of the creators of Burp Suite themselves. It features:
- ~200 hands-on labs with real-world vulnerabilities
- From "extremely simple" to "expert" level
- Full coverage of the OWASP Top 10
- Free, forever, without registration
If you complete at least 50 labs, you are basically a junior pentester. This is the best educational resource in the field.
A Quick Comprehension Check
- What does Burp Suite do in one sentence? It sits between the browser and the website, letting you view and modify requests.
- Which tab is used for interception? Proxy → Intercept
- Which tab is used to "repeat with tweaks"? Repeater
- Which tab is used for "a robot trying thousands"? Intruder
- Where can you learn Burp for free? portswigger.net/web-security
Optional but Interesting
Burp has a built-in Decoder. It can:
- Decode Base64 (text that looks like "aGVsbG8=")
- Decode URL-encoded strings (%20 → space)
- Calculate MD5/SHA hashes
This is useful when you see an obscure string in a request: just throw it into Decoder to see what's inside.
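A small Python counterpart to Decoder, added here as an example (not the lesson's code and not Burp's): given an obscure string from a request, it peels encodings one layer at a time, URL-decoding when percent escapes are present and Base64-decoding when the text is well-formed Base64 that decodes to printable characters, and it computes the MD5 and SHA-256 digests Decoder's hash function would show. The sample strings are constructed. The Base64 check is a heuristic: a plain word such as "password" is made entirely of Base64 alphabet characters, so the decoded bytes are also required to be printable text before a layer is accepted.

```python
import base64
import hashlib
import re
from urllib.parse import unquote

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_url_decode(text):
    """Return the URL-decoded text, or None if there is nothing to decode."""
    if not PERCENT_ESCAPE.search(text):
        return None
    return unquote(text)


def try_base64_decode(text):
    """Return the decoded text if `text` is well-formed Base64 that decodes to
    printable UTF-8, else None. Heuristic: plain words can look like Base64."""
    if len(text) % 4 != 0 or not BASE64_SHAPE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return decoded if decoded.isprintable() else None


def peel(text, max_layers=5):
    """Strip encodings layer by layer; returns [(layer_name, result), ...]."""
    layers = []
    for _ in range(max_layers):
        for name, fn in (("url", try_url_decode), ("base64", try_base64_decode)):
            result = fn(text)
            if result is not None and result != text:
                layers.append((name, result))
                text = result
                break
        else:
            break  # no decoder made progress: this is the plaintext
    return layers


def digests(text):
    """The hashes Decoder offers, for comparing against a value seen in traffic."""
    data = text.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    # Constructed samples: plain Base64, URL encoding, and Base64 inside URL encoding.
    for sample in ("aGVsbG8=", "hello%20world", "aGVsbG8%3D"):
        print(sample, "->", peel(sample))
    print(digests("hello"))
```

Stacked encodings are common in real traffic (a Base64 cookie value that was then URL-encoded by the browser), which is why the loop keeps peeling until no decoder makes progress rather than stopping after one layer.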
Vibe-task: Ask Claude
Open Claude and ask:
I've just started learning Burp Suite. Give me a 4-week plan:
Week 1: Proxy + Repeater on DVWA (what to do every day)
Week 2: Intruder + Decoder (5 practical tasks)
Week 3: PortSwigger Web Academy (which 10 labs to complete first and in what order)
Week 4: First deep dive into bug bounty (which platforms to register on, what to look for first)
Explain it to me like I'm 10 years old. By the end of each week, I should ALREADY be able to do something concrete: tell me exactly what.
Key Takeaways from the Lesson
What to Take Away
- Burp Suite = a "magnifying glass and editor" between your browser and the website.
- 3 main tabs: Proxy (viewing), Repeater (repeating with tweaks), Intruder (automated testing).
- Burp's built-in browser is the easiest way to start.
- The ultimate superpower: modifying requests on the fly (passwords, user IDs, prices).
- PortSwigger Web Academy is the best free web security education resource in the world.
What's Next
Lesson 8.2: Metasploit. If Burp is a "magnifying glass for manual work," Metasploit is a massive library of ready-to-use exploits for known vulnerabilities. Once you find a vulnerable application, just choose the right "lockpicking tool" and launch it. One of the primary tools in a hacker's toolkit.