
PortSwigger Burp Suite Complete Guide 2026: The Ultimate Web Application Security Testing Handbook

Published on January 13, 2026


Table of Contents

  1. Introduction to PortSwigger & Burp Suite
  2. Burp Suite Editions Comparison
  3. System Requirements
  4. Installation Guide
  5. Initial Configuration & Setup
  6. Browser Configuration & Certificate Setup
  7. Core Tools Deep Dive
  8. Vulnerability Scanning
  9. Testing for OWASP Top 10
  10. BApp Store & Extensions
  11. Mobile Application Testing
  12. Command Line & Headless Mode
  13. CI/CD & DevSecOps Integration
  14. Integration with Other Security Tools
  15. Web Security Academy
  16. Best Practices & Tips
  17. Troubleshooting
  18. Pricing & Licensing

1. Introduction to PortSwigger & Burp Suite

1.1 What is PortSwigger?

PortSwigger is a leading cybersecurity company founded by Dafydd Stuttard, author of “The Web Application Hacker’s Handbook.” The company is renowned for developing Burp Suite, the industry-standard toolkit for web application security testing.

1.2 What is Burp Suite?

Burp Suite is a comprehensive, integrated platform for performing security testing of web applications. It is designed to support the entire testing process, from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities.

[!IMPORTANT] Current Version (as of January 2026): Burp Suite Professional/Community 2025.12.2

This version includes upgrades to the embedded Chromium browser (version 143.0.7499.147 for Windows/Mac and 143.0.7499.146 for Linux), support for OpenAPI 3.1/3.2 scanning, OAuth 2.0 authentication, OWASP Top 10:2025 reporting, and improvements like scan freeze windows and editable recorded login steps.

1.3 Key Capabilities

| Capability | Description |
|------|---------|
| Traffic Interception | Acts as a proxy between browser and target application |
| Web Crawling | Automatically maps application structure and content |
| Vulnerability Scanning | Automated detection of common security vulnerabilities |
| Manual Testing Tools | Repeater, Intruder, Decoder for precise manual testing |
| Session Analysis | Sequencer for analyzing token randomness |
| Extensibility | BApp Store with hundreds of community extensions |
| Reporting | Comprehensive vulnerability reports |

1.4 Who Uses Burp Suite?

  • Penetration Testers - Professional security assessments
  • Bug Bounty Hunters - Discovering vulnerabilities for rewards
  • Security Researchers - Investigating new attack techniques
  • Development Teams - DevSecOps integration for early vulnerability detection
  • Security Teams - Enterprise-wide application security testing
  • Students - Learning web security concepts

2. Burp Suite Editions Comparison

2.1 Edition Overview

| Feature | Community Edition | Professional Edition | Enterprise Edition |
|------|---------|---------|---------|
| Price | Free | $475/user/year | Starting $6,040/year |
| Proxy | ✓ | ✓ | ✓ |
| Repeater | ✓ | ✓ | ✓ |
| Decoder | ✓ | ✓ | ✓ |
| Sequencer | ✓ | ✓ | ✓ |
| Comparer | ✓ | ✓ | ✓ |
| Scanner | ✗ | ✓ Full Speed | ✓ Automated |
| Intruder | Throttled | Full Speed | ✓ |
| Project Saving | ✗ | ✓ | ✓ |
| BApp Store Access | Limited | Full | Full |
| Burp Collaborator | ✗ | ✓ | ✓ |
| API Scanning | ✗ | ✓ | ✓ |
| CI/CD Integration | ✗ | ✗ | ✓ |
| Multi-User | Single | Single | Unlimited Users |
| Issue Management | ✗ | ✗ | ✓ |

2.2 Community Edition

Best for: Students, hobbyists, and learning web security fundamentals.

Features:

  • Manual penetration testing tools
  • HTTP/HTTPS proxy interception
  • Basic Intruder functionality (rate-limited)
  • Essential testing capabilities

Limitations:

  • No vulnerability scanner
  • No project file saving
  • Throttled Intruder attacks
  • No Burp Collaborator for OOB testing
  • Limited BApp store extensions

2.3 Professional Edition

Best for: Professional penetration testers, bug bounty hunters, and security researchers.

Features:

  • All Community features without limitations
  • Advanced vulnerability scanner
  • Unlimited Intruder speed
  • Project file saving and loading
  • Full Burp Collaborator integration
  • Complete BApp Store access
  • API scanning capabilities
  • Collections feature for sharing HTTP messages
  • BChecks for custom scan rules

2.4 Enterprise Edition

Best for: Organizations requiring automated, scalable DAST (Dynamic Application Security Testing).

Features:

  • All Professional features
  • CI/CD pipeline integration
  • Automated scheduled scans
  • Multi-user collaboration
  • Role-based access control
  • GraphQL API for automation
  • Issue management and tracking
  • Jira, GitLab, Trello integration
  • Cloud or self-hosted deployment

3. System Requirements

3.1 Minimum Requirements

| Component | Requirement |
|------|---------|
| Operating System | Windows (Intel 64-bit), macOS (Intel 64-bit & Apple M1), Linux (Intel & ARM 64-bit) |
| Processor | 1 GHz or faster |
| RAM | 2 GB minimum (4 GB recommended for basic tasks) |
| Disk Space | 500 MB - 1 GB for installation |
| Java | JRE 17 or later (bundled with installer) |

Recommended specifications:

| Component | Recommendation |
|------|---------|
| RAM | 8 GB for Professional Edition |
| RAM | 16-32 GB for complex Intruder attacks or large automated scans |
| Disk Space | 10+ GB (project files can grow to tens of GB) |
| Display | 1920x1080 or higher resolution |
| Network | Stable internet connection for testing |

[!TIP] For optimal performance, allocate more memory to Burp Suite using the -Xmx JVM argument. For example, -Xmx4g allocates 4 GB of RAM.


4. Installation Guide

4.1 Download Burp Suite

  1. Navigate to the official PortSwigger website: https://portswigger.net/burp/releases
  2. Click on “Products” → “Burp Suite Community Edition” (or Professional)
  3. Select “Go straight to downloads” to skip email registration
  4. Choose the installer for your operating system

4.2 Windows Installation

Step 1: Download the Installer

# Navigate to downloads folder
cd "$env:USERPROFILE\Downloads"

# The installer will be named like: burpsuite_community_windows-x64_vX.X.X.exe
# or burpsuite_pro_windows-x64_vX.X.X.exe

Step 2: Run the Installer

# Right-click and "Run as administrator" OR double-click the .exe file

Step 3: Follow the Installation Wizard

  1. Click Next on the welcome screen
  2. Accept the License Agreement
  3. Choose installation directory (default: C:\Program Files\BurpSuiteCommunity or BurpSuitePro)
  4. Select Start Menu folder
  5. Click Install
  6. Click Finish when complete

Step 4: Launch Burp Suite

# Launch from Start Menu or desktop shortcut
# Or from command line:
& "C:\Program Files\BurpSuiteCommunity\BurpSuiteCommunity.exe"

4.3 macOS Installation

Step 1: Download the Installer

# Navigate to Downloads folder
cd ~/Downloads

# The installer will be a .dmg file like:
# burpsuite_community_macos_x64_vX.X.X.dmg
# or
# burpsuite_community_macos_arm64_vX.X.X.dmg (for Apple Silicon)

Step 2: Install the Application

# Double-click the .dmg file to mount it
# Drag Burp Suite to Applications folder

Step 3: Launch Burp Suite

# Open from Applications folder
open -a "Burp Suite Community Edition"

# Or from command line
"/Applications/Burp Suite Community Edition.app/Contents/MacOS/BurpSuiteCommunity"

Step 4: Handle Security Warning (first launch)

  1. If macOS blocks the application, go to System Preferences → Security & Privacy
  2. Click “Open Anyway” next to the Burp Suite entry
  3. Confirm opening the application

4.4 Linux Installation

Step 1: Download the Installer

# Navigate to downloads directory
cd ~/Downloads

# Download using wget or curl (replace URL with current version)
# The URL contains "&", so it must be quoted; -O gives the download a usable file name
wget -O burpsuite_community_linux_x64.sh "https://portswigger.net/burp/releases/download?product=community&version=2025.11.6&type=Linux"

# Or download the .sh installer from the website
# File: burpsuite_community_linux_x64_vX.X.X.sh

Step 2: Make the Installer Executable

# Make the installer executable
chmod +x burpsuite_community_linux_x64_v*.sh

Step 3: Run the Installer

# Run the installer
./burpsuite_community_linux_x64_v*.sh

# Follow the graphical installation wizard
# OR run in console mode:
./burpsuite_community_linux_x64_v*.sh -c

Step 4: Installation Steps

  1. Click Next on the welcome screen
  2. Accept the License Agreement
  3. Choose installation directory (default: ~/BurpSuiteCommunity)
  4. Create desktop/menu shortcuts as desired
  5. Click Install
  6. Click Finish when complete

Step 5: Launch Burp Suite

# Launch from installation directory
~/BurpSuiteCommunity/BurpSuiteCommunity

# Or from created menu shortcut
# Or create an alias in ~/.bashrc:
echo 'alias burpsuite="~/BurpSuiteCommunity/BurpSuiteCommunity"' >> ~/.bashrc
source ~/.bashrc

4.5 Alternative: JAR File Installation (Any Platform)

For advanced users or specific requirements:

# Ensure Java 17+ is installed (required for Burp Suite 2025+)
java -version

# For Linux (Ubuntu/Debian), install OpenJDK 17:
# sudo apt install openjdk-17-jre

# Download the JAR file from PortSwigger
# Run with:
java -jar -Xmx4g burpsuite_community_vX.X.X.jar

# For Professional:
java -jar -Xmx4g burpsuite_pro_vX.X.X.jar

5. Initial Configuration & Setup

5.1 First Launch Configuration

Step 1: Accept Terms and Conditions

On first launch, you’ll be presented with the Terms and Conditions. Read and accept to proceed.

Step 2: Project Selection

| Project Type | Description |
|------|---------|
| Temporary Project | Session data not saved (Community Edition only option) |
| New Project on Disk | Creates a new project file (Pro/Enterprise only) |
| Open Existing Project | Opens a previously saved project (Pro/Enterprise only) |

Step 3: Configuration Selection

  • Use Burp Defaults - Recommended for beginners
  • Use a Configuration File - Load custom settings

Step 4: Click “Start Burp”

5.2 Memory Allocation Configuration

Windows:

# Edit the BurpSuiteCommunity.vmoptions or BurpSuitePro.vmoptions file
# Located in the installation directory
# Add or modify:
-Xms1g
-Xmx4g

macOS:

# Edit the vmoptions file
nano "/Applications/Burp Suite Community Edition.app/Contents/vmoptions.txt"

# Add:
-Xms1g
-Xmx4g

Linux:

# Edit the vmoptions file
nano ~/BurpSuiteCommunity/BurpSuiteCommunity.vmoptions

# Add:
-Xms1g
-Xmx4g

5.3 Essential Settings

Navigate to User options or Settings to configure:

Display Settings:

  • Font size and style
  • Theme (light/dark mode)
  • Character encoding

Project Options:

  • Session handling rules
  • Macro recording
  • Cookie jar management

Connections:

  • Upstream proxy configuration
  • SOCKS proxy settings
  • Platform authentication

6. Browser Configuration & Certificate Setup

6.1 Understanding the Proxy

Burp Suite acts as an intermediary (Man-in-the-Middle proxy) between your browser and target web applications:

Browser → Burp Suite Proxy (127.0.0.1:8080) → Target Web Server

[!NOTE] Burp Suite includes a built-in Chromium browser that is pre-configured with proxy settings and the CA certificate. Access it via Proxy → Intercept → Open Browser. This is the easiest way to start testing.

6.2 Proxy Listener Configuration

  1. In Burp Suite, go to Proxy → Options (or Proxy settings)

  2. Under Proxy Listeners, ensure a listener is active:

    • Interface: 127.0.0.1:8080 (default)
    • Running: ✓ (checkmark)
  3. To add a new listener, click Add:

    • Bind to port: 8080 (or any available port)
    • Bind to address: Loopback only for local testing, or All interfaces for mobile testing

6.3 Firefox Browser Configuration

Step 1: Configure Proxy Settings

1. Open Firefox
2. Click Menu (☰) → Settings → General
3. Scroll to "Network Settings" → Click "Settings..."
4. Select "Manual proxy configuration"
5. HTTP Proxy: 127.0.0.1    Port: 8080
6. Check "Use this proxy server for all protocols"
7. Clear "No proxy for" field
8. Click "OK"

Step 2: Install Burp CA Certificate

1. With Burp Suite running, open Firefox
2. Navigate to: http://burpsuite or http://127.0.0.1:8080
3. Click "CA Certificate" to download cacert.der
4. Go to Firefox: Settings → Privacy & Security
5. Scroll to "Certificates" โ†’ Click "View Certificates..."
6. Select "Authorities" tab → Click "Import..."
7. Select the downloaded cacert.der file
8. Check "Trust this CA to identify websites"
9. Click "OK" → Restart Firefox

6.4 Chrome Browser Configuration

Chrome uses the system proxy settings. Configure at the OS level:

Windows:

# Method 1: Through Settings
# Settings → Network & Internet → Proxy
# Enable "Use a proxy server"
# Address: 127.0.0.1    Port: 8080

# Method 2: Registry (Command Prompt as Administrator)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "127.0.0.1:8080" /f

macOS:

# System Settings → Network → Select your connection → Details → Proxies
# Enable "Web Proxy (HTTP)" and "Secure Web Proxy (HTTPS)"
# Set both to: 127.0.0.1:8080

# Or via command line:
networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8080
networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8080

Linux:

# Set environment variables
export http_proxy="http://127.0.0.1:8080"
export https_proxy="http://127.0.0.1:8080"

# For system-wide (GNOME):
gsettings set org.gnome.system.proxy mode 'manual'
gsettings set org.gnome.system.proxy.http host '127.0.0.1'
gsettings set org.gnome.system.proxy.http port 8080
gsettings set org.gnome.system.proxy.https host '127.0.0.1'
gsettings set org.gnome.system.proxy.https port 8080

Install CA Certificate in Chrome:

1. Navigate to: http://burpsuite (with Burp running)
2. Download the CA Certificate (cacert.der)
3. Chrome: Settings → Privacy and security → Security → Manage certificates
4. Windows: Import to "Trusted Root Certification Authorities"
5. macOS: Import to Keychain โ†’ Trust for SSL
6. Linux: Copy to /usr/local/share/ca-certificates/ and run update-ca-certificates

6.5 Disable Proxy (When Not Testing)

Firefox:

Settings → Network Settings → "No proxy"

Windows:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

macOS:

networksetup -setwebproxystate "Wi-Fi" off
networksetup -setsecurewebproxystate "Wi-Fi" off

Linux:

unset http_proxy https_proxy
gsettings set org.gnome.system.proxy mode 'none'

7. Core Tools Deep Dive

7.1 Target Tab

The Target tab provides a comprehensive view of your target application.

Site Map:

  • Hierarchical view of discovered content
  • Organizes by domain → subdomain → paths
  • Color-coded by scan status
  • Right-click context menu for actions

Scope:

  • Define testing boundaries
  • Include/exclude specific URLs or patterns
  • Prevents accidentally testing out-of-scope targets
# Example Scope Configuration:
Include in scope:
- Protocol: Any
- Host: *.example.com
- Port: Any
- File: Any

Exclude from scope:
- Host: logout.example.com
- Path: /admin/*
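The scope rules above are applied by Burp itself; the following is an added example (not PortSwigger code) that reproduces the decision in plain Python so the precedence is visible: a URL is in scope when some include rule matches and no exclude rule matches. The host wildcard `*.example.com`, the path prefix `/admin/*`, and the `any` keyword are interpreted the way this guide's scope listing uses them; the `ScopeRule` class and all rules are constructed here for illustration.

```python
# Added example, not Burp's own code: a small scope matcher that applies the
# include/exclude rules above. A host pattern of "*.example.com" matches the
# apex and any subdomain; a path pattern of "/admin/*" is a prefix match;
# "any"/"*" means unrestricted. Exclusions win over inclusions, as in Burp.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    protocol: str = "any"   # "any", "http" or "https"
    host: str = "*"         # "*" (any), "www.example.com" or "*.example.com"
    port: str = "any"       # "any" or a port number as text, e.g. "8443"
    path: str = "*"         # "*" (any), "/exact" or "/prefix/*"


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern


def path_matches(pattern: str, path: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])   # keep the trailing slash
    return path == pattern


def rule_matches(rule: ScopeRule, url: str) -> bool:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    if rule.protocol != "any" and rule.protocol.lower() != scheme:
        return False
    if rule.port != "any" and int(rule.port) != port:
        return False
    return (host_matches(rule.host.lower(), host)
            and path_matches(rule.path, parts.path or "/"))


def in_scope(url: str, include: list, exclude: list) -> bool:
    """In scope when an include rule matches and no exclude rule matches."""
    if any(rule_matches(rule, url) for rule in exclude):
        return False
    return any(rule_matches(rule, url) for rule in include)


# Constructed rules mirroring the example scope configuration above.
INCLUDE = [ScopeRule(host="*.example.com")]
EXCLUDE = [ScopeRule(host="logout.example.com"), ScopeRule(path="/admin/*")]
```

Note that a look-alike host such as evil-example.com does not match `*.example.com`, because the wildcard requires a literal dot boundary; a sloppier suffix check would silently widen scope.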

7.2 Proxy Tab

The Proxy is the core of Burp Suite’s functionality.

Intercept:

  • Enable/disable request interception
  • View, modify, and forward/drop requests
  • Forward - Send request to server
  • Drop - Discard the request
  • Action - Send to other Burp tools

HTTP History:

  • Complete log of all proxied traffic
  • Filter by host, method, status, MIME type
  • Search request/response content
  • Highlight specific requests

WebSockets History:

  • Log of WebSocket messages
  • Similar filtering and analysis capabilities

Options/Settings:

  • Proxy listeners configuration
  • Request/response interception rules
  • Match and replace rules
  • TLS pass-through settings

7.3 Intruder Tab

The Intruder automates customized attacks.

Attack Types:

| Type | Description | Use Case |
|------|---------|---------|
| Sniper | Single payload set, one position at a time | Testing individual parameters |
| Battering Ram | Same payload in all positions simultaneously | Same value needed everywhere |
| Pitchfork | Multiple payload sets, parallel iteration | Username + password lists |
| Cluster Bomb | Multiple payload sets, all combinations | Full credential testing |

Payload Configuration:

# Example: Brute-force login
1. Capture login request
2. Send to Intruder (Ctrl+I)
3. Mark parameters: §username§ and §password§
4. Configure payloads:
   - Set 1 (username): Simple list → admin, user, test
   - Set 2 (password): Simple list → password, 123456, admin123
5. Start Attack

Payload Types:

  • Simple list
  • Runtime file
  • Numbers
  • Dates
  • Character substitution
  • Case modification
  • Recursive grep
  • And many more…

7.4 Repeater Tab

Repeater allows manual manipulation and resending of individual requests.

Key Features:

  • Edit any part of the request
  • Send and analyze responses in real-time
  • Compare multiple responses
  • Follow redirects or not
  • Request history per tab

Common Use Cases:

1. Fine-tuning SQL injection payloads
2. Testing for parameter tampering
3. Analyzing authentication flows
4. Checking rate limiting
5. CSRF token analysis

Keyboard Shortcuts:

  • Ctrl+Space - Send request
  • Ctrl+Shift+G - Go to request history
  • Ctrl+R - New repeater tab with current request

7.5 Decoder Tab

Decoder transforms data between various encoding formats.

Encoding Types:

| Type | Example |
|------|---------|
| URL | %3Cscript%3E |
| HTML | &lt;script&gt; |
| Base64 | PHNjcmlwdD4= |
| ASCII Hex | 3c7363726970743e |
| Gzip | Compressed binary |
| Hex | 3c 73 63 72 69 70 74 3e |

Smart Decode: Automatically detects and decodes multiple layers of encoding.
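To make the layered decoding concrete, here is an added example (our own code, not Decoder's implementation) that peels URL, HTML-entity, hex and Base64 layers until the value stops changing, returning the final data and the list of layers removed. The detection heuristics are assumptions chosen to be conservative: Base64 is only accepted when it decodes to printable UTF-8, and hex only when the digit count is even.

```python
# Added example: a small "smart decode" in the spirit of Burp Decoder.
# It peels layers of URL, HTML-entity, hex and Base64 encoding until the
# data stops changing. Not PortSwigger code; the detection heuristics are
# our own and deliberately conservative.
import base64
import binascii
import html
import re
from urllib.parse import unquote

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s?)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_once(data: str):
    """Return (layer_name, decoded) for the first encoding that applies, or None."""
    if "%" in data and unquote(data) != data:
        return "url", unquote(data)
    if "&" in data and html.unescape(data) != data:
        return "html", html.unescape(data)
    stripped = data.replace(" ", "")
    if HEX_RE.match(data) and len(stripped) % 2 == 0:
        try:
            out = bytes.fromhex(stripped).decode("utf-8")
            if out.isprintable():
                return "hex", out
        except (ValueError, UnicodeDecodeError):
            pass
    if B64_RE.match(data) and len(data) % 4 == 0:
        try:
            out = base64.b64decode(data, validate=True).decode("utf-8")
            if out.isprintable():
                return "base64", out
        except (binascii.Error, UnicodeDecodeError):
            pass
    return None


def smart_decode(data: str, max_layers: int = 8):
    """Decode repeatedly; returns (final_value, [layers peeled, outermost first])."""
    layers = []
    for _ in range(max_layers):
        step = decode_once(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    return data, layers
```

The `max_layers` cap matters: a value that happens to look like valid Base64 after every round would otherwise loop, which is exactly the kind of input an attacker-controlled parameter can contain.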

7.6 Comparer Tab

Comparer finds differences between two pieces of data.

Use Cases:

  • Compare responses before and after parameter modification
  • Identify differences in authenticated vs. unauthenticated responses
  • Spot subtle changes in error messages

Comparison Modes:

  • Word-level - Highlights different words
  • Byte-level - Highlights individual byte differences

7.7 Sequencer Tab

Sequencer analyzes the quality of randomness in tokens.

Testing Session Tokens:

1. Capture a request that returns a token
2. Right-click → Send to Sequencer
3. Define token location
4. Click "Start live capture"
5. Collect minimum 100 samples (10,000+ recommended)
6. Click "Analyze now"

Analysis Results:

  • Overall entropy
  • Character-level analysis
  • Bit-level analysis
  • FIPS tests

[!WARNING] Tokens with low entropy are predictable and vulnerable to session hijacking attacks.
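The following added example (illustrative code, not Sequencer's statistical tests) shows what "low entropy" means in practice: it computes per-character-position Shannon entropy over a sample of fixed-length tokens and flags positions that barely vary. The two token sets are constructed here; the sequential one has a constant prefix and a counter, which is the pattern that makes a session identifier guessable. Real analysis needs far more samples than shown, as the section above says.

```python
# Added example: a lightweight stand-in for what Sequencer measures.
# Given a sample of tokens it computes per-position Shannon entropy and
# flags positions that barely vary, which is what makes a token predictable.
# Illustrative code only, not Sequencer's actual statistical tests.
import math
import random
from collections import Counter


def shannon_entropy(symbols) -> float:
    """Entropy in bits of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return max(0.0, -sum((c / total) * math.log2(c / total) for c in counts.values()))


def analyse_tokens(tokens, weak_threshold_bits: float = 1.0) -> dict:
    """Per-position entropy for fixed-length tokens; returns a summary dict."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    per_position = [shannon_entropy(t[i] for t in tokens) for i in range(length)]
    weak = [i for i, h in enumerate(per_position) if h < weak_threshold_bits]
    return {
        "length": length,
        "total_bits": round(sum(per_position), 2),
        "per_position": [round(h, 2) for h in per_position],
        "weak_positions": weak,
        # Heuristic: if more than half the positions are near-constant, a
        # tester should treat the token as guessable and investigate further.
        "predictable": len(weak) > length // 2,
    }


# Constructed sample: a "session id" built from a constant prefix, a counter
# and a short random tail. A defender would expect this to be flagged.
SEQUENTIAL_TOKENS = [f"sess{n:04d}{tail}" for n, tail in zip(
    range(1000, 1008), ["a9", "f3", "0c", "7e", "b1", "d4", "55", "e8"])]

# Constructed contrast sample: 64 seeded pseudo-random 16-hex-character tokens.
_rng = random.Random(2026)
RANDOM_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(16))
                 for _ in range(64)]
```

With only eight samples each position can show at most 3 bits, so the absolute numbers are small; the point is the contrast between the seven near-zero positions of the sequential tokens and the uniformly high positions of the random ones.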

7.8 Logger Tab

Logger provides detailed logging of all Burp Suite activity.

Features:

  • Central log of all tool activity
  • Filter by source tool
  • Search and filter capabilities
  • Export functionality

8. Vulnerability Scanning

8.1 Scanner Overview (Professional Edition)

The Scanner automatically identifies vulnerabilities in web applications.

Scan Types:

| Type | Description | Speed |
|------|---------|---------|
| Passive Scan | Analyzes proxied traffic without sending additional requests | Fast |
| Active Scan | Sends attack payloads to identify vulnerabilities | Slower |
| Audit Only | Scans without crawling (uses existing sitemap) | Medium |
| Crawl and Audit | Full automated scan | Slowest |

8.2 Launching a Scan

Method 1: Right-Click Context Menu

1. In Target Site Map or Proxy History
2. Right-click on target URL
3. Select "Scan" → Choose scan type
4. Configure scan settings
5. Click "OK" to start

Method 2: Scan Launcher

1. Go to Dashboard or Scan tab
2. Click "New Scan"
3. Enter target URL(s)
4. Select scan type:
   - Crawl and audit
   - Audit selected items
   - Crawl
5. Configure options
6. Click "OK"

8.3 Scan Configuration

Crawl Settings:

  • Maximum crawl depth
  • Maximum time
  • Maximum unique locations
  • Login handling

Audit Settings:

  • Insertion point locations
  • Issue types to detect
  • Active scanning optimization level
  • Handling of application errors

8.4 Understanding Scan Results

Issue Severities:

| Severity | Description | Examples |
|------|---------|---------|
| High | Critical vulnerabilities | SQL injection, Remote code execution |
| Medium | Significant issues | Stored XSS, CSRF |
| Low | Minor concerns | Information disclosure |
| Information | Observations | Software version detected |

Confidence Levels:

  • Certain - Confirmed vulnerability
  • Firm - Highly likely vulnerability
  • Tentative - Possible vulnerability, needs verification

8.5 BChecks (Custom Scan Rules)

BChecks allow you to create custom scanning rules using a simple definition language.

Example BCheck:

metadata:
    language: v1-beta
    name: "Custom Header Check"
    description: "Checks for custom security header"
    author: "Your Name"

given response then
    if not({latest.response.headers} matches "(?i)X-Custom-Header:") then
        report issue:
            severity: low
            confidence: certain
            detail: "Custom security header is missing"
            remediation: "Add the X-Custom-Header header to all responses"
    end if

BCheck Location:

# Windows
%USERPROFILE%\.BurpSuite\BCheckDefinitions\
# macOS/Linux
~/.BurpSuite/BCheckDefinitions/

9. Testing for OWASP Top 10

9.1 A01:2021 – Broken Access Control

Testing with Burp Suite:

1. Log in as a low-privileged user
2. Capture requests to protected resources
3. Use Repeater to:
   - Modify user IDs in URLs/parameters
   - Change role parameters
   - Access admin endpoints
4. Use Autorize extension for automated testing

Example Test:

# Original request (as user ID 123)
GET /api/users/123/profile HTTP/1.1

# Modify to access another user (IDOR test)
GET /api/users/456/profile HTTP/1.1

9.2 A02:2021 – Cryptographic Failures

Testing Approach:

1. Check for HTTPS enforcement
2. Analyze cookie flags (Secure, HttpOnly)
3. Review password reset mechanisms
4. Check for sensitive data in URLs

Burp Suite Tools:

  • Proxy → Check for HTTP vs HTTPS
  • Scanner → Detects weak TLS configurations
  • Repeater → Test cookie handling
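Step 2 above (analyzing cookie flags) is easy to do by eye for one response and easy to get wrong across a whole Proxy history. The following added example (our own code, not a Burp feature) parses Set-Cookie headers captured from a response and reports missing Secure, HttpOnly and SameSite attributes, plus the SameSite=None-without-Secure combination that browsers reject. The sample headers are constructed for illustration.

```python
# Added example: parse Set-Cookie headers the way you would when reviewing
# Proxy history, and report missing Secure / HttpOnly / SameSite attributes.
# Constructed sample headers; not PortSwigger code.

def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into its name and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header_value: str, over_https: bool = True) -> dict:
    """Return the cookie name and a list of findings for one Set-Cookie header."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script (XSS exposure)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: browser default applies")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    return {"name": cookie["name"], "findings": findings}


def audit_response_cookies(headers) -> list:
    """headers: list of (name, value) tuples as captured from one response."""
    return [audit_cookie(value) for name, value in headers
            if name.lower() == "set-cookie"]


# Constructed response headers for illustration.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; SameSite=Strict"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

The session cookie is the one that matters: it is the value an attacker would replay, and it is the only one of the three with all three attributes missing.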

9.3 A03:2021 – Injection

SQL Injection Testing:

1. Identify input points (parameters, headers, cookies)
2. Send to Intruder
3. Use SQL injection payloads:
   - ' OR '1'='1
   - 1; DROP TABLE users--
   - ' UNION SELECT NULL,NULL,NULL--
4. Analyze responses for:
   - Error messages
   - Different response lengths
   - Time delays
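Why the payloads above change the response at all is clearest when the same lookup is written both ways. This added example (not part of the original guide) runs a user lookup against an in-memory SQLite database with constructed rows: once with the input spliced into the SQL text, once with it bound as a parameter. The row counts are the "different response lengths" signal that step 4 tells you to look for.

```python
# Added example: the same query written vulnerably and parameterised, against
# an in-memory SQLite database with constructed rows. Not PortSwigger code.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "admin"),
        (2, "bob", "user"),
    ])
    return conn


def find_user_vulnerable(conn, username: str):
    """'Before': user input is spliced into the SQL text, so quotes and
    keywords in the input become part of the statement."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """'After': the value travels as a bound parameter and is never parsed
    as SQL, so the same payloads simply match no row."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

With `' OR '1'='1` the vulnerable query returns every user and the safe one returns none; with the UNION payload the vulnerable query returns a synthetic `(NULL, NULL)` row, which is exactly the kind of anomalous response Intruder's length column makes visible.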

Command Injection Testing:

# Test payloads:
; ls -la
| cat /etc/passwd
`whoami`
$(id)

9.4 A04:2021 – Insecure Design

Testing with Burp Suite:

  • Analyze business logic flows
  • Test for missing rate limiting (Intruder)
  • Check for privilege escalation paths
  • Review error handling

9.5 A05:2021 – Security Misconfiguration

Checks:

1. Directory listing enabled?
2. Default credentials in use?
3. Verbose error messages?
4. Unnecessary HTTP methods enabled?
5. CORS misconfiguration?

Intruder Test for Default Credentials:

Attack Type: Pitchfork
Positions: username=§admin§&password=§password§
Payload 1: admin, root, administrator
Payload 2: admin, password, 123456

9.6 A06:2021 – Vulnerable and Outdated Components

Using Burp Suite:

1. Analyze response headers for version info
2. Check JavaScript files for library versions
3. Use Retire.js extension
4. Scanner detects known CVEs

9.7 A07:2021 – Identification and Authentication Failures

Testing:

1. Brute-force attack with Intruder
2. Session token analysis with Sequencer
3. Test password reset logic
4. Check for account lockout mechanisms
5. Test "remember me" functionality

Sequencer Analysis:

1. Capture session token
2. Send to Sequencer
3. Collect 10,000+ tokens
4. Analyze entropy
5. Look for patterns

9.8 A08:2021 – Software and Data Integrity Failures

Testing:

1. Check for unsigned/unverified updates
2. Analyze deserialization endpoints
3. Verify CI/CD pipeline security
4. Test for insecure object deserialization

9.9 A09:2021 – Security Logging and Monitoring Failures

Manual Testing:

1. Generate suspicious requests
2. Check if alerts are triggered
3. Test for log injection
4. Verify audit trail completeness

9.10 A10:2021 – Server-Side Request Forgery (SSRF)

Testing with Burp Collaborator:

1. Find parameters accepting URLs
2. Replace with Collaborator payload
3. Check for:
   - DNS lookups
   - HTTP requests
   - SMB connections

Example Payloads:

http://burpcollaborator-subdomain.oastify.com
http://127.0.0.1:8080/admin
http://169.254.169.254/latest/meta-data/

10. BApp Store & Extensions

10.1 Accessing BApp Store

1. In Burp Suite: Extensions → BApp Store
2. Browse or search for extensions
3. Click "Install" to add the extension

10.2 Essential Extensions

Autorize

Purpose: Automated authorization testing

Use Case:
1. Define low-privileged session cookie
2. Browse as high-privileged user
3. Autorize replays requests with low-priv cookie
4. Highlights unauthorized access
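The replay-and-compare logic that Autorize automates, and that section 9.1 describes doing by hand in Repeater, is shown below as an added example in plain Python (our code, not the extension's). Each request captured from the privileged session is re-sent with the low-privileged cookie and classified with Autorize's three verdicts. The `send` callable is a hypothetical injection point so the same logic can run against a constructed in-memory application, which is what the sample here does.

```python
# Added example: the replay-and-compare logic that Autorize automates, written
# as plain Python so the decision rules are visible. `send` is an injected
# function (hypothetical) so the same code runs against a real target or,
# as here, against a constructed in-memory application.

def classify(high_status, high_body, low_status, low_body) -> str:
    """Autorize-style verdict for one request replayed with the low-priv session."""
    if low_status in (401, 403):
        return "Enforced"
    if low_status == high_status and low_body == high_body:
        return "Bypassed"
    return "Is enforced??? (response differs; verify manually)"


def replay_with_low_priv(requests_seen, send, low_priv_cookie) -> list:
    """requests_seen: list of (method, path, high_priv_cookie) captured while
    browsing as the privileged user. Returns one verdict per request."""
    results = []
    for method, path, high_cookie in requests_seen:
        hi_status, hi_body = send(method, path, high_cookie)
        lo_status, lo_body = send(method, path, low_priv_cookie)
        results.append({"request": f"{method} {path}",
                        "verdict": classify(hi_status, hi_body, lo_status, lo_body)})
    return results


# Constructed fake application: sessions map to roles; one route forgets its check.
SESSIONS = {"sess-admin": "admin", "sess-user": "user"}


def fake_send(method, path, cookie):
    role = SESSIONS.get(cookie)
    if role is None:
        return 401, "login required"
    if path == "/admin/users":                  # correctly restricted to admins
        return (200, "user list") if role == "admin" else (403, "forbidden")
    if path == "/api/reports/export":           # missing authorization check
        return 200, "report data"
    if path == "/dashboard":                    # content differs by role
        return 200, f"dashboard for {role}"
    return 404, "not found"


CAPTURED = [("GET", "/admin/users", "sess-admin"),
            ("GET", "/api/reports/export", "sess-admin"),
            ("GET", "/dashboard", "sess-admin")]
```

The third verdict is the one that needs a human: a 200 with different content may be correct role-specific rendering or may be a partial leak, and only reading the two responses side by side (Comparer is the tool for that) settles it.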

Logger++

Purpose: Advanced logging with filters

Features:
- Log all requests/responses
- Advanced search and filter
- Export to various formats
- Color-coded highlighting

Active Scan++

Purpose: Enhanced scanner

Detects:
- Platform-specific vulnerabilities
- Complex injection patterns
- Additional CVE checks

Retire.js

Purpose: JavaScript vulnerability detection

Identifies:
- Vulnerable JavaScript libraries
- Known CVEs in client-side code
- Outdated frameworks

403 Bypasser

Purpose: Bypass 403 Forbidden responses

Techniques:
- HTTP method switching
- Path manipulation
- Header injection
- Request smuggling

Turbo Intruder

Purpose: High-speed attacks

# Example script
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=30,
                          requestsPerConnection=100)
    
    for word in open('/path/to/wordlist.txt'):
        engine.queue(target.req, word.rstrip())

def handleResponse(req, interesting):
    if req.status == 200:
        table.add(req)

InQL (GraphQL Scanner)

Purpose: GraphQL introspection and testing

Features:
- Schema introspection
- Query generation
- Mutation testing
- Authorization bypass detection

JWT Editor

Purpose: JSON Web Token analysis

Capabilities:
- Decode JWT tokens
- Modify claims
- Test algorithm confusion attacks
- Generate signatures

Collaborator Everywhere

Purpose: Automated OOB testing (Pro only)

Injects Collaborator payloads into:
- Headers
- Parameters
- Path components
Detects: SSRF, blind XSS, DNS exfiltration

Upload Scanner

Purpose: File upload vulnerability testing (Pro only)

Tests for:
- Remote code execution
- Path traversal
- MIME type bypass
- Extension bypass

10.3 Installing Extensions Manually

From BApp Store:

Extensions → BApp Store → Select extension → Install

From File:

1. Download the .jar or .py extension file
2. Extensions → Installed → Add
3. Select extension type (Java/Python)
4. Browse to file location
5. Click "Next" โ†’ "Close"

Python Extensions Requirement:

# Install Jython for Python extensions
# Download from: https://www.jython.org/download

# Configure in Burp:
# Extensions → Options → Python Environment
# Set path to jython-standalone-X.X.X.jar

11. Mobile Application Testing

11.1 Prerequisites

  • Mobile device or emulator
  • Same network as Burp Suite host
  • Burp Suite configured to listen on all interfaces

11.2 Burp Suite Configuration for Mobile Testing

1. Proxy → Options → Proxy Listeners
2. Edit listener or Add new
3. Bind to address: "All interfaces"
4. Port: 8082 (or any available port)
5. Note your computer's IP address

Get Host IP Address:

Windows:

ipconfig | findstr IPv4
# Example output: 192.168.1.100

macOS:

ipconfig getifaddr en0
# Or
ifconfig | grep "inet " | grep -v 127.0.0.1

Linux:

ip addr show | grep "inet " | grep -v 127.0.0.1
hostname -I

11.3 iOS Device Configuration

Configure Proxy:

1. Settings → Wi-Fi
2. Tap (i) next to your network
3. Scroll to "HTTP Proxy" → Select "Manual"
4. Server: [Your computer's IP, e.g., 192.168.1.100]
5. Port: 8082

Install CA Certificate:

1. Open Safari on iOS
2. Navigate to: http://burp
3. Tap "CA Certificate" to download
4. Go to: Settings → General → VPN & Device Management
5. Install the downloaded profile
6. Enter passcode if prompted
7. Go to: Settings → General → About → Certificate Trust Settings
8. Enable "Full trust" for PortSwigger CA

11.4 Android Device Configuration

Configure Proxy:

1. Settings → Network & Internet → Wi-Fi
2. Long-press your connected network → Modify network
3. Advanced options → Proxy → Manual
4. Proxy hostname: [Your computer's IP]
5. Proxy port: 8082
6. Save

Install CA Certificate (Android 7+):

[!CAUTION] Android 7 (Nougat) and later require the CA certificate to be installed as a system certificate for most apps. This typically requires a rooted device.

For Rooted Devices:

# Export certificate from Burp Suite
# Convert to PEM format
openssl x509 -inform DER -in cacert.der -out cacert.pem

# Get the certificate hash
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
# Example output: 9a5ba575

# Rename certificate
mv cacert.pem 9a5ba575.0

# Push to device
adb root
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
adb reboot

For Android Emulators:

# Start emulator with writable system
emulator -avd <avd_name> -writable-system

# Install certificate (similar to above)
adb root
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/9a5ba575.0
adb reboot

11.5 Bypassing SSL Pinning

For apps implementing SSL pinning:

Using Frida:

# Install Frida
pip install frida-tools

# Download and push frida-server to device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "/data/local/tmp/frida-server &"

# Use SSL unpinning script
frida -U -l ssl-unpin.js -f com.example.app

Using Objection:

# Install objection
pip install objection

# Patch APK with objection
objection patchapk -s app.apk

# Or use at runtime
objection -g com.example.app explore
# Then: android sslpinning disable

12. Command Line & Headless Mode

12.1 Command Line Arguments

Basic Launch:

# Windows
"C:\Program Files\BurpSuitePro\BurpSuitePro.exe" [options]

# macOS
"/Applications/Burp Suite Professional.app/Contents/MacOS/BurpSuitePro" [options]

# Linux
~/BurpSuitePro/BurpSuitePro [options]

# JAR file
java -jar -Xmx4g burpsuite_pro.jar [options]

Common Arguments:

| Argument | Description |
|------|---------|
| --help | Display all available options |
| --project-file=<file> | Open or create a project file |
| --config-file=<file> | Load project-level configuration |
| --user-config-file=<file> | Load user-level configuration |
| --unpause-spider-and-scanner | Don’t pause on project open |
| --disable-extensions | Don’t load extensions |
| --use-defaults | Start with default settings |

12.2 Headless Mode Operation

Launch in Headless Mode:

# Basic headless launch
java -jar -Djava.awt.headless=true -Xmx4g burpsuite_pro.jar

# With configuration and project
java -jar -Djava.awt.headless=true -Xmx4g burpsuite_pro.jar \
  --project-file=/path/to/project.burp \
  --config-file=/path/to/config.json \
  --unpause-spider-and-scanner

12.3 Configuration Files

Export Configuration:

1. Configure Burp Suite as desired via GUI
2. Burp menu → Project options → Save project options
3. Save as .json file

Configuration File Structure:

{
  "project_options": {
    "connections": {
      "platform_authentication": {
        "do_platform_authentication": true
      }
    },
    "http": {
      "redirections": {
        "follow_redirections": true,
        "max_redirections": 10
      }
    }
  },
  "target": {
    "scope": {
      "include": [
        {
          "enabled": true,
          "host": "example.com",
          "protocol": "any"
        }
      ]
    }
  }
}

12.4 Headless Burp Extension

Using the Headless Burp extension for CI/CD:

# Install the Headless Burp extension from BApp Store or GitHub

# Run scan via command line
java -jar -Djava.awt.headless=true -Xmx4g burpsuite_pro.jar \
  --project-file=scan-project.burp \
  --config-file=scan-config.json

# Configuration specifies:
# - Target URLs
# - Scan type
# - Report format (JUnit XML)
# - Output location

12.5 REST API Automation

Enable REST API:

1. User options โ†’ Misc โ†’ REST API
2. Enable "Service running on..."
3. Set port (default: 1337)
4. Generate API key

Using REST API with Python:

import requests

API_URL = "http://127.0.0.1:1337"
API_KEY = "your_api_key_here"

# Burp's REST API takes the API key as the first path segment, not as a header:
# http://127.0.0.1:1337/<api_key>/v0.1/...  (omit the key segment if no key is configured)
BASE = f"{API_URL}/{API_KEY}/v0.1"

# Start a scan
scan_config = {
    "urls": ["https://example.com"],
    "scope": {
        "include": [{"rule": "https://example.com"}]
    }
}
response = requests.post(f"{BASE}/scan", json=scan_config)
response.raise_for_status()
# 201 Created; the new task id is the last segment of the Location header
task_id = response.headers["Location"].rstrip("/").rsplit("/", 1)[-1]

# Get scan status and the issues found so far
response = requests.get(f"{BASE}/scan/{task_id}")
print(response.json())
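To turn those calls into a pipeline gate, here is an added example (not code from this page or from PortSwigger) that starts a scan, polls the task until it finishes and returns a non-zero exit status when issues at or above a chosen severity are reported. It assumes the REST API's URL layout (API key as the first path segment), a `Location` header carrying the task id, and a status body with `scan_status` and `issue_events` entries; `SAMPLE_STATUS` is a constructed response used for offline runs.

```python
import json
import time
import urllib.request

# Assumed Burp Pro REST API layout (PortSwigger's documented scheme, not this page):
# http://127.0.0.1:1337/<api_key>/v0.1/... ; omit the key segment when no key is configured.
API_URL = "http://127.0.0.1:1337"
API_KEY = "your_api_key_here"  # placeholder, not a real key
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
SAMPLE_STATUS = {"scan_status": "succeeded", "issue_events": [  # constructed sample GET body
    {"type": "issue_found", "id": 1, "issue": {"name": "Constructed high", "severity": "High"}},
    {"type": "issue_found", "id": 2, "issue": {"name": "Constructed low", "severity": "low"}}]}

def task_id_from_location(location):
    # POST .../scan answers 201 Created with a Location ending in /scan/<task_id>.
    return location.rstrip("/").rsplit("/", 1)[-1]

def summarize_issues(status):
    # Count issue_found events per severity in a GET .../scan/<task_id> body.
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for event in status.get("issue_events", []):
        if event.get("type") == "issue_found":
            sev = event.get("issue", {}).get("severity", "info").lower()
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate(counts, threshold="high"):
    # True when any issue at or above `threshold` was reported, i.e. the pipeline should fail.
    floor = SEVERITY_RANK[threshold]
    return any(n > 0 for sev, n in counts.items() if SEVERITY_RANK.get(sev, 0) >= floor)

def call(method, url, payload=None):
    # Minimal JSON round-trip on the standard library; returns (headers, parsed body or None).
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers, json.loads(resp.read() or b"null")

def run_scan(urls, threshold="high", poll_seconds=30):
    # Start a scan of `urls`, poll until it ends, return 1 if the gate trips, else 0.
    base = f"{API_URL}/{API_KEY}/v0.1" if API_KEY else f"{API_URL}/v0.1"
    body = {"urls": urls, "scope": {"include": [{"rule": u} for u in urls]}}
    headers, _ = call("POST", f"{base}/scan", body)
    task = task_id_from_location(headers["Location"])
    while True:
        _, status = call("GET", f"{base}/scan/{task}")
        if status.get("scan_status") in ("succeeded", "failed", "paused"):
            break
        time.sleep(poll_seconds)
    return 1 if gate(summarize_issues(status), threshold) else 0
```

In a pipeline step, `sys.exit(run_scan(["https://staging.example.com"], threshold="medium"))` makes the job fail on any medium or high finding.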

13. CI/CD & DevSecOps Integration

13.1 Enterprise Edition CI/CD Features

Burp Suite Enterprise Edition provides native CI/CD integration capabilities:

Supported CI/CD Platforms:

  • Jenkins
  • Azure DevOps
  • GitLab CI
  • GitHub Actions
  • Bamboo
  • CircleCI
  • Any platform supporting Docker

13.2 CI-Driven Scans

Using Docker Container:

# GitLab CI Example
stages:
  - security_scan

burp_scan:
  stage: security_scan
  image: portswigger/burp-suite-enterprise-scanner:latest
  script:
    - >
      /scan --url https://staging.example.com
      --api-key $BURP_API_KEY
      --api-url https://burp-enterprise.example.com
      --output-junit results.xml
  artifacts:
    when: always
    reports:
      junit: results.xml

13.3 GitHub Actions Integration

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  burp-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Burp Suite Scan
        uses: portswigger/burp-enterprise-scan-action@v1
        with:
          api-key: ${{ secrets.BURP_API_KEY }}
          api-url: ${{ secrets.BURP_API_URL }}
          target-url: https://staging.example.com
          output-file: scan-results.xml

      - name: Upload scan results
        uses: actions/upload-artifact@v3
        with:
          name: burp-scan-results
          path: scan-results.xml

13.4 Jenkins Integration

pipeline {
    agent any
    
    stages {
        stage('Security Scan') {
            steps {
                script {
                    docker.image('portswigger/burp-suite-enterprise-scanner').inside {
                        sh '''
                            /scan \
                                --url ${TARGET_URL} \
                                --api-key ${BURP_API_KEY} \
                                --api-url ${BURP_API_URL} \
                                --output-junit results.xml
                        '''
                    }
                }
            }
            post {
                always {
                    junit 'results.xml'
                }
            }
        }
    }
}

13.5 Site-Driven vs CI-Driven Scans

| Feature | Site-Driven | CI-Driven |
|---|---|---|
| Configuration | Web UI | Command line/config file |
| Trend Analysis | ✓ | Limited |
| Authentication | Full support | API authentication |
| Custom Extensions | GUI configuration | CLI flags (2024.10+) |
| Best For | Scheduled scans | Pipeline integration |

13.6 Issue Tracking Integration

Jira Integration:

1. Burp Enterprise → Settings → Integrations
2. Add Jira connection
3. Configure:
   - Jira URL
   - API credentials
   - Project key
   - Issue type
4. Set auto-ticket rules:
   - Severity threshold
   - Confidence level
   - Issue states

14. Integration with Other Security Tools

14.1 Nmap Integration

Using Nmap Scanner Extension:

1. Install "Nmap Scanner" from BApp Store
2. Right-click on target in Site Map
3. Select "Scan with Nmap"
4. View results in extension tab

Manual Integration:

# Run Nmap with Burp as proxy (the option is --proxies; Nmap marks it experimental and
# relays only NSE script and version-detection traffic, not the port scan itself)
nmap --script 'http-*' --proxies http://127.0.0.1:8080 target.com

# Or configure Nmap to save results, import to Burp
nmap -oX scan-results.xml target.com
# Then use extension to import XML

14.2 OWASP ZAP Integration

Proxy Chain Configuration:

1. Configure ZAP to use Burp as upstream proxy:
   ZAP: Tools → Options → Connection → Outgoing Proxy
   - Address: 127.0.0.1
   - Port: 8080

2. Or configure Burp to use ZAP:
   Burp: User options → Connections → Upstream Proxy Servers
   - Add: *
   - Destination host: *
   - Proxy host: 127.0.0.1
   - Proxy port: 8081 (ZAP's port)

14.3 Metasploit Integration

Route Metasploit through Burp:

# In Metasploit Framework
msf6 > setg Proxies http:127.0.0.1:8080
msf6 > setg ReverseAllowProxy true

# For specific module
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS target.com
msf6 auxiliary(scanner/http/http_version) > set RPORT 80
msf6 auxiliary(scanner/http/http_version) > set Proxies http:127.0.0.1:8080
msf6 auxiliary(scanner/http/http_version) > run

14.4 SQLMap Integration

Use SQLMap with Burp:

# Save request from Burp
# Right-click request → "Copy to file"

# Run SQLMap with request file
sqlmap -r request.txt --proxy=http://127.0.0.1:8080

# Or with higher test levels (more thorough, but far noisier)
sqlmap -r burp-request.txt --batch --level=5 --risk=3

14.5 Nuclei Integration

Using Nuclei with Burp discovered targets:

# Export targets from Burp Site Map
# Target → Site Map → Right-click → "Save selected items" (writes an XML file)

# Extract URLs (each URL sits in a CDATA section, so stop at whitespace, ']' or '<')
grep -oP 'https?://[^\s\]<"]+' saved-requests.txt | sort -u > targets.txt

# Run Nuclei
nuclei -l targets.txt -t nuclei-templates/ -proxy http://127.0.0.1:8080
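A grep over the export picks up every URL in the file, including out-of-scope hosts, static assets and one line per query-string variant. The following added example (not code from this page or from PortSwigger) parses the export instead and writes a de-duplicated, in-scope target list for Nuclei; it assumes the layout of Burp's saved-items XML (one `<item>` per request with `<url>`, `<protocol>`, `<host>`, `<port>` and `<path>` children), and `SAMPLE_XML` is a constructed export used when no file is given.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Assumed layout of Burp's "Save selected items" export: one <item> per request with
# <url>, <protocol>, <host>, <port> and <path> children (not taken from this page).
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js", ".woff", ".woff2", ".svg", ".ico")

def item_url(item):
    # Prefer the <url> element; rebuild the URL from its parts if an export lacks it.
    url = item.findtext("url")
    if url:
        return url.strip()
    proto, host, port = item.findtext("protocol"), item.findtext("host"), item.findtext("port")
    default = {"http": "80", "https": "443"}.get(proto)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return f"{proto}://{netloc}{item.findtext('path') or '/'}"

def normalize(url):
    # Drop query string and fragment so one endpoint yields one target line.
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", "", ""))

def extract_targets(xml_text, scope_hosts=None, drop_static=True):
    # Return sorted unique target URLs; scope_hosts limits output to those hosts and subdomains.
    targets = set()
    for item in ET.fromstring(xml_text).iter("item"):
        url = normalize(item_url(item))
        host = urlsplit(url).hostname or ""
        if scope_hosts and not any(host == h or host.endswith("." + h) for h in scope_hosts):
            continue
        if drop_static and urlsplit(url).path.lower().endswith(STATIC_EXT):
            continue
        targets.add(url)
    return sorted(targets)

SAMPLE_XML = """<items burpVersion="2025.12" exportTime="constructed sample">
<item><url><![CDATA[https://staging.example.com/login?next=/home]]></url></item>
<item><url><![CDATA[https://staging.example.com/static/app.js]]></url></item>
<item><protocol>http</protocol><host ip="">api.example.com</host><port>8080</port>
<path><![CDATA[/v1/users]]></path></item>
<item><url><![CDATA[https://cdn.thirdparty.invalid/lib.js]]></url></item>
<item><url><![CDATA[https://staging.example.com/login?next=/admin]]></url></item>
</items>"""

if __name__ == "__main__":
    # Usage: python burp_targets.py saved-requests.txt > targets.txt  (no file: runs on SAMPLE_XML)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(extract_targets(text, scope_hosts=["example.com"])))
```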

14.6 Ffuf Integration

Fuzzing through Burp:

# Route ffuf traffic through Burp
ffuf -u https://target.com/FUZZ \
     -w /path/to/wordlist.txt \
     -x http://127.0.0.1:8080

# This allows:
# - Logging in Burp Proxy history
# - Manual inspection of interesting responses
# - Follow-up testing with Repeater/Intruder

14.7 Postman Integration

For API Testing:

1. Postman: Settings โ†’ Proxy
2. Enable "Use the system proxy"
3. Or manually set:
   - Proxy Server: 127.0.0.1
   - Port: 8080
4. API requests now visible in Burp

15. Web Security Academy

15.1 Overview

PortSwigger Web Security Academy is a free online training platform for learning web security testing.

Website: https://portswigger.net/web-security

15.2 Learning Paths

| Path | Description | Skill Level |
|---|---|---|
| Apprentice | Fundamentals of web security | Beginner |
| Practitioner | Intermediate vulnerability exploitation | Intermediate |
| Expert | Advanced techniques and edge cases | Advanced |

15.3 Topic Coverage

All Topics with Interactive Labs:

  1. SQL Injection - 18+ labs
  2. Cross-Site Scripting (XSS) - 30+ labs
  3. Cross-Site Request Forgery (CSRF) - 12+ labs
  4. Clickjacking - 5+ labs
  5. DOM-based Vulnerabilities - 7+ labs
  6. Cross-Origin Resource Sharing (CORS) - 4+ labs
  7. XXE (XML External Entity) - 9+ labs
  8. Server-Side Request Forgery (SSRF) - 7+ labs
  9. HTTP Request Smuggling - 22+ labs
  10. OS Command Injection - 5+ labs
  11. Server-Side Template Injection - 7+ labs
  12. Path Traversal - 6+ labs
  13. Access Control - 13+ labs
  14. Authentication - 14+ labs
  15. WebSockets - 3+ labs
  16. Web Cache Poisoning - 13+ labs
  17. Insecure Deserialization - 10+ labs
  18. Information Disclosure - 5+ labs
  19. Business Logic Vulnerabilities - 11+ labs
  20. HTTP Host Header Attacks - 7+ labs
  21. OAuth Authentication - 6+ labs
  22. JWT Attacks - 8+ labs
  23. Prototype Pollution - 10+ labs
  24. GraphQL API Vulnerabilities - 5+ labs
  25. Web LLM Attacks - Latest additions
  26. Race Conditions - Latest additions

15.4 Certification

Burp Suite Certified Practitioner (BSCP):

  • Format: 4-hour practical exam
  • Content: Exploit web vulnerabilities in a real application
  • Prerequisites: Completion of Practitioner-level labs
  • Validity: Industry-recognized certification

Exam Preparation:

1. Complete all Academy labs
2. Practice with mystery labs
3. Focus on time management
4. Master Burp Suite Professional tools

15.5 Getting Started

1. Create free account at portswigger.net
2. Navigate to Web Security Academy
3. Start with "All learning paths" → Apprentice
4. Each topic includes:
   - Theory explanation
   - Video tutorials
   - Interactive labs
   - Solution walkthroughs

16. Best Practices & Tips

16.1 Performance Optimization

Memory Management:

# Allocate appropriate memory based on task
# Light usage: 2-4 GB
java -jar -Xmx4g burpsuite_pro.jar

# Heavy scanning: 8-16 GB
java -jar -Xmx16g burpsuite_pro.jar

# Clear Proxy history regularly
# Target → Site Map → Right-click → "Delete selected items"

Reduce Noise:

1. Configure scope to include only target
2. Use "Intercept Client Requests" rules
3. Exclude static resources (.jpg, .css, .js)
4. Filter out common noise domains

16.2 Efficient Workflow

Keyboard Shortcuts:

| Shortcut | Action |
|---|---|
| Ctrl+I | Send to Intruder |
| Ctrl+R | Send to Repeater |
| Ctrl+Shift+R | New Repeater tab |
| Ctrl+Space | Send request (Repeater) |
| Ctrl+F | Search |
| Ctrl+S | Save project |
| Ctrl+Z | Undo |

Session Handling:

1. Project options → Sessions → Session Handling Rules
2. Add rule for:
   - Cookie jar updates
   - Macro for re-authentication
   - Token extraction and insertion

16.3 Reporting

Generate Reports (Pro only):

1. Target โ†’ Site Map โ†’ Right-click target
2. "Issues" → "Report issues for this host"
3. Configure:
   - Report format (HTML, XML)
   - Issue types to include
   - Severity levels
   - Detail level
4. Save report

16.4 Project Organization

Naming Conventions:

project_[client]_[date]_[target].burp
Example: project_acme_2025-01-13_webapp.burp

Notes and Annotations:

# Use Comments in Proxy History
1. Right-click request
2. "Add comment"
3. Use consistent tags: [VULN], [TODO], [REVIEW]

16.5 Security Considerations

[!CAUTION] Legal Compliance:

  • Only test systems you have explicit authorization for
  • Document scope and permissions
  • Remove Burp CA certificate after testing
  • Clear project files containing sensitive data

Pre-Engagement Checklist:

  • Written authorization obtained
  • Scope clearly defined
  • Emergency contacts available
  • Testing window established
  • Notification procedures agreed

17. Troubleshooting

17.1 Common Issues

Issue: Burp Suite won't start

# Check Java version
java -version

# Minimum required: Java 11+
# If using system Java, ensure compatibility

# Try launching from command line to see errors:
java -jar burpsuite_pro.jar

# If memory error, allocate less memory:
java -jar -Xmx2g burpsuite_pro.jar

Issue: Browser not connecting to Burp

1. Verify Burp proxy listener is running
   Proxy → Options → Check "Running" checkbox

2. Verify browser proxy settings match Burp listener
   Default: 127.0.0.1:8080

3. Check for other applications using port 8080
   # Windows
   netstat -ano | findstr :8080
   
   # Linux/macOS
   lsof -i :8080

4. Try different port (e.g., 8081)

Issue: HTTPS certificate errors

1. Ensure CA certificate is installed correctly
2. Check browser certificate trust settings
3. Re-export and re-install certificate
4. Clear browser certificate cache
5. Restart browser

Issue: Traffic not appearing in Proxy

1. Verify "Intercept is off" (unless you want forced interception)
2. Check Target Scope settings
3. Ensure proxy bypass isn't configured
4. Verify browser isn't using another proxy
5. Check any VPN or firewall settings

17.2 Performance Issues

Slow response times:

1. Reduce concurrent connections
   User options → Connections → Limit concurrent requests

2. Disable unnecessary extensions
   Extensions → Installed → Uncheck "Loaded"

3. Clear Proxy history
   Proxy → HTTP history → Clear all

4. Increase memory allocation
   -Xmx8g or higher

High memory usage:

1. Close unused Repeater tabs
2. Clear Target Site Map
3. Limit scan scope
4. Disable Logger if not needed
5. Use temporary project instead of disk-based

17.3 Extension Issues

Extension not loading:

1. Check extension type (Java vs Python)
2. For Python extensions, install Jython
3. Check error messages in Extensions → Errors
4. Verify compatible Burp Suite version

Installing Jython for Python extensions:

# Download Jython standalone JAR
wget https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.3/jython-standalone-2.7.3.jar

# Configure in Burp:
# Extensions → Options → Python Environment
# Location of Jython standalone JAR file: /path/to/jython-standalone-2.7.3.jar

18. Pricing & Licensing

18.1 Community Edition

  • Price: Free
  • License: Perpetual
  • Best for: Learning and basic testing

18.2 Professional Edition

  • Price: $475 per user per year
  • License Type: Annual subscription
  • Includes: Updates for subscription period
  • Best for: Individual security professionals

18.3 Enterprise Edition

| Package | Price (Annual) | Details |
|---|---|---|
| Starter | ~$6,040/year | Limited scan volume |
| Standard | ~$17,500/year | Medium organizations |
| Advanced | ~$34,900/year | Large organizations |
| Unlimited | ~$49,999/year | Unlimited concurrent scans |
| Pay-as-you-scan | $1,999 + $9/hour | Usage-based pricing |

Enterprise includes:

  • Unlimited users
  • CI/CD integration
  • Cloud or self-hosted options
  • Priority support
  • Custom configurations

18.4 Purchase Options

Official Channels:


Conclusion

Burp Suite by PortSwigger remains the industry-standard toolkit for web application security testing. Whether you're a beginner starting with the free Community Edition or an enterprise utilizing Enterprise Edition for automated DevSecOps scanning, Burp Suite provides the comprehensive tools needed to discover and exploit web vulnerabilities effectively.

Key Takeaways:

  1. Start with Community Edition for learning, upgrade to Professional for serious work
  2. Master the core tools: Proxy, Repeater, Intruder, Scanner
  3. Leverage the BApp Store for extended functionality
  4. Integrate with other security tools for comprehensive assessments
  5. Use Web Security Academy for continuous learning
  6. Follow best practices for legal, ethical, and effective testing

Additional Resources


Last Updated: January 13, 2026
Burp Suite Version Covered: 2025.12.2
