Skip to content

Burpsuite basics, in 5 minutes

What is burpsuite

BurpSuite must be the most popular tool used for the security assessment of web applications. 90% of security professionals use this tool during Pen-Testing. For the novice CTF challenger it’s essential that burpsuite basics are learned early.

There are three versions of the tool available;

  • Community Edition,
  • Professional,
  • Enterprise Edition.

The Community Edition is free and has most features enabled. To get the full use of the full potential of the tool, you need a paid version but unless you are a very serious security professional working for a large company the community edition is fine.

Setup for learning

I will use my BlackArch Linux server that is set up in a previous Post. You can use any Linux flavor but you will also need to install Burpsuite.

Main Components of burpsuite

Burpsuite has a number of components,

  • Proxy,
  • Intruder,
  • Repeater,
  • Sequencer,
  • Decoder,
  • Comparer,
  • Logger
  • Extender.

However for the novice Ethical Hacker or CTF beginner most of these can be ignored for now. In this blog post I cover the 3 important ones for beginning with Burpsuite Basics. That is Proxy, Repeater and Decoder

Burpsuite Proxy

Burp Proxy lies at the heart of Burp’s experience and lets you intercept, view, and modify all requests and responses passing between your browser and destination web servers. This is the component that will used most often.

Burpsuite basics
Proxy Interface

Burpsuite Repeater

After the Proxy, Burp Repeater would the second most used part. It allows the repeating of individual HTTP requests, and analyzing the application’s responses. You can send a request to Repeater from anywhere from burpsuite (CTRL + r), modify the request and issue it over and over.

Burpsuite repeater
Repeater interface

Burpsuite decoder

Burp Decoder is a simple tool for transforming encoded data into clear text and vice versa. Data can be sent to the Decoder with the “CTRL + d” shortcut.

Burpsuite decoder
Decoder Interface

Burpsuite Basics by Example

Best way to learn is by example. Below I have opened a basic web page that displays, something is happening in a few days. But there could be a back door here for someone that’s in the know or that’s looking with “Burpsuite”.

web site
Proof of Concept Website

So I engaged the Interpreter in burpsuite Proxy so I could take a look at the code . There is an interesting cookie that looks like its encoded in “base64“.

Burpsuite proxy

Selecting the cookie text and hitting CTRL + d, will send the code to Burpsuite Decoder.

Burpsuite decoder

The part after the “=” sign is false. What happens if i set this to true in the cookie.

First i need to find out what is “true” encoded into base64. This is easy with the Decoder. Just type in the word “true” in the top box and from the panel in the right click the “Encode As” drop down list and select “Base64”. This will add a second text box below the top one and convert the text to Base64.

Burpsuite decoder

I can select the output from the decoder and CTRL + c to copy the base64 code. Then I can go back to Proxy and replace the part after the “=” sign with my new code. Then all that’s left is to hit the Forward button in the Burpsuite Proxy Panel.

Back to the Proxy

Burpsuite proxy

Final Result

After all that we have a new upload button which allows us all sorts of fun to continue with. Sadly not in this post.

web site
Final Page after Cookie Modification

In Video,

See my demo also on youtube!

Alternatives to burpsuite

Burpsuite is not the only show in town for what it does. There is also proxy which is full opensource and no limitations. I will replicate this blog post using zaproxy at some stage and link it here.


Burpsuite is a very powerful tool and well worth the time investing into learning the basics. Its also fun to mess with some web pages and see what you can do. Bug bounty, Pen-Testing andy CTF challenges are all great place to use and learn Burpsuite.

If you enjoyed my article please leave a comment below.

Published inCTFGetting Started With CTF ChallengesIT & SecurityPen-Testing