# Burp Suite Web Application Testing

## Purpose
Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.
## Inputs / Prerequisites

### Required Tools
- Burp Suite Community or Professional Edition installed
- Burp's embedded browser or configured external browser
- Target web application URL
- Valid credentials for authenticated testing (if applicable)
### Environment Setup
- Burp Suite launched with temporary or named project
- Proxy listener active on 127.0.0.1:8080 (default)
- Browser configured to use Burp proxy (or use Burp's browser)
- CA certificate installed for HTTPS interception
### Editions Comparison

| Feature    | Community | Professional |
|------------|-----------|--------------|
| Proxy      | ✓         | ✓            |
| Repeater   | ✓         | ✓            |
| Intruder   | Limited   | Full         |
| Scanner    | ✗         | ✓            |
| Extensions | ✓         | ✓            |
## Outputs / Deliverables

### Primary Outputs
- Intercepted and modified HTTP requests/responses
- Vulnerability scan reports with remediation advice
- HTTP history and site map documentation
- Proof-of-concept exploits for identified vulnerabilities
## Core Workflow

### Phase 1: Intercepting HTTP Traffic

#### Launch Burp's Browser

Use the integrated browser for seamless proxy integration:
- Open Burp Suite and create/open project
- Go to **Proxy > Intercept** tab
- Click **Open Browser** to launch preconfigured browser
- Position windows to view both Burp and browser simultaneously
#### Configure Interception

Control which requests are captured with the **Proxy > Intercept > Intercept is on/off** toggle:

- When ON: requests pause for review/modification
- When OFF: requests pass through and are logged to HTTP history

#### Intercept and Forward Requests

Process intercepted traffic:
- Set intercept toggle to **Intercept on**
- Navigate to target URL in browser
- Observe request held in Proxy > Intercept tab
- Review request contents (headers, parameters, body)
- Click **Forward** to send request to server
- Continue forwarding subsequent requests until page loads
#### View HTTP History

Access the complete traffic log:
- Go to **Proxy > HTTP history** tab
- Click any entry to view full request/response
- Sort by clicking column headers (# for chronological order)
- Use filters to focus on relevant traffic
### Phase 2: Modifying Requests

#### Intercept and Modify

Change request parameters before forwarding:
- Enable interception: **Intercept on**
- Trigger target request in browser
- Locate parameter to modify in intercepted request
- Edit value directly in request editor
- Click **Forward** to send modified request
#### Common Modification Targets

| Target           | Example        | Purpose                   |
|------------------|----------------|---------------------------|
| Price parameters | `price=1`      | Test business logic       |
| User IDs         | `userId=admin` | Test access control       |
| Quantity values  | `qty=-1`       | Test input validation     |
| Hidden fields    | `isAdmin=true` | Test privilege escalation |
#### Example: Price Manipulation

Original request:

```http
POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

productId=1&quantity=1&price=100
```

Modified body:

```http
productId=1&quantity=1&price=1
```

Result: item added to cart at the modified price.
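The server-side counterpart of the price and hidden-field modifications above, as an added example that is not part of the original skill document: a constructed cart handler that trusts the client-supplied `price` (the flaw the price manipulation exploits) beside a hardened version that recomputes the price from a server-side catalog, bounds the quantity (so `qty=-1` is rejected) and ignores fields such as `isAdmin`, plus an audit helper that flags requests carrying server-only fields so they can be logged. The `CATALOG` contents, the `MAX_QUANTITY` limit and the `SERVER_ONLY_FIELDS` set are assumptions made for the example.

```python
"""Cart endpoint, vulnerable vs hardened (constructed example, not Burp code)."""
from urllib.parse import parse_qs

# Constructed catalog: the server-side source of truth for prices (assumption).
CATALOG = {
    "1": {"name": "Widget", "price": 100},
    "2": {"name": "Gadget", "price": 250},
}
MAX_QUANTITY = 10  # assumed per-line-item limit
# Fields a client must never be allowed to set; their presence is worth logging.
SERVER_ONLY_FIELDS = {"price", "isAdmin", "userId"}


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_add_to_cart(body: str) -> tuple:
    """Trusts every client field, including price: the flaw the page's example abuses."""
    form = parse_form_body(body)
    quantity = int(form["quantity"])
    price = int(form["price"])  # attacker-controlled via the intercepted request
    cart = {"productId": form["productId"], "quantity": quantity, "total": quantity * price}
    return 200, cart


def hardened_add_to_cart(body: str) -> tuple:
    """Derives price from CATALOG, validates quantity, ignores hidden/privilege fields."""
    form = parse_form_body(body)
    product_id = form.get("productId", "")
    if product_id not in CATALOG:
        return 400, {"error": "unknown product"}
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        return 400, {"error": "quantity must be an integer"}
    if not 1 <= quantity <= MAX_QUANTITY:
        return 400, {"error": "quantity out of range"}
    price = CATALOG[product_id]["price"]  # never read from the request
    cart = {"productId": product_id, "quantity": quantity, "total": quantity * price}
    return 200, cart


def audit_client_fields(body: str) -> list:
    """Return log-worthy findings: server-only fields present, or a price that
    disagrees with the catalog. An empty list means nothing suspicious."""
    form = parse_form_body(body)
    findings = []
    for field in sorted(set(form) & SERVER_ONLY_FIELDS):
        findings.append(f"client supplied server-only field {field}={form[field]}")
    product_id = form.get("productId")
    if product_id in CATALOG and "price" in form:
        expected = str(CATALOG[product_id]["price"])
        if form["price"] != expected:
            findings.append(
                f"price mismatch for product {product_id}: got {form['price']}, catalog {expected}"
            )
    return findings


if __name__ == "__main__":
    # Constructed bodies: the page's original request, its modified form, and a negative quantity.
    for body in (
        "productId=1&quantity=1&price=100",
        "productId=1&quantity=1&price=1",
        "productId=1&quantity=-1&price=100",
    ):
        print(body)
        print("  vulnerable:", vulnerable_add_to_cart(body))
        print("  hardened:  ", hardened_add_to_cart(body))
        print("  audit:     ", audit_client_fields(body))
```

The audit helper is the detection side: even after the hardened handler stops honouring `price`, a request that still carries it with a value different from the catalog is a strong signal that someone is editing requests in a proxy, and is worth an alert rather than a silent 200.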
### Phase 3: Setting Target Scope

#### Define Scope Focus