Overview
This room is the foundation for using Burp Suite during web application testing. The focus is understanding the main tools, setting up the proxy correctly, navigating the interface, scoping targets, and using Burp to intercept, inspect, and modify traffic safely.
Core idea: Burp sits between your browser and the target application so you can capture, inspect, modify, repeat, and organize HTTP/HTTPS traffic during testing.
1) What Burp Suite Is
Burp Suite is a Java-based web application security testing framework and is effectively the standard tool for manual web testing, bug bounty workflows, and API assessment.
- Community Edition: free, enough for learning and manual testing.
- Professional Edition: adds scanner, unrestricted Intruder, reporting, Collaborator, and stronger extension support.
- Enterprise Edition: aimed at continuous automated scanning rather than hands-on manual testing.
Most important capability: intercepting requests before they hit the server, then sending them to tools like Repeater or Intruder for controlled testing.
2) Most Important Burp Tools
- Proxy: intercept, inspect, edit, and forward requests and responses.
- Repeater: resend the same request repeatedly while changing payloads.
- Intruder: automate request spraying, fuzzing, and brute force attempts.
- Decoder: encode/decode values such as URL, Base64, and hex.
- Comparer: compare two responses or datasets at byte/word level.
- Sequencer: assess randomness of tokens such as session identifiers.
PT1 exam mindset: you will use Proxy + Repeater constantly. Intruder, Decoder, and the Target site map are the next most useful for room work.
3) Installation and First Launch
Burp is already available on Kali and on the TryHackMe AttackBox. On Linux, macOS, and Windows, you can download Community Edition from PortSwigger.
- Choose Temporary Project in Community Edition.
- Keep the default configuration unless you have a specific reason to change it.
- Launch into the main interface and start with the Dashboard and Proxy tabs.
4) Dashboard and Navigation
Burp can look noisy at first, but the workflow becomes predictable once you know where everything lives.
- Dashboard: background tasks, event log, and Pro-only issue panels.
- Top tabs: Dashboard, Target, Proxy, Intruder, Repeater, and more.
- Sub-tabs: module-specific controls under the main tab row.
- Settings: split between User settings and Project settings.
Useful shortcuts: Ctrl + Shift + P for Proxy, Ctrl + Shift + R for Repeater, Ctrl + Shift + T for Target, Ctrl + Shift + D for Dashboard.
5) Proxy Fundamentals
The Proxy is the heart of Burp. When intercept is on, requests are paused before they reach the server so you can inspect or modify them.
- Intercept on: browser requests pause until you forward or drop them.
- Intercept off: Burp still logs traffic in HTTP history by default.
- Right-click actions: send to Repeater, Intruder, Decoder, Comparer, or add to scope.
- WebSocket support: Burp can also capture and review WebSocket traffic.
Important: if your browser seems frozen, the usual cause is that intercept is still on and a request is waiting in Proxy.
6) Connecting Firefox via FoxyProxy
A standard setup is Firefox + FoxyProxy sending traffic to Burp on 127.0.0.1:8080.
Proxy IP: 127.0.0.1
Port: 8080
Title: Burp
- Install FoxyProxy Basic in Firefox.
- Create a proxy entry pointing to 127.0.0.1:8080.
- Enable that profile in FoxyProxy.
- Turn Intercept on in Burp Proxy.
- Browse to the target and inspect the captured request.
Reminder: when FoxyProxy is enabled and Burp is not running, browser requests will fail because traffic still tries to go through the local proxy.
7) Target Tab, Site Map, and Scope
The Target tab is essential for organizing what you have discovered while browsing a web application.
- Site map: every visited page and endpoint appears in a tree structure.
- Issue definitions: useful Burp reference material for common web vulnerabilities.
- Scope: restrict Burp to the hosts and applications you actually want to test.
Best practice: right-click the host in Target and choose Add to scope, then configure Proxy to intercept only in-scope traffic. This keeps noise low and prevents wasting time on irrelevant requests.
8) Burp Browser and HTTPS Proxying
Burp includes a built-in Chromium browser that is already configured to use the proxy, which is often the easiest option for labs.
- If running as root on Linux, Burp Browser may fail unless you allow it to run without sandboxing.
- For normal Firefox/Chrome use, HTTPS interception requires trusting Burp’s CA certificate.
HTTPS certificate workflow
- With Burp running, browse to http://burp/cert.
- Download cacert.der.
- Import it into Firefox certificate settings.
- Trust it to identify websites.
Without this certificate: HTTPS interception will fail with browser trust errors because Burp is presenting its own proxy certificate for TLS sessions.
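The same two setup checks from sections 6 and 8, written as a script instead of a browser profile. This is an added example and not code from the room, TryHackMe, or PortSwigger: it assumes Burp's default listener on 127.0.0.1:8080 and a cacert.der downloaded from http://burp/cert; the target URL in the main block is a hypothetical lab host. It confirms that something is listening before any traffic is pointed at the proxy (the "browser seems frozen / requests fail" symptom), converts the DER certificate to PEM with the standard library, and builds a urllib opener that trusts Burp's CA so HTTPS requests show up in Proxy > HTTP history instead of failing the TLS handshake.

```python
import socket
import ssl
import urllib.request
from pathlib import Path

# Assumed defaults, matching the FoxyProxy entry in section 6.
BURP_HOST = "127.0.0.1"
BURP_PORT = 8080


def proxy_listening(host=BURP_HOST, port=BURP_PORT, timeout=1.0):
    """Return True if a TCP listener accepts connections on host:port.

    Run this before enabling the FoxyProxy profile: when Burp is not
    running, every proxied request fails with a connection error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def load_burp_ca(cert_path):
    """Return the Burp CA as PEM text.

    Accepts either the cacert.der download or a file already converted to
    PEM, so the same function works whichever format was saved.
    """
    data = Path(cert_path).read_bytes()
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return data.decode()
    return ssl.DER_cert_to_PEM_cert(data)


def build_opener(cert_path=None, host=BURP_HOST, port=BURP_PORT):
    """Build a urllib opener that routes HTTP and HTTPS through Burp.

    Without cert_path, any https:// target fails verification exactly as
    the browser does, because Burp presents its own per-host certificate.
    """
    proxy = f"http://{host}:{port}"
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})]
    if cert_path is not None:
        ctx = ssl.create_default_context(cadata=load_burp_ca(cert_path))
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def fetch_via_burp(url, cert_path=None):
    """Fetch url through Burp and return (status, body)."""
    if not proxy_listening():
        raise RuntimeError(f"Burp is not listening on {BURP_HOST}:{BURP_PORT}")
    with build_opener(cert_path).open(url, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Hypothetical lab target; cacert.der is the file downloaded from http://burp/cert.
    status, body = fetch_via_burp("https://example.lab/", cert_path="cacert.der")
    print(status, len(body))
```

The opener deliberately trusts only the Burp CA (cadata replaces the system store), which is the scripted equivalent of importing cacert.der into Firefox; keep that trust limited to the testing client rather than the operating system's store.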
9) Practical Burp Workflow
A simple Burp workflow is: browse normally, capture a request, send it to Repeater, change one parameter at a time, and compare the response.
- Browse the target with Proxy logging enabled.
- Find an interesting request in HTTP history or intercept it live.
- Right-click and send it to Repeater.
- Modify fields, headers, IDs, cookies, or payloads.
- Look for behavior differences, errors, hidden content, or missing access controls.
Good starter tests: tamper with IDs, hidden parameters, headers, cookies, and client-side validated form fields. Burp is how you get past browser-side restrictions.
10) Example Attack: Bypassing Client-Side Validation
The room demonstrates a simple reflected XSS test where a support form blocks special characters in the browser, but the server still accepts a modified request if you intercept and edit it in Burp.
<script>alert("Succ3ssful XSS")</script>
Workflow:
- Submit a normal request through the form.
- Intercept it in Burp Proxy.
- Replace the email field with the payload.
- URL-encode the payload before forwarding.
- Send the modified request and observe the reflected XSS execution.
Key lesson: client-side validation is not security. If the server does not validate and encode input correctly, Burp lets you bypass the browser and test the backend directly.
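The server side of this lesson, as an added example that is not code from the room: a minimal handler for the support form that validates the email field on the server and HTML-encodes whatever it reflects, so the request edited in Burp no longer produces script execution. The form field names, the email pattern, and the URL-encoded sample body (the room's payload as a browser would submit it) are constructed for this example; render_unsafe shows the reflection behaviour the room exploits, beside the encoded version.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed address format for a support form; tighten to fit the application.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample: the room's payload in the email field, URL-encoded as a
# form body (this is what arrives after the Burp edit, not what the page shows).
SAMPLE_BODY = (
    "name=Tester&email=%3Cscript%3Ealert%28%22Succ3ssful+XSS%22%29%3C%2Fscript%3E"
)


def decode_form_body(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    fields = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    return {name: values[0] for name, values in fields.items()}


def validate_email(value):
    """Server-side check that runs regardless of any browser-side filter."""
    return bool(EMAIL_RE.match(value))


def render_unsafe(email):
    """The vulnerable pattern: raw reflection of user input into HTML."""
    return f"<p>We will reply to {email}</p>"


def render_confirmation(email):
    """Reflection with HTML-body encoding; quotes are escaped as well so the
    same helper is safe inside attribute values."""
    return f"<p>We will reply to {html.escape(email, quote=True)}</p>"


def render_error(message):
    return f"<p class=\"error\">{html.escape(message)}</p>"


def handle_support_form(body):
    """Return (status, html) for a submission.

    Invalid or missing input is rejected before it reaches any template, and
    the value that is reflected on success is encoded for its HTML context.
    """
    email = decode_form_body(body).get("email", "")
    if not validate_email(email):
        return 400, render_error("Please enter a valid email address.")
    return 200, render_confirmation(email)


if __name__ == "__main__":
    print(handle_support_form(SAMPLE_BODY))
    print(handle_support_form("name=Tester&email=user%40example.test"))
```

Both layers matter: validation keeps the payload out of the data entirely, and encoding makes the reflection harmless even for values the pattern accepts; dropping either is what leaves the Burp-edited request exploitable.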
Exam Notes (PT1)
- Use Proxy to intercept and inspect requests, then Repeater for manual payload testing.
- Set scope early so Burp only logs and intercepts the target application.
- Use the site map to discover hidden endpoints and track application structure.
- Remember that browser-side restrictions are often bypassed by editing requests in Burp.
- For HTTPS labs, import Burp’s CA certificate or use Burp Browser.