What is Burp Suite?
Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that affect web applications. Because of its popularity and its breadth and depth of features, we have created this page as a collection of Burp Suite knowledge and information.
In its simplest form, Burp Suite can be classified as an interception proxy. While browsing the target application, a penetration tester configures their browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) man in the middle, capturing each request to and response from the target web application so that it can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to analyze potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviors, crashes and error messages.
1. Set up your machine with the Java Runtime Environment required to run Burp Suite and WebGoat
- Learn how to set up the JRE required for running Burp Suite and WebGoat.
Install JRE version >= 1.6
- Install JRE on Windows / MacOS
- Install JRE on Linux (Ubuntu)
$ sudo apt install default-jre
2. Installing and running WebGoat
- Download WebGoat from the link given below
- Running WebGoat
$ java -jar webgoat-server-8.0.0.M26.jar
- Running WebWolf
$ java -jar webwolf-8.0.0.M26.jar
- See if the WebGoat is working by visiting
3. Installing and running Burp Suite
- Download Burp Suite free edition
- Open the downloaded file
4. Configuring Burp Proxy and Browser
Prerequisite: WebGoat and Burp Suite are already running.
1. Learn how to set up the proxy.
2. Learn how to use extensions to ease the process of setting up Proxy.
3. Learn how to configure Burp Suite to work with HTTPS sites.
Steps 1. Setting up Proxy
1. Set up the Burp Proxy listener to listen at 127.0.0.1:8081. You can find `Proxy Listeners` in the Proxy → Options tab.
2. Forward the browser's traffic to 127.0.0.1:8081 by changing the proxy settings of the browser. For Firefox, Preferences → Advanced → Network tab → Connection settings.
3. Visit `http://localhost:8080/WebGoat/` and see if any traffic is getting forwarded to Burp Proxy. Keep Intercept off and check in HTTP history tab of Burp Proxy.
Steps 2. Setting up FoxyProxy
1. Install `FoxyProxy Basic` extension for Firefox.
2. Go to Options of FoxyProxy Basic.
3. Click `Add New Proxy` and enter all the details with proxy set to 127.0.0.1:8081.
4. Activate this proxy and your browser will be able to forward traffic to Burp Proxy.
Steps 3. Configuring Burp Suite to work with HTTPS sites
1. Visit http://burp/ in the browser and download the CA certificate.
2. Install this CA certificate in Firefox by going to Preferences → Advanced → Certificates → View Certificates → Import.
3. Close the browser and Burp Suite and reopen them. Make sure the browser is forwarding traffic to 127.0.0.1:8081 and Burp is listening at 127.0.0.1:8081.
4. Visit any HTTPS site like https://google.com and it will show up in Burp Proxy.
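The three setup steps above can also be checked from a shell. This is an added example, not part of the original page or of Burp Suite: it assumes curl and OpenSSL 1.1.0 or later, uses the page's addresses (Burp on 127.0.0.1:8081, WebGoat on localhost:8080), relies on Burp serving its CA certificate at http://burp/cert, and all function names are made up for this illustration.

```bash
#!/bin/sh
# Added example: sanity checks for the proxy setup described on this page.
# Assumed defaults (page values): Burp on 127.0.0.1:8081, WebGoat on localhost:8080.
PROXY="${PROXY:-127.0.0.1:8081}"

# True when the listener host is loopback, i.e. not reachable from other machines.
is_loopback() {
  case "${1%:*}" in
    127.0.0.1|localhost|"[::1]") return 0 ;;
    *) return 1 ;;
  esac
}

# Strip the "subject="/"issuer=" label openssl prints and normalise spacing.
dn_value() {
  printf '%s\n' "$1" | sed -e 's/^[a-z]*= *//' -e 's/ *= */=/g' -e 's/, */,/g'
}

# True when a leaf's issuer line ($1) names the same DN as a CA's subject line ($2).
issued_by() { [ "$(dn_value "$1")" = "$(dn_value "$2")" ]; }

# Steps 1 and 2: HTTP status of a URL fetched through the proxy.
status_via_proxy() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 -x "http://$PROXY" "$1"
}

# Step 3: download Burp's CA (DER) through the proxy and save it as PEM in $1.
fetch_burp_ca() {
  curl -s --max-time 10 -x "http://$PROXY" http://burp/cert |
    openssl x509 -inform der -out "$1"
}

# Issuer line of the certificate actually served for host $1 through the proxy.
served_issuer() {
  openssl s_client -proxy "$PROXY" -connect "$1:443" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -noout -issuer
}

# Run every check in order and report what was found.
check_setup() {
  is_loopback "$PROXY" || echo "WARNING: listener $PROXY is not loopback-only"
  echo "WebGoat via proxy: HTTP $(status_via_proxy http://localhost:8080/WebGoat/)"
  fetch_burp_ca burp-ca.pem || { echo "no CA served at http://burp/cert"; return 1; }
  ca_subject=$(openssl x509 -noout -subject -in burp-ca.pem)
  if issued_by "$(served_issuer google.com)" "$ca_subject"; then
    echo "HTTPS is intercepted: certificate was issued by the Burp CA"
  else
    echo "HTTPS is not signed by the Burp CA: traffic may be bypassing the proxy"
  fi
}
```

Source the file and run `check_setup` with Burp and WebGoat started; the request to WebGoat should also appear in Burp's HTTP history tab.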