Burp Suite Cheatsheet 2026

The complete Burp Suite reference — proxy setup, Repeater, Intruder, Decoder, keyboard shortcuts, match & replace, extensions and the full web pentest workflow. For bug bounty, CTFs and authorized web audits.

Last updated:

New to pentesting? Read our complete beginner's guide to see where web proxying fits in the methodology.

Quick Navigation

01 Proxy Setup 02 Keyboard Shortcuts 03 Repeater 04 Intruder 05 Target & Scope 06 Decoder & Comparer 07 Match & Replace 08 Scanner (Pro) 09 Extensions 10 Web Pentest Workflow

# Proxy Setup

The proxy is the heart of Burp — it sits between your browser and the target, letting you intercept and edit every request.

Proxy listener: 127.0.0.1:8080
Default listener — point your browser here (Proxy > Options)
Use the embedded browser (Proxy > Intercept > Open Browser)
Pre-configured Chromium — no manual proxy or cert setup needed
http://burp → CA Certificate → cacert.der
Download Burp's CA cert and trust it to intercept HTTPS cleanly
Intercept is on / off
Toggle request interception; leave OFF and browse, then work from HTTP history
💡 Tip: Most of the time keep Intercept OFF and browse the app normally — every request is logged in Proxy > HTTP history, where you right-click to send interesting ones to Repeater or Intruder.

# Essential Keyboard Shortcuts

Learning these will make you dramatically faster in Burp.

ShortcutAction
Ctrl+RSend request to Repeater
Ctrl+ISend request to Intruder
Ctrl+Shift+RSwitch to the Repeater tab
Ctrl+Shift+ISwitch to the Intruder tab
Ctrl+SpaceSend the request (in Repeater)
Ctrl+UURL-encode the selection
Ctrl+Shift+UURL-decode the selection
Ctrl+BBase64-encode the selection
Ctrl+Shift+BBase64-decode the selection
Ctrl+FForward the intercepted request

# Repeater — Manual Testing

Repeater is where you hand-craft and re-send single requests to probe an endpoint's behaviour.

Right-click request → Send to Repeater (Ctrl+R)
Push a request from history/proxy into Repeater
Ctrl+Space
Send the current request and view the response
Change request method: right-click → Change request method
Flip GET↔POST to test parameter handling
Response → Render tab
See the rendered HTML response, not just raw text
💡 Tip: Duplicate a Repeater tab (Ctrl+drag or right-click > Duplicate) to keep a known-good request while you mutate a copy — perfect for A/B testing payloads.

# Intruder — Automated Attacks

Intruder injects payloads into marked positions across many requests — fuzzing, brute-force and enumeration.

Ctrl+I → Positions tab → Add § markers
Send to Intruder, then mark the injection points with §

Attack Types

TypeUse case
SniperOne payload set, one position at a time — single-param fuzzing
Battering ramSame payload in all positions at once
PitchforkMultiple payload sets in parallel — e.g. user+pass pairs
Cluster bombEvery combination of sets — full credential brute-force
Payloads tab → Simple list / Runtime file / Numbers
Load a wordlist, a file, or generate number/date ranges
Grep - Match: add "Welcome" / "Invalid"
Flag responses containing a keyword to spot hits fast
Sort results by Length / Status
A different response length usually reveals the valid payload
⚠️ Community edition: Intruder is throttled to ~1 req/s. For fast fuzzing, use ffuf or wfuzz instead, or upgrade to Burp Professional.

# Target & Scope

Define scope so Burp only logs and attacks what you're authorized to test.

Target → Site map → right-click host → Add to scope
Add the target to scope
Proxy → Options → Intercept only in-scope items
Stop capturing noise from third-party domains
Site map → filter → Show only in-scope items
Focus the site map on your target

# Decoder & Comparer

Decoder transforms data (encode/decode/hash); Comparer diffs two responses to spot subtle differences.

Decoder → Decode as: URL / Base64 / HTML / ASCII hex
Chain decodings to unwrap layered encodings
Decoder → Hash: MD5 / SHA-1 / SHA-256
Quickly hash a value
Right-click two responses → Send to Comparer → Words / Bytes
Diff a valid vs invalid response to find the tell

# Match & Replace

Automatically rewrite requests/responses passing through the proxy — great for auth headers and client-side flags.

Proxy → Options → Match and Replace → Add
Create a rule (Request header / Response body, etc.)
Type: Request header — Match: ^User-Agent.*$ — Replace: User-Agent: PentestMindmap
Force a custom User-Agent on every request
Type: Response body — Match: "isAdmin":false — Replace: "isAdmin":true
Flip a client-side flag to test broken access control
Type: Request header — Match: (blank) — Replace: Authorization: Bearer TOKEN
Inject an auth header into every request

# Scanner (Professional)

Burp Pro's scanner automates vulnerability discovery. Not available in Community.

Dashboard → New scan → Crawl and audit
Full automated crawl + vulnerability audit of a target
Right-click request → Scan → Audit selected items
Targeted active scan of a single request
Scan configuration: Audit checks - light active
Choose a lighter, faster scan profile to reduce noise

# Essential Extensions (BApp Store)

Install from Extensions > BApp Store. These cover the most common needs.

Autorize
Automatic authorization / access-control testing (IDOR, privilege escalation)
Logger++
Advanced request logging, filtering and export
Param Miner
Discover hidden parameters and headers (great for cache poisoning)
Active Scan++
Extra active scan checks beyond the defaults
JS Link Finder
Extract endpoints and links from JavaScript files

# The Web Pentest Workflow

A repeatable order of operations for testing a web app with Burp.

1. Add target to scope, intercept off, browse the whole app
Populate the site map by using every feature
2. Review Proxy → HTTP history for interesting endpoints
Look for IDs, tokens, admin paths, file params
3. Send candidates to Repeater and probe by hand
Test IDOR, injection, auth bypass one request at a time
4. Use Intruder (or ffuf) to fuzz parameters and brute-force
Automate what you confirmed manually
5. Run Autorize while browsing as a low-priv user
Catch broken access control automatically

❓ Burp Suite FAQ

Burp listens on 127.0.0.1:8080. Point your browser there (or use the built-in embedded browser). Then trust Burp's CA cert from http://burp so HTTPS is intercepted without warnings.

Repeater re-sends a single request you edit by hand. Intruder automates many requests with injected payloads (fuzzing, brute-force). Ctrl+R → Repeater, Ctrl+I → Intruder.

Sniper (one set, one position at a time), Battering ram (same payload everywhere), Pitchfork (parallel sets — user+pass pairs), Cluster bomb (all combinations — full brute-force).

Yes — about 1 request/second and no saved attacks. For fast fuzzing use ffuf/wfuzz, or upgrade to Burp Professional.

A proxy rule that auto-rewrites requests/responses. Common uses: force a User-Agent, inject an Authorization header on every request, or flip isAdmin:false to true in a response.

Ctrl+R → Repeater, Ctrl+I → Intruder, Ctrl+Space send in Repeater, Ctrl+U/Ctrl+Shift+U URL encode/decode, Ctrl+B base64-encode.

From the BApp Store: Autorize, Logger++, Active Scan++, Param Miner and JS Link Finder. Some need Jython/Jruby configured in Extensions settings.

Visit http://burp, download the CA certificate (cacert.der) and import it into your browser's trusted root authorities. HTTPS is then decrypted in Proxy > HTTP history without warnings.

📚 Related Resources

AI-Assisted Pentest Report

Turn your Burp findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This Burp Suite cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →