# Proxy Setup
The proxy is the heart of Burp — it sits between your browser and the target, letting you intercept and edit every request.
Proxy listener: 127.0.0.1:8080Use the embedded browser (Proxy > Intercept > Open Browser)http://burp → CA Certificate → cacert.derIntercept is on / off# Essential Keyboard Shortcuts
Learning these will make you dramatically faster in Burp.
| Shortcut | Action |
|---|---|
| Ctrl+R | Send request to Repeater |
| Ctrl+I | Send request to Intruder |
| Ctrl+Shift+R | Switch to the Repeater tab |
| Ctrl+Shift+I | Switch to the Intruder tab |
| Ctrl+Space | Send the request (in Repeater) |
| Ctrl+U | URL-encode the selection |
| Ctrl+Shift+U | URL-decode the selection |
| Ctrl+B | Base64-encode the selection |
| Ctrl+Shift+B | Base64-decode the selection |
| Ctrl+F | Forward the intercepted request |
# Repeater — Manual Testing
Repeater is where you hand-craft and re-send single requests to probe an endpoint's behaviour.
Right-click request → Send to Repeater (Ctrl+R)Ctrl+SpaceChange request method: right-click → Change request methodResponse → Render tab# Intruder — Automated Attacks
Intruder injects payloads into marked positions across many requests — fuzzing, brute-force and enumeration.
Ctrl+I → Positions tab → Add § markersAttack Types
| Type | Use case |
|---|---|
| Sniper | One payload set, one position at a time — single-param fuzzing |
| Battering ram | Same payload in all positions at once |
| Pitchfork | Multiple payload sets in parallel — e.g. user+pass pairs |
| Cluster bomb | Every combination of sets — full credential brute-force |
Payloads tab → Simple list / Runtime file / NumbersGrep - Match: add "Welcome" / "Invalid"Sort results by Length / Statusffuf or wfuzz instead, or upgrade to Burp Professional.# Target & Scope
Define scope so Burp only logs and attacks what you're authorized to test.
Target → Site map → right-click host → Add to scopeProxy → Options → Intercept only in-scope itemsSite map → filter → Show only in-scope items# Decoder & Comparer
Decoder transforms data (encode/decode/hash); Comparer diffs two responses to spot subtle differences.
Decoder → Decode as: URL / Base64 / HTML / ASCII hexDecoder → Hash: MD5 / SHA-1 / SHA-256Right-click two responses → Send to Comparer → Words / Bytes# Match & Replace
Automatically rewrite requests/responses passing through the proxy — great for auth headers and client-side flags.
Proxy → Options → Match and Replace → AddType: Request header — Match: ^User-Agent.*$ — Replace: User-Agent: PentestMindmapType: Response body — Match: "isAdmin":false — Replace: "isAdmin":trueType: Request header — Match: (blank) — Replace: Authorization: Bearer TOKEN# Scanner (Professional)
Burp Pro's scanner automates vulnerability discovery. Not available in Community.
Dashboard → New scan → Crawl and auditRight-click request → Scan → Audit selected itemsScan configuration: Audit checks - light active# Essential Extensions (BApp Store)
Install from Extensions > BApp Store. These cover the most common needs.
AutorizeLogger++Param MinerActive Scan++JS Link Finder# The Web Pentest Workflow
A repeatable order of operations for testing a web app with Burp.
1. Add target to scope, intercept off, browse the whole app2. Review Proxy → HTTP history for interesting endpoints3. Send candidates to Repeater and probe by hand4. Use Intruder (or ffuf) to fuzz parameters and brute-force5. Run Autorize while browsing as a low-priv user❓ Burp Suite FAQ
Burp listens on 127.0.0.1:8080. Point your browser there (or use the built-in embedded browser). Then trust Burp's CA cert from http://burp so HTTPS is intercepted without warnings.
Repeater re-sends a single request you edit by hand. Intruder automates many requests with injected payloads (fuzzing, brute-force). Ctrl+R → Repeater, Ctrl+I → Intruder.
Sniper (one set, one position at a time), Battering ram (same payload everywhere), Pitchfork (parallel sets — user+pass pairs), Cluster bomb (all combinations — full brute-force).
Yes — about 1 request/second and no saved attacks. For fast fuzzing use ffuf/wfuzz, or upgrade to Burp Professional.
A proxy rule that auto-rewrites requests/responses. Common uses: force a User-Agent, inject an Authorization header on every request, or flip isAdmin:false to true in a response.
Ctrl+R → Repeater, Ctrl+I → Intruder, Ctrl+Space send in Repeater, Ctrl+U/Ctrl+Shift+U URL encode/decode, Ctrl+B base64-encode.
From the BApp Store: Autorize, Logger++, Active Scan++, Param Miner and JS Link Finder. Some need Jython/Jruby configured in Extensions settings.
Visit http://burp, download the CA certificate (cacert.der) and import it into your browser's trusted root authorities. HTTPS is then decrypted in Proxy > HTTP history without warnings.
📚 Related Resources
- Reverse Shell Cheatsheet — Turn a web RCE into a shell once Burp confirms the injection
- SQL Injection Cheatsheet — Every SQLi payload to test in Repeater and Intruder
- Nmap Cheatsheet — Find the web ports (80/443/8080) before you proxy them
- Full Pentesting Cheatsheet — 200+ commands for web, network, AD and privesc
- Pentesting Glossary — IDOR, XSS, SSRF, proxy and 60+ key terms defined
Turn your Burp findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This Burp Suite cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →