100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Burp Suite Cheat Sheet

Burp Suite Cheat Sheet

Covers Burp Suite's core web application testing workflow including proxy setup, Repeater, Intruder, and scanning best practices.

2 PagesIntermediateFeb 10, 2026

Core Tools

The main components of Burp Suite used in a typical assessment.

  • Proxy- Intercepts and modifies HTTP/S traffic between browser and server
  • Repeater- Manually resend and edit individual requests to test behavior
  • Intruder- Automates sending many requests with varying payloads (fuzzing, brute force)
  • Scanner- Automated vulnerability scanning (Burp Suite Pro only)
  • Decoder- Encode/decode data (Base64, URL, Hex, HTML entities)
  • Comparer- Diff two requests/responses to spot differences
  • Target/Site map- Tracks discovered site structure and endpoints

Proxy Setup Workflow

Steps to intercept browser traffic through Burp.

  • 1. Configure browser proxy- Point browser to 127.0.0.1:8080 (Burp's default listener)
  • 2. Install CA certificate- Visit http://burp on the proxied browser and install cert to inspect HTTPS
  • 3. Enable/disable intercept- Toggle 'Intercept is on' in the Proxy tab to hold or forward requests
  • 4. Send to Repeater- Right-click a captured request to send it for manual replay/editing

Intruder Attack Types

Payload position strategies for automated request fuzzing.

text
Sniper       # One payload set, cycles through each § position § one at a timeBattering ram # One payload set, same value inserted in all positions simultaneouslyPitchfork    # Multiple payload sets, iterated in parallel (position 1 <-> set 1)Cluster bomb # Multiple payload sets, all combinations tested (position1 x position2)

Common Manual Tests via Repeater

Typical checks performed by editing and resending requests.

  • Auth bypass- Remove/modify session tokens or headers to test access control
  • IDOR- Change object IDs in requests to access other users' data
  • Injection payloads- Insert SQLi/XSS strings into parameters and observe responses
  • HTTP method tampering- Swap GET/POST/PUT to test for inconsistent server-side checks
Pro Tip

Use 'Match and Replace' rules in the Proxy settings to automatically strip or rewrite headers (like Cache-Control or CSP) on the fly across every request, saving repetitive manual edits during long test sessions.

Was this cheat sheet helpful?

Explore Topics

#BurpSuite#BurpSuiteCheatSheet#Cybersecurity#Intermediate#CoreTools#ProxySetupWorkflow#IntruderAttackTypes#CommonManualTestsViaRepeater#WebDevelopment#Testing#CheatSheet#SkillVeris