Burp Suite Cheat Sheet
Covers Burp Suite's core web application testing workflow including proxy setup, Repeater, Intruder, and scanning best practices.
2 PagesIntermediateFeb 10, 2026
Core Tools
The main components of Burp Suite used in a typical assessment.
- Proxy- Intercepts and modifies HTTP/S traffic between browser and server
- Repeater- Manually resend and edit individual requests to test behavior
- Intruder- Automates sending many requests with varying payloads (fuzzing, brute force)
- Scanner- Automated vulnerability scanning (Burp Suite Pro only)
- Decoder- Encode/decode data (Base64, URL, Hex, HTML entities)
- Comparer- Diff two requests/responses to spot differences
- Target/Site map- Tracks discovered site structure and endpoints
Proxy Setup Workflow
Steps to intercept browser traffic through Burp.
- 1. Configure browser proxy- Point browser to 127.0.0.1:8080 (Burp's default listener)
- 2. Install CA certificate- Visit http://burp on the proxied browser and install cert to inspect HTTPS
- 3. Enable/disable intercept- Toggle 'Intercept is on' in the Proxy tab to hold or forward requests
- 4. Send to Repeater- Right-click a captured request to send it for manual replay/editing
Intruder Attack Types
Payload position strategies for automated request fuzzing.
text
Sniper # One payload set, cycles through each § position § one at a timeBattering ram # One payload set, same value inserted in all positions simultaneouslyPitchfork # Multiple payload sets, iterated in parallel (position 1 <-> set 1)Cluster bomb # Multiple payload sets, all combinations tested (position1 x position2)
Common Manual Tests via Repeater
Typical checks performed by editing and resending requests.
- Auth bypass- Remove/modify session tokens or headers to test access control
- IDOR- Change object IDs in requests to access other users' data
- Injection payloads- Insert SQLi/XSS strings into parameters and observe responses
- HTTP method tampering- Swap GET/POST/PUT to test for inconsistent server-side checks
Pro Tip
Use 'Match and Replace' rules in the Proxy settings to automatically strip or rewrite headers (like Cache-Control or CSP) on the fly across every request, saving repetitive manual edits during long test sessions.
Was this cheat sheet helpful?
Explore Topics
#BurpSuite#BurpSuiteCheatSheet#Cybersecurity#Intermediate#CoreTools#ProxySetupWorkflow#IntruderAttackTypes#CommonManualTestsViaRepeater#WebDevelopment#Testing#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance