
Burp Suite

PortSwigger's intercepting HTTP proxy — the de facto web app testing platform.

[image: Burp Suite dashboard with target tab, credit PortSwigger]

// what it is

Description

PortSwigger's Java-based suite that bundles an intercepting proxy, Repeater, Scanner, Intruder, Decoder, Comparer, and an extension ecosystem (BApp Store, Burp Extender API). The free Community edition is more than enough for most CTF and bug-bounty work; Pro adds the active scanner and an unthrottled Intruder.

// use cases

What people use it for

  • Intercept and tamper with any web app request
  • Replay and mutate requests in Repeater to verify suspected vulnerabilities
  • Automated scanning of complex modern web apps (Pro only)
  • Burp Collaborator for OAST (out-of-band) interaction tests

// commands

The commands you'll type

Set HTTP proxy for curl

$ curl --proxy http://127.0.0.1:8080 -k https://target.tld
# -k skips TLS verification because Burp's generated CA is not trusted by the system yet;
# once you export Burp's CA certificate (Proxy > Options > Import / export CA certificate),
# pass it with --cacert <burp-ca.pem> instead of -k so you keep verification on.

// facts

category:   Web AppSec
platforms:  LIN · WIN · MAC
license:    Freemium
difficulty: Intermediate
