aidan

Getting comfortable with Burp Suite

2 min read
Severity: info
  • security
  • burp
  • web
  • pentesting
  • learning

I've been spending an hour a day with Burp Suite Pro and PortSwigger Academy. This is the post I wish I'd had on day one — the bits that took me longer than they should have.

The mental model

Burp is a proxy. Everything else is a tool sitting on top of that one fact. Your browser sends a request, Burp intercepts it, you do whatever you want with it (replay, mutate, fuzz), and then forward or drop. Once you hold that model, the rest of the UI stops looking intimidating.

What I actually use

  • Proxy → HTTP history — the workhorse. Right-click "Send to Repeater" is 80% of my workflow.
  • Repeater — the surgical scalpel. One request, edited and re-sent until I learn something.
  • Intruder — fuzzing. Slow on the community edition; tolerable on Pro.
  • Logger — the search bar I didn't know I needed.

What I haven't touched yet

Macros, session handling rules, the BApp store extensions. I'll get there.

// my Repeater discipline:
// 1. Always work from a known-good baseline.
// 2. Change ONE thing at a time.
// 3. Diff the response, not the screen.
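
Step 3 of that discipline, as an added Python example that is not from this post or from Burp: a small differ that parses two raw HTTP responses, ignores volatile headers, and reports only what changed between the known-good baseline and the single-edit replay. The two sample responses are constructed.

```python
import difflib
from typing import Dict, List, Tuple

# Headers that change on every response and would drown out the real delta.
VOLATILE_HEADERS = {"date", "set-cookie", "x-request-id", "cf-ray"}


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def diff_responses(baseline: str, mutated: str) -> List[str]:
    """Return the list of differences between a baseline response and a replay."""
    b_status, b_hdr, b_body = parse_response(baseline)
    m_status, m_hdr, m_body = parse_response(mutated)
    findings: List[str] = []
    if b_status != m_status:
        findings.append(f"status: {b_status!r} -> {m_status!r}")
    if len(b_body) != len(m_body):
        findings.append(f"body length: {len(b_body)} -> {len(m_body)}")
    for name in sorted(set(b_hdr) | set(m_hdr)):
        if name in VOLATILE_HEADERS:
            continue  # skip noise that changes on every request
        if b_hdr.get(name) != m_hdr.get(name):
            findings.append(f"header {name}: {b_hdr.get(name)!r} -> {m_hdr.get(name)!r}")
    # Body delta: only the changed lines, no context, no file headers.
    for line in difflib.unified_diff(b_body.splitlines(), m_body.splitlines(),
                                     "baseline", "mutated", n=0, lineterm=""):
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            findings.append(f"body {line}")
    return findings


# Constructed sample: the baseline reply, and the reply after changing one parameter.
BASELINE = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
            "Content-Type: text/html\r\n\r\n<h1>Orders</h1>\n<p>3 items</p>\n")
MUTATED = ("HTTP/1.1 500 Internal Server Error\r\nDate: Mon, 01 Jan 2024 00:00:01 GMT\r\n"
           "Content-Type: text/html\r\n\r\n<h1>Orders</h1>\n<p>Unexpected error</p>\n")

if __name__ == "__main__":
    for finding in diff_responses(BASELINE, MUTATED):
        print(finding)
```

A Date header that differs on its own produces no finding, so an unchanged page after an edit reads as an empty list rather than a false signal.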

The PortSwigger Academy labs are the best onboarding for a security tool I've ever seen, and they're free. If you're starting out, do the SQLi track first — the feedback loop is fast and the wins are loud.

More posts as I work through the labs and start running this on real (consented) targets.