Burp Suite Tutorial: A Beginner's Walkthrough (2026)
June 19, 2001 · by Pentevo
Burp Suite is the go-to tool for web application security testing. At its heart it's an intercepting proxy: it sits between your browser and the target site so you can see — and modify — every request and response. Here's how to get going.
⚠️ Only test applications you own or are explicitly authorized to assess.
Editions
- Community (free) — Proxy, Repeater, Decoder, and manual tools. Perfect for learning.
- Professional (paid) — adds the automated scanner and a faster Intruder.
Start with Community.
Step 1 — Set up the proxy
- Launch Burp and go to Proxy → Options; the listener defaults to
127.0.0.1:8080. - Point your browser at that proxy (the built-in Burp browser is easiest — it's preconfigured).
- Install Burp's CA certificate in the browser so HTTPS traffic decodes cleanly.
With Intercept on, requests pause so you can inspect or edit them before they're sent. With it off, everything still flows through HTTP history, where you can review traffic after the fact.
Step 2 — Read the traffic
Browse the target normally. In Proxy → HTTP history you'll see every request: method, URL, parameters, cookies, and the full response. This alone teaches you an enormous amount about how an app works.
Step 3 — Repeater (the workhorse)
Right-click any request and Send to Repeater. There you can change a parameter, resend, and see exactly how the server responds. This manual, iterative testing — change one thing, observe — is the core skill of web testing.
Step 4 — Intruder (automated input testing)
Intruder repeats a request while substituting values into positions you mark — useful for testing how an endpoint handles many inputs (for example, checking whether a parameter is properly validated). In Community edition it's rate-limited, but it's great for learning the concept.
Step 5 — Scanner (Pro)
Professional adds an automated scanner that crawls and audits for common issues mapped to the OWASP Top 10. It's a force-multiplier — but remember a scanner reports potential issues; a human (or AI agent) still has to verify what's real.
A sensible learning workflow
- Map the app with Nmap and a browse-through.
- Watch traffic in Burp's HTTP history.
- Pick interesting requests → Repeater → experiment.
- Confirm findings against the OWASP categories.
- Write up what you found and how to fix it.
Practice safely and learn the method
Spin up an intentionally vulnerable app in a VM and point Burp at that. To learn the methodology behind the tool — not just the clicks — our free Pentevo Academy covers web app testing as part of the complete CEH syllabus.
Related reading
Best Penetration Testing Tools in 2026
The essential penetration testing tools every ethical hacker should know — scanners, proxies, exploitation frameworks and more, with what each is best for.
ToolsBest Vulnerability Scanners in 2026
A practical comparison of the best vulnerability scanners — what they do, free vs commercial options, and how scanning fits into real security.
ToolsMetasploit Tutorial for Beginners (2026)
Understand the Metasploit Framework — what it is, its core concepts (modules, payloads, sessions), and how to use it for authorized learning.
ToolsKali Linux for Beginners: Getting Started in 2026
What Kali Linux is, who it's for, how to install it safely, and the essential commands and tools to begin your ethical-hacking journey.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free