100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Burp Suite

By PortSwigger

AdvancedTool10.3K learners

Burp Suite is an integrated platform for web application security testing, widely used by penetration testers and security researchers to discover and exploit vulnerabilities.

Definition

Burp Suite is an integrated platform for web application security testing, widely used by penetration testers and security researchers to discover and exploit vulnerabilities.

Overview

At its core, Burp Suite runs as an intercepting HTTP(S) proxy, sitting between a browser and a target web application so every request and response can be inspected and modified. Its Repeater tool lets testers manually resend and tweak individual requests, while Intruder automates sending large numbers of crafted requests for fuzzing and brute-force-style testing; the paid Professional and Enterprise editions add an automated vulnerability Scanner that crawls and tests an application for common issues. Developed by PortSwigger, Burp Suite has become one of the two most widely used tools — alongside OWASP ZAP — in professional web application penetration testing, and the categories of issues it's used to find map closely to what's covered in Cybersecurity for Developers: The OWASP Top 10 Explained. Its functionality can be extended through the BApp Store, a marketplace of community-built extensions, and it's frequently used alongside identity and access tools like Auth0 or Keycloak when testing authentication and session-handling flaws.

Key Features

  • Intercepting HTTP(S) proxy for inspecting and modifying traffic
  • Repeater for manual request manipulation and replay
  • Intruder for automated fuzzing and brute-force-style attacks
  • Automated vulnerability Scanner (Professional/Enterprise editions)
  • Extensibility through the BApp Store plugin marketplace
  • Session handling rules and macro recording for authenticated testing
  • Comparer and Sequencer tools for analyzing tokens and session data

Use Cases

Manual web application penetration testing
Automated vulnerability scanning of web applications
API security testing
Bug bounty hunting
Security training and capture-the-flag (CTF) practice

Frequently Asked Questions