So far in this series, we've learned:
✓ What Burp Suite is
✓ How to install it
✓ How the Proxy works
✓ How HTTPS certificates work
At this point, Burp can see traffic.
But now we're about to do something much more powerful.
We're going to stop traffic.
Before it reaches the website.
For many beginners, this is the exact moment they realize:
"Oh... this is how security researchers think."
The Normal Way Websites Work
Imagine you're sending a text message.
Normally:
You
↓
Send
↓
Friend
Once you hit send:
Too late.
The message is gone.
You can't stop it halfway.
Web browsers behave similarly.
When you click a button:
Browser
↓
Website
The request immediately leaves your computer.
You don't get a chance to inspect it.
You don't get a chance to modify it.
You don't get a chance to stop it.
What Intercept Does
Intercept changes the rules.
Instead of:
Browser
↓
Website
Burp creates:
Browser
↓
Burp
↓
Website
And when Intercept is enabled:
Browser
↓
Burp
[PAUSED]
↓
Website
The request stops inside Burp.
Waiting for your decision.
Now you are in control.
Think of It Like Airport Security
Imagine boarding a flight.
Normally:
Passenger
↓
Plane
Simple.
But airports add a checkpoint:
Passenger
↓
Security Checkpoint
↓
Plane
At the checkpoint security can:
✓ Inspect
✓ Allow
✓ Reject
✓ Question
✓ Redirect
Burp's Intercept feature works the same way.
Every request must pass through your checkpoint.
Where Is Intercept?
Open Burp.
Navigate to:
Proxy
↓
Intercept
You'll see:
Intercept is ON
or
Intercept is OFF
This tiny button controls one of Burp's most important features.
What Happens When Intercept Is On?
Let's visit:
https://example.com/login
Enter:
Username: user
Password: password123
Click:
Login
Instead of reaching the server immediately:
The request appears inside Burp.
Something similar to:
POST /login HTTP/1.1
Host: example.com
username=user
password=password123
The website is now waiting.
The request has not reached the server yet.
Burp has paused it.
The First Time You See A Request
For many beginners, this is the first time they've ever seen what a login actually looks like.
Instead of:
Login Form
You now see:
POST /login HTTP/1.1
Instead of:
Username Box
You see:
username=user
Instead of:
Password Box
You see:
password=password123
Suddenly the website feels less mysterious.
You are seeing the raw conversation.
Forward: Let The Request Continue
The most common action is:
Forward
When you click:
Forward
Burp sends the request to the server.
The flow becomes:
Browser
↓
Burp
↓
Website
The website processes the request normally.
The user sees the expected response.
Think of Forward as:
"Looks good. Let it go."
Drop: Destroy The Request
Sometimes you don't want the request to reach the server.
That's where:
Drop
comes in.
When you click:
Drop
The request is discarded.
Browser
↓
Burp
X
Website
The server never receives it.
It's as if the request never existed.
When Would Someone Use Drop?
Imagine clicking:
Delete Account
The browser creates a request.
Burp intercepts it.
Instead of forwarding it:
Drop
The deletion request never reaches the server.
This is useful when analyzing how applications behave.
Modify: Change The Request
This is where things become really interesting.
Because Burp doesn't just allow viewing requests.
It allows editing them.
Example: Changing a Username
Suppose Burp intercepts:
POST /login HTTP/1.1
username=user
password=password123
Before forwarding it:
Change:
username=user
to:
username=admin
Result:
POST /login HTTP/1.1
username=admin
password=password123
Then click:
Forward
The server receives your modified version.
Not the original one.
What Just Happened?
You changed the request while it was in transit.
Think of mailing a letter.
Normally:
Write Letter
↓
Mail It
Done.
Burp gives you a chance to reopen the envelope before delivery.
Edit it.
Then reseal it.
And send the new version.
That's incredibly powerful.
Why Security Researchers Do This
Applications often trust information they receive.
Researchers ask questions like:
- What happens if this value changes?
- What happens if this parameter disappears?
- What happens if this role becomes admin?
- What happens if this ID changes?
Example:
Original:
role=user
Modified:
role=admin
Or:
Original:
user_id=1001
Modified:
user_id=1002
Testing begins with curiosity.
And Intercept enables that curiosity.
Viewing Headers
Intercept doesn't only show form data.
You'll also see headers:
Host: example.com
Cookie: session=abc123
User-Agent: Chrome
These contain important information about the request.
Later in the series we'll explore headers in detail.
For now, simply recognize that they're part of the conversation.
Intercept Is Not Just For Logins
Burp can intercept:
✓ Login requests
✓ Search requests
✓ API requests
✓ File uploads
✓ Account updates
✓ Password changes
✓ Shopping cart actions
✓ Almost any browser request
If it travels through your browser, Burp can usually see it.
The Most Common Beginner Mistake
Every beginner experiences this.
You open a website.
Nothing loads.
Every page hangs forever.
You panic.
Then eventually realize:
Intercept is ON
Burp is waiting for you to click:
Forward
The traffic isn't broken.
It's paused.
When Should Intercept Be On?
Use Intercept ON when:
✓ Studying requests
✓ Learning HTTP
✓ Inspecting login forms
✓ Understanding application behavior
✓ Performing manual testing
When Should Intercept Be Off?
Use Intercept OFF when:
✓ Browsing normally
✓ Collecting traffic
✓ Mapping applications
✓ Gathering requests for later analysis
Many professionals keep:
Intercept OFF
most of the time and use:
HTTP History
to review requests later.
A Simple Workflow
A beginner-friendly workflow:
Enable Intercept
↓
Perform Action
↓
Request Appears
↓
Inspect Request
↓
Modify (Optional)
↓
Forward
↓
Observe Response
This cycle forms the foundation of web application testing.
Key Takeaways
✓ Intercept pauses requests before they reach the server
✓ Forward sends the request normally
✓ Drop discards the request completely
✓ Requests can be modified before forwarding
✓ Intercept helps researchers understand how applications work
✓ Every major Burp feature starts with understanding requests
✓ The ability to modify traffic is one of Burp's most powerful capabilities
What's Next?
Now that you can capture, inspect, forward, drop, and modify requests, it's time to learn where Burp stores everything.
In the next chapter, we'll explore HTTP History, the feature that records every request and response flowing through Burp.
Top comments (0)