📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
🟢 Day 12 — Burp Suite Setup
Day 12 of 100 · Phase 2: Web Security · Track goal: Day 100 — Professional Pentester
Yesterday you learned what web applications are made of. Today you get the tool that lets you grab any piece of that structure, freeze it mid-flight, and change it. Burp Suite is the closest thing to a superpower in web application security testing — and in 15 minutes, you’ll have it configured and intercepting your first real HTTPS request.
From Day 12 forward, Burp Suite is open in your lab every single day. It’s not a tool you learn once — it’s a tool you get better at continuously. Let’s start from zero and build the setup that professionals use.
Burp Suite is made by PortSwigger and has been the industry standard web application security testing platform for over 15 years. The Community Edition is free, fully functional for manual testing, and pre-installed on Kali Linux. Professional penetration testers use it on every single web application engagement — for mapping, intercepting, manipulating, and analysing HTTP traffic.
📋 Day 12 Contents
- What Burp Suite Actually Does
- Step 1 — Launch Burp Suite
- Step 2 — Configure the Browser Proxy
- Step 3 — Install the CA Certificate
- Step 4 — Your First Intercept
- HTTP History — Passive Reconnaissance
- Repeater — Where the Real Testing Happens
- Decoder — Unmasking Obfuscated Data
- Setting Target Scope — Professional Discipline
- Day 12 Practical Task
What Burp Suite Actually Does — The Mental Model
Burp Suite is a proxy — it sits between your browser and the internet. When you configure your browser to route traffic through Burp, every HTTP and HTTPS request your browser makes passes through Burp first, and every response from the server passes back through Burp before your browser renders it.
How Burp Intercepts Traffic
Your browser (sends requests) → port 8080 → Burp Suite (sees everything; can freeze, modify and replay any request) → forwarded → Web server (receives requests, sends responses)
Without a proxy: Browser ↔ Server directly. With Burp: Browser → Burp (reads/modifies) → Server. Server cannot tell the difference.
This intercepting position gives you extraordinary power. You can read every request — including the POST body with login credentials, the session cookie in every header, the JSON payload in an API call. You can modify any of it before forwarding. Change a user ID. Add a SQL injection payload. Remove a security header. And you can replay any request as many times as you want with different modifications. That’s the testing workflow.
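To make the mental model concrete, here is a toy intercepting proxy written for this article (it is not PortSwigger's code and has nothing to do with how Burp is implemented internally). It does the three things the paragraph describes: it receives the browser's request on a loopback port, lets a hook freeze and edit it (here the edit is adding a header), records it in a history list the way Burp's HTTP history does, then forwards it and relays the response. The "web server" is a constructed stand-in that echoes what it received, so you can see that the server only ever sees the modified request; the ports are ephemeral rather than Burp's 8080.

```python
# Toy intercepting proxy modelling what Burp does on 127.0.0.1:8080 (added example,
# not PortSwigger's code). The upstream "web server" is a constructed stand-in.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in web server: reports the path and the header it actually received."""
    def do_GET(self):
        body = f"path={self.path} x-via-proxy={self.headers.get('X-Via-Proxy', 'absent')}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    log_message = lambda self, *args: None  # keep the demo quiet

def recv_http_message(sock):
    """Read one HTTP message: the header block, then Content-Length body bytes."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
    head, body = data.split(b"\r\n\r\n", 1)
    length = next((int(v.strip()) for n, _, v in (l.partition(b":") for l in head.split(b"\r\n")[1:])
                   if n.strip().lower() == b"content-length"), 0)
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body

def parse_request(raw):
    """Browser-to-proxy requests use the absolute form: GET http://host:port/path HTTP/1.1"""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (h.partition(":") for h in header_lines)]
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}

def serialize_request(req):
    """Forward in origin form (/path); Proxy-* headers were meant for us, not the server."""
    url = urlsplit(req["target"])
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    lines = [f"{req['method']} {path} {req['version']}"]
    lines += [f"{n}: {v}" for n, v in req["headers"] if not n.lower().startswith("proxy-")]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + req["body"]

def tag_request(req):
    """Intercept hook: edit the frozen request before it is forwarded."""
    req["headers"].append(("X-Via-Proxy", "lab"))
    return req

def handle_client(conn, hook, history):
    with conn:
        conn.settimeout(5)
        raw = recv_http_message(conn)
        if not raw:
            return
        req = hook(parse_request(raw))  # Proxy > Intercept: freeze, then modify
        history.append(req)             # Proxy > HTTP history: every request is recorded
        url = urlsplit(req["target"])
        with socket.create_connection((url.hostname, url.port or 80), timeout=5) as upstream:
            upstream.sendall(serialize_request(req))   # forward the modified request
            conn.sendall(recv_http_message(upstream))  # relay the response unchanged

def start_proxy(hook, history):
    """Listen on an ephemeral loopback port (Burp's default is 127.0.0.1:8080)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handle_client, args=(conn, hook, history), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]

def start_upstream():
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port

def run_demo():
    """Play the browser: one request through the proxy; report what the server saw."""
    history = []
    proxy_port = start_proxy(tag_request, history)
    url = f"http://127.0.0.1:{start_upstream()}/account?id=1"
    browser = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    browser.request("GET", url, headers={"Connection": "close"})  # absolute URL, as sent to Burp
    return {"server_saw": browser.getresponse().read().decode(), "history": history}

if __name__ == "__main__":
    result = run_demo()
    print(result["server_saw"])
    print([f"{r['method']} {r['target']}" for r in result["history"]])
```

Run it and the server reports `x-via-proxy=lab` even though the "browser" never sent that header: the edit happened in the proxy, and the server has no way to tell. Swap `tag_request` for any other function and you have the Intercept tab; the `history` list is the HTTP history tab.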
STEP 1 Launch Burp Suite
Burp Suite is pre-installed on every Kali Linux distribution. Launch it from the terminal or the Applications menu.
Launching Burp Suite on Kali Linux
# From the terminal (recommended: the trailing & keeps the terminal available)
burpsuite &
# Or run the jar directly with java so you can set the JVM heap with -Xmx
# (tune the value to what your machine can spare on low-RAM systems)
java -Xmx2g -jar /usr/share/burpsuite/burpsuite.jar &
# From the Applications menu:
Applications → 03 – Web Application Analysis → burpsuite
When Burp opens:
- “Temporary project” → Next
- “Use Burp defaults” → Start Burp
Always use Temporary project for day-to-day practice; saved projects are for long-running engagements (Pro feature).
You’ll see Burp’s main interface with the Dashboard tab open. The critical tabs are: Proxy (intercept and history), Repeater (manual request replay), Decoder (encoding utilities), Intruder (automated fuzzing — throttled in Community Edition), and Target (site map and scope). We’ll use all of these today.
STEP 2 Configure the Browser Proxy
Burp listens by default on 127.0.0.1:8080. You need to tell Firefox to send its traffic to that address instead of directly to the internet. I recommend installing FoxyProxy — it lets you switch the proxy on and off instantly with one click, rather than digging into Firefox settings every time.
Two ways to configure browser proxy
── OPTION A: Firefox built-in proxy (manual) ──────────────
Firefox → ≡ Menu → Settings → scroll to “Network Settings”
→ Settings → Manual proxy configuration
HTTP Proxy: 127.0.0.1 Port: 8080
✓ Also use this proxy for HTTPS
No proxy for: localhost, 127.0.0.1
→ OK
── OPTION B: FoxyProxy (recommended — toggle in one click) ──
Firefox → Add-ons (Ctrl+Shift+A) → search “FoxyProxy Standard”
→ Add to Firefox → FoxyProxy icon appears in toolbar
→ Click icon → Options → Add new proxy:
Title: Burp Suite
Host: 127.0.0.1
Port: 8080
Type: HTTP
→ Save → click FoxyProxy icon → select “Burp Suite”
Now: click icon → “Burp Suite” = proxy ON | “Disabled” = direct
One click toggle. Much faster in daily use.
💡 Professional habit: Always verify Burp is listening before testing. Go to Burp → Proxy → Proxy settings → confirm “Running” next to 127.0.0.1:8080. If it’s not running, your browser will throw a “connection refused” error. Also — when you’re done testing, remember to turn the proxy off in FoxyProxy or your normal browsing will break.
STEP 3 Install Burp’s CA Certificate — Critical for HTTPS
Without this step, Burp can intercept HTTP but every HTTPS site will throw a certificate warning. Burp generates its own TLS certificate for each HTTPS site you visit — signed by Burp’s own Certificate Authority. By installing Burp’s CA cert in Firefox, you’re telling Firefox to trust those dynamically generated certificates. This is what enables seamless HTTPS interception.
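The reason the import is necessary can be shown in a few lines. The example below was written for this article (it is not Burp's code) and needs only the `openssl` command-line tool, which it assumes is installed. It builds a private CA standing in for Burp's CA, mints a certificate for a single hostname signed by that CA (what the proxy does for every HTTPS site you visit), and then asks the same question a browser asks three times: is this certificate trusted before the CA is imported, after it is imported, and for a different hostname? The CA name and the hostname `example.test` are constructed for the demo. Keep in mind what the import means: a browser that trusts a CA will accept any certificate signed with its private key, so Burp's CA (generated uniquely per installation) belongs only in the browser profile you use for testing.

```python
# Why the CA import matters, as runnable Python (added example, not Burp's code).
# Assumes the `openssl` command-line tool is installed; CA name and hostname are constructed.
import os
import subprocess
import tempfile


def openssl(*args, cwd):
    """Run one openssl command inside the scratch directory."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)


def make_lab_ca(workdir):
    """Self-signed CA: the role Burp's own CA plays (subject name is made up)."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", "ca.key",
            "-out", "ca.pem", "-days", "1", "-subj", "/CN=Lab Proxy CA (constructed)",
            cwd=workdir)
    return os.path.join(workdir, "ca.pem")


def issue_host_cert(workdir, hostname):
    """What the proxy does for each HTTPS site you visit: mint a certificate for that
    hostname and sign it with its own CA instead of the site's real issuer."""
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", "host.key",
            "-out", "host.csr", "-subj", f"/CN={hostname}", cwd=workdir)
    with open(os.path.join(workdir, "ext.cnf"), "w") as ext:
        ext.write(f"subjectAltName=DNS:{hostname}\n")  # browsers match the SAN, not the CN
    openssl("x509", "-req", "-in", "host.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-CAcreateserial", "-out", "host.pem", "-days", "1", "-extfile", "ext.cnf",
            cwd=workdir)
    return os.path.join(workdir, "host.pem")


def client_trusts(leaf, hostname, ca_file=None):
    """Model of the browser's decision. -no-CAfile/-no-CApath ignore the OS trust
    store, so only a CA we explicitly hand over counts (like a fresh profile)."""
    cmd = ["verify", "-no-CAfile", "-no-CApath", "-verify_hostname", hostname]
    if ca_file:
        cmd += ["-CAfile", ca_file]
    return openssl(*cmd, leaf, cwd=os.path.dirname(leaf)).returncode == 0


def run_demo(hostname="example.test"):
    """Returns the three trust decisions Step 3 is about."""
    with tempfile.TemporaryDirectory() as workdir:
        ca = make_lab_ca(workdir)
        leaf = issue_host_cert(workdir, hostname)
        return {
            "before_ca_import": client_trusts(leaf, hostname),             # certificate warning
            "after_ca_import": client_trusts(leaf, hostname, ca_file=ca),  # seamless interception
            "cert_for_other_host": client_trusts(leaf, "other.test", ca_file=ca),
        }


if __name__ == "__main__":
    print(run_demo())
```

`before_ca_import` is the certificate warning you see before Step 3, `after_ca_import` is the seamless interception you get after it, and `cert_for_other_host` shows why the proxy has to mint a fresh certificate per site: trusting the CA is not enough on its own, the certificate must also name the host the browser asked for.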