📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Bug Bounty Mastery Course, Day 5 of 60
Day 5: Burp Suite Deep Dive
Days 1–4 Quick Check
By now you should have: a HackerOne account with a program selected; Burp Suite installed and working with Firefox, FoxyProxy and the Burp CA certificate; core HTTP knowledge (methods, status codes, cookies, the same-origin policy); and all ten OWASP Top 10 categories memorised. If you're missing any of these, do the earlier days first. Day 5 builds directly on the Burp Suite setup from Day 2.
On Day 2 you installed Burp Suite and intercepted your first HTTP request. That was the introduction. Today is the masterclass. Every professional bug bounty hunter — every single one who earns consistently — lives in Burp Suite. They know its tabs the way a surgeon knows their instruments. Not just what each tool does in theory, but exactly when to reach for it and how to use it to get the result they need.
Today you will learn every major Burp Suite tab in operational depth — not surface-level descriptions but actual workflows. Scanner, Repeater, Intruder with all four attack types, Decoder, and Comparer. Then you will use everything you just learned to find a real vulnerability in a practice environment. By the end of this session you will have demonstrated your first web vulnerability — a finding that, in a real bug bounty programme, would earn you a real bounty.
This is the Burp Suite tutorial for beginners that professional hunters wish they had when they started. No skipped steps. No assumed knowledge. Let's go.
📋 Day 5 Contents
- Burp Suite Interface Overview
- Step 1 — Proxy & HTTP History
- Step 2 — Repeater (Deep Dive)
- Step 3 — Intruder: All 4 Attack Types
- Step 4 — Decoder: Encoding & Decoding
- Step 5 — Comparer: Diff Two Responses
- Step 6 — Scanner: Passive vs Active
- Step 7 — Find Your First Vulnerability
- The Professional Burp Workflow
- Day 5 Task + Challenges
Burp Suite Interface Overview — All the Tabs, All Their Purposes
When Burp Suite opens, beginners are often overwhelmed by the tab bar. Every professional hunter has had that moment of “where do I even start?” Let’s eliminate that feeling permanently with a clear map of every major component and its exact role in a bug bounty workflow.
Figure: the Burp Suite Community Edition tab bar (Temporary Project) showing Proxy, Repeater, Intruder, Scanner, Decoder, Comparer, Sequencer, Target and Logger.
PROXY (use daily): Intercept & History. Your window into all browser traffic. Set Intercept ON to pause requests, OFF to passively capture them.
REPEATER (use daily): Manually modify and resend any request. Your primary testing workspace: tweak parameters, headers and bodies and observe how the application responds.
INTRUDER (use daily, powerful): Automated payload delivery. Send a wordlist through any parameter. Used for brute force, fuzzing and enumeration; all 4 attack types are covered today. Note that Community Edition throttles Intruder's request rate, so large wordlists run slowly; Professional removes the throttle.
SCANNER (Professional only): Burp Scanner is not included in Community Edition, in either mode. Passive scanning analyses traffic already captured and reports issues without sending anything; active scanning sends attack payloads to find vulnerabilities automatically. In Burp 2.x both are driven from the Dashboard rather than from a separate tab.
DECODER: Convert between encodings: Base64, URL, HTML, ASCII hex, gzip. Decode JWT segments, cookies and hidden fields. Essential for understanding obfuscated data. Remember that JWT segments are base64url without padding, so a standard Base64 decode can fail or return garbage until you restore the padding and swap - and _ for + and /.
COMPARER: Side-by-side diff of two requests or responses. Find the exact difference between a successful login and a failed one; crucial for authentication testing.
Burp Suite Interface Map: Proxy, Repeater and Intruder are the tabs you will use in every single testing session. Decoder and Comparer are used frequently but situationally. Scanner needs a Professional licence. All covered in depth today.
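The Decoder card mentions decoding JWTs, and the base64url detail is what trips beginners up: a JWT's three segments use the URL-safe alphabet and drop the `=` padding, so a plain Base64 decode may succeed on one segment and fail on the next. The following is an added Python example, not code from the original article. It uses the public jwt.io demo token as a constructed sample (HS256, secret "your-256-bit-secret"); the function names are my own. It also makes the point that decoding a token is not verifying it.

```python
import base64
import binascii
import json
from typing import Any

# Constructed sample: the public jwt.io demo token (HS256). Not a real credential.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url (RFC 4648 section 5), restoring the '=' padding JWTs omit.

    base64url uses '-' and '_' instead of '+' and '/', and JWTs strip padding,
    so a standard-alphabet decode of a segment either raises or returns garbage.
    """
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def plain_base64_fails(segment: str) -> bool:
    """True when a strict standard Base64 decode rejects the segment.

    Shows why 'it decoded the header fine' is not proof the decoder is right:
    the header of the sample happens to need no padding, the other segments do.
    """
    try:
        base64.b64decode(segment, validate=True)
        return False
    except (binascii.Error, ValueError):
        return True


def decode_jwt(token: str) -> dict[str, Any]:
    """Split a JWT into header, claims and raw signature bytes WITHOUT verifying it.

    Decoding is not verification: every claim is attacker-controlled until the
    signature has been checked against the issuer's key. This is the Decoder-tab
    view of a token, nothing more.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header, claims, signature = parts
    return {
        "header": json.loads(b64url_decode(header)),
        "claims": json.loads(b64url_decode(claims)),
        "signature": b64url_decode(signature),  # empty for an unsigned alg=none token
    }


if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_JWT)
    print(json.dumps(decoded["header"]), json.dumps(decoded["claims"]))
    print(f"signature: {len(decoded['signature'])} bytes (unverified)")
```

Run it and compare with what Burp's Decoder shows for the same token; when a segment refuses to decode as Base64, missing padding or the URL-safe alphabet is almost always the reason.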
STEP 1 Proxy and HTTP History — The Foundation of All Testing
The Proxy tab has two operational modes that you will switch between constantly. Understanding when to use each is the single most important Burp Suite habit to build from Day 5 onwards.
INTERCEPT OFF — Browse Mode
Browser works normally. Every request still flows through Burp and appears in the HTTP History tab — but nothing is paused. Use this mode for initial reconnaissance and mapping the application’s surface. Browse the entire target with Intercept OFF first, then use History to pick interesting requests for testing.
Use for: initial mapping, passive capture
INTERCEPT ON — Pause Mode
Every request pauses in Burp before reaching the server. You read, modify, or drop it, then click Forward. Use this when you want to intercept and modify a specific request in real time — for example, to change a parameter the moment you click a button in the browser.
Use for: real-time modification, specific requests
📋 HTTP History — Your Hunting Ground
Every request in HTTP History is a potential finding. Here is the professional's approach to reviewing History:
1. Isolate POST requests (sort the Method column, or write a Bambda filter in recent Burp versions): POST bodies carry user-controlled data and are the primary injection targets.
2. Search for parameters whose name contains "id" (the filter bar's search term, or the Params column): any numeric or sequential identifier is a potential IDOR target, and the test is to swap it for a value belonging to another user.
3. Look at 302 redirects: a redirect to the login page shows you where access control is enforced. Check the response body as well; a 302 whose body still contains the protected page content means the server rendered the page before redirecting, and the browser following Location is the only thing hiding it.
4. Look for unusually large responses (sort the Length column): an oversized JSON or HTML response may contain more fields or records than the page ever displays.
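To make the four History heuristics concrete, here is an added Python example (not part of the original article) that runs them over a Burp "Save items" XML export instead of by eye. The element names it parses (`item`, `url`, `method`, `status`, `responselength`, and base64-encoded `request`/`response`) follow a typical Burp export but are assumed here rather than taken from the page; the sample export is constructed inline, and the size threshold and ID-name hints are illustrative values to tune per target.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumed heuristics: tune both per target.
LARGE_RESPONSE_BYTES = 50_000
ID_PARAM_HINTS = ("id", "uid", "account", "order", "num")


@dataclass
class Triage:
    method: str
    url: str
    status: int
    reasons: list[str] = field(default_factory=list)


def _text(item: ET.Element, tag: str, default: str = "") -> str:
    node = item.find(tag)
    return (node.text or default) if node is not None else default


def _body(item: ET.Element, tag: str) -> bytes:
    """Return the HTTP body from a (base64-encoded) <request> or <response> element."""
    node = item.find(tag)
    if node is None or not node.text:
        return b""
    raw = node.text.strip()
    message = base64.b64decode(raw) if node.get("base64") == "true" else raw.encode()
    return message.split(b"\r\n\r\n", 1)[-1]  # everything after the headers


def triage_history(xml_text: str) -> list[Triage]:
    """Apply the four HTTP History heuristics to a Burp 'Save items' XML export."""
    flagged: list[Triage] = []
    for item in ET.fromstring(xml_text).iter("item"):
        method = _text(item, "method").strip().upper()
        url = _text(item, "url").strip()
        status = int(_text(item, "status") or 0)
        length = int(_text(item, "responselength") or 0)
        t = Triage(method, url, status)

        # 1. POST requests carry user-controlled bodies: primary injection targets.
        if method == "POST":
            t.reasons.append("POST body (injection target)")

        # 2. ID-like names in the query string or form body are IDOR candidates.
        params = parse_qs(urlparse(url).query)
        if method == "POST":
            params.update(parse_qs(_body(item, "request").decode(errors="replace")))
        hits = [p for p in params if any(h in p.lower() for h in ID_PARAM_HINTS)]
        if hits:
            t.reasons.append("ID-like parameter(s): " + ", ".join(hits))

        # 3. A 302 is where access control fires. A 302 that still carries a body
        #    means the server rendered the page before redirecting (execution after
        #    redirect): the content is there for any client that ignores Location.
        if status == 302:
            body = _body(item, "response").strip()
            if body:
                t.reasons.append(f"302 with {len(body)}-byte body (execution after redirect?)")
            else:
                t.reasons.append("302 redirect (note where access control is enforced)")

        # 4. Unusually large responses may return more fields than the UI shows.
        if length >= LARGE_RESPONSE_BYTES:
            t.reasons.append(f"large response ({length} bytes)")

        if t.reasons:
            flagged.append(t)
    return flagged


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _item(url: str, method: str, status: int, request: bytes, response: bytes) -> str:
    """Build one <item> in the shape of a Burp export (constructed sample data)."""
    return (
        "  <item>\n"
        f"    <url><![CDATA[{url}]]></url>\n"
        f"    <method><![CDATA[{method}]]></method>\n"
        f"    <status>{status}</status>\n"
        f"    <responselength>{len(response)}</responselength>\n"
        f'    <request base64="true"><![CDATA[{_b64(request)}]]></request>\n'
        f'    <response base64="true"><![CDATA[{_b64(response)}]]></response>\n'
        "  </item>"
    )


# Constructed sample export: four captured exchanges, three of which should be flagged.
SAMPLE_EXPORT = "<items>\n" + "\n".join([
    _item("https://shop.example/account/orders?id=1337", "GET", 200,
          b"GET /account/orders?id=1337 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
          b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" + b'{"orders":[]}' * 6000),
    _item("https://shop.example/admin/users", "GET", 302,
          b"GET /admin/users HTTP/1.1\r\nHost: shop.example\r\n\r\n",
          b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n<table><tr><td>alice</td></tr></table>"),
    _item("https://shop.example/login", "POST", 200,
          b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=bob&password=hunter2",
          b"HTTP/1.1 200 OK\r\n\r\n<html>Welcome</html>"),
    _item("https://shop.example/static/app.css", "GET", 200,
          b"GET /static/app.css HTTP/1.1\r\nHost: shop.example\r\n\r\n",
          b"HTTP/1.1 200 OK\r\n\r\nbody{}"),
]) + "\n</items>\n"


if __name__ == "__main__":
    for hit in triage_history(SAMPLE_EXPORT):
        print(f"{hit.method} {hit.status} {hit.url}\n    " + "\n    ".join(hit.reasons))
```

To use it on real traffic, select the rows in HTTP History, right-click, choose Save items, and pass the saved XML to `triage_history`. The script only prioritises: every flag still has to be confirmed by hand in Repeater, and the stylesheet request in the sample shows why a script that flags nothing is as useful as one that flags something.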
This article was originally written and published by the SecurityElites team.