Burp Suite Notes
The Burp config I default to. None of this is exotic; all of it has paid off.
Project settings I always change
- Scope — define it before the first request. Then turn on “Drop all out-of-scope requests” in Proxy → Misc to keep history clean.
- Logging — enable “Log all out-of-scope traffic” temporarily during recon. Disable it for the rest of the engagement.
- Hotkeys — assign:
  - Ctrl+Shift+R → Send to Repeater
  - Ctrl+Shift+I → Send to Intruder
  - Ctrl+T → New Repeater tab
  - Ctrl+R → Replay current Repeater tab
These four save more time than any extension.
Extensions worth installing
| Extension | What it does |
|---|---|
| Logger++ | Searchable, scriptable history. Lets me grep across every request in a session. |
| Param Miner | Finds hidden parameters, headers, and cookies the server accepts. |
| Backslash Powered Scanner | Smart server-side bug discovery. |
| Active Scan++ | Adds CRLF, header injection, hidden parameters, and a few other checks. |
| Autorize | Authorization testing — replay requests as two different users automatically. |
| JWT Editor | JWT manipulation in a sane UI. |
| HTTP Request Smuggler | Detects + exploits desync. |
| Collaborator Everywhere | Adds Collaborator pingbacks to every request automatically — catches blind SSRF. |
| Hackvertor | In-line encoding/decoding inside request tabs. |
| Turbo Intruder | High-volume attacks (race conditions, password spraying). |
Burp + Collaborator
For blind SSRF, blind XSS, and out-of-band SQLi, Burp Collaborator is the oracle. Two habits:
- Paste a fresh Collaborator domain into every form field that takes a URL, even ones that “look like” they only accept image paths.
- Set Collaborator domain in Param Miner so it auto-injects into hidden parameters too.
Each Collaborator interaction records the request that triggered it. Read the HTTP request the Collaborator received — it tells you whether the SSRF fired from the web server (likely an image fetcher) or from a worker queue (likely something different and more impactful).
The settings most people miss
- Proxy → HTTP history → Filter → set “Hide items without responses” on. Half the noise gone.
- Proxy → Match and Replace → add rules for:
  - Set-Cookie: ...HttpOnly... → strip HttpOnly (only in your own testing context; lets you read cookies in DevTools)
  - User-Agent: ... → set to your own marker; makes log review easy
- Project options → Sessions → Macros — for any auth flow longer than one form, capture a macro and chain it. Refreshes tokens automatically during Intruder runs.
- Intruder → Resource pool — set max concurrent requests per host (3–10 for live targets) so you don’t DoS the box you’re testing.
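A small log-review helper for the User-Agent marker above, as an added example (not from the original notes): it splits a web server access log into marker-tagged tester traffic and everything else, and reports the busiest one-second bucket so you can confirm the resource-pool limit held. It assumes Combined Log Format lines; the marker string, IPs and log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def review(lines, marker):
    """Split traffic by the User-Agent marker and summarise the tester's share."""
    tester, other = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            (tester if marker in rec["ua"] else other).append(rec)
    # Access logs have one-second resolution, so the timestamp is already the bucket.
    per_second = Counter(r["time"] for r in tester)
    return {
        "tester_requests": len(tester),
        "other_requests": len(other),
        "tester_hosts": sorted({r["host"] for r in tester}),
        "peak_rps": max(per_second.values(), default=0),
        "status_counts": dict(Counter(r["status"] for r in tester)),
        "paths": dict(Counter(r["path"] for r in tester)),
    }

# Constructed sample lines. The marker "pentest-acme-0310" is a hypothetical value
# set through a Burp Match and Replace rule on the User-Agent header.
MARKER = "pentest-acme-0310"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 pentest-acme-0310"',
    '203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 pentest-acme-0310"',
    '203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /api/user?id=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0 pentest-acme-0310"',
    '198.51.100.23 - - [10/Mar/2024:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "GET /api/user?id=2 HTTP/1.1" 403 0 "-" "Mozilla/5.0 pentest-acme-0310"',
]
```

Run `review(SAMPLE_LOG, MARKER)` on the sample to get the split; feed it the client's real log export after the engagement to hand them a clean list of what was yours.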
Project file hygiene
- Save the project file named after the engagement: burp-${target}-${date}.burp
- Periodically run Project → Save State.
- Keep project files on disk encryption. They contain credentials, cookies, and unredacted client traffic.
Burp project files are the highest-sensitivity artifact you produce during an engagement. Treat them like raw incident response data — encrypted at rest, deleted on the retention schedule, never on shared cloud drives.
Repeater tricks worth knowing
- Ctrl+Space inside Repeater opens autocomplete on common headers.
- Right-click → Insert Collaborator payload places a fresh OAST domain at the cursor.
- Send group in sequence (single connection) is for desync research. Send group in parallel is for race condition testing — fire 30 of the same request at once.
Intruder modes
- Sniper — one payload, one position. Default. Use for parameter fuzzing.
- Battering ram — same payload in all positions. Rarely useful.
- Pitchfork — paired payloads (e.g., username + matching password).
- Cluster bomb — all combinations. For unknown credentials, this is what you want — but be mindful of the total request count.
Performance
- Burp does not love huge projects. After ~50k requests in history, search slows down. Start a new project per assessment.
- Disable Live audit / passive scan during recon if you’re sending tens of thousands of requests — re-enable later for active testing.