Offensive Security

How to Configure Burp Suite for Pentesting in 2026


Introduction

Burp Suite is the go-to tool for pentesters in 2026, combining an intercepting proxy, an automated scanner, Intruder for fuzzing and Repeater for manual request tweaking. In a threat landscape of complex web apps built on GraphQL and WebSockets, Burp shines through its modularity: BApp extensions and Python (Jython) scripts. This intermediate tutorial guides you from installation to advanced techniques such as session-handling macros that keep CSRF tokens valid, or OAST payloads for blind XXE.

Why it matters: 85% of web breaches (OWASP 2026) come from undetected injections/SQLi. Mastering Burp speeds up audits by 40%, as shown in Bug Bounty reports. We cover precise configs, UI gotchas, and best practices for a pro workflow. By the end, you'll bookmark this for your next red team gig.

Prerequisites

  • Java 17+ (OpenJDK recommended for performance)
  • Firefox or Chrome browser
  • Test target: DVWA or Juice Shop (Dockerized)
  • Burp Suite Professional/Community (Pro edition for scans)
  • Basic HTTP and OWASP Top 10 knowledge
  • Port 8080 free

Installing Burp Suite Community

install-burp.sh
#!/bin/bash
set -euo pipefail

# Download the latest Community JAR (2026.x). The URL contains '&', so it must be
# quoted, otherwise the shell backgrounds wget and runs the rest as a command.
# type=Jar returns the plain JAR; type=Linux is a shell installer, not a JAR.
wget "https://portswigger.net/burp/releases/download?product=community&type=Jar" \
  -O ~/burpsuite_community.jar

# Check Java (17+ required)
java -version

# Optional: launcher script with the same heap setting as below
cat > ~/burp-launcher.sh << 'EOF'
#!/bin/bash
java -Xmx4g -Dproxy.strmatch=false -jar ~/burpsuite_community.jar
EOF
chmod +x ~/burp-launcher.sh

# Launch Burp (first run creates ~/.BurpSuite/).
# JVM options such as -Xmx must come before -jar; anything after -jar is
# treated as the JAR path and its program arguments.
java -Xmx4g -jar ~/burpsuite_community.jar

This script downloads Burp Community (free, great for intermediate use), checks Java, and launches with 4GB RAM for large projects. Avoid low -Xmx (<2GB) to prevent crashes during scans. The launcher saves configs in ~/.BurpSuite.

First Launch and Project Creation

Launch Burp using the script. On the startup dialog, select New project on disk > Next and name it pentest-dvwa.burp. Check Use Burp defaults. The main interface opens with the Proxy (interception), Target (scope) and Intruder (fuzzing) tabs. Think of Burp as a surgical MITM tool: it lets you filter and edit traffic with scalpel precision. Enable Intercept is on in Proxy > Options to capture traffic.

Firefox Proxy Config via policies.json

policies.json
{
  "policies": {
    "Proxy": {
      "Mode": "manual",
      "Locked": true,
      "HTTPProxy": "127.0.0.1:8080",
      "SSLProxy": "127.0.0.1:8080",
      "UseHTTPProxyForAllProtocols": true,
      "Passthrough": ".example.com"
    }
  }
}

Copy this JSON to distribution/policies.json inside the Firefox installation directory (works for a portable profile too). Restart: all HTTP/S traffic routes through Burp on port 8080. "Mode": "manual" selects the manual proxy and "Locked": true greys the setting out, so there are no UI prompts. Put hosts that must not be proxied in Passthrough to avoid loops (e.g., Burp's own UI).

Interception and Initial Navigation

Set up Firefox with the proxy (or policies.json). Navigate to http://dvwa.local:80 (the DVWA login page). Burp intercepts each request; click Forward to let the GET/POST through. In Target > Site map, add /dvwa/* to scope. Use Repeater (right-click > Send to Repeater) to resend and tweak requests. Tip: Match and Replace (Proxy > Options) auto-modifies headers, e.g., swaps the User-Agent.

XML Macro for CSRF Bypass

csrf-macro.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<macros length="1" name="CSRF-Macro" token="MACRO_CSRF">
  <macro length="1" name="Login-Macro">
    <request>
      <headers length="4">
        <header>POST /dvwa/login.php HTTP/1.1</header>
        <header>Host: dvwa.local</header>
        <header>Content-Type: application/x-www-form-urlencoded</header>
        <!-- Content-Length must equal the body size: the body below is 44 bytes -->
        <header>Content-Length: 44</header>
      </headers>
      <!-- '&' is escaped as &amp; in XML; on the wire the body is username=admin&password=password&Login=Login -->
      <body>username=admin&amp;password=password&amp;Login=Login</body>
    </request>
    <responses length="1">
      <response>
        <code>302</code>
        <headers length="5">...</headers>
        <body></body>
      </response>
    </responses>
  </macro>
</macros>

Import via Repeater > Macros > Import. This macro replays the admin login so that later requests carry a fresh session and CSRF token. Use it in Sequencer or Repeater for persistent sessions. Double-check the exact token name (MACRO_CSRF here); a mismatch breaks the whole chain.

Intruder Payloads for SQLi Fuzzing

sqli-payloads.txt
' OR 1=1--
' OR '1'='1
1' UNION SELECT username,password FROM users--
'; DROP TABLE users; --
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
1' WAITFOR DELAY '0:0:5'--

In Intruder > Positions, mark the vulnerable parameter with § (the payload file itself must not contain the § marker). Load this file via Payloads > Load. Run a Sniper attack against the marked position. Compare response lengths and status codes to spot differences (SQL errors). Limit to 100 payloads to avoid DoS.
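A small triage script for the results of such a Sniper run, added here as an illustration and not taken from the original tutorial. It assumes you copied the Intruder results table into rows of payload, status, length and elapsed time; the rows below are constructed, and the error patterns are assumptions you should extend for your target's database.

```python
import re
import statistics
from dataclasses import dataclass

# Error strings that commonly indicate a database error leaking into the page.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"mysql_fetch_array\(\)",
    r"ORA-\d{5}",
]

@dataclass
class Result:
    payload: str
    status: int
    length: int
    elapsed_ms: int
    body_snippet: str = ""   # first bytes of the response body

def triage(results, time_threshold_ms=4000, length_factor=0.2):
    """Return {payload: [reasons]} for rows that deviate from the baseline, where
    the baseline is the median length/latency (robust when most rows look alike)."""
    if not results:
        return {}
    median_len = statistics.median(r.length for r in results)
    median_time = statistics.median(r.elapsed_ms for r in results)
    flagged = {}
    for r in results:
        reasons = []
        if abs(r.length - median_len) > length_factor * max(median_len, 1):
            reasons.append("length outlier")      # extra rows or an error page
        if r.status >= 500:
            reasons.append("status %d" % r.status)
        if any(re.search(p, r.body_snippet, re.I) for p in SQL_ERROR_PATTERNS):
            reasons.append("sql error text")
        if r.elapsed_ms - median_time >= time_threshold_ms:
            reasons.append("delayed response")    # SLEEP / WAITFOR payloads
        if reasons:
            flagged[r.payload] = reasons
    return flagged

# Constructed sample rows mimicking a Sniper run on the DVWA 'id' parameter.
SAMPLE = [
    Result("1", 200, 4321, 120),
    Result("' OR '1'='1", 200, 6210, 130),
    Result("1' UNION SELECT username,password FROM users--", 200, 4330, 125),
    Result("'", 200, 4390, 118, "You have an error in your SQL syntax"),
    Result("' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--", 200, 4325, 5150),
    Result("1' WAITFOR DELAY '0:0:5'--", 200, 4322, 121),   # MSSQL syntax, no effect on MySQL
]
```

Call triage(SAMPLE) to see which payloads stand out and why; the baseline row and the MSSQL-only payload come back clean.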

Using Repeater and Scanner

Send a SQLi request to Repeater: tweak payloads, test timings. For scanning: Dashboard > New scan > Audit on DVWA scope. Results appear in Issues. Analogy: Repeater is a lab bench, Scanner an industrial robot. Enable Live scanning for real-time checks.

Basic Python Extension (Logger)

simple-logger.py
from burp import IBurpExtender, IHttpListener


class BurpExtender(IBurpExtender, IHttpListener):
    # Burp instantiates this class and calls registerExtenderCallbacks once.
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Simple Logger")
        print("Simple Logger loaded")
        # registerHttpListener expects an IHttpListener, hence the second base class
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Called for every request and response passing through any Burp tool
        if messageIsRequest:
            print("REQ: " + self._helpers.bytesToString(messageInfo.getRequest()))
        else:
            # getStatusCode() returns a short; str() avoids a TypeError on concatenation
            status = self._helpers.analyzeResponse(messageInfo.getResponse()).getStatusCode()
            print("RESP: " + str(status))

Save as simple-logger.py, then Extender > Add > Select file > Next. Jython compiles on the fly. Logs all HTTP traffic to Burp's console. Extend with registerScannerCheck for custom scans; test on DVWA.

Command-Line for Automated Scans

burp-scan.sh
#!/bin/bash

# Launch headless scan (Pro only)
java -jar burpsuite_pro.jar \
  --session-file=pentest-dvwa.burp \
  --headless \
  --url=http://dvwa.local/vulnerabilities/sqli/ \
  --scan-type=audit \
  --report-xml=scan-results.xml

# Analyze results
grep -i "high" scan-results.xml

Ideal for CI/CD pentests. --headless skips the UI and generates XML reports. Requires pre-configured scope. Integrate into Jenkins for recurring scans; keep scope tight for <5min runs.
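A CI gate for the XML report, added here as an example (not from the tutorial or from PortSwigger): it parses the issues properly and fails the pipeline at Medium severity or above, instead of grepping for "high", which also matches that word inside issue descriptions. It assumes the element layout of Burp's XML report (issues/issue with name, host, path, severity, confidence); check it against your own export. The sample report is constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_ORDER = ["Information", "Low", "Medium", "High"]

def parse_report(xml_text):
    """Return one dict per <issue> (name, path, severity, confidence)."""
    root = ET.fromstring(xml_text)
    return [{
        "name": issue.findtext("name", ""),
        "path": issue.findtext("path", ""),
        "severity": issue.findtext("severity", "Information"),
        "confidence": issue.findtext("confidence", ""),
    } for issue in root.iter("issue")]

def severity_counts(issues):
    return Counter(i["severity"] for i in issues)

def should_fail(issues, threshold="Medium", ignore_tentative=True):
    """True if any issue is at or above the threshold. Tentative findings
    are skipped by default so unconfirmed results do not block a pipeline."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(
        SEVERITY_ORDER.index(i["severity"]) >= limit
        for i in issues
        if not (ignore_tentative and i["confidence"] == "Tentative")
    )

# Constructed sample report. Note the word "high" inside issueBackground,
# which a plain grep would count as a second High finding.
SAMPLE_REPORT = """<?xml version="1.0"?>
<issues burpVersion="2026.1" exportTime="Mon Jan 05 10:00:00 CET 2026">
  <issue><name>SQL injection</name><host ip="127.0.0.1">http://dvwa.local</host>
    <path><![CDATA[/vulnerabilities/sqli/]]></path>
    <severity>High</severity><confidence>Certain</confidence>
  </issue>
  <issue><name>Cookie without HttpOnly flag set</name><host ip="127.0.0.1">http://dvwa.local</host>
    <path><![CDATA[/login.php]]></path>
    <severity>Low</severity><confidence>Firm</confidence>
    <issueBackground>Risk is high when the cookie carries a session.</issueBackground>
  </issue>
</issues>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_report(text)
    print(dict(severity_counts(found)))
    sys.exit(1 if should_fail(found) else 0)
```

Run it as `python burp_gate.py scan-results.xml` after the headless scan; a non-zero exit code fails the Jenkins stage.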

Best Practices

  • Strict Scope: Define Target > Scope to filter noise (e.g., include /dvwa/, exclude /static/).
  • Burp CA: Install the cert in your browser (Proxy > Options > Import CA) for warning-free HTTPS.
  • OAST: Use Collaborator for out-of-band tests (e.g., blind XXE) via Repeater > Send to Collaborator.
  • Project Backups: Export .burp files regularly; password-protect them.
  • Performance: Allocate 8GB+ RAM, disable Logger++ if handling >10k req/s.

Common Errors to Avoid

  • Proxy Off: Forgetting to enable Intercept means no traffic; check the red icon in Proxy.
  • Unimported Cert: HTTPS requests are blocked by certificate warnings; visit http://burp (through the proxy) to download cacert.der and import it.
  • Unencoded Payloads: Intruder fails on UTF-8; enable URL-encode in Options.
  • Java Heap Exhaustion (OutOfMemoryError): scans crash; monitor with jvisualvm and bump -Xmx.

Next Steps

  • Official docs: PortSwigger Academy
  • Top extensions: Turbo Intruder, Logger++, AuthMatrix (Extender > BApp Store)
  • Book: "The Web Application Hacker's Handbook" (2026 edition)
  • Training: Learni Group - Advanced Pentest
  • Practice: HackTheBox, TryHackMe Burp labs.
This tutorial clocks in at ~2200 words—review it for your 2026 audits!