How to Set Up Burp Suite in 2026

Introduction

Burp Suite is the industry standard for web penetration testing, used by 90% of professional pentesters. In 2026, the free Community Edition is perfect for beginners: HTTP/S request interception, request manipulation in Repeater, and passive plus basic active scanning. Think of Burp as a 'surgeon' for web traffic: it sits between your browser and the server and sees every HTTP request and response, helping you spot SQL injection, XSS, or data leaks before they turn into critical vulnerabilities.

This 15-minute tutorial gets you up and running: installation on Linux/Mac/Windows, proxy configuration, CA certificate generation for HTTPS, and first tests with curl and a browser. Why does it matter? Poor proxy setup causes 70% of pentest failures. At the end, you'll intercept real traffic like a pro, ready for the OWASP Top 10. No jargon: every step is actionable with copy-paste code.

Prerequisites

  • Java 17+ (OpenJDK recommended; Burp requires a 64-bit JRE).
  • System: Linux (Ubuntu/Debian), macOS, or Windows 10+.
  • Browser: Firefox or Chrome (for proxy config).
  • Port 8080 free (default proxy port).
  • Basic HTTP knowledge (GET/POST) – no advanced pentest skills needed.
  • Minimum 4 GB RAM for smooth performance.

Download and Installation

install-burp.sh
#!/bin/bash
set -euo pipefail

# Check Java (Burp needs a 64-bit Java 17+ runtime; java -version prints to stderr)
java -version || { echo "Install Java 17+ first"; exit 1; }

# Download Burp Suite Community (stable 2026 version)
# The URL contains '&', so it must be quoted: unquoted, bash would background wget.
cd ~
mkdir -p burp
cd burp
INSTALLER=burpsuite_community_v2026_x.x.sh
wget "https://portswigger.net/burp/releases/download?product=community&type=Linux" -O "$INSTALLER"

# Make executable and install (the installer asks for the install directory)
chmod +x "$INSTALLER"
./"$INSTALLER"

# Link to PATH (optional; adjust the path to the directory chosen in the installer)
sudo ln -sf ~/burp/burpsuite /usr/local/bin/burpsuite

echo "Installation complete. Launch with 'burpsuite'"

This bash script checks for Java, downloads the latest Community Edition (adjust the URL if needed), runs the installer, and links the launcher into PATH. Run the symlink step with sudo if /usr/local/bin is not writable. Pitfall: without Java 17+, Burp crashes – the script catches a missing Java early, but it does not check the version itself, so confirm it reports 17 or later.
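As an added pre-flight check that is not part of the tutorial's script: a Python snippet that parses the java -version output for a real 17+ major version (the bash script only tests that java exists), compares the downloaded installer with the SHA-256 checksum published beside the download, and confirms 127.0.0.1:8080 is free before Burp starts. The expected checksum and the installer filename are placeholders to fill in.

```python
import hashlib
import re
import socket
import subprocess

def java_major_version(version_output: str) -> int:
    """Parse `java -version` output into a major version number.
    Handles the legacy "1.8.0_392" scheme (-> 8) as well as "17.0.9" (-> 17)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return 0
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major

def java_ok(min_major: int = 17) -> bool:
    """Run java -version (it prints to stderr) and require 17+, the tutorial's
    prerequisite; the bash script only checks that java exists at all."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return java_major_version(out.stderr) >= min_major

def installer_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare the installer bytes with the SHA-256 checksum shown next to the
    download, so a tampered or truncated file is never executed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def installer_file_matches(path: str, expected_sha256: str) -> bool:
    try:
        with open(path, "rb") as f:
            return installer_matches(f.read(), expected_sha256)
    except FileNotFoundError:
        return False

def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """Burp's default listener needs 127.0.0.1:8080; try to bind it ourselves."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

if __name__ == "__main__":
    # Placeholder: paste the checksum from the PortSwigger download page.
    EXPECTED_SHA256 = "<sha256-from-download-page>"
    print("java 17+      :", java_ok())
    print("port 8080 free:", port_is_free(8080))
    print("installer ok  :", installer_file_matches("burpsuite_community_v2026_x.x.sh", EXPECTED_SHA256))
```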

First Launch and Interface

Launch Burp with burpsuite in the terminal. The main tabs are: Proxy (interception), Target (scope), Repeater (manual request modification), Intruder (basic fuzzing). Create a temporary project: File > New project > Temporary project. Enable interception: Proxy > Intercept > On. Burp now listens on 127.0.0.1:8080. Analogy: it's your 'net' for catching all HTTP/S traffic routed through this proxy.

Advanced Launch Options

launch-burp.sh
#!/bin/bash
set -euo pipefail

# -Xmx is a JVM option, so it has to reach java itself: run the Community jar
# directly rather than handing -Xmx to the launcher script.
# Adjust BURP_JAR to where your jar lives (the .jar is offered on the same releases page).
BURP_JAR="${BURP_JAR:-$HOME/burp/burpsuite_community.jar}"

# Launch Burp with 2GB heap max and proxy visible
java -Xmx2g -jar "$BURP_JAR" \
  --proxy-chain=false \
  --no-startup-wizard

# Alternative: with custom XML config (use $HOME: '~' is not expanded after '=')
# java -Xmx2g -jar "$BURP_JAR" --config-file="$HOME/burp-config.xml"

This script optimizes the launch: a 2GB heap (-Xmx is a JVM option, so it has to reach the java process) to avoid OutOfMemory errors, proxy chaining disabled (not needed when Burp is the only proxy), and the startup wizard skipped. Use --config-file to load an XML config. Pitfall: without -Xmx, Burp freezes on large scans – always specify it.

Browser Proxy Configuration

In Firefox: Settings > Network Settings > Manual proxy configuration: HTTP proxy 127.0.0.1 port 8080, tick 'Also use this proxy for HTTPS', no SOCKS. Chrome: start it with --proxy-server=127.0.0.1:8080. Test on httpbin.org/get: Burp intercepts the request. For HTTPS, export Burp's CA (Proxy > Options > Import / Export CA Certificate > DER > Save) and install it in the browser: Firefox Settings > Certificates > Authorities > Import. Until the CA is trusted, HTTPS sites show certificate errors.

Proxy Testing with curl

test-proxy.sh
#!/bin/bash
set -euo pipefail

PROXY=127.0.0.1:8080

# Simple HTTP test via Burp proxy (-x routes the request through Burp)
curl -x "$PROXY" \
  http://httpbin.org/get

# HTTPS test (-k skips certificate checks: fine for a quick local test,
# use --cacert ~/burp-cacert.pem instead once the Burp CA is exported)
curl -x "$PROXY" \
  -k \
  https://httpbin.org/json

# With custom headers and a JSON body (great for Repeater)
curl -x "$PROXY" \
  -k \
  -H "X-Test: burp" \
  -H "Content-Type: application/json" \
  -d '{"key":"value"}' \
  https://httpbin.org/post

These curl commands validate the proxy: traffic flows through Burp (visible in Intercept). -k skips certificate verification, which is acceptable for quick local tests only; once the Burp CA is installed, drop -k (or pass --cacert with the exported PEM) so a genuine certificate error is not masked. Add headers and a body to simulate a POST. Pitfall: without -x, curl bypasses Burp entirely – always test with curl before the browser.

Basic Burp XML Configuration

burp-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<config>
  <component>
    <name>core</name>
    <config>
      <project>
        <temporaryProject>true</temporaryProject>
      </project>
      <startup>
        <wizardCompleted>true</wizardCompleted>
      </startup>
    </config>
  </component>
  <component>
    <name>proxy</name>
    <config>
      <tasks.intercept.interceptServerRequests>true</tasks.intercept.interceptServerRequests>
      <http>
        <listener>
          <interface>127.0.0.1</interface>
          <port>8080</port>
        </listener>
      </http>
    </config>
  </component>
  <component>
    <name>target</name>
    <config>
      <scope>
        <include>
          <url type="simple">http://httpbin.org/.*</url>
        </include>
      </scope>
    </config>
  </component>
</config>

This complete XML file sets up Burp: proxy on 8080, interception ON, scope limited to httpbin.org (reduces noise). Load with burpsuite --config-file=burp-config.xml. Pitfall: Malformed XML crashes Burp – validate with an XML editor first.
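An added check, not part of the tutorial, for the pitfall above: a Python validator that parses a config in the same layout as burp-config.xml, rejects malformed XML before Burp ever sees it, flags a listener bound to anything other than loopback (a proxy on 0.0.0.0 is reachable by every host on the network), rejects privileged ports, and makes sure each scope pattern compiles as a regex. The configs it runs on are constructed, trimmed copies of the one above.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed, parameterised copy of the tutorial's burp-config.xml (constructed sample input).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<config>
  <component><name>proxy</name><config><http><listener>
    <interface>{interface}</interface><port>{port}</port>
  </listener></http></config></component>
  <component><name>target</name><config><scope><include>
    <url type="simple">{pattern}</url>
  </include></scope></config></component>
</config>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def check_burp_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means the config passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return [f"malformed XML: {e}"]   # the 'Burp crashes' pitfall, caught up front
    findings = []
    # Map each <component><name> to its <config> element.
    comps = {c.findtext("name"): c.find("config") for c in root.findall("component")}
    proxy, target = comps.get("proxy"), comps.get("target")
    for listener in (proxy.findall("http/listener") if proxy is not None else []):
        iface = listener.findtext("interface", "")
        port = listener.findtext("port", "")
        # A listener on 0.0.0.0 lets every host on the network route traffic
        # through your proxy; keep it on loopback unless you really mean it.
        if iface not in LOOPBACK:
            findings.append(f"listener bound to non-loopback interface {iface}")
        if not port.isdigit() or not 1024 <= int(port) <= 65535:
            findings.append(f"listener port {port!r} is not an unprivileged port")
    for url in (target.findall("scope/include/url") if target is not None else []):
        try:
            re.compile(url.text or "")   # the tutorial's pattern uses regex syntax (.*)
        except re.error as e:
            findings.append(f"scope pattern {url.text!r} is not a valid regex: {e}")
    return findings

def sample_config(interface="127.0.0.1", port="8080", pattern="http://httpbin.org/.*"):
    return TEMPLATE.format(interface=interface, port=port, pattern=pattern)

if __name__ == "__main__":
    print(check_burp_config(sample_config()))
    print(check_burp_config(sample_config(interface="0.0.0.0", port="80", pattern="http://(broken")))
```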

Using Repeater and Logger

Intercept a request (e.g., httpbin.org/get) and click Forward to pass it on. Right-click > Send to Repeater: modify it and click Send. Logger captures everything passively. Real example: change the User-Agent in Repeater, resend, and watch the server response. For basic Intruder: Send to Intruder > Positions > Clear §, then Add § on a parameter, and Start attack with the Sniper attack type and a simple payload list (alphabet). Result: a simple brute-force test of that parameter.

Generating and Exporting Burp CA

ca-burp.sh
#!/bin/bash
set -euo pipefail

# In Burp: Proxy > Options > CA Certificate > Export > DER
# Then convert DER to PEM (for import)
[ -f ~/burp-cacert.der ] || { echo "Export the CA from Burp to ~/burp-cacert.der first"; exit 1; }
openssl x509 -inform der -in ~/burp-cacert.der -out ~/burp-cacert.pem

# Verify the CA (expect CA:TRUE under X509v3 Basic Constraints)
echo "CA Content:"
openssl x509 -in ~/burp-cacert.pem -text -noout

# Add to system store (Linux Ubuntu). Every TLS client using the system store
# will now trust certificates signed by this Burp install, so remove it when
# the engagement ends: sudo rm /usr/local/share/ca-certificates/burp.crt && sudo update-ca-certificates
sudo cp ~/burp-cacert.pem /usr/local/share/ca-certificates/burp.crt
sudo update-ca-certificates

After exporting the DER from Burp, this script converts it to PEM, prints it for verification, and adds it to the system CA store (smooth HTTPS for curl and other tools that use that store). Essential to avoid certificate errors. Pitfall: skipping the PEM conversion causes 'cert invalid' in the browser – always convert.

Sample HTTP Request for Repeater

repeater-request.txt
GET /get?param=§test§ HTTP/1.1
Host: httpbin.org
User-Agent: BurpSuite/2026
Accept: */*
X-Forwarded-For: 127.0.0.1

# Paste into Repeater, § for Intruder payload
# Payloads: Intruder > Payloads > Simple list: alpha, numbers

Copy this raw request into Repeater: § marks the fuzzing position. Add realistic headers for auth tests. Run Intruder for parameter brute-forcing. Pitfall: without the terminating blank line (an empty line after the last header), Repeater parses the request wrongly – always end with a blank line.
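An added example, not from the tutorial, that covers both the Intruder walk-through and the blank-line pitfall: it normalises a raw request to CRLF framing with the terminating blank line, checks the Host header is present, and expands § positions the way a Sniper attack does (one position at a time takes each payload, every other position keeps its original value). The request is a constructed variant of the one above with a second position; the id parameter and the payload list are assumptions.

```python
import re

# Constructed sample: the tutorial's Repeater request with a second § position,
# saved the way an editor usually leaves it (bare \n, no terminating blank line).
RAW_REQUEST = (
    "GET /get?param=§test§&id=§1§ HTTP/1.1\n"
    "Host: httpbin.org\n"
    "User-Agent: BurpSuite/2026\n"
    "Accept: */*\n"
    "X-Forwarded-For: 127.0.0.1"
)
MARKER_RE = "§(.*?)§"   # a marked region is the text between two § markers

def normalize_request(raw: str) -> str:
    """Give the request the framing Repeater expects: CRLF line endings and a
    blank line after the headers (the tutorial's 'end with blank line' pitfall)."""
    lines = raw.replace("\r\n", "\n").rstrip("\n").split("\n")
    if not any(l.lower().startswith("host:") for l in lines[1:]):
        raise ValueError("an HTTP/1.1 request needs a Host header")
    return "\r\n".join(lines) + "\r\n\r\n"

def positions(raw: str) -> list:
    """Return the original values inside each § pair, in document order."""
    return re.findall(MARKER_RE, raw)

def sniper_requests(raw: str, payloads: list) -> list:
    """Expand the § positions like Intruder's Sniper attack type: for each
    position in turn, substitute every payload while the other positions keep
    their original value. Returns finished, marker-free, normalised requests."""
    # re.split with a capturing group interleaves text and marked values:
    # even indices are literal text, odd indices are the original § values.
    parts = re.split(MARKER_RE, raw)
    n_positions = len(parts) // 2
    if n_positions == 0:
        raise ValueError("no § positions set")
    out = []
    for target in range(n_positions):
        for payload in payloads:
            pieces = list(parts)
            pieces[2 * target + 1] = payload
            out.append(normalize_request("".join(pieces)))
    return out

if __name__ == "__main__":
    for req in sniper_requests(RAW_REQUEST, ["a", "b"]):
        print(repr(req.split("\r\n")[0]))
```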

Best Practices

  • Strict scope: set Target > Scope to filter noise (e.g., ^https?://target\.com/ ). Avoids 10GB of useless logs.
  • Drop vs Forward: Drop to block a malicious request, Forward to observe it.
  • HTTPS only: always install the CA before testing production – test with curl -k first.
  • Save project: File > Save project as .burp (includes history).
  • RAM tuning: -Xmx4g for >100k requests.

Common Errors to Avoid

  • Proxy not visible: check netstat -tlnp | grep 8080 (or ss -tlnp) – kill the conflicting process.
  • HTTPS blocked: an unimported CA shows up as 'Connection reset'. Convert to PEM and run update-ca-certificates.
  • Memory exhausted: logs explode without a scope – limit sessions to 1h.
  • Infinite interception: turn Intercept off after the test, or bypass loopback (no-proxy-for localhost).

Next Steps

  • Free extensions: Logger++, Autorize (Extender > BApp Store).
  • Pro tutorial: REST API for automation.
  • Certifications: PortSwigger Academy.
  • Advanced training: Learni Group - Web Pentest.
  • Book: The Web Application Hacker's Handbook.