Burp Suite Beginner Guide: Setup, Intercepting Traffic, Repeater, Intruder + Practice Labs

This Burp Suite beginner guide covers everything you need to go from a blank screen to actively intercepting web traffic and testing vulnerabilities in a legal practice environment, step by step.

Burp Suite is the most widely used web application security testing tool in the industry. It appears in CEH v13 lab modules, OSCP exam environments, and virtually every junior penetration testing job description in India. Students who know how to use it walk into technical interviews with a concrete, demonstrable skill; those who do not often struggle with the one question every interviewer asks: which tools have you actually used?

This guide covers how to use Burp Suite for ethical hacking from the ground up. You will learn how to install it, configure the Proxy, test vulnerabilities using Repeater and Intruder, and practice on free, intentionally vulnerable applications built specifically for this purpose.

What Is Burp Suite and Why Do Ethical Hackers and Penetration Testers Use It?

Burp Suite is a web application security testing platform developed by PortSwigger that allows security professionals to intercept, inspect, and manipulate HTTP and HTTPS traffic between a browser and a web application in authorised testing environments.

It is not a single tool but a suite of integrated features, each designed for a different phase of web application penetration testing. The Proxy intercepts traffic. Repeater re-sends and modifies individual requests manually. Intruder automates payload-based testing. The Scanner (Professional edition) crawls and identifies vulnerabilities automatically.

For students and fresh graduates in India exploring web application penetration testing tools, Burp Suite is the most practical skill to develop because:

  • It is the standard tool used in professional penetration testing engagements globally
  • It covers nearly every web application vulnerability category in the OWASP Top 10
  • Employers hiring junior ethical hackers in India list it by name in job descriptions more than any other web security tool
  • Hands-on Burp Suite experience is directly tested in CEH v13 practical exams and OSCP lab environments

Among ethical hacking tools for beginners in India, Burp Suite has the best balance of accessibility and professional relevance. The Community Edition is completely free, and the learning resources available for it are extensive.

What Is the Difference Between Burp Suite Community Edition and Professional for Students?

Burp Suite Community Edition is free and contains all the core features students need to learn web application security testing and build interview-ready skills.

Burp Suite Professional adds automated scanning, unlimited Intruder attack speed, and advanced features used in commercial penetration testing engagements. It costs approximately $449 per year. For students and fresh graduates starting out, this is not necessary.

Feature Comparison:

Feature | Community Edition | Professional Edition
Proxy (traffic interception) | Full access | Full access
Repeater (manual testing) | Full access | Full access
Intruder (automated payloads) | Available, rate-limited | Full speed
Scanner (automated vulnerability scan) | Not available | Full access
Save and restore projects to disk | Not available (temporary projects only) | Full access
Cost | Free | ~$449/year

Burp Suite Community Edition can be downloaded free of charge from PortSwigger's official website. For every practice lab, CEH preparation task and beginner-level penetration testing exercise covered in this guide, Community Edition is sufficient.

How Do You Install and Set Up Burp Suite on Kali Linux or Windows for Ethical Hacking Practice?

Setting up Burp Suite takes under 15 minutes and requires three steps: installing the application, configuring your browser to route traffic through Burp’s proxy, and installing Burp’s CA certificate to intercept HTTPS traffic.

Installation Path:

  • Kali Linux: Burp Suite Community Edition is pre-installed on the default Kali image (it is part of the kali-linux-default metapackage). Open it from Applications > Web Application Analysis > Burp Suite Community Edition, or type burpsuite in a terminal. No download needed.
  • Windows or other systems: Download the installer from portswigger.net/burp/communitydownload. Run the installer, accept defaults, and launch the application.

Step-by-Step Proxy Configuration (works on both platforms):

  1. Open Burp Suite and go to Proxy > Proxy settings (Proxy > Options in older versions). Confirm that a listener is running on 127.0.0.1:8080.
  2. Open your browser's network settings (Firefox is recommended for Burp Suite practice because its proxy and certificate stores are independent of the operating system's, so nothing else on the machine is affected).
  3. Choose Manual proxy configuration, set the HTTP proxy to 127.0.0.1 with port 8080, and tick "Also use this proxy for HTTPS". If you plan to test a locally hosted lab such as DVWA, note that Firefox bypasses the proxy for localhost and 127.0.0.1 by default; set network.proxy.allow_hijacking_localhost to true in about:config, or reach the lab by your machine's LAN IP address instead.
  4. Apply the settings and return to Burp Suite.
  5. In Burp Suite, go to Proxy > Intercept and confirm that the button reads "Intercept is on".
  6. Open a website in your browser. The request appears in Burp Suite's Intercept tab and the page hangs until you click Forward (or Drop).

If you want to skip browser configuration entirely, Proxy > Intercept > Open browser launches Burp's embedded Chromium browser, which is already routed through the listener and already trusts Burp's CA certificate. The manual setup above is still worth knowing, because it is what you will do on a client engagement with their browser or a mobile device.

Installing the Burp CA Certificate (required for HTTPS):

  1. With the proxy active, navigate to http://burpsuite (or http://127.0.0.1:8080) in your browser.
  2. Click "CA Certificate" in the top right. A file named cacert.der is downloaded.
  3. In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import.
  4. Select the downloaded cacert.der and tick "Trust this CA to identify websites".
  5. Reload an HTTPS site. It should now load without certificate errors while Burp shows the decrypted requests under Proxy > HTTP history.

Each Burp installation generates its own CA certificate and private key, and any browser that trusts that certificate will accept whatever Burp (or anyone holding the key) presents as a legitimate HTTPS site. Import it only into the browser profile you use for testing, never into your everyday browser or the operating system's trust store, and delete it from the browser (or regenerate it under Proxy settings) when you finish a lab.

The setup process is the same on Kali Linux and on Windows; the Kali path simply skips the download step because Burp Suite is already present.

How Does Burp Suite Proxy Work and How Do Ethical Hackers Use It to Intercept Web Traffic?

The Burp Suite Proxy sits between your browser and the web server, capturing every HTTP and HTTPS request and response before it reaches its destination, giving the tester full visibility into what data is being transmitted and the ability to modify it in real time.

When intercept is on, each request pauses inside Burp Suite and waits for you to review, edit, or forward it. This is how ethical hackers examine what a web application sends during login, form submission, file upload, and other interactions in authorised testing environments.

What you can see and do in the Proxy:

  • View the full raw HTTP request including headers, cookies, and POST body data
  • Edit any part of the request before forwarding it to the server
  • Drop requests entirely so they never reach the server, for example to silence telemetry and analytics noise, or to see how the client behaves when a call fails
  • Send interesting requests to Repeater or Intruder with one click for deeper testing
  • View the server’s response to see exactly what comes back after each request

Intercepting HTTP traffic for ethical hacking purposes is only done on applications and systems you have explicit permission to test. In practice, this means DVWA, WebGoat, PortSwigger’s labs, or machines on TryHackMe and Hack The Box where testing is explicitly permitted by the platform.

The Proxy is the starting point for almost every web application security assessment. Before using Repeater or Intruder, you first capture the request you want to work with through the Proxy.

How Does Burp Suite Repeater Help Ethical Hackers Test Web Application Vulnerabilities?

Burp Suite Repeater allows you to capture a single HTTP request, modify it manually, and resend it as many times as needed to observe how the application responds to different inputs.

The typical workflow is: intercept a request in the Proxy (or pick it from Proxy > HTTP history), right-click and select "Send to Repeater" (or press Ctrl+R), then switch to the Repeater tab. From there you can change any part of the request and click Send to see the server's response immediately, without going back through the browser. Repeater updates the Content-Length header for you when you edit the body, so you can concentrate on the payload rather than the framing.

Common uses of Repeater in web application security testing:

  • SQL injection testing with Burp Suite: Modify a login field or URL parameter to insert SQL payloads and compare the responses (database error messages, changed page content, different response lengths or timings) against the original request
  • Broken access control testing: Change a user ID in a request to see if the server returns another user’s data without checking permissions
  • Parameter manipulation: Modify prices, quantities, or privilege levels in POST requests to test whether the server validates these values
  • Cookie and session testing: Replace or modify session tokens to check whether they are validated correctly

Working this way is what separates manual testers from those who only run automated scanners. Repeater teaches you to think about how each parameter affects the application's behaviour, which is exactly the skill employers look for in junior penetration testing candidates.
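As an added example (not code from the original article or from PortSwigger), the Python script below does by hand what Repeater does when you edit one parameter and click Send: it parses the raw request as the Proxy displays it, changes a body parameter, and re-serialises the request with a corrected Content-Length. The idor_variants helper produces the series of requests you would send for the broken-access-control check in the list above: same session cookie, different user_id. The sample request, the host lab.example, the session cookie value and the parameter name user_id are all constructed for illustration.

```python
"""Repeater by hand: edit one parameter of a captured request and re-serialise it.

Added example, not from the article. The request below is constructed; the host,
cookie and parameter names are assumptions made for illustration.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a profile lookup exactly as Burp's Proxy would show it
# (CRLF line endings, Content-Length matching the 10-byte body).
RAW_REQUEST = (
    "POST /account/profile HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 10\r\n"
    "\r\n"
    "user_id=42"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, ordered header dict, body).

    Expects CRLF line endings, which is what Burp displays and sends.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip()] = value.strip()
    return request_line, headers, body


def build_request(request_line, headers, body):
    """Serialise back to wire format.

    Content-Length is recomputed from the actual body bytes. A stale value is the
    classic mistake when editing requests outside Burp: the server reads too few
    or too many bytes and the test silently measures the wrong thing.
    """
    headers = dict(headers)
    headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def set_body_param(raw, name, value):
    """Return a copy of the request with one form-encoded body parameter changed."""
    request_line, headers, body = parse_request(raw)
    params = dict(parse_qsl(body, keep_blank_values=True))
    params[name] = value                      # add or overwrite the parameter
    return build_request(request_line, headers, urlencode(params))


def idor_variants(raw, name, candidate_ids):
    """Broken-access-control check: keep our own session, vary the object id.

    Send each request from Repeater and compare the responses; data belonging to
    another id coming back with a 200 is the finding.
    """
    return [set_body_param(raw, name, str(i)) for i in candidate_ids]


if __name__ == "__main__":
    print(set_body_param(RAW_REQUEST, "user_id", "1 OR 1=1"))
```

The body is URL-encoded before the length is computed, so the SQL injection probe "1 OR 1=1" becomes user_id=1+OR+1%3D1 and the Content-Length becomes 18, not 16; this is exactly the kind of detail Repeater's automatic Content-Length update hides from you, and the reason it is worth seeing once in plain code.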

How Does Burp Suite Intruder Work and What Types of Web Application Attacks Can Ethical Hackers Test With It?

Burp Suite Intruder automates the process of sending multiple modified versions of a single request to a web application by replacing marked positions in the request with payloads from a list you define.

To use Intruder, capture a request through the Proxy, right-click and select "Send to Intruder" (or press Ctrl+I). On the Positions tab, highlight each parameter value you want to test and click "Add §"; the marked values become payload positions. On the Payloads tab, load a payload list (common passwords, directory names, SQL injection strings) and click "Start attack". Intruder sends one request per payload and tabulates the status code, response length and timing of each response, so that a single different answer stands out when you sort the results table.

Burp Suite Intruder Attack Types Explained:

Attack type | How it works | Best used for
Sniper | One payload list; payloads are placed into one position at a time while the other positions keep their original values (requests = positions × payloads) | Fuzzing each parameter individually with many payloads
Battering ram | One payload list; the same payload is inserted into every position at once (requests = payloads) | Cases where every position must carry the same value, such as a username that is also used as the password
Pitchfork | One payload list per position, walked in parallel: first with first, second with second (requests = length of the shortest list) | Credential lists of known username and password pairs
Cluster bomb | One payload list per position; every combination is tried (requests = product of the list lengths) | Finding which combination of values triggers a bug, or a full username × password brute force

In Community Edition, Intruder is heavily rate-limited and the delay between requests grows as an attack runs. This makes large attacks impractical, but it is fully functional for learning and lab-based testing. For the purposes of this guide the throttle is not a limitation, since practice labs use small payload lists where speed is not critical. Choosing the right attack type matters more than speed: a Cluster bomb over two lists of 1,000 entries is a million requests, while a Pitchfork over the same lists is 1,000.
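As an added example (not code from the original article or from PortSwigger), the script below implements the four attack types over a request template that uses the same § markers Intruder shows around payload positions, so you can see exactly which requests each mode generates and how many. The outliers helper reproduces the way you read an Intruder results table: sort by response length and look at whatever differs from the crowd. The template, the word lists and the response lengths are constructed; the /login endpoint and the host lab.example are assumptions.

```python
"""Intruder attack types as payload-position expansion.

Added example, not from the article. Positions are delimited with §, exactly as
Intruder marks them. Template, word lists and response lengths are constructed.
"""
import re
from collections import Counter
from itertools import product

MARKER = re.compile(r"§(.*?)§")

# Constructed template with two positions (username, password); headers trimmed
# to the request line and Host for readability.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "\r\n"
    "username=§admin§&password=§letmein§"
)


def count_positions(template):
    """Number of § positions in the template."""
    return len(MARKER.findall(template))


def fill(template, values):
    """Substitute the positions left to right with one value each."""
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)


def sniper(template, payloads):
    """One list; each position is attacked in turn while the others keep their
    original (captured) values. requests = positions * len(payloads)."""
    originals = MARKER.findall(template)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield fill(template, values)


def battering_ram(template, payloads):
    """One list; the same payload goes into every position. requests = len(payloads)."""
    n = count_positions(template)
    for payload in payloads:
        yield fill(template, [payload] * n)


def pitchfork(template, *payload_sets):
    """One list per position, walked in parallel; stops at the shortest list.
    This is credential stuffing with known username/password pairs."""
    for combo in zip(*payload_sets):
        yield fill(template, combo)


def cluster_bomb(template, *payload_sets):
    """One list per position, every combination. requests = product of lengths."""
    for combo in product(*payload_sets):
        yield fill(template, combo)


def request_count(attack, template, *payload_sets):
    """How many requests an attack type would send for the given lists."""
    return sum(1 for _ in attack(template, *payload_sets))


def outliers(response_lengths):
    """Indices of responses whose length differs from the most common length.

    Intruder shows a Length column for exactly this reason: a failed login
    usually has one size, the one success (or error page) has another.
    """
    common, _ = Counter(response_lengths).most_common(1)[0]
    return [i for i, n in enumerate(response_lengths) if n != common]


if __name__ == "__main__":
    users = ["admin", "alice", "bob"]
    passwords = ["password", "123456"]
    for attack in (sniper, battering_ram):
        print(attack.__name__, request_count(attack, TEMPLATE, users))
    for attack in (pitchfork, cluster_bomb):
        print(attack.__name__, request_count(attack, TEMPLATE, users, passwords))
```

With three usernames and two passwords the counts are sniper 6 (two positions, three payloads each), battering ram 3, pitchfork 2 (the shorter list bounds it) and cluster bomb 6; as the lists grow, only cluster bomb grows multiplicatively, which is why it is the mode that runs into Community Edition's throttling first.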

What Are the Best Free Practice Labs to Learn Burp Suite for Ethical Hacking in India?

The best free practice environments for learning Burp Suite are PortSwigger’s Web Security Academy, DVWA (Damn Vulnerable Web App), WebGoat, and TryHackMe’s free rooms.

All of these are intentionally vulnerable applications built specifically for security practice in legal environments. Using Burp Suite against any live website or application without explicit written permission is unauthorised access and a criminal offence in most jurisdictions, including under India's Information Technology Act, 2000. Always practise on one of the platforms listed below.

Free Burp Suite Practice Labs:

Platform | Cost | Skill level | Best for practising
PortSwigger Web Security Academy | Free | Beginner to advanced | All Burp Suite features, with guided labs
DVWA (Damn Vulnerable Web App) | Free (self-hosted) | Beginner | Proxy, Repeater, SQL injection, XSS
WebGoat (OWASP) | Free (self-hosted) | Beginner to intermediate | OWASP Top 10 vulnerabilities with Burp Suite
TryHackMe | Free tier available | Beginner | Guided rooms covering Burp Suite basics
Hack The Box | Free tier available | Intermediate | Web application machines for Repeater and Intruder practice

PortSwigger Web Security Academy is the strongest starting point because its labs are built around Burp Suite features and are updated regularly. DVWA is the best choice for students who want a self-hosted environment that runs locally on their own machine with no internet dependency.

To set up DVWA locally: install a web stack with PHP and MySQL/MariaDB (XAMPP on Windows; Apache, MariaDB and PHP are available through apt on Kali Linux), clone the DVWA repository from GitHub into the web root, copy config/config.inc.php.dist to config/config.inc.php and enter your database credentials, then open http://localhost/dvwa/setup.php and click "Create / Reset Database". The default login is admin / password. Because DVWA is deliberately vulnerable, keep it bound to localhost or a host-only VM network and never expose it to a shared network.

Which Burp Suite Skills Do Employers Look for When Hiring Junior Penetration Testers in India?

Indian employers hiring junior penetration testers specifically look for hands-on experience with Burp Suite’s Proxy, Repeater, and basic Intruder usage, and candidates who can demonstrate these in a technical interview consistently get shortlisted over those who only list the tool on their resume.

The gap between students who practice Burp Suite in labs and those who only read about it becomes obvious very quickly during technical interviews. Employers ask practical questions that require you to describe exactly what you would do, not just that you know the tool exists.

Common penetration testing interview questions in India about Burp Suite:

  • “Walk me through how you would test a login form for SQL injection using Burp Suite”
  • “How would you use Repeater to test for broken access control?”
  • “What is the difference between Intruder’s Sniper and Cluster Bomb modes?”
  • “How do you configure Burp Suite to intercept HTTPS traffic?”
  • “Which Burp Suite features did you use in your last lab or project?”

The most effective way to prepare answers to these questions is to have actually done these things in a lab, not to have memorised descriptions of them.

Web application penetration testing tools like Burp Suite are increasingly listed as mandatory skills in Indian job postings for security analyst and penetration tester roles, not just preferred ones. Building this skill before you start your job search puts you significantly ahead of candidates who plan to learn it on the job.

How Does Learning Burp Suite Help Students Prepare for CEH v13 and Web Application Security Certifications?

Learning Burp Suite before starting CEH v13 training directly improves performance in the web application hacking modules, which are among the most heavily weighted and most practically oriented sections of the CEH v13 exam.

CEH v13 web application hacking modules require students to understand how tools like Burp Suite are used to identify and test OWASP Top 10 vulnerabilities in authorised environments. Students who already have hands-on Burp Suite experience complete these modules significantly faster and perform better on scenario-based questions that describe a web attack and ask which tool or step comes next.

Beyond CEH, Burp Suite proficiency directly supports:

  • OSCP preparation: PortSwigger's labs and DVWA exercise the same manual request inspection and modification workflow that the web application targets in the OSCP exam environment demand
  • Bug bounty programs: Many bug bounty hunters use Burp Suite as their primary tool for identifying web vulnerabilities on authorised targets
  • Web application penetration testing certifications: Certifications like eWPT (eLearnSecurity Web Application Penetration Tester) are built around the same Burp Suite workflow covered in this guide

If you want structured training that covers Burp Suite, OWASP Top 10, and the full CEH v13 curriculum with hands-on lab access, explore Appin’s CEH v13 AI-powered course to check batch schedules and course details in Indore.

Conclusion

Burp Suite is not a tool you learn by reading about it. You learn it by setting up a lab, configuring the Proxy, intercepting real requests, and testing for vulnerabilities in a controlled environment until the workflow becomes second nature.

This guide gives you everything you need to start: installation, Proxy setup, Repeater and Intruder explained, and free practice labs to build genuine skill. The rest depends on how consistently you practice.

If you want structured CEH preparation that integrates Burp Suite lab work with full certification guidance and placement support, enquire with Appin Indore to check the next available batch.
