{"id":21888,"date":"2022-05-09T19:40:13","date_gmt":"2022-05-09T19:40:13","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21888"},"modified":"2023-10-06T18:36:27","modified_gmt":"2023-10-06T18:36:27","slug":"getting-started-with-burp-suite-pentest-tutorial","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/","title":{"rendered":"Getting Started with the Burp Suite: A Pentesting Tutorial"},"content":{"rendered":"\n<p>Burp is one of the top-rated security suites for <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-penetration-testing\/\">pentesting and ethical hacking<\/a>. While there are paid professional and enterprise editions, you can install the community edition for free and even use it directly from <a href=\"https:\/\/www.esecurityplanet.com\/networks\/kali-linux-tutorial\/\">Kali Linux<\/a>.<\/p>\n\n\n\n<p>The Burp suite is widely used by security professionals to perform advanced scans and various traffic interceptions (e.g., HTTP requests). The tool, maintained by PortSwigger,&nbsp;offers <a href=\"https:\/\/portswigger.net\/burp\/documentation\" target=\"_blank\" rel=\"noreferrer noopener\">comprehensive documentation<\/a>.<\/p>\n\n\n\n<p>There are dedicated sections for the different editions. While the enterprise and pro versions are expensive, they provide additional features that may make sense for your organization, so don\u2019t stick with the free community edition just because it\u2019s free. 
Cybersecurity tools typically pay for themselves in the costs saved from prevented breaches, which can run in the millions for a single breach.<\/p>\n\n\n\n<p>Still, the free edition offers plenty, so we&#8217;ll review some basics here.<\/p>\n\n\n\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-penetration-testing-tools\/\">10 Top Open Source Penetration Testing Tools<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Install-Burp-on-VMs-for-Safety\"><\/span><strong>Install Burp<\/strong> <strong>on VMs for Safety<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The easiest way to start with Burp is to install some virtual machines so you undertake your tests in safe conditions. 
Of course, you don\u2019t have to install Kali Linux, as the Burp suite can be installed as a standalone package on most operating systems, including macOS on the relatively recent Apple M1 hardware.<\/p>\n\n\n\n<p>Absolute beginners should probably stick with Ubuntu or Debian Linux distributions and <a href=\"https:\/\/portswigger.net\/burp\/releases\/professional-community-2022-3-6?requestededition=community\" target=\"_blank\" rel=\"noreferrer noopener\">download the installer<\/a>, as Kali can be overwhelming; it is more of a supercharged OS for pentesters and ethical hackers.<\/p>\n\n\n\n<p>The Burp suite has many advanced features, but the most popular is probably the Burp proxy, which intercepts requests between your browser and the target. To test this feature, you have to configure the browser to use Burp as its proxy. There are browser extensions to ease the task.<\/p>\n\n\n\n<p>In any case, you\u2019ll need the following elements for the tests:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a machine with the Burp Suite installed (use the default presets to speed up the install)<\/li>\n\n\n\n<li>a browser configured with the Burp proxy (Firefox on Kali is the easiest way)<\/li>\n\n\n\n<li>a web app to attack<\/li>\n<\/ul>\n\n\n\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-use-reconnaissance\/\">How Hackers Use Reconnaissance \u2013 and How to Protect Against It<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How-to-Set-Up-a-Burp-Suite-Demo\"><\/span><strong>How to Set Up a Burp Suite Demo<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>You can install the Burp suite on your system or use the prepackaged version in Kali Linux, but that won&#8217;t tell you what to do with it.<\/p>\n\n\n\n<p>In this guide, we\u2019ll focus on pentests. 
From that perspective, <a href=\"https:\/\/portswigger.net\/support\/using-burp-to-test-for-the-owasp-top-ten\" target=\"_blank\" rel=\"noreferrer noopener\">the OWASP top ten<\/a> can help define goals and organize a complete work session, but here we\u2019ll demonstrate just a few vulnerabilities.<\/p>\n\n\n\n<p>We\u2019ll use the OWASP Juice Shop, &#8220;the most modern and sophisticated insecure web application,&#8221; as the vulnerable target.<\/p>\n\n\n\n<p>The OWASP teams maintain this flawed web app for educational purposes. <a href=\"https:\/\/github.com\/juice-shop\/juice-shop\" target=\"_blank\" rel=\"noreferrer noopener\">Follow this link<\/a> for instructions on how to install it on your system (e.g., the Kali VM).<\/p>\n\n\n\n<p>In addition, you\u2019ll need Node.js and npm, which are not installed by default in Kali Linux. Once you have those, you can start the app with npm start and go to http:\/\/localhost:3000:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized has-custom-border\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_home-1024x421.jpg\" alt=\"\" class=\"wp-image-32242\" style=\"border-style:none;border-width:0px;border-radius:0px;width:950px;height:auto\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_home-1024x421.jpg 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_home-300x123.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_home-768x316.jpg 768w, 
https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_home.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Make sure the browser uses the proxy on 127.0.0.1 (Burp listens on port 8080 by default). If you don\u2019t know how to configure it, <a href=\"https:\/\/portswigger.net\/burp\/documentation\/desktop\/tools\/proxy\/getting-started\" target=\"_blank\" rel=\"noreferrer noopener\">read the documentation<\/a>.<\/p>\n\n\n\n<p>Once you have all the dependencies installed and configured, you&#8217;re ready for the next steps.<\/p>\n\n\n\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/applications\/owasp-list-gets-a-new-top-vulnerability\/\">OWASP Names a New Top Vulnerability for First Time in Years<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How-Do-You-Intercept-Requests-Using-Burp\"><\/span><strong>How Do You Intercept Requests Using Burp?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There are many things to do with the Juice Shop, but let\u2019s say we want to intercept the registration form. 
We can emulate such an attack by opening Burp (make sure intercept is turned on) and submitting a form.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"478\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register-1024x478.jpg\" alt=\"\" class=\"wp-image-32241\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register-1024x478.jpg 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register-300x140.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register-768x358.jpg 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The screenshot above shows how we did it. 
Look at the intercepted request below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"622\" height=\"387\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_intecerpt.jpg\" alt=\"\" class=\"wp-image-32238\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_intecerpt.jpg 622w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_intecerpt-300x187.jpg 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>If we send that to the Repeater feature, we are now able to register new users directly from our dashboard by sending the same request with new values. 
Because the app is flawed, it works:<\/p>\n\n\n\n<p>We can click on \u201csend\u201d to register a new user and get further information:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"503\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_from_burp.jpg\" alt=\"\" class=\"wp-image-32239\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_from_burp.jpg 780w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_from_burp-300x193.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_register_from_burp-768x495.jpg 768w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The form seems to create users with the role of \u201ccustomer,\u201d but, as pentesters, we will probably check if we can obtain a higher role, such as \u201cadministrator\u201d or \u201cadmin.\u201d It\u2019s not supposed to happen, but if we can achieve that, it\u2019s game over for the shop.<\/p>\n\n\n\n<p>There are several approaches but an easy one would be to take the registration form we intercepted earlier, add a new key-value pair \u201crole=admin\u201d, and send the crafted request:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"456\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin-1024x456.jpg\" alt=\"\" class=\"wp-image-32244\" 
srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin-1024x456.jpg 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin-300x134.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin-768x342.jpg 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>As you can see, we get a \u201csuccess\u201d status, and when we log in with our new admin account, we\u2019ve just solved a new challenge:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"101\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin_challenge.jpg\" alt=\"\" class=\"wp-image-32243\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin_challenge.jpg 856w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin_challenge-300x35.jpg 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2023\/10\/esp_20231006-getting-started-with-burp-suite-pentest-tutorial-owasp_juice_shop_admin_challenge-768x91.jpg 768w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/figure>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Because the OWASP teams made the Juicy Shop for educational purposes, 
there are other challenges to unlock before we can take full control of the environment, but it\u2019s a good start.<\/p>\n\n\n\n<p>Also read:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.esecurityplanet.com\/networks\/nmap-vulnerability-scanning-made-easy\/\">Nmap Vulnerability Scanning Made Easy: Tutorial<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/metasploit-framework-tutorial\/\">Getting Started With the Metasploit Framework: A Pentesting Tutorial<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Is-Pentesting-Easy-Using-Burp\"><\/span><strong>Is Pentesting Easy Using Burp?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We&#8217;ve just been using the free community edition but its slick interface still gives us value. You get everything you need to capture data, convert it into various formats, decode and repeat requests, or scan for vulnerabilities.<\/p>\n\n\n\n<p>You can also customize Burp\u2019s behavior with <a href=\"https:\/\/portswigger.net\/bappstore\" target=\"_blank\" rel=\"noreferrer noopener\">the BApp store<\/a>. There are free extensions even for the community edition.<\/p>\n\n\n\n<p>Pentesters will appreciate the workspace and the ability to create projects to keep things organized and save the work. 
There\u2019s an intruder mode to load <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-hackers-use-payloads-to-take-over-your-machine\/\">malicious payloads<\/a> and send them to the target.<\/p>\n\n\n\n<p>Read next:&nbsp;<a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-vulnerability-scanners\/\">Top 10 Open Source Vulnerability Assessment Tools<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Burp is one of the top-rated security suites for pentesting and ethical hacking. 
While there are paid professional and enterprise editions, you can install the community edition for free and even use it directly from Kali Linux. The Burp suite is widely used by security professionals to perform advanced scans and various traffic interceptions (e.g., [&hellip;]<\/p>\n","protected":false},"author":267,"featured_media":21892,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[22,14],"tags":[9651,31708],"b2b_audience":[33,35],"b2b_industry":[],"b2b_product":[382],"class_list":["post-21888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-applications","category-networks","tag-faq","tag-pentesting","b2b_audience-awareness-and-consideration","b2b_audience-implementation-and-support","b2b_product-application-security-vulnerability-management"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Getting Started with the Burp Suite: A Pentesting Tutorial<\/title>\n<meta name=\"description\" content=\"The Burp suite is a powerful tool for pentesters and ethical hackers. Here&#039;s a tutorial to get you started.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Getting Started with the Burp Suite: A Pentesting Tutorial\" \/>\n<meta property=\"og:description\" content=\"The Burp suite is a powerful tool for pentesters and ethical hackers. 
Here&#039;s a tutorial to get you started.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-09T19:40:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-06T18:36:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1881\" \/>\n\t<meta property=\"og:image:height\" content=\"878\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Julien Maury\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Julien Maury\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\"},\"author\":{\"name\":\"Julien Maury\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\"},\"headline\":\"Getting Started with the Burp Suite: A Pentesting Tutorial\",\"datePublished\":\"2022-05-09T19:40:13+00:00\",\"dateModified\":\"2023-10-06T18:36:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\"},\"wordCount\":936,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png\",\"keywords\":[\"FAQ\",\"pentesting\"],\"articleSection\":[\"Applications\",\"Networks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\",\"name\":\"Getting Started with the Burp Suite: A Pentesting 
Tutorial\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png\",\"datePublished\":\"2022-05-09T19:40:13+00:00\",\"dateModified\":\"2023-10-06T18:36:27+00:00\",\"description\":\"The Burp suite is a powerful tool for pentesters and ethical hackers. Here's a tutorial to get you started.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png\",\"width\":1881,\"height\":878,\"caption\":\"Burp in action\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Getting Started with the Burp Suite: A Pentesting Tutorial\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity 
Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a\",\"name\":\"Julien Maury\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp\",\"caption\":\"Julien Maury\"},\"description\":\"eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. 
He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jmaury\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Getting Started with the Burp Suite: A Pentesting Tutorial","description":"The Burp suite is a powerful tool for pentesters and ethical hackers. Here's a tutorial to get you started.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/","og_locale":"en_US","og_type":"article","og_title":"Getting Started with the Burp Suite: A Pentesting Tutorial","og_description":"The Burp suite is a powerful tool for pentesters and ethical hackers. Here's a tutorial to get you started.","og_url":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/","og_site_name":"eSecurity Planet","article_published_time":"2022-05-09T19:40:13+00:00","article_modified_time":"2023-10-06T18:36:27+00:00","og_image":[{"width":1881,"height":878,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png","type":"image\/png"}],"author":"Julien Maury","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Julien Maury","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/"},"author":{"name":"Julien Maury","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a"},"headline":"Getting Started with the Burp Suite: A Pentesting Tutorial","datePublished":"2022-05-09T19:40:13+00:00","dateModified":"2023-10-06T18:36:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/"},"wordCount":936,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png","keywords":["FAQ","pentesting"],"articleSection":["Applications","Networks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/","url":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/","name":"Getting Started with the Burp Suite: A Pentesting Tutorial","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png","datePublished":"2022-05-09T19:40:13+00:00","dateModified":"2023-10-06T18:36:27+00:00","description":"The Burp 
suite is a powerful tool for pentesters and ethical hackers. Here's a tutorial to get you started.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/05\/owasp_juice_shop_register.png","width":1881,"height":878,"caption":"Burp in action"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/networks\/getting-started-with-burp-suite-pentest-tutorial\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Getting Started with the Burp Suite: A Pentesting Tutorial"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/4723f5dca54d7ee1d8111912ac8b1d4a","name":"Julien Maury","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/02\/JulienMaury-AvatarImg-150x150.webp","caption":"Julien Maury"},"description":"eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. 
He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.","url":"https:\/\/www.esecurityplanet.com\/author\/jmaury\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21888"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/267"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=21888"}],"version-history":[{"count":1,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21888\/revisions"}],"predecessor-version":[{"id":32247,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21888\/revisions\/32247"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/21892"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=21888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=21888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=21888"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=21888"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=21888"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=21888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}