
Burp Suite: Advanced Techniques for Web Penetration Testing

Most people who hear about Burp Suite for the first time assume it is a tool for experts. The name does not help. Neither does the interface, which opens to a dashboard full of tabs and configuration options that give no obvious indication of where to begin.

But here is the thing: every penetration tester who uses Burp Suite daily started exactly where you are now. The tool is powerful because of what it lets you do to web traffic, not because it requires any particular background to understand. Once you grasp the core idea, the individual tools follow naturally.

This guide explains what Burp Suite is, what its key tools actually do, and how they connect into a real web penetration testing workflow.


What Burp Suite Actually Is

Burp Suite is a web application security testing platform built by PortSwigger. At its core it does one thing: it sits between your browser and the web application you are testing, and intercepts everything that passes between them.

Think about what normally happens when you click a button on a website. Your browser sends an HTTP request to a server. The server processes it and sends a response back. Your browser renders the response. The whole thing happens invisibly, in fractions of a second.

Burp Suite interrupts that flow. It positions itself as a proxy (a middleman) so that every request your browser sends and every response the server returns passes through Burp first. That means you can read it, modify it, replay it, automate variations of it, and analyse what the server does when it receives something unexpected.

That ability is the foundation of web application penetration testing.

Burp Suite comes in three editions. The Community Edition is free and contains all the tools you need to learn and practise manual web testing. The Professional Edition adds an automated vulnerability scanner and removes speed restrictions on certain tools, making it the standard for professional engagements. The Enterprise Edition is built for organisations running continuous automated scanning at scale. For anyone starting out, Community Edition is where you begin.


The Proxy: Where Everything Starts

The Proxy is the heart of Burp Suite. Before you can use any other tool effectively, you need to understand what the Proxy does and how to set it up.

When Burp's Proxy is running, it listens on a local port, by default 127.0.0.1:8080. You configure your browser to route its traffic through that address. From that point on, every HTTP and HTTPS request you make in the browser passes through Burp before reaching its destination.

With the Proxy's intercept function enabled, Burp catches each request and holds it, displaying the raw HTTP in a readable, editable panel. You can read the request in full, including the method, URL, headers, body, and any cookies or tokens, before deciding whether to forward it unchanged, modify it and then forward it, or drop it entirely.

This is what web application testing looks like in practice. You interact with an application as a normal user would: logging in, submitting forms, navigating pages. But with the Proxy running, you are seeing and controlling everything the application receives, not just what the interface shows you.

Even with intercept turned off, the Proxy records every request and response in its HTTP history. This log becomes your primary reference during a test: a full record of how the application behaves, which endpoints exist, what parameters are being passed, and where the interesting interactions are happening.

Configuring the Proxy requires a small amount of setup. You need to install a browser extension (FoxyProxy is the standard choice for Firefox) and configure it to route traffic to Burp's listening port. You also need to install Burp's CA certificate in your browser so that the browser trusts the certificates Burp generates for HTTPS sites and Burp can decrypt HTTPS traffic without the browser throwing certificate errors. TryHackMe's AttackBox has this already configured, which is one of the practical advantages of working through Burp Suite labs in-browser before setting up your own environment.


Repeater: Your Most-Used Tool

Once you have identified a request that looks interesting in the Proxy history, the next step is usually to send it to Repeater.

Repeater is exactly what the name suggests. It lets you take a captured request, modify it however you want, send it to the server, and see the response, then do the same thing again with a different modification, and again, and again. Each send is logged, so you can compare responses across iterations and track exactly how the application reacts to different inputs.

The workflow is simple: right-click any request in the Proxy history and select "Send to Repeater." Switch to the Repeater tab, and you will see the full request on the left and a blank response panel on the right. Click Send, and the response populates. Now start manipulating.

What are you looking for? That depends on the vulnerability class you are investigating. If you suspect a parameter is vulnerable to SQL injection, you might try appending a single quote to the value and observe whether the application throws an error. If you are testing access controls, you might swap out an ID value to see whether the application returns data belonging to a different user. If you are examining how the application handles authentication tokens, you might modify a cookie value and observe whether the session still works. PortSwigger's Web Security Academy, built by the team behind Burp Suite, covers every major vulnerability class with free interactive labs designed specifically around the tool, and is worth bookmarking as you build your testing methodology.

Repeater gives you precise, manual control over individual requests. It is the tool you use to confirm whether a potential vulnerability is real and to understand exactly how it behaves before you decide how to exploit it. Most penetration testers spend more time in Repeater than in any other Burp tool.
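The raw request the Proxy shows you, and that you edit in Repeater, has a fixed shape: request line, headers, blank line, body. The following is an added example (not Burp's code and not from the original article) that parses a constructed sample request into its method, path, query parameters, headers, cookies and body, applies the kind of edit described above (a changed parameter value, a changed cookie, a changed form body), and re-serialises it. The hostnames, cookie names and values are constructed for the example. One detail worth seeing is that a body edit changes Content-Length; Burp updates that header for you, but anything you script yourself must recompute it or the server will read a truncated or over-long body.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed samples: the kind of raw requests Burp's Proxy shows with intercept on.
SAMPLE_GET = (
    "GET /account?id=1042&view=summary HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
SAMPLE_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "user=bob&pw=x"
)


def parse_cookies(header_value: str) -> dict:
    """Split 'a=1; b=2' into an ordered dict; values may themselves contain '='."""
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_request(raw: str) -> dict:
    """Break a raw HTTP/1.1 request into the pieces you would edit in Repeater."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    cookies = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        headers.append((name, value))
        if name.lower() == "cookie":
            cookies.update(parse_cookies(value))
    url = urlsplit(target)
    return {
        "method": method,
        "version": version,
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }


def build_request(req: dict) -> str:
    """Serialise the structure back to raw HTTP, keeping header order and
    recomputing Content-Length from the (possibly edited) body."""
    body = req["body"]
    body_len = str(len(body.encode()))
    headers = []
    for name, value in req["headers"]:
        lname = name.lower()
        if lname == "cookie":
            value = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
        elif lname == "content-length":
            if not body:
                continue  # no body any more, drop the stale header
            value = body_len
        headers.append((name, value))
    if body and not any(n.lower() == "content-length" for n, _ in headers):
        headers.append(("Content-Length", body_len))
    target = urlunsplit(("", "", req["path"], urlencode(req["query"]), ""))
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def with_changes(raw: str, query=None, cookies=None, body=None) -> str:
    """One Repeater-style iteration: take the captured request, change a few
    fields, and produce the request you would send next."""
    req = parse_request(raw)
    req["query"].update(query or {})
    req["cookies"].update(cookies or {})
    if body is not None:
        req["body"] = body
    return build_request(req)


if __name__ == "__main__":
    print(with_changes(SAMPLE_GET, query={"id": "1043"}))
    print(with_changes(SAMPLE_GET, cookies={"session": "zzz"}))
    print(with_changes(SAMPLE_POST, body="user=alice&pw=x"))
```

Parsing and re-serialising is deliberately lossless for the parts you do not touch (header order, untouched cookies), because when you compare responses across iterations you want the only difference between two sends to be the one you made.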


Intruder: Automated Attack Testing

Where Repeater is precise and manual, Intruder is automated and systematic. It takes a request and lets you define one or more positions within it (specific parameter values, headers, or anything else), then automatically sends that request repeatedly, substituting different payload values into those positions each time.

The most common use cases are brute-forcing login forms, testing how an application responds to a large range of input values, and enumerating hidden endpoints or valid user identifiers. Intruder's four attack types give you flexibility over how multiple payload positions interact: Sniper cycles one payload list through a single position, Battering Ram applies the same payload to all positions simultaneously, Pitchfork pairs corresponding entries from multiple lists across positions, and Cluster Bomb tries every combination across multiple lists.
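The four attack types differ only in how payload lists are mapped onto positions, and the mapping decides how many requests an attack generates. The following added example (not Burp's code and not from the original article) reproduces that mapping as generators over a template that marks positions with section signs, the same convention Intruder uses in its positions tab. The template and payload lists are constructed for the example; nothing is sent anywhere. The request counts are the practical point: Sniper and Battering Ram stay linear in the payload list, Pitchfork stops at the shortest list, and Cluster Bomb multiplies the list sizes, which is why a careless Cluster Bomb run can be orders of magnitude larger than intended and very visible in the target's logs.

```python
import itertools
import re
from typing import Iterable, Iterator, List, Sequence

# Intruder marks each payload position with a pair of section signs:
#   "user=§admin§&pass=§secret§"  -> two positions, original values "admin" and "secret"
POSITION = re.compile(r"§(.*?)§")


def split_template(template: str):
    """Return the literal text between positions and the original value at each position."""
    parts = POSITION.split(template)
    # re.split with one capture group alternates: literal, original, literal, original, ..., literal
    return parts[0::2], parts[1::2]


def render(literals: Sequence[str], values: Sequence[str]) -> str:
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def sniper(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One payload list, one position at a time; the other positions keep their original value."""
    literals, originals = split_template(template)
    payloads = list(payloads)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield render(literals, values)


def battering_ram(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One payload list, the same payload placed into every position at once."""
    literals, originals = split_template(template)
    for payload in payloads:
        yield render(literals, [payload] * len(originals))


def pitchfork(template: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """One list per position, walked in parallel (entry i of every list); stops at the shortest list."""
    literals, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("pitchfork needs exactly one payload list per position")
    for values in zip(*payload_sets):
        yield render(literals, list(values))


def cluster_bomb(template: str, payload_sets: List[List[str]]) -> Iterator[str]:
    """One list per position, every combination (the Cartesian product)."""
    literals, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("cluster bomb needs exactly one payload list per position")
    for values in itertools.product(*payload_sets):
        yield render(literals, list(values))


def request_count(attack: str, positions: int, payload_sets: List[List[str]]) -> int:
    """How many requests an attack will send, before you start it."""
    sizes = [len(s) for s in payload_sets]
    if attack == "sniper":
        return positions * sizes[0]
    if attack == "battering_ram":
        return sizes[0]
    if attack == "pitchfork":
        return min(sizes)
    if attack == "cluster_bomb":
        product = 1
        for size in sizes:
            product *= size
        return product
    raise ValueError(f"unknown attack type {attack!r}")


if __name__ == "__main__":
    template = "user=§admin§&pass=§secret§"  # constructed example template
    for name, gen in [
        ("sniper", sniper(template, ["a", "b"])),
        ("battering_ram", battering_ram(template, ["a", "b"])),
        ("pitchfork", pitchfork(template, [["u1", "u2"], ["p1", "p2", "p3"]])),
        ("cluster_bomb", cluster_bomb(template, [["u1", "u2"], ["p1", "p2", "p3"]])),
    ]:
        print(name, list(gen))
```

Running request_count before an attack is the habit worth taking away: it is the difference between a scoped test and an accidental flood.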

In practice, Intruder is frequently used to enumerate usernames or test for weak passwords, to fuzz input fields by throwing unexpected characters and strings at a parameter to see whether anything breaks, and to identify Insecure Direct Object References (IDOR) by iterating through sequential IDs to find records the application should not be exposing.

One important note for Community Edition users: Intruder in the free version rate-limits its requests significantly. This makes large-scale brute-forcing slow, but it does not affect your ability to learn and understand the tool, and it is perfectly adequate for the kind of targeted fuzzing you will do during practice and in most entry-level assessments.


Decoder: Reading What the Application Is Hiding

Web applications communicate using a variety of encoding formats. Parameter values get URL-encoded so that special characters can safely travel in query strings. Tokens and other data often travel as Base64 strings. Hashes appear in various formats across different parts of an application. Understanding what is actually being transmitted and being able to modify it requires decoding and re-encoding that data.

Decoder is Burp's tool for this. You paste in encoded data, select the format, and it decodes it. You can then modify the decoded value and re-encode it into whatever format you need to send it back. Decoder supports URL encoding, Base64, HTML encoding, hex, and several other formats, and you can chain multiple transformations together in sequence.

This becomes relevant in vulnerabilities like JWT manipulation, where authentication tokens are Base64-encoded and you need to decode them to read and modify their contents, or in any situation where the application is doing something with encoded values that you want to understand and potentially manipulate.
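The chained transformations Decoder performs, and the JWT case in particular, are short enough to show in full. The following is an added example (not Burp's code and not from the original article) that applies a sequence of named decode steps to a value, the way you would stack URL-decode followed by Base64-decode in Decoder, and splits a JWT into its header, claims and signature. The encoded sample values and the token are constructed for the example, and the token's signature is a placeholder. Two details the tool hides: JWTs use the URL-safe Base64 alphabet with padding stripped, so the padding has to be restored before decoding, and decoding a token tells you nothing about whether it is genuine; the signature still has to be verified against the issuer's key before any claim is trusted.

```python
import base64
import binascii
import html
import json
from typing import Iterable
from urllib.parse import quote, unquote


def b64url_decode(text: str) -> bytes:
    """Base64url as used by JWT: '-' and '_' instead of '+' and '/', padding stripped."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Each step takes bytes and returns bytes so steps can be chained in any order.
DECODERS = {
    "url": lambda b: unquote(b.decode()).encode(),
    "base64": lambda b: base64.b64decode(b + b"=" * (-len(b) % 4)),
    "base64url": lambda b: b64url_decode(b.decode()),
    "html": lambda b: html.unescape(b.decode()).encode(),
    "hex": lambda b: binascii.unhexlify(b.strip()),
}
ENCODERS = {
    "url": lambda b: quote(b.decode(), safe="").encode(),
    "base64": lambda b: base64.b64encode(b),
    "base64url": lambda b: b64url_encode(b).encode(),
    "html": lambda b: html.escape(b.decode()).encode(),
    "hex": lambda b: binascii.hexlify(b),
}


def decode_chain(data: str, steps: Iterable[str]) -> bytes:
    """Apply decode steps in the order given, e.g. ["url", "base64"] for a
    URL-encoded Base64 value."""
    buf = data.encode()
    for step in steps:
        buf = DECODERS[step](buf)
    return buf


def encode_chain(data: bytes, steps: Iterable[str]) -> str:
    """Reverse direction: encode the modified value so it can be sent back.
    Steps are given in decode order and applied in reverse."""
    buf = data
    for step in reversed(list(steps)):
        buf = ENCODERS[step](buf)
    return buf.decode()


def decode_jwt(token: str) -> dict:
    """Split a JWT into header, claims and raw signature bytes.
    This only decodes; it does NOT verify the signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(claims_b64)),
        "signature": b64url_decode(sig_b64),
    }


def make_sample_jwt() -> str:
    """Constructed token for the example; the signature is a placeholder, not a real MAC."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "alice", "role": "user", "exp": 1800000000}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signature = b"placeholder-signature"
    return ".".join([b64url_encode(compact(header)), b64url_encode(compact(claims)), b64url_encode(signature)])


if __name__ == "__main__":
    # Constructed sample: "user=alice;role=user", Base64-encoded, then URL-encoded.
    value = "dXNlcj1hbGljZTtyb2xlPXVzZXI%3D"
    print(decode_chain(value, ["url", "base64"]))
    print(encode_chain(b"user=alice;role=admin", ["url", "base64"]))
    print(decode_jwt(make_sample_jwt()))
```

The encode direction matters as much as the decode direction: once you have read and changed a value, it has to go back through the same layers in reverse order, which is exactly what chaining transformations in Decoder does for you.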


The Tools Work Together

The real power of Burp Suite comes from how these tools connect. The workflow in a typical web application test flows naturally from one to the next.

You start by browsing the target application with the Proxy running, building up a picture of the application's structure in the HTTP history. You identify interesting requests, including login forms, search fields, API calls, and anything that takes user input or returns sensitive data. You send those requests to Repeater and begin manually probing them, modifying parameters, adjusting headers, testing edge cases. When you find something worth automating, you send the request to Intruder and run it against a payload list. When you encounter encoded values, you send them to Decoder to understand what they contain.

Right-clicking a request in any panel and selecting "Send to" is the action that stitches the whole workflow together. Getting comfortable with that movement, from Proxy history to Repeater to Intruder and back, is what turns Burp Suite from a confusing dashboard of tabs into a coherent, powerful testing environment.


Community vs Professional: What You Actually Need

The question beginners often ask is whether they need Burp Suite Professional to get serious about web application testing. The honest answer is no, not yet.

Community Edition contains all the tools described in this article. The limitations are that Intruder is rate-limited, the Professional automated scanner is absent, and certain extensions from the BApp Store require a Professional licence. None of this matters while you are learning. The manual techniques (Proxy interception, Repeater-based testing, Intruder fuzzing) are where real skill is built, and all of them work in Community Edition.

When you move into professional engagements, particularly where time is a constraint and automated scanning adds value, Professional becomes worth the investment. But for learning, for practising on labs, and for most CTF and certification exam scenarios, Community Edition is entirely sufficient.


Practising Burp Suite on TryHackMe

Reading about these tools will only take you so far. The step change in understanding comes from using them against real targets in a safe environment.

TryHackMe's Burp Suite module walks you through each tool in sequence, with hands-on rooms covering the Basics, Repeater, Intruder, and Other Modules. You interact with deliberately vulnerable applications inside the browser-based AttackBox, with no local setup required. The module sits within the Jr Penetration Tester learning path, which builds the full offensive web security skillset, covering SQL injection, XSS, authentication vulnerabilities, and more, around Burp Suite as the central tool.

If your goal is to work toward a penetration testing career or the PT1 certification, this is where the practical foundation gets built.


The Only Way to Get Good at This

Burp Suite is not a tool you learn by reading documentation. It is a tool you learn by intercepting requests, modifying them, sending them, and paying close attention to what happens. Every application you test teaches you something about how web applications handle input, and every unexpected response is a clue.

Start with the Proxy. Get comfortable reading raw HTTP. Send everything interesting to Repeater and start changing things. Build up from there.

The gap between "I've heard of Burp Suite" and "I know how to use Burp Suite" is shorter than most beginners expect. It just requires sitting down with the tool and a real target.


Start Learning Burp Suite in Practice

TryHackMe's Burp Suite module gives you hands-on labs across every tool covered in this guide, all accessible from your browser with no setup required.


Nick O'Grady
Mar 14, 2026
