🚨 BURP SUITE HACKING: FROM RECON TO EXPLOITATION 🚨
🕵️♂️💻🔥 Master Web App Hacking in 4 Epic Volumes
Are you ready to go from zero to ninja in web application hacking? Want to turn Burp Suite into your ultimate cyber weapon?
This 4-book bundle is your complete roadmap to mastering offensive web security using Burp Suite — the most powerful tool trusted by hackers, bug bounty hunters, and pentesters worldwide.
📘 Book 1: Burp Suite Essentials – Web App Hacking from Zero to Ninja
🧠💡👨💻
Start from scratch! Learn how to set up your hacking lab, intercept and manipulate HTTP traffic, use tools like Repeater and Intruder, and understand how web vulnerabilities work from the inside out. Perfect for beginners or those wanting a rock-solid foundation.
🚀 Book 2: Advanced Burp – Weaponizing Your Workflow
⚙️🛠️🤖
Already know the basics? Time to level up. Automate scans with macros and sessions, extend Burp with custom scripts, integrate with external tools, and build blazing-fast workflows. This book turns you into a Burp power user.
🐞 Book 3: Bug Hunter's Playbook – Real-World Exploits with Burp Suite
🎯📂💥
Get inside the mind of a real bug bounty hunter. Discover how to find and exploit serious vulnerabilities like XSS, IDOR, SQLi, SSRF, and logic flaws in modern web apps. Learn how to report them like a pro and get paid. These aren’t lab examples — they’re inspired by real bugs, real rewards, and real success stories.
🔬 Book 4: The Burp Suite Lab Manual – Hands-On Projects for Web Security Testing
🧪🖥️🏆
Knowledge is nothing without practice. This lab manual gives you full walkthroughs, projects, CTF-style challenges, and vulnerable apps to test your skills. Simulate red team ops, break login systems, abuse tokens, and build attack chains. Perfect for solo learners or team training.
🎯 Who Is This For?
✅ Aspiring ethical hackers
✅ Bug bounty hunters
✅ Security analysts
✅ DevSecOps pros
✅ Anyone serious about web security
💣 Why This Series?
✔️ Straight to the point — no filler, no fluff
✔️ Real commands, real payloads, real labs
✔️ Written by hackers, for hackers
✔️ Constantly updated for modern web apps
🛡️ Whether you're chasing bounties, securing systems, or just love breaking things to understand how they work, Burp Suite Hacking: From Recon to Exploitation will equip you with the skills, mindset, and tools to own every stage of the attack chain.
📚 Get all 4 books and go from click to exploit like a pro.
🎯 Your hacking journey starts NOW.
👇👇👇
Grab your copy today! 🔥💻🛸
#CyberSecurity #BurpSuite #EthicalHacking #BugBounty #Pentesting #InfoSec #WebAppHacking 🛠️👾
Year of publication: 2025
BURP SUITE HACKING
FROM RECON TO EXPLOITATION
4 BOOKS IN 1
BOOK 1
BURP SUITE ESSENTIALS: WEB APP HACKING FROM ZERO TO NINJA
BOOK 2
ADVANCED BURP: WEAPONIZING YOUR WORKFLOW
BOOK 3
BUG HUNTER'S PLAYBOOK: REAL-WORLD EXPLOITS WITH BURP SUITE
BOOK 4
THE BURP SUITE LAB MANUAL: HANDS-ON PROJECTS FOR WEB SECURITY TESTING
ROB BOTWRIGHT
Copyright © 2025 by Rob Botwright
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.
Published by Rob Botwright
Library of Congress Cataloging-in-Publication Data
ISBN 978-1-83938-941-2
Cover design by Rizzo
Disclaimer
The contents of this book are based on extensive research and the best available historical sources. However, the author and publisher make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained herein. The information in this book is provided on an "as is" basis, and the author and publisher disclaim any and all liability for any errors, omissions, or inaccuracies in the information or for any actions taken in reliance on such information.
The opinions and views expressed in this book are those of the author and do not necessarily reflect the official policy or position of any organization or individual mentioned in this book. Any reference to specific people, places, or events is intended only to provide historical context and is not intended to defame or malign any group, individual, or entity.
The information in this book is intended for educational and entertainment purposes only. It is not intended to be a substitute for professional advice or judgment. Readers are encouraged to conduct their own research and to seek professional advice where appropriate.
Every effort has been made to obtain necessary permissions and acknowledgments for all images and other copyrighted material used in this book. Any errors or omissions in this regard are unintentional, and the author and publisher will correct them in future editions.
BOOK 1 - BURP SUITE ESSENTIALS: WEB APP HACKING FROM ZERO TO NINJA
Introduction
Chapter 1: Setting Up Your Web Hacking Lab
Chapter 2: Getting Started with Burp Suite – Interface and Workflow
Chapter 3: Proxy Basics – Capturing and Modifying Web Traffic
Chapter 4: Target and Scope – Defining What to Hack
Chapter 5: Repeater and Intruder – Manual Testing and Automation
Chapter 6: Spider and Scanner – Crawling and Identifying Vulnerabilities
Chapter 7: Sessions and Cookies – Managing State Like a Pro
Chapter 8: Common Web Vulnerabilities and How to Test Them
Chapter 9: Reporting and Exporting Your Findings
Chapter 10: Leveling Up – Extensions, Shortcuts, and Best Practices
BOOK 2 - ADVANCED BURP: WEAPONIZING YOUR WORKFLOW
Chapter 1: Burp Pro Features – Unlocking the Full Arsenal
Chapter 2: Macros and Sessions – Automating State Management
Chapter 3: Burp Extensions – Powering Up with BApp Store Tools
Chapter 4: Burp Collaborator – Finding Blind and OOB Vulnerabilities
Chapter 5: Advanced Intruder – Custom Payloads and Greedy Fuzzing
Chapter 6: Turbo Automation – Using Burp with CLI, API, and Scripts
Chapter 7: Decoder, Comparer, and Sequencer – Hidden Gems in Action
Chapter 8: Crafting Advanced XSS and SQLi Payloads
Chapter 9: Integrating Burp with External Tools and Workflows
Chapter 10: Real-World Scenarios – Red Team Tactics Using Burp
BOOK 3 - BUG HUNTER'S PLAYBOOK: REAL-WORLD EXPLOITS WITH BURP SUITE
Chapter 1: The Mindset of a Bug Hunter – Thinking Like an Attacker
Chapter 2: Recon Reloaded – Gathering Hidden Data with Burp
Chapter 3: Bypassing Authentication and Access Controls
Chapter 4: Exploiting Injection Flaws – SQLi, Command Injection & More
Chapter 5: XSS Mastery – Stored, Reflected, and DOM-Based Attacks
Chapter 6: Breaking Sessions and Tokens – CSRF, JWT, and Cookie Issues
Chapter 7: Advanced SSRF and File Inclusion Tactics
Chapter 8: Exploiting Business Logic and High-Impact Bugs
Chapter 9: Real Bug Bounty Case Studies – From Discovery to Report
Chapter 10: Building a Hunting Routine – Tracking, Reporting, and Scaling Up
BOOK 4 - THE BURP SUITE LAB MANUAL: HANDS-ON PROJECTS FOR WEB SECURITY TESTING
Chapter 1: Lab Setup – Building a Safe Web Hacking Environment
Chapter 2: Intercept and Modify – Burp Proxy in Action
Chapter 3: Scoping and Crawling – Mapping the Application Surface
Chapter 4: Manual Testing Lab – Using Repeater and Intruder
Chapter 5: Vulnerability Labs – XSS, SQLi, and More
Chapter 6: Authentication Labs – Breaking Login and Session Controls
Chapter 7: Access Control Challenges – Privilege Escalation in Practice
Chapter 8: Automation Projects – Macros, Extensions, and Scripts
Chapter 9: Bug Bounty Simulations – End-to-End Attack Scenarios
Chapter 10: Capture the Flag (CTF) with Burp Suite – Final Challenges
Conclusion
Introduction
Welcome to Burp Suite Hacking: From Recon to Exploitation—a complete, four-part journey through one of the most powerful tools in the web security world. This series is not just about learning Burp Suite; it’s about mastering the art of web application hacking from the ground up, using the industry’s gold-standard toolkit for offensive security professionals, bug bounty hunters, and ethical hackers alike.
Whether you're a complete beginner or an intermediate tester looking to sharpen your skills, this series is designed to meet you where you are and take you far beyond the basics. We start in Book 1 – Burp Suite Essentials: Web App Hacking from Zero to Ninja, where you’ll build your foundation by setting up your lab, learning the interface, capturing and modifying traffic, and using the core features like Proxy, Repeater, Intruder, and Scanner. No experience? No problem—this book was written with you in mind.
Book 2 – Advanced Burp: Weaponizing Your Workflow dives deeper. Here, we move from basic testing to powerful automation, chaining tools and extensions, leveraging macros, and scripting custom logic. You’ll learn to hunt more efficiently, customize Burp to your exact needs, and interface with external tools like ffuf, sqlmap, and Burp’s own API.
In Book 3 – Bug Hunter’s Playbook: Real-World Exploits with Burp Suite, we enter the domain of real-world web application vulnerabilities. Each chapter focuses on specific bug classes—like XSS, IDOR, SQLi, SSRF, logic flaws, and more—illustrated with real scenarios and walk-throughs. You’ll learn not just how to find bugs, but how to exploit them, chain them, and write reports that get attention.
Finally, Book 4 – The Burp Suite Lab Manual: Hands-On Projects for Web Security Testing offers a structured, hands-on approach to reinforce what you’ve learned. From building your own vulnerable lab environments to solving full CTF-style scenarios, this book turns theory into action. You’ll practice authentication bypasses, access control abuses, blind injections, session token attacks, and simulate bug bounty cases from discovery to report.
This series was designed to go beyond the “how” and teach you the “why”—why a vulnerability exists, how to identify the subtle signs, how to exploit it responsibly, and how to scale your findings into a reliable workflow. Every command, every payload, and every scenario is based on what real-world hackers do when testing modern web apps.
No filler. No fluff. Just hands-on, practical knowledge built on years of field experience.
Let’s get started. Your hacking journey begins now.
BOOK 1
BURP SUITE ESSENTIALS
WEB APP HACKING FROM ZERO TO NINJA
ROB BOTWRIGHT
Chapter 1: Setting Up Your Web Hacking Lab
Setting up a secure, functional web hacking lab is the foundational step for any aspiring penetration tester or bug bounty hunter. Your lab must be isolated, legal, and equipped with all the tools necessary to simulate real-world attacks without risking harm to production systems. Start by deciding whether you'll use a virtualization platform or a cloud environment. For local labs, VirtualBox and VMware Workstation Player are two of the most popular and free options. For this guide, we'll use VirtualBox.
Install VirtualBox from the official site and then download an ISO image of Kali Linux, the most widely-used pentesting distribution. Kali comes pre-loaded with Burp Suite Community Edition, along with many other tools you’ll likely use later. After installing VirtualBox, create a new virtual machine with at least 2 GB of RAM and 2 processors for smoother operation. Attach the Kali ISO as the boot device and install it on a virtual hard disk of at least 20 GB. Once installation completes, perform a full system update by running:
sudo apt update && sudo apt full-upgrade -y
Next, install Guest Additions if you're using VirtualBox, to allow for screen resizing and better integration:
sudo apt install virtualbox-guest-x11 -y
Once Kali is ready, verify that Burp Suite Community Edition is pre-installed by running:
burpsuite
You’ll also need a browser that can work well with Burp. Firefox is pre-installed in Kali, and it allows for flexible proxy configurations. You can also install Chromium using:
sudo apt install chromium -y
Now you’ll need some intentionally vulnerable web applications to practice on. One of the best starting points is DVWA (Damn Vulnerable Web Application). DVWA requires Apache, PHP, and MySQL, all of which are available in Kali. Start by installing Apache and PHP:
sudo apt install apache2 php php-mysqli mariadb-server -y
Once installed, clone DVWA into your web root:
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
Set the appropriate file permissions and configure the database:
sudo chown -R www-data:www-data /var/www/html/DVWA
sudo mysql_secure_installation
sudo mysql -u root -p
Inside the MySQL prompt, create a DVWA database and a dedicated user (the GRANT ... IDENTIFIED BY form below works on the MariaDB server installed above; MySQL 8 requires a separate CREATE USER statement first):
CREATE DATABASE dvwa;
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwauser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;
Then create the DVWA configuration file from the template shipped in the repository (the clone contains only config.inc.php.dist, not config.inc.php) and edit it:
sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php
sudo nano /var/www/html/DVWA/config/config.inc.php
Update the database credentials to match what you set above. Start Apache and MySQL services:
sudo systemctl start apache2
sudo systemctl start mariadb
Visit http://localhost/DVWA in your browser to complete the setup. Set DVWA’s security level to low initially so you can explore basic concepts.
Beyond DVWA, you can also install other vulnerable apps like bWAPP, WebGoat, or Mutillidae. WebGoat, developed by OWASP, runs on Java. To install WebGoat, install Java first:
sudo apt install default-jre -y
Then download WebGoat and run it:
wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.0/webgoat-server-8.2.0.jar
java -jar webgoat-server-8.2.0.jar
Access WebGoat at http://localhost:8080/WebGoat. Note that WebGoat's default port, 8080, is the same port Burp's proxy listener uses, so with default settings the two cannot run on the same machine at once; start WebGoat on another port (it is a Spring Boot application and accepts a --server.port argument) or move Burp's listener before you proxy WebGoat traffic through Burp.
At this point, it’s important to configure Burp Suite properly. Open Burp and navigate to the Proxy tab. Make sure the intercept is turned off unless you're actively modifying requests. Go to the Proxy > Options tab and verify the listener is set to 127.0.0.1:8080. Then configure Firefox to use Burp as its proxy: go to Preferences > Network Settings > Manual proxy configuration, set HTTP Proxy to 127.0.0.1 and Port to 8080, and check the box that says "Use this proxy server for all protocols".
To avoid SSL errors in HTTPS traffic, install Burp's CA certificate in Firefox. In Burp, go to Proxy > Options > Import / export CA certificate, export as DER file. Then in Firefox, go to Settings > Privacy & Security > View Certificates, import the DER certificate under Authorities and check both trust boxes.
Now your browser is fully configured to pass traffic through Burp. This allows you to intercept, inspect, modify, and replay HTTP and HTTPS requests. You can test this by visiting http://testphp.vulnweb.com, a free live target provided by Acunetix, and observing the traffic flow inside Burp's HTTP history tab.
To keep your lab isolated, consider setting up a host-only network in VirtualBox. This ensures your vulnerable apps aren’t exposed to the public internet. Go to VirtualBox > Preferences > Network > Host-Only Networks, add a new adapter, then attach your VM to it via Settings > Network > Adapter 2. This provides local communication between host and guest with no external access.
Snapshot your VM now. This gives you a clean rollback point in case something breaks. In VirtualBox, right-click your VM and choose Take Snapshot. Name it something like “Clean Kali + Burp + DVWA”.
As your skills grow, you might want to expand your lab using Docker. Docker allows you to run multiple vulnerable applications in isolated containers. Install Docker with:
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
Try running bWAPP via Docker:
docker pull raesene/bwapp
docker run -d -p 8081:80 raesene/bwapp
Then visit http://localhost:8081/install.php in your browser to complete setup. Be aware that -p 8081:80 publishes the port on every interface of the VM, and Docker's published ports bypass host firewall rules such as ufw; use -p 127.0.0.1:8081:80 instead if bWAPP should only be reachable from inside the VM. Dockerized apps are especially useful if you want to keep your environment clean and easily resettable.
You now have a flexible and safe space to practice web app security using Burp Suite. Whether you're preparing for bug bounty programs, OSCP certification, or just exploring web hacking, having this kind of lab is critical. Continue to evolve your setup as you learn new techniques, but always keep it isolated and ethical.
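Since the point of the host-only network and the loopback-bound proxy listener is isolation, it is worth verifying what the VM actually exposes once everything is running. The script below is an added example, not part of the book: it parses the output of ss -ltn (a constructed sample is embedded so it runs anywhere) and reports which of the lab's ports (80, 8080, 8081, an assumed mapping) are bound to something other than a loopback address.

```python
import ipaddress

# Ports used by the lab built in this chapter (assumed mapping for this example).
LAB_PORTS = {
    80: "Apache (DVWA)",
    8080: "Burp proxy listener / WebGoat",
    8081: "bWAPP (Docker)",
}


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1. Wildcard binds (0.0.0.0, *, [::]) are not
    loopback: they accept connections from every interface, including the
    host-only network and, with a bridged or NAT adapter, anything beyond it."""
    addr = addr.strip("[]")
    if addr in ("", "*"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ss_listeners(ss_output):
    """Parse the text of `ss -ltn` into (local_address, port) pairs."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or something other than a listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def exposed_lab_listeners(ss_output, lab_ports=LAB_PORTS):
    """Return (port, address, service) for lab ports not bound to loopback."""
    return sorted(
        (port, addr, lab_ports[port])
        for addr, port in parse_ss_listeners(ss_output)
        if port in lab_ports and not is_loopback(addr)
    )


# Constructed `ss -ltn` output for a VM where Apache and the bWAPP container
# listen on every interface but Burp is correctly bound to 127.0.0.1.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       50      127.0.0.1:8080       0.0.0.0:*
LISTEN  0       4096    *:8081               *:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
"""

if __name__ == "__main__":
    import subprocess
    try:
        output = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # ss not available: fall back to the sample
    for port, addr, service in exposed_lab_listeners(output):
        print(f"port {port} ({service}) is bound to {addr}, not loopback")
```

On the sample, Apache (80, on IPv4 and IPv6) and bWAPP (8081) are reported while Burp's 127.0.0.1:8080 listener passes; on a real VM the script runs ss itself.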
Chapter 2: Getting Started with Burp Suite – Interface and Workflow
Burp Suite is one of the most powerful and widely used tools for web application security testing, and becoming familiar with its interface and workflow is a critical step in mastering modern penetration testing. When you first launch Burp Suite, you’ll be greeted with the Start Burp screen. If you're using the Community Edition, simply click “Start Burp” and proceed without a project file. The Professional version allows for advanced project management and saving of testing sessions, but for most introductory purposes, the Community Edition suffices. After starting the application, the main interface is divided into several tabs—each representing a specific function within the suite. These include Dashboard, Target, Proxy, Intruder, Repeater, Sequencer, Decoder, Comparer, and Extender.
The Dashboard tab serves as a centralized location where background tasks like scanning, crawling, or passive analysis are shown. In Burp Suite Professional, this is where live passive and active scans appear, giving you real-time information on detected vulnerabilities. In the Community Edition, scanning is limited, but it still shows basic passive crawl activity.
Next, the Target tab is where you define the scope of your testing. It has two main sub-sections: Site Map and Scope. The Site Map shows a hierarchical tree of all domains, folders, and endpoints that your browser has touched while proxying traffic through Burp. It displays both requested URLs and responses. The Scope tab allows you to restrict your testing to specific domains or URL patterns. Defining your scope properly is a critical best practice to avoid accidental testing on unauthorized sites. You can add a target to scope by right-clicking on it in the Site Map and selecting “Add to Scope”.
To intercept HTTP traffic, you need to configure your browser to use Burp Suite’s proxy. Burp listens by default on 127.0.0.1:8080. In Firefox, go to Settings > Network Settings > Manual proxy configuration, enter 127.0.0.1 as the HTTP proxy and set the port to 8080. Check the option “Use this proxy server for all protocols.” Once this is done, all HTTP and HTTPS traffic from your browser will pass through Burp Suite. If you're intercepting HTTPS, install Burp’s SSL certificate in your browser to avoid warnings. Go to Proxy > Options > Import/export CA certificate, export as DER file, and import it into your browser’s certificate authorities section.
The Proxy tab is the real-time window into your browser’s traffic. Under Proxy > Intercept, you can choose to intercept requests and responses manually. When “Intercept is on,” Burp will pause requests before they leave your browser, allowing you to view and modify them. If you don’t want this, toggle it off so traffic flows uninterrupted. Under Proxy > HTTP History, you can see all traffic that passed through Burp, with complete request and response details. This is where you can manually inspect, replay, or forward interesting requests to other tools.
Once you've identified an interesting request—such as a login form, file upload, or API call—you can right-click and send it to Repeater. The Repeater tab is a manual testing interface where you can repeatedly modify and resend a request to observe how the server responds. This is essential for testing input validation, bypasses, and manipulating parameters. Each time you click the Send button, the server's response is shown in a new tab. You can view the response in several formats: Raw, Hex, HTML, or Rendered. This lets you examine exactly what the application returns.
The Intruder tab is used for automating attacks such as brute-force, fuzzing, and parameter manipulation. To begin, send a request to Intruder from Proxy or Repeater. Then, define the positions—these are placeholders that Burp will replace with payloads. Positions are marked using § symbols. You can add them manually or use the "Clear §" and "Add §" buttons. Next, switch to the Payloads tab, where you load or generate a list of inputs to inject. This could be usernames, passwords, injection strings, or custom wordlists. Once configured, click Start Attack (Professional version only) and observe how the server reacts to each input.
Burp’s Sequencer is useful for analyzing the randomness of session tokens, CSRF tokens, or any value intended to be unpredictable. Send a request containing such a token to Sequencer, and Burp will extract and collect hundreds or thousands of values to statistically analyze their entropy. This helps determine whether the tokens can be guessed or predicted.
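To make concrete what Sequencer is measuring, here is an added Python example (not from the book or from PortSwigger): it computes the per-position Shannon entropy of a token sample, counts how many leading positions never change, and checks whether the remainder behaves like a counter. Both token samples are constructed, and analyze_tokens with its 64-bit threshold is this example's own summary, not Sequencer's scoring.

```python
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy (bits) of the character at each position, over all
    sampled tokens; this is the character-level view Sequencer also offers."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    entropies = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def fixed_prefix_length(entropies):
    """Number of leading positions that are identical in every sampled token."""
    count = 0
    for h in entropies:
        if h > 0.0:
            break
        count += 1
    return count


def looks_sequential(tokens, prefix_len):
    """True if the part after the fixed prefix parses as hex and every
    consecutive pair differs by the same non-zero constant (a counter)."""
    try:
        values = [int(t[prefix_len:], 16) for t in tokens]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1 and diffs != {0}


def analyze_tokens(tokens, min_bits=64):
    """Summarise a sample the way you would read a Sequencer result."""
    entropies = position_entropy(tokens)
    prefix = fixed_prefix_length(entropies)
    bits = sum(entropies)
    sequential = looks_sequential(tokens, prefix)
    return {
        "estimated_bits": round(bits, 1),
        "fixed_prefix_len": prefix,
        "sequential": sequential,
        "acceptable": bits >= min_bits and not sequential,
    }


# Constructed samples, not captured from any real application.
# A "session id" made of a fixed prefix plus an 8-digit hex counter:
PREDICTABLE_TOKENS = ["sess" + format(i, "08x") for i in range(1, 201)]
# 32 hex characters drawn from a seeded PRNG so the sample is reproducible;
# a real application should generate tokens with a CSPRNG (secrets.token_hex).
_rng = random.Random(20250101)
RANDOM_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32))
                 for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE_TOKENS),
                         ("random", RANDOM_TOKENS)):
        print(name, analyze_tokens(sample))
```

The counter-based tokens show ten unchanging positions, only a few bits of entropy in total, and a constant difference between consecutive values; the random sample shows no fixed prefix and well over 100 estimated bits.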
The Decoder tool is straightforward—it allows you to manually or automatically encode and decode data in various formats such as URL, Base64, Hex, HTML, and more. For example, to decode a Base64 string like U2VjdXJpdHlUZXN0, paste it into the input field, select "Decode as Base64," and the result will appear immediately. Decoder is very handy when dealing with obfuscated or encoded payloads during analysis.
The Comparer tab lets you perform visual and byte-level comparisons between two pieces of text, typically request/response pairs. This is useful when you want to see exactly what changes between two server responses or how different parameters affect output. Simply load two items and hit "Compare" to view line-by-line differences.
Finally, the Extender tab allows you to expand Burp’s functionality through extensions written in Java, Python, or Ruby. You can install plugins directly from the BApp Store, such as Logger++, Autorize, or Turbo Intruder. Many of these tools automate advanced tasks or improve visibility into complex web app behavior.
To manage your workflow efficiently, learn to right-click. Burp Suite is a right-click-heavy environment. Nearly every useful action—sending to Repeater, copying URLs, scanning, highlighting, adding comments—can be accessed via context menu. You can also tag interesting requests with colors or notes to keep track of them during longer engagements.
Keyboard shortcuts can save time too. Press Ctrl + Shift + H to open HTTP history, or Ctrl + R to open Repeater. The interface is consistent and intuitive once you get used to navigating it. Keep in mind that the Community Edition does not allow for scanning or saving of full session data, so if you plan to work professionally, the Pro version is highly recommended.
As you move through your testing, you'll frequently bounce between Proxy, Repeater, Intruder, and Target. These four tabs form the core workflow. Proxy captures the request, Repeater modifies it, Intruder attacks it, and Target maps it. The rest of the suite complements these tools and helps you track patterns, decode content, or extend capabilities. Understanding the interface not only makes you faster but also reduces mistakes during testing.
Chapter 3: Proxy Basics – Capturing and Modifying Web Traffic
Understanding how to capture and modify web traffic using Burp Suite’s Proxy tool is one of the most important skills in web application testing. The Proxy acts as a man-in-the-middle between your browser and the server, intercepting HTTP and HTTPS requests and responses in real time. This gives you full visibility and control over the data being transmitted, enabling manual inspection, manipulation, and attack simulation. To get started, you need to configure your browser to route traffic through Burp’s proxy listener. By default, Burp Suite listens on 127.0.0.1 (localhost) and port 8080. In Firefox, navigate to Settings > Network Settings > Manual proxy configuration, set the HTTP proxy to 127.0.0.1 and the port to 8080, and check the option “Use this proxy server for all protocols.” This configuration ensures that all traffic—including HTTPS—is routed through Burp Suite.
When you first open the Proxy tab in Burp Suite, you'll see four sub-tabs: Intercept, HTTP history, WebSockets history, and Options. The Intercept sub-tab allows you to pause requests before they leave your browser or before responses reach it. When Intercept is on, any HTTP or HTTPS request made in the browser will be held by Burp, giving you the opportunity to modify it before forwarding it to the server. You can toggle interception using the Intercept is on/off button. For example, visit http://testphp.vulnweb.com in your browser. If intercept is on, you’ll immediately see the request appear in the Intercept tab. You can click “Forward” to send the request unaltered, or you can edit fields like headers, cookies, or parameters before forwarding. You can also drop the request entirely.