Introduction
Burp Suite is a powerful and popular platform for performing security testing of web applications. It consists of a set of integrated tools that work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities.
Before you can effectively use Burp Suite for security testing, you must first become familiar with its user interface (UI). In this lab, you will launch Burp Suite and take a guided tour of its primary tabs and features. This foundational knowledge is essential for all future labs involving web application penetration testing.
Review the Dashboard and Event Log
In this step, you will launch Burp Suite and explore the main Dashboard, which serves as the central hub for your testing activities.
First, open a terminal in your LabEx environment. The Burp Suite JAR file has already been downloaded to your ~/project directory. Use the following command to start the application. Note that it may take a moment to load.
java -jar burpsuite_community.jar
A dialog box will appear asking about project files. For this lab, we will use a temporary project. Simply accept the default selection and click Next.
Another dialog may appear asking about default settings. Click Start Burp to continue.
Once Burp Suite loads, you will see the main window. The first tab you see is the Dashboard.
The Dashboard is divided into four main quadrants:
- Tasks: This allows you to run predefined scans and other automated tasks.
- Event log: This provides a running log of all significant events occurring within Burp Suite, such as the proxy starting or new issues being discovered.
- Issue activity: This shows a real-time feed of security issues identified by Burp Scanner.
- Advisory: This section provides details and remediation advice for selected security issues.
Take a moment to look at the Event log. You should see entries indicating that the proxy service has started and the application is ready. This log is very useful for troubleshooting and understanding what Burp is doing in the background.
Examine the Target Tab and Site Map
In this step, you will explore the Target tab, which is used to define the scope of your work and view a detailed map of the target application's structure.
In the Burp Suite window, click on the Target tab located at the top of the interface.
This tab is crucial for organizing your testing efforts. It has two primary sub-tabs on the left side:
- Site map: This view provides a hierarchical tree representation of the content of the target application. As you browse the application through Burp's Proxy, this map will automatically populate with all the URLs and resources you discover. Since we haven't browsed any sites yet, this area will be mostly empty.
- Scope: This sub-tab allows you to define exactly which hosts and URLs are part of your testing scope. Any items "in scope" will be processed by Burp's tools, while out-of-scope items are typically ignored. This is essential for focusing your testing and avoiding unintended interactions with other websites.
Click on both the Site map and Scope sub-tabs to familiarize yourself with their layout. Understanding how to manage your target scope is a fundamental skill for using Burp Suite effectively.
Understand the Proxy Tab's Intercept and History Views
In this step, we will look at the Proxy tab, which contains one of Burp Suite's core tools. The Burp Proxy acts as a man-in-the-middle, allowing you to intercept, inspect, and modify all traffic between your browser and the target web application.
Click on the Proxy tab.
You will see several sub-tabs. The two most important ones for now are:
- Intercept: This is the control center for intercepting traffic. When the "Intercept is on" button is active, Burp will pause any matching HTTP/S requests and responses, allowing you to view and edit them before they are sent to their destination. This is incredibly powerful for manual testing. Click the button to toggle it between "Intercept is on" and "Intercept is off" to see how it changes. For now, leave it off.
- HTTP history: This sub-tab provides a complete log of every HTTP request that has passed through the proxy. For each request, you can see the full request and response, headers, parameters, and more. This history is an invaluable resource for understanding how an application works and for finding potential vulnerabilities.
There is also a WebSockets history tab for logging WebSocket traffic, which is used by modern real-time applications. For now, focus on understanding the function of the Intercept and HTTP history views.
Locate the Repeater and Intruder Tabs
In this step, you will find two more essential tools for manual and automated testing: Repeater and Intruder.
First, click on the Repeater tab.
Burp Repeater is a simple but powerful tool for manually manipulating and reissuing individual HTTP requests. You can send a request from another Burp tool (like the Proxy history) to Repeater, modify any part of it (e.g., a parameter or header), and send it over and over again. This is perfect for testing application logic, validating findings, and performing fine-grained manual attacks. The interface is split, showing the request on the left and the response on the right.
Next, click on the Intruder tab.
Burp Intruder is a highly configurable tool for automating customized attacks. Its primary use is for "fuzzing," which involves sending a large number of requests with modified data to probe for vulnerabilities. You can use it for tasks like brute-forcing passwords, enumerating identifiers, or finding SQL injection flaws. Intruder works by defining a request template, marking positions for payloads, and then configuring payload sets and attack types.
Take a moment to look at the interfaces for both Repeater and Intruder to get a sense of their purpose and layout.
Find the Extender Tab for BApp Store and Extensions
In this final step of our tour, you will explore the Extender tab, which allows you to expand Burp Suite's capabilities with extensions.
Click on the Extender tab.
This area is the hub for managing Burp Suite extensions, which are add-ons that can introduce new functionality or integrate with other tools. The main sub-tabs here are:
- Extensions: This list shows all the extensions that are currently loaded into Burp. You can add, remove, and configure your extensions from here.
- BApp Store: This is Burp's official repository of extensions written by the community and PortSwigger staff. You can browse the store, view details about each extension, and install them directly into Burp with a single click.
- APIs: This sub-tab provides documentation for developers who want to write their own extensions using Java, Python, or Ruby.
- Settings: Here you can configure settings related to Java, Python, and Ruby environments for running extensions.
Browse the BApp Store to see the wide variety of available extensions. This extensibility is one of the key reasons for Burp Suite's popularity.
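To show what the Extensions and APIs sub-tabs actually manage, here is a small Java extension written for this tour (it is not part of the lab or of Burp itself). It uses Burp's legacy Extender API (the burp.IBurpExtender and burp.IHttpListener interfaces) to print every in-scope request that passes through the Proxy, Repeater or Intruder, so it ties together the Target > Scope setting and the tool tabs covered above; the extension name and log format are this example's own choices.

```java
package burp;

import java.io.PrintWriter;
import java.net.URL;

// Added example (not from the lab): a minimal Burp extension that logs every
// in-scope request, tagged with the Burp tool that produced it. Burp loads the
// class only if it is named BurpExtender inside the package burp.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        // Extension output appears under Extender > Extensions > Output.
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("In-scope request logger (tour example)");
        callbacks.registerHttpListener(this);
        stdout.println("In-scope request logger loaded");
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (!messageIsRequest) {
            return; // responses are ignored; only requests are logged
        }
        IRequestInfo info = helpers.analyzeRequest(messageInfo);
        URL url = info.getUrl();
        // Honour the scope defined in Target > Scope, as Burp's own tools do,
        // so the log never records traffic to out-of-scope hosts.
        if (!callbacks.isInScope(url)) {
            return;
        }
        stdout.println(toolName(toolFlag) + " " + info.getMethod() + " " + url);
    }

    // Map the tool flag Burp passes to a readable tag for the log line.
    private static String toolName(int toolFlag) {
        switch (toolFlag) {
            case IBurpExtenderCallbacks.TOOL_PROXY:    return "[Proxy]";
            case IBurpExtenderCallbacks.TOOL_REPEATER: return "[Repeater]";
            case IBurpExtenderCallbacks.TOOL_INTRUDER: return "[Intruder]";
            default:                                   return "[tool " + toolFlag + "]";
        }
    }
}
```

Compile it against the burp-extender-api interfaces into a JAR and load it from Extender > Extensions > Add (type Java); with scope empty nothing is logged, which is the same behaviour the Scope sub-tab enforces for Burp's built-in tools.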
Summary
In this lab, you successfully launched Burp Suite and completed a comprehensive tour of its user interface. You are now familiar with the purpose and layout of the most important tabs:
- Dashboard: The central hub for monitoring tasks, events, and issues.
- Target: For defining scope and viewing the application's site map.
- Proxy: For intercepting and logging HTTP/S traffic.
- Repeater: For manually modifying and re-sending individual requests.
- Intruder: For automating customized attacks and fuzzing.
- Extender: For managing extensions and expanding Burp's functionality via the BApp Store.
With this foundational understanding of the Burp Suite UI, you are now prepared to tackle more advanced labs that involve active web application security testing.
