Install and Configure Burp Suite for Pentesting (Step-by-Step Guide)
2 min read

When getting started in web application security, the first tool you will likely encounter is Burp Suite. This powerful tool allows you to intercept, modify, and send requests to the web server. However, there are a few configuration steps before getting started.
First, you will need Burp Suite installed. If you are using Kali Linux, Burp Suite is already installed. If you don’t have Burp Suite installed, navigate to PortSwigger’s Download Page and install the latest version. After installing, open the software, and you should see the following.
Click ‘Next’, then ‘Start Burp,’ and a new window will appear.
In the ‘Proxy’ tab, click on ‘Open Browser,’ and a Chromium browser will appear. This Chromium browser comes pre-installed with the appropriate Burp certificate, so it can begin proxying traffic immediately. However, if you want more flexibility and prefer to use a different browser, there are additional steps.
In the Chromium browser, navigate to https://burpsuite and click ‘CA Certificate.’ This will download the Burp certificate needed to proxy traffic.
Once ‘cacert.der’ is downloaded, open your browser. In this example, we will be using Firefox. Navigate to Firefox Settings and search for ‘Certificate.’ You will find the certificate manager. Now click ‘Import’ and select the ‘cacert.der’ file we previously downloaded.
A pop-up will appear. Make sure to select both ‘Trust this CA to identify websites’ and ‘Trust this CA to identify email users’, and click ‘OK.’
To verify it was imported correctly, look through the certificate list and find the ‘PortSwigger’ entry.
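As an added check (this example is not part of the original post), the Python 3 script below computes the SHA-256 fingerprint of the downloaded ‘cacert.der’ so it can be compared with the fingerprint Firefox shows for the ‘PortSwigger’ entry, and it rejects files that are not a single well-formed DER certificate, such as an HTML error page saved under that name. The function names and the five-byte sample are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Return DER bytes from a DER file (Burp's cacert.der) or a PEM export."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # A certificate is one DER SEQUENCE (tag 0x30) whose encoded length
    # accounts for the whole file. An HTML error page saved as cacert.der,
    # or a truncated download, fails this check.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER certificate (no outer SEQUENCE)")
    if der[1] < 0x80:                      # short-form length
        total = 2 + der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):
        raise ValueError("DER length does not match file size")
    return der

def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated uppercase SHA-256 over the DER encoding."""
    digest = hashlib.sha256(load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches(data: bytes, shown: str) -> bool:
    """Compare with a fingerprint copied from the certificate viewer.
    Separators and letter case in the pasted hex value are ignored."""
    want = re.sub(r"[^0-9a-fA-F]", "", shown).lower()
    have = sha256_fingerprint(data).replace(":", "").lower()
    return hmac.compare_digest(have, want)

# Constructed stand-in (a 5-byte DER SEQUENCE, not a real certificate)
# so the script runs without a Burp download.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print(sha256_fingerprint(raw))
```

Run it with the path to ‘cacert.der’ as the only argument and compare the printed value with the SHA-256 fingerprint in Firefox’s certificate details.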
We will need an extension to configure the browser to send its traffic to the port Burp Suite’s proxy listens on. Install the FoxyProxy extension.
In FoxyProxy, click ‘Options’, and a new window will appear.
Click ‘Proxies’ and ‘Add’. Fill out the form with the following information.
Click ‘Save’, and your configuration is complete! To activate the proxy, click the FoxyProxy extension and select ‘Burp Suite.’
To verify that Burp Suite captures web requests, open the application and click ‘Intercept Off.’ The button will turn to ‘Intercept On’ with a blue background.
In your browser, enter https://google.com and observe that the browser appears to freeze when submitting the request. This is because Burp Suite captured the request and is waiting for you to ‘Forward’ it so it can be sent to the web server.
As you can see, Burp Suite is pretty easy to set up and can be used to perform web application assessments. While other tools like ZAP and Caido can do the same, Burp Suite is still the go-to in the industry. Familiarizing yourself with it can enhance your learning in web application security and your growth in the field.
Lead Technical Writer
Evan is a dedicated cybersecurity professional with a degree from Roger Williams University. He is certified in GRTP, OSCP, eWPTX, eCPPT, and eJPT. He specializes in web application and API security. In his free time, he identifies vulnerabilities in FOSS applications and mentors aspiring cybersecurity professionals.