Getting Started with Burp Suite
Install Burp Suite Community Edition, configure your browser, and capture your first HTTP request — step by step. No prior security experience required.
What is Burp Suite?
Burp Suite is a web application security testing platform made by PortSwigger. The free Community Edition includes everything you need to start learning.
HTTP Proxy
Burp sits between your browser and the server, letting you see every request and response before it reaches its destination.
Intercept
Pause requests in flight, inspect their contents, modify parameters, then forward or drop them.
Repeater
Send modified HTTP requests repeatedly without going back through the browser. Essential for manual testing.
Burp's Browser
A built-in Chromium browser pre-configured to route traffic through Burp — no manual proxy setup required.
Setup in 5 Steps
Everything below uses Burp Suite Community Edition, which is free.
1. Download Burp Suite Community Edition
Go to portswigger.net/burp/communitydownload and download the installer for your operating system (Windows, macOS, or Linux). Install it like any other application.
2. Launch Burp and Create a Temporary Project
Open Burp Suite. When prompted, choose Temporary project and click Next, then Start Burp. Temporary projects do not save to disk — perfect for practice sessions.
3. Open Burp's Built-in Browser
Navigate to the Proxy tab, then click Open Browser. This launches a pre-configured Chromium browser that routes all traffic through Burp automatically. No proxy configuration or certificate installation required.
4. Turn Intercept On and Visit a Site
In the Proxy tab, make sure Intercept is on. In Burp's browser, navigate to an authorized target — for practice, use PortSwigger Academy labs. Burp will pause the first request so you can inspect it.
5. Inspect the Request and Forward It
Read through the intercepted request: the GET or POST method, the path, the Host header, and any parameters. Click Forward to let it continue. Click Drop to discard it. Toggle Intercept off to let traffic flow freely without pausing.
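To make the "Inspect the Request and Forward It" step concrete, the following added example (not part of the original tutorial or of Burp itself) splits a raw request into the method, path, Host header, and parameters you are asked to read. The sample request, its host name, and its parameter names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a login POST as it might appear in Burp's Intercept view.
# The host, path, cookie and parameter names are made up for illustration.
SAMPLE_REQUEST = (
    "POST /login?next=%2Faccount HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "username=carlos&password=test"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into the parts worth reading first."""
    head, _, body = raw.partition("\r\n\r\n")   # blank line ends the headers
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # request line

    # Header names are case-insensitive; a repeated header keeps its last value.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    params = {
        "query": parse_qsl(url.query, keep_blank_values=True),
        "cookie": [tuple(c.strip().partition("=")[::2])
                   for c in headers.get("cookie", "").split(";") if c.strip()],
        "body": [],
    }
    # Only form-encoded bodies are decoded; JSON or multipart stay in raw_body.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params["body"] = parse_qsl(body, keep_blank_values=True)

    return {"method": method, "path": url.path, "version": version,
            "host": headers.get("host"), "headers": headers,
            "params": params, "raw_body": body}


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], req["version"])
    print("Host:", req["host"])
    for kind, pairs in req["params"].items():
        print(f"{kind} parameters:", pairs)
```

Parameters arrive in three places here (query string, cookie, body), which is why reading only the first line of an intercepted request misses most of the input the server receives.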
- Only test systems you own or have explicit written permission to test.
- For practice, use PortSwigger Web Security Academy labs — they are specifically built for this.
- OWASP Juice Shop and OWASP WebGoat are safe local alternatives.
- Never intercept or test production systems, other people's accounts, or any site without authorization.
What to Learn Next
Once you can intercept and forward requests, these tutorials build on that foundation.
Understand what session tokens are, how Burp shows them, and why they matter for web application security testing.
Find free, intentionally vulnerable apps designed for exactly this kind of hands-on learning.