Burp Suite Community Edition: Web Security Guide 2026

By Suresh S

If you’re serious about web application security, Burp Suite is your Swiss Army knife. The Community Edition is free, powerful, and the go-to tool for bug bounty hunters, penetration testers, and cybersecurity beginners.

In this Burp Suite Community Edition guide, you’ll learn:

  • How to install Burp Suite on Windows, Linux, and macOS.
  • How to set up the proxy and intercept HTTP/HTTPS traffic.
  • How to use Repeater, Intruder (limited), and Decoder.
  • How to find your first web vulnerability.

What is Burp Suite Community Edition?

Burp Suite (from PortSwigger) acts as a man-in-the-middle proxy between your browser and web servers. It lets you pause, modify, replay, and fuzz web requests — essential for finding SQLi, XSS, auth bypasses, and more.

✅ Free vs Pro: Community Edition includes Proxy, Repeater, Decoder, Comparer, and a limited Intruder (throttled). Pro adds active scanning, unlimited Intruder, extensions, and automation.


Part 1: How to Install Burp Suite Community Edition

🪟 Windows Installation

  1. Download the Community Edition installer from portswigger.net/burp/communitydownload.
  2. Run the .exe installer.
  3. Choose installation directory (default is fine).
  4. Launch Burp Suite from the Start Menu or Desktop shortcut.
  5. Accept the license agreement.

🐧 Linux Installation

Option A: Manual (any distro)

# Download the .sh installer from PortSwigger
chmod +x burpsuite_community_linux_v*.sh
./burpsuite_community_linux_v*.sh

Follow the GUI installer steps.

Option B: Using apt (Debian/Ubuntu)

sudo apt update
sudo apt install burpsuite -y

Launch from terminal:

burpsuite

🍎 macOS Installation

  1. Download the .dmg file from PortSwigger.
  2. Open the DMG and drag Burp Suite Community Edition to Applications.
  3. If macOS blocks it: System Settings → Privacy & Security → Allow anyway.
  4. Launch Burp Suite.

First Launch Setup

When you open Burp Suite for the first time:

  1. Click Next through the project options (choose “Temporary project” for learning).
  2. Use the default configuration.
  3. Click Start Burp.

✅ You’ll see the Dashboard — your command center.


Part 2: Configuring Your Browser to Use Burp Proxy

Burp listens on 127.0.0.1:8080 by default. You must route your browser traffic through this proxy.

Firefox

  1. Go to Settings → Network Settings → Settings.
  2. Choose Manual proxy configuration.
  3. HTTP Proxy: 127.0.0.1 | Port: 8080
  4. Check Also use this proxy for HTTPS.
  5. Click OK.

Chrome / Edge

Use the command line (temporary session):

# Chrome
google-chrome --proxy-server="http://127.0.0.1:8080"

# Edge (Windows)
msedge.exe --proxy-server="http://127.0.0.1:8080"

Install Burp’s CA Certificate (For HTTPS)

Without this, HTTPS sites will show certificate errors.

  1. With proxy enabled, visit http://burpsuite in your browser.
  2. Click CA Certificate (download cacert.der).
  3. Import into your browser:
    • Firefox: Settings → Privacy & Security → View Certificates → Import → Trust this CA to identify websites.
    • Chrome: Settings → Privacy & Security → Security → Manage Certificates → Import → Trusted Root Certification Authorities.
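The same listener and CA work for scripted clients, not just browsers. Here is an added example (not from this guide or from PortSwigger) that converts the exported cacert.der to PEM, which Python's ssl module requires, and sends one request through 127.0.0.1:8080 so it shows up in Proxy → HTTP History. The file names burp-cacert.pem and cacert.der in the working directory, and the target URL, are assumptions.

```python
import base64
import ssl
import urllib.request
from pathlib import Path

# Assumptions (not verified here): Burp's default listener and the DER file
# downloaded from http://burpsuite, saved in the working directory.
BURP_LISTENER = "127.0.0.1:8080"
DER_PATH = Path("cacert.der")
PEM_PATH = Path("burp-cacert.pem")  # hypothetical output file name


def der_to_pem(der_bytes: bytes) -> str:
    """Burp exports DER; Python's ssl module wants PEM. PEM is the DER
    base64-encoded in 64-character lines between the standard markers."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def proxy_settings(listener: str = BURP_LISTENER) -> dict:
    """Route plain and TLS traffic to the same listener, matching the
    'Also use this proxy for HTTPS' checkbox in the Firefox steps."""
    return {"http": f"http://{listener}", "https": f"http://{listener}"}


def build_opener(cacert_pem: Path, listener: str = BURP_LISTENER):
    # Trust only Burp's CA for this client: every HTTPS site reached through
    # the proxy presents a certificate Burp minted, so the default system
    # trust store would reject it with exactly the error the text mentions.
    ctx = ssl.create_default_context(cafile=str(cacert_pem))
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy_settings(listener)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def main() -> None:
    PEM_PATH.write_text(der_to_pem(DER_PATH.read_bytes()))
    opener = build_opener(PEM_PATH)
    # The request lands in Proxy > HTTP History like browser traffic does.
    with opener.open("https://portswigger.net/", timeout=15) as resp:
        print(resp.status, resp.headers.get("Content-Type"))


if __name__ == "__main__":
    main()
```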

Part 3: Burp Suite Tutorial for Beginners

The Main Tabs You’ll Use Daily

Tab       | Purpose
Dashboard | Live task monitoring
Target    | Site map & scope management
Proxy     | Intercept, view, and modify requests/responses
Repeater  | Manually edit and resend requests
Intruder  | Automated payload attacks (rate-limited in CE)
Decoder   | Encode/decode Base64, URL, HTML, etc.

Step 1: Intercepting Your First Request

  1. Go to Proxy → Intercept tab.
  2. Click Intercept is off to turn it on (button turns blue).
  3. In your browser, visit any HTTP site (e.g., http://testphp.vulnweb.com).
  4. Burp will freeze the request. You can now:
    • Modify headers, cookies, parameters.
    • Click Forward to send the request.
    • Click Drop to discard it.
    • Click Action to send to Repeater or Intruder.

💡 Toggle off interception once you understand it — otherwise every request gets paused.

Step 2: Using Repeater (Manual Testing)

Repeater lets you craft and resend requests repeatedly — perfect for testing parameter injection.

  1. In Proxy → HTTP History, right-click any request.
  2. Choose Send to Repeater (or press Ctrl + R).
  3. Go to the Repeater tab.
  4. Modify the request (e.g., change a ?id=1 to ?id=1' OR '1'='1).
  5. Click Send.
  6. View the response on the right panel.

Step 3: Spider & Site Map (Discovering Hidden Endpoints)

  1. Go to Target → Site map.
  2. Right-click your target domain → Add to scope.
  3. In Proxy → HTTP History, right-click requests → Add to scope.
  4. Go to Target → Site map → right-click domain → Spider this host (Community Edition uses passive spidering).

The site map will show all crawled URLs, parameters, and forms.

Step 4: Intruder (Limited but Powerful)

Even with rate limiting, Intruder is great for small payload lists.

Example: Fuzzing an id parameter for SQLi.

  1. Send a request to Intruder (right-click → Send to Intruder).
  2. In the Positions tab, highlight the parameter value and click Add §.
  3. Go to Payloads tab:
    • Add a simple list: 1, 2, 3, 1', 1 OR 1=1
  4. Click Start Attack.
  5. Compare response lengths to find anomalies.

Step 5: Decoder (Quick Helper)

Navigate to Decoder tab.

  • Paste encoded text (e.g., %3Cscript%3E).
  • Choose Decode as → URL.
  • Instantly get decoded output.

Great for analyzing obfuscated parameters or cookies.


Part 4: Practical Example — Finding a Reflected XSS

Let’s find your first vulnerability.

  1. Target: http://testphp.vulnweb.com/search.php?search=test
  2. In Burp, intercept the search request.
  3. Change search=test to search=<script>alert(1)</script>.
  4. Forward the request.
  5. If the page shows an alert box (or <script> is rendered literally in HTML), you’ve found reflected XSS.

✅ Use Repeater to fine-tune the payload without re-navigating.
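To see why step 5 works, here is an added example (not from this guide) of the kind of handler that sits behind a search.php?search= page, rendered both unescaped and HTML-escaped, with the step 5 check written as a function; search_param also performs the URL decoding that the Decoder step does by hand. The handler and function names are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD = "<script>alert(1)</script>"  # the probe used in Part 4


def search_param(url: str) -> str:
    """Pull the 'search' query value out of a URL, percent-decoding it
    the way the server would (e.g. %3Cscript%3E becomes <script>)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("search", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects user input straight into the page: the bug Part 4 finds.
    Hypothetical handler, constructed for this example."""
    return f"<h2>Results for: {term}</h2>"


def render_hardened(term: str) -> str:
    """Same page with the input HTML-escaped, so <script> arrives at the
    browser as text (&lt;script&gt;) and never executes."""
    return f"<h2>Results for: {html.escape(term, quote=True)}</h2>"


def reflected_unescaped(response_body: str, probe: str) -> bool:
    """Step 5 as code: is the probe present verbatim in the response body?
    A literal match means the markup reached the browser unencoded."""
    return probe in response_body


if __name__ == "__main__":
    url = "http://testphp.vulnweb.com/search.php?search=" + PAYLOAD
    term = search_param(url)
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        body = render(term)
        print(f"{name}: reflected unescaped = {reflected_unescaped(body, PAYLOAD)}")
        print("   ", body)
```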


Part 5: Automate with Project Options & Extensions

Saving Your Work

  • File → Save Project (use temporary projects for learning).
  • Export proxy history: right-click → Save items.

Installing BApp Extensions (Community Supported)

  1. Extensions → BApp Store.
  2. Popular free extensions:
    • Logger++ — Advanced logging.
    • Param Miner — Discover hidden parameters.
    • Turbo Intruder — Faster brute-forcing (advanced).

Part 6: 4 Beginner Mistakes to Avoid

Mistake                           | Fix
Forgetting to turn off intercept  | You’ll wonder why pages won’t load. Keep it off unless actively testing.
Missing CA certificate            | HTTPS sites fail. Install the cert once per browser.
Testing without scope             | You’ll capture traffic from every tab (email, banking). Set Target Scope early.
Using Intruder on live production | Always test on authorized targets (DVWA, testphp.vulnweb.com, or your own labs).

Where to Practice Legally

Before testing real sites, practice on these authorized platforms:

Platform                         | Description
PortSwigger Web Security Academy | Free labs designed for Burp Suite
DVWA                             | Damn Vulnerable Web App (run locally)
HackTheBox Academy               | Structured modules
testphp.vulnweb.com              | Public vulnerable site

Final Thoughts

This Burp Suite Community Edition guide gives you a complete foundation for web security testing. You now know how to:

  • Install Burp on any OS.
  • Configure browser proxy and CA certificate.
  • Intercept, modify, replay, and fuzz requests.
  • Use Repeater, Intruder, and Decoder like a pro.

Next steps in your journey:

  • Complete PortSwigger’s “Access Control” and “SQL injection” labs.
  • Compare Burp with the OWASP ZAP Beginner Tutorial.
  • Discover hidden admin panels or directories using our Gobuster Tutorial.
  • Explore Burp extensions for OAuth testing, GraphQL, and more.

🔗 Share this guide with a fellow aspiring penetration tester. Questions? Drop them in the comments below.

Written by Suresh S

Founder of FreeTechLearner, a technology blog dedicated to Linux, Open Source, Cybersecurity, Cloud Computing, Self-Hosting, and AI. I create practical tutorials and learning resources that help students, beginners, and tech enthusiasts build real-world skills and stay updated with modern technology.
