Burp Suite Cheatsheet

Burp Suite shortcuts, Repeater techniques, Intruder attack types, scanner tips, Match & Replace rules, and essential BApp extensions. (32 payloads)

Proxy & Shortcuts

(7)

Ctrl+R

Send request to Repeater from any tab

Ctrl+I

Send request to Intruder

Ctrl+Shift+R

Toggle intercept on/off

Ctrl+F

Forward intercepted request

Ctrl+Shift+F

Forward and intercept next

Ctrl+Z

Drop intercepted request

Right-click → Do intercept → Response to this request

Intercept the response for a specific request

Repeater Techniques

(5)

Ctrl+Enter

Send request (faster than clicking Send)

Ctrl+← / Ctrl+→

Navigate request history

Right-click → Change request method

Switch GET↔POST (Burp rewrites body/params)

Right-click → Paste URL as request

Paste a URL directly into Repeater

Inspector panel → Request attributes

Parse and edit parameters visually

Intruder Attack Types

(4)

Sniper

One payload position, one wordlist — cycles through each position sequentially

Battering Ram

One wordlist, all positions use same value — brute force single password across all fields

Pitchfork

Multiple wordlists, parallel — pair username[i] with password[i] (credential stuffing)

Cluster Bomb

Multiple wordlists, cartesian product — try all combinations (username × password brute force)

Scanner & Active Scan

(4)

Right-click request → Scan

Active scan a single request for vulnerabilities

Target → Site map → Right-click domain → Scan

Scan entire site map

Dashboard → New scan → Crawl and audit

Automated crawl + vulnerability scan

Scan configuration → Audit checks → SQLi/XSS/Path traversal

Configure scan to focus on specific vuln types

Match & Replace

(4)

Proxy → Match and replace → Add rule: Request header / User-Agent / Mozilla/5.0 → Googlebot/2.1

Spoof User-Agent to Googlebot for all requests

Request header match: ^Authorization.*$ — replace with empty — bypass token validation

Remove Authorization header to test missing auth

Response header match: X-Frame-Options → replace with empty

Remove clickjacking protection to test embedding

Request body match: admin=false → replace: admin=true

Mass-replace privilege flags in all requests

Essential BApp Extensions

(8)

Turbo Intruder

High-speed Intruder replacement — race conditions, single-packet attacks, 10k+ req/sec

AuthMatrix

Test authorization across multiple user roles simultaneously

Autorize

Automatic IDOR/BOLA detection — replay every request as low-priv user

Param Miner

Discover hidden/undocumented parameters via header/body/URL fuzzing

JWT Editor

Decode/edit/resign JWTs, alg:none attacks, key confusion

Hackvertor

Tag-based encoding directly in requests — great for WAF bypass

Logger++

Advanced request/response logging with filtering and grep

HTTP Request Smuggler

Detect and exploit HTTP request smuggling (CL.TE, TE.CL, TE.TE)

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

XSS Payload SQL Injection HTTP Request Smuggling

Related Cheat Sheets

XSS Cheat Sheet Active Directory & Kerberos Cheat Sheet SQLMap Injection Cheatsheet

$loading...