Tips and Tricks
Burp Suite Pro is a powerful tool, but like anything else, the more you know, the more you get out of it. I thought I’d share a few tips and tricks that have made my life easier when working with Burp Suite. Keep in mind that these are things that work for me in my environment—your mileage may vary depending on your workflow and requirements. As always, use what works for you and leave the rest.
Use Target Scope Like a Pro
Setting your target scope properly is one of the easiest ways to save time and reduce clutter. Under Target > Scope, define exactly what you’re testing. Then, go to Proxy > Options and enable the ‘Stop out-of-scope traffic’ option. This ensures you’re only capturing relevant traffic, which makes your life a lot easier when reviewing requests later.
Customize Your Shortcuts
Burp has a ton of keyboard shortcuts that can speed things up once you memorize them. Go to User Options > Keyboard Shortcuts and set up custom bindings for the tasks you perform most often, like sending requests to Repeater or Intruder. Trust me, shaving a few seconds off repetitive tasks adds up over time.
Match and Replace Rules
When dealing with non-production environments, you’ll often run into issues where requests fail due to URLs or headers not matching the actual test environment. Go to Proxy > Options > Match and Replace and add rules to automatically adjust things like Host headers or specific paths. This small tweak can save you from manually modifying requests over and over again.
Take Advantage of Macros
Macros are one of those underused features that can make repetitive workflows feel effortless. For example, if you need to reauthenticate frequently while testing, set up a macro to log in automatically. You can configure macros under Project Options > Sessions. Once it’s running, you’ll never have to waste time manually logging in again.
Use Logger++
If you’re like me and want a cleaner view of every request and response during a test, Logger++ is your friend. It lets you see all the traffic in a simple, organized interface, making it easier to review and debug. This tool is particularly helpful when you want to cross-check logs or identify patterns in traffic.
Save and Load Settings
If you work on multiple projects, exporting your settings can save you a lot of time. You can save everything—extensions, scope, macros, match/replace rules, etc.—and load them for future use. Go to User Options > Project Options and export your configuration. Next time, just import it and get straight to work.
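Here is what the target scope, the Host and path Match and Replace rules, and the exportable settings from the three sections above look like together as one Burp project-options JSON fragment; this is an added example, not from the original post. The key names follow the layout of Burp’s exported project options, and the hostnames, port and paths are constructed placeholders for a test environment.

```json
{
  "target": {
    "scope": {
      "advanced_mode": true,
      "include": [
        {
          "enabled": true,
          "protocol": "https",
          "host": "^app\\.test\\.example$",
          "port": "^443$",
          "file": "^/.*"
        }
      ],
      "exclude": [
        {
          "enabled": true,
          "protocol": "https",
          "host": "^app\\.test\\.example$",
          "port": "^443$",
          "file": "^/logout.*"
        }
      ]
    }
  },
  "proxy": {
    "match_replace_rules": [
      {
        "comment": "Placeholder: send requests captured against prod to the test host",
        "enabled": true,
        "is_simple_match": false,
        "rule_type": "request_header",
        "string_match": "^Host: app\\.example\\.com$",
        "string_replace": "Host: app.test.example"
      },
      {
        "comment": "Placeholder: test env serves the API under /api/v1 instead of /v1",
        "enabled": true,
        "is_simple_match": false,
        "rule_type": "request_first_line",
        "string_match": "^(GET|POST|PUT|DELETE) /v1/",
        "string_replace": "$1 /api/v1/"
      }
    ]
  }
}
```

Excluding the logout path keeps automated tools from killing the session you set up a re-login macro for, and keeping the rules as regexes (`is_simple_match: false`) lets `$1` carry the original method through the path rewrite.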
Practice Intruder Payload Chaining
Intruder isn’t just for brute force or spraying passwords. Try chaining multiple payload sets together for more advanced attacks. For example, you can use one payload set to test SQL injection in a query parameter and another to test XSS in a second position of the same request. With a bit of creativity, Intruder becomes a powerhouse beyond the basics.
Extensions Are Your Best Friend
I’ve already talked about some of my favorite Burp Suite extensions here. The TL;DR? Use the BApp Store! There’s an extension for almost everything, from testing WAFs to analyzing JWTs. A few must-haves for me: Active Scan++, Software Vulnerability Scanner, and Autorize. Don’t underestimate the time these tools can save.
Keep Burp Updated
This might seem obvious, but keep your Burp Suite updated. PortSwigger is constantly adding new features and improving existing ones. The updates often include security fixes too, so you’re better off running the latest version.
Final Thoughts
These are just a few of the tricks I use to make Burp Suite work better for me. It’s all about finding ways to streamline your process so you can focus on what really matters: finding and exploiting vulnerabilities. If you’ve got your own tips, I’d love to hear them—this tool is always evolving, and there’s always more to learn.