
How to Use Burp Suite Like a Bug Bounty Hunter

Master Burp Suite with techniques used by professional bug bounty hunters: from basic interception to advanced automation.

Tags: Burp Suite, web security, bug bounty, tools


Burp Suite is the Swiss Army knife of web application security testing. This guide covers the techniques that separate casual users from professional bug bounty hunters.

Initial Setup for Hunting

Optimizing Burp for Bug Bounty

Project Configuration:

  • Use project files to save your work
  • Give Burp enough memory (at least 2GB of heap for large scopes)
  • Set up scope correctly from the start

Target Scope Setup:

Include in scope:
- *.target.com
- api.target.com
- *.target.io

Exclude from scope:
- analytics.target.com
- third-party domains

Essential Extensions

Install these from the BApp Store:

  1. Logger++ — Enhanced logging and searching
  2. Autorize — Automated authorization testing
  3. Param Miner — Hidden parameter discovery
  4. JS Link Finder — Extract endpoints from JavaScript
  5. Turbo Intruder — High-speed fuzzing
  6. Hackvertor — Advanced encoding/decoding
  7. HTTP Request Smuggler — Smuggling detection
  8. Collaborator Everywhere — SSRF/blind vulnerability detection

Reconnaissance with Burp

Passive Spider

Before active crawling, let the passive spider collect data as you browse:

  1. Browse the target manually
  2. Check Site map for discovered content
  3. Review Response codes for interesting patterns
  4. Look for patterns in URL structures

Active Spidering (With Permission)

Spider > Control > Start

Configure carefully:

  • Set appropriate speed limits
  • Avoid dangerous actions (logout, delete)
  • Handle forms appropriately

Content Discovery

Use Discover Content for finding hidden resources:

Target > Site map > Right-click > Engagement tools > Discover content

Custom wordlists for better results:

  • Industry-specific terms
  • Technology-specific paths
  • Target-specific patterns

Proxy Interception Mastery

Smart Interception

Don't intercept everything. Set up intelligent rules:

Intercept Rules:

AND: Request URL is in target scope
AND: File extension does not match: jpg|png|gif|css|js
AND: Method is not OPTIONS

Match and Replace: Automatically modify requests:

  • Remove security headers for testing
  • Add custom headers
  • Change parameter values

Response Modification

Enable response interception for:

  • Bypassing client-side controls
  • Testing hidden functionality
  • Modifying JavaScript behavior

Intruder: The Power Tool

Attack Types

Sniper: One payload set, inserted into one position at a time while the other positions keep their base value

  • Best for: Parameter fuzzing, single injection points

Battering Ram: One payload set, with the same payload inserted into every position at once

  • Best for: Testing the same value across fields

Pitchfork: One payload set per position, stepped in lockstep (the attack stops when the shortest set runs out)

  • Best for: Username/password combinations that are already paired

Cluster Bomb: One payload set per position, every combination tried (request count is the product of the set sizes)

  • Best for: Comprehensive testing (can be slow)
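To make the four attack types concrete, this added example (not from the original post) enumerates the requests each type would send for a template with two positions; the `§...§` marker syntax follows Burp, while the template and payload sets are constructed sample data and the function names are my own.

```python
from itertools import product

# Constructed sample: two payload positions, two payload sets (sizes 2 and 3)
TEMPLATE = "user=§u§&pass=§p§"
PAYLOAD_SETS = [["alice", "bob"], ["x", "y", "z"]]


def positions(template):
    """Base values between the markers, in order (Burp keeps these for untouched positions)."""
    return template.split("§")[1::2]


def fill(template, values):
    """Substitute one value per marker, left to right."""
    parts = template.split("§")          # odd indexes are the marker contents
    for i, value in enumerate(values):
        parts[2 * i + 1] = value
    return "".join(parts)


def intruder_requests(template, payload_sets, attack):
    """Return the list of request strings the given Intruder attack type generates."""
    base = positions(template)
    n = len(base)
    if attack == "sniper":
        # single set; one position at a time, the others keep their base value
        combos = [base[:i] + [p] + base[i + 1:]
                  for i in range(n) for p in payload_sets[0]]
    elif attack == "battering_ram":
        # single set; the same payload goes into every position at once
        combos = [[p] * n for p in payload_sets[0]]
    elif attack == "pitchfork":
        # one set per position, stepped in lockstep; zip stops at the shortest set
        combos = [list(c) for c in zip(*payload_sets[:n])]
    elif attack == "cluster_bomb":
        # one set per position, every combination: len(set1) * len(set2) * ... requests
        combos = [list(c) for c in product(*payload_sets[:n])]
    else:
        raise ValueError("unknown attack type: %s" % attack)
    return [fill(template, c) for c in combos]


def request_counts(template, payload_sets):
    """Request count per attack type, useful for estimating run time before launching."""
    return {a: len(intruder_requests(template, payload_sets, a))
            for a in ("sniper", "battering_ram", "pitchfork", "cluster_bomb")}
```

With the sample sets this yields 4, 2, 2 and 6 requests respectively; Cluster Bomb's count grows multiplicatively with every added set, which is why it is the slow one.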

Effective Fuzzing Techniques

Finding Hidden Parameters:

POST /api/user HTTP/1.1

{"username":"test","§param§":"§value§"}

Use a parameter-name wordlist for the first position and a value wordlist for the second (Pitchfork or Cluster Bomb, depending on whether the pairs are known).

IDOR Testing:

GET /api/users/§id§ HTTP/1.1
Authorization: Bearer <your_token>

Payload: 1-10000 (sequential) or known user IDs.

Authentication Bypass:

GET /admin/dashboard HTTP/1.1
§Header§: §Value§

Test various bypass headers:

  • X-Forwarded-For: 127.0.0.1
  • X-Original-URL: /admin
  • X-Custom-IP-Authorization: 127.0.0.1

Grep Settings

Configure result extraction:

Grep - Match:

  • Error messages
  • Success indicators
  • Sensitive data patterns

Grep - Extract:

  • CSRF tokens
  • Session IDs
  • API keys

Repeater: Surgical Testing

Testing Workflow

  1. Send interesting request to Repeater
  2. Create baseline response
  3. Modify one thing at a time
  4. Document each finding

Organized Tab Groups

Name your tabs meaningfully:

  • IDOR-userid
  • SQLi-search
  • XSS-comment
  • AuthBypass-admin

Comparison Feature

Compare responses to identify differences:

  1. Send original request
  2. Modify and send
  3. Right-click > Show response in comparison

Advanced Techniques

Turbo Intruder (High-Speed Attacks)

Turbo Intruder runs a short Python script against a request, replacing the %s marker in the request with each queued word. For rate-limited testing or large-scale fuzzing:

def queueRequests(target, wordlists):
    # 30 connections x 100 pipelined requests each; lower these for fragile targets
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=True)

    # each wordlist line is substituted into the %s marker in target.req
    for word in open('/path/to/wordlist.txt'):
        engine.queue(target.req, word.rstrip())


def handleResponse(req, interesting):
    # req.status is an integer, so compare numerically rather than with a string
    if req.status == 200:
        table.add(req)

HTTP Request Smuggling

Test for smuggling vulnerabilities. The classic CL.TE probe relies on the front end honouring Content-Length while the back end honours Transfer-Encoding, so the trailing bytes are left on the connection and prefix the next request:

POST / HTTP/1.1
Host: target.com
Content-Length: 30
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1

Use the HTTP Request Smuggler extension for automated detection.

Collaborator for Blind Vulnerabilities

Insert Collaborator payloads in:

  • Headers (Host, X-Forwarded-Host)
  • Parameters (XXE, SSRF)
  • File uploads
  • Any reflection point

Check Collaborator client for callbacks indicating vulnerabilities.

CORS Testing

Test for CORS misconfigurations:

GET /api/user HTTP/1.1
Origin: https://evil.com

Look for the probe origin reflected back rather than a fixed allowlisted value:

  • Access-Control-Allow-Origin: https://evil.com
  • Access-Control-Allow-Credentials: true

Both headers together mean a foreign page can read responses from the victim's authenticated session.
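This added example (not from the original post) classifies what the response to the probe above reveals, and shows the exact-match allowlist a server should use instead of echoing whatever Origin it receives; the sample headers, allowlist entries and function names are constructed.

```python
PROBE_ORIGIN = "https://evil.com"   # the foreign origin sent in the probe request


def classify_cors(probe_origin, headers):
    """Verdict for a response to a request that carried Origin: probe_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == probe_origin:
        # the foreign origin was echoed back; with credentials allowed, any site
        # can read responses from the victim's authenticated session
        return "origin-reflected-with-credentials" if creds else "origin-reflected"
    if acao == "*":
        # browsers refuse to combine * with credentials, so a bare wildcard only
        # exposes data that needs no cookie anyway
        return "wildcard-with-credentials" if creds else "wildcard"
    return "fixed-origin"


# Constructed allowlist for the hardened server side
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_for(origin, allowed=ALLOWED_ORIGINS):
    """Hardened server side: allow credentials only for an exact allowlist match."""
    if origin in allowed:           # exact match, never startswith/endswith or a regex
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}   # keep caches from serving one origin's answer to another
    return {}                       # unknown origins get no CORS headers at all


# Constructed response showing the misconfiguration the probe is looking for
VULNERABLE_RESPONSE = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                       "Access-Control-Allow-Credentials": "true"}
```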

WebSocket Testing

Use WebSockets history:

  1. Capture WebSocket traffic
  2. Send messages to Repeater
  3. Modify and resend
  4. Look for injection points

Bug-Specific Hunting

XSS Hunting

Workflow:

  1. Identify reflection points
  2. Test encoding/filtering
  3. Craft context-appropriate payloads
  4. Verify execution

Payloads to try:

<script>alert(1)</script>
"><script>alert(1)</script>
'-alert(1)-'
</script><script>alert(1)</script>
<img src=x onerror=alert(1)>

SQL Injection

Detection:

' OR '1'='1
' OR '1'='1'--
1 AND 1=1
1 AND 1=2

Time-based:

1' AND SLEEP(5)--
1'; WAITFOR DELAY '0:0:5'--

SSRF

Testing payloads:

http://127.0.0.1
http://localhost
http://[::1]
http://0.0.0.0
http://169.254.169.254 (AWS metadata)
http://collaborator.payload.com

Workflow Optimization

Session Management

Configure session handling rules for:

  • Automatic re-authentication
  • CSRF token extraction
  • Cookie management

Macros

Record macros for multi-step actions:

  1. Login sequences
  2. Token retrieval
  3. Complex state changes

Project Organization

Naming Conventions:

project_target_date.burp

Notes:

  • Document findings immediately
  • Screenshot interesting responses
  • Tag significant requests

Reporting from Burp

Generating Evidence

For each finding:

  1. Save request/response pairs
  2. Screenshot Burp interface
  3. Document reproduction steps
  4. Note impact and severity

Export Options

  • Save items as XML for later analysis
  • Export specific findings
  • Generate scan reports (Pro only)

Common Mistakes to Avoid

  1. Testing without scope — Always verify authorization
  2. Missing rate limits — Respect target infrastructure
  3. Incomplete testing — Test all parameters, not just obvious ones
  4. Ignoring JavaScript — Many endpoints hidden in JS
  5. Not checking 4xx responses — 403s often bypassable
  6. Skipping mobile endpoints — Mobile APIs often less secure

Pro Tips

Time-Saving Shortcuts

  • Ctrl+R — Send to Repeater
  • Ctrl+I — Send to Intruder
  • Ctrl+U — URL encode selection
  • Ctrl+Shift+U — URL decode selection

Efficiency Hacks

  • Use search across all tools
  • Color-code interesting requests
  • Create request templates
  • Build personal payload libraries

Want to level up your bug hunting skills? Contact us: m1k3@msquarellc.net
