Burp Suite Professional

How to Use Burp Suite Professional for Web Application Security [Part Two]

In part one of our blog series on how to use Burp Suite Professional for web application security, we walked you through the steps to get started. In part two, we’ll show you how to use Burp Suite as a web application security testing tool in a practical setting.

For this purpose, we’ll be using the Damn Vulnerable Web Application (DVWA) as our practice site. As the name suggests, DVWA is a vulnerable PHP/MySQL web application. It is designed to help security professionals test their skills and tools in a legal environment, help developers understand the processes they need to secure web applications, and as a tool to teach web application security.

For this tutorial, I’ve loaded up the DVWA ISO on my local machine:

Damn vulnerable web application
Figure 18. Damn Vulnerable Web Application

To get started assessing any web application with Burp, the website must be added to the target scope. This is a crucial step in the assessment process and should always be verified against the scope and Rules of Engagement (ROE) for the assessment. Let’s get this DVWA added to our scope.

This can be done in under the Target tab: Target -> Scope -> Add

Adding Target to scope
Figure 19. Adding Target to Scope

After successfully adding a target, Burp will ask if you’d like to stop sending out-of-scope items to history or other Burp tools. Selecting ‘Yes’ on this prompt help you limit the size of your Burp project, as well as ensuring no out-of-scope requests are automatically executed.

Disable logging of out-of-scope Items for Burp Suite Professional
Figure 20. Disable Logging of Out-of-Scope Items

We’re now ready to capture our first web request with Burp. First, ensure the “Burp” option is selected in your FoxyProxy dropdown as shown in Figure 17. Then navigate to the Proxy -> Intercept tab, and ensure that “Intercept” is on, as seen in Figure 21.

Enabling Intercept for Burp Suite Professional
Figure 21. Enabling Intercept

Turning on the “intercept” switch will allow Burp to capture and hold the next web request that is performed through Firefox. Here, we’ll be capturing and spidering the “login.php” request from the DVWA homepage as seen in Figure 18. With the Burp option selected in FoxyProxy, and the “intercept” switch on, refreshing the Firefox browser captures the following:

Capturing the DVWA “login.php” Request for Burp Suite Professional
Figure 22. Capturing the DVWA “login.php” Request

As seen in Figure 22, the request was successfully captured. From this point, we can execute multiple different actions. With the application already set in our target scope, we’re going to right-click in the “Intercept” screen, and we’re going to send to Spider.

Spidering the Captured Request
Figure 23. Spidering the Captured Request

After sending the request to the “Spider,” we can see that the site map of the DVWA can be seen in the site map:

Successfully Spidering the DWVA Application for Burp Suite Professional
Figure 24. Successfully Spidering the DVWA Application

Here you can manually browse through the identified pages, and functions detected during the spidering process. Browsing the pages will show you the requests and responses sent through Burp, along with the GET and POST details.

The last thing we’re going to do is actively scan the sitemap Burp identified. This will use the excellent Burp scanning engine, as well as the extensions we’ve added to identify possible vulnerabilities and exploits in the targeted application. To do this, right-click the root of the sitemap, and select “Actively scan this host.”

Actively Scanning the Host
Figure 25. Actively Scanning the Host

Prior to executing any scans, the “Active Scanning Wizard” will appear, giving you details of the number of items being scanned, as well as some additional options to check, or uncheck. We are going to leave everything as default for now.

Active Scanning Wizard for Burp Suite Professional
Figure 26. Active Scanning Wizard

After executing the scans, you can see the progress (Scanner > Scan Queue), and current results in Figure 27.

Active Scan Queue for Burp Suite Professional
Figure 27. Active Scan Queue

The “Scan Queue” breaks down the Host, URL, Status, Issues, and timestamp of the items being scanned.

Reviewing Scan Issues for Burp Suite Professional
Figure 28. Reviewing Scan Issues

The live results of the scans running can always be seen by clicking on the root of the URL in the sitemap. In the “Issues” and “Advisory” windows, as shown in Figure 28, you can browse through the detected vulnerabilities, read information on the background of the issue, and see the requests and responses transmitted.

The issues are categorized by severity, which can be viewed by the color of the alert next to the issues. The “cleartext submission of password” is categorized as a “high” in this case. Burp can often generate many false positives during the scanning phase, so manual validation of critical findings is necessary.


Burp Suite Professional has a lot of great features and testing capabilities for any web applications assessment, and is an invaluable tool for pen testers. At this point, you should be able to fire up Burp, target the in-scope applications, and perform initial scanning and testing procedures. Tackling the initial nuances of Burp Suite Professional can be a bit daunting right off the bat, however, becoming fluent with the proxy tool will add another tool to your testing arsenal. Happy Burping!

Do you need to evaluate your security posture or get remote pen testing? Contact us.