Burp Suite — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

PortSwigger's industry-standard web application testing proxy — Pro is the bug-bounty hunter's default tool.

Use case: Web ApplicationDifficulty: IntermediateHomepage: https://portswigger.net/burp

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux/macOS (Community)

wget https://portswigger.net/burp/releases/community/latest -O burp.sh && chmod +x burp.sh && ./burp.sh

Docker

docker run -p 8080:8080 portswigger/burp-suite-community

macOS (brew)

brew install --cask burp-suite

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Configure browser proxy

Browser → 127.0.0.1:8080; install Burp CA cert

CLI (Enterprise)

burpsuite_pro --headless --target=https://target.com

Replay request

Right-click in Proxy → Send to Repeater

Run scan (Pro)

Dashboard → New scan → Crawl + Audit

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Pro vs Community: Community has no scanner, no Intruder rate, no save/load. For real work, Pro is mandatory ($475/yr).
  • Memory: bump -Xmx4G in burp.vmoptions for large engagements (default 1G crashes on 5000+ proxy entries).
  • Project File mode (Pro): saves state to disk continuously. Use for week-long engagements.
  • Throttle Intruder: thread count 5-10 for production targets, never default 100.
  • Use collaborator-proxy + private Collaborator server for blind SSRF / OOB testing without leaking targets to PortSwigger.
  • Caido is now mature enough as Burp alternative — lighter, Rust-based, faster start-up; consider for grunt work.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default scope captures EVERYTHING. Set scope tightly before clicking around target — otherwise unrelated traffic pollutes your project.
  • CA cert installation: Firefox needs separate trust store from system CA. Most missed-traffic complaints are this.
  • Burp’s Active Scanner can DELETE accounts via destructive payloads. Use Audit Light or Active scanning excluded paths only on prod.
  • Extension Bapp store has unmaintained extensions — verify before installing.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Caido — modern Rust-based alternative; great UX, lighter weight.
  • OWASP ZAP — free; less polished but full-featured.
  • mitmproxy — Python, scriptable; CLI-first.

India context and engagement notes

For CERT-In empanelled VAPT: PortSwigger’s Active Scan results + manual evidence is the canonical output format Indian auditors expect. Pair with manually crafted Repeater proofs for each finding.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants