MCP.directory

burp-suite-web-application-testing

by davila7
0
0
Source

This skill should be used when the user asks to "intercept HTTP traffic", "modify web requests", "use Burp Suite for testing", "perform web vulnerability scanning", "test with Burp Repeater", "analyze HTTP history", or "configure proxy for web testing". It provides comprehensive guidance for using Burp Suite's core features for web application security testing.

Install

mkdir -p .claude/skills/burp-suite-web-application-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/5197" && unzip -o skill.zip -d .claude/skills/burp-suite-web-application-testing && rm skill.zip

Installs to .claude/skills/burp-suite-web-application-testing

About this skill

Burp Suite Web Application Testing

Purpose

Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.

Inputs / Prerequisites

Required Tools

  • Burp Suite Community or Professional Edition installed
  • Burp's embedded browser or configured external browser
  • Target web application URL
  • Valid credentials for authenticated testing (if applicable)

Environment Setup

  • Burp Suite launched with temporary or named project
  • Proxy listener active on 127.0.0.1:8080 (default)
  • Browser configured to use Burp proxy (or use Burp's browser)
  • CA certificate installed for HTTPS interception

Editions Comparison

FeatureCommunityProfessional
Proxy
Repeater
IntruderLimitedFull
Scanner
Extensions

Outputs / Deliverables

Primary Outputs

  • Intercepted and modified HTTP requests/responses
  • Vulnerability scan reports with remediation advice
  • HTTP history and site map documentation
  • Proof-of-concept exploits for identified vulnerabilities

Core Workflow

Phase 1: Intercepting HTTP Traffic

Launch Burp's Browser

Navigate to integrated browser for seamless proxy integration:

  1. Open Burp Suite and create/open project
  2. Go to Proxy > Intercept tab
  3. Click Open Browser to launch preconfigured browser
  4. Position windows to view both Burp and browser simultaneously

Configure Interception

Control which requests are captured:

Proxy > Intercept > Intercept is on/off toggle

When ON: Requests pause for review/modification
When OFF: Requests pass through, logged to history

Intercept and Forward Requests

Process intercepted traffic:

  1. Set intercept toggle to Intercept on
  2. Navigate to target URL in browser
  3. Observe request held in Proxy > Intercept tab
  4. Review request contents (headers, parameters, body)
  5. Click Forward to send request to server
  6. Continue forwarding subsequent requests until page loads

View HTTP History

Access complete traffic log:

  1. Go to Proxy > HTTP history tab
  2. Click any entry to view full request/response
  3. Sort by clicking column headers (# for chronological order)
  4. Use filters to focus on relevant traffic

Phase 2: Modifying Requests

Intercept and Modify

Change request parameters before forwarding:

  1. Enable interception: Intercept on
  2. Trigger target request in browser
  3. Locate parameter to modify in intercepted request
  4. Edit value directly in request editor
  5. Click Forward to send modified request

Common Modification Targets

TargetExamplePurpose
Price parametersprice=1Test business logic
User IDsuserId=adminTest access control
Quantity valuesqty=-1Test input validation
Hidden fieldsisAdmin=trueTest privilege escalation

Example: Price Manipulation

POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

productId=1&quantity=1&price=100

# Modify to:
productId=1&quantity=1&price=1

Result: Item added to cart at modified price.

Phase 3: Setting Target Scope

Define Scope

Focus testing on specific target:

  1. Go to Target > Site map
  2. Right-click target host in left panel
  3. Select Add to scope
  4. When prompted, click Yes to exclude out-of-scope traffic

Filter by Scope

Remove noise from HTTP history:

  1. Click display filter above HTTP history
  2. Select Show only in-scope items
  3. History now shows only target site traffic

Scope Benefits

  • Reduces clutter from third-party requests
  • Prevents accidental testing of out-of-scope sites
  • Improves scanning efficiency
  • Creates cleaner reports

Phase 4: Using Burp Repeater

Send Request to Repeater

Prepare request for manual testing:

  1. Identify interesting request in HTTP history
  2. Right-click request and select Send to Repeater
  3. Go to Repeater tab to access request

Modify and Resend

Test different inputs efficiently:

1. View request in Repeater tab
2. Modify parameter values
3. Click Send to submit request
4. Review response in right panel
5. Use navigation arrows to review request history

Repeater Testing Workflow

Original Request:
GET /product?productId=1 HTTP/1.1

Test 1: productId=2    → Valid product response
Test 2: productId=999  → Not Found response  
Test 3: productId='    → Error/exception response
Test 4: productId=1 OR 1=1 → SQL injection test

Analyze Responses

Look for indicators of vulnerabilities:

  • Error messages revealing stack traces
  • Framework/version information disclosure
  • Different response lengths indicating logic flaws
  • Timing differences suggesting blind injection
  • Unexpected data in responses

Phase 5: Running Automated Scans

Launch New Scan

Initiate vulnerability scanning (Professional only):

  1. Go to Dashboard tab
  2. Click New scan
  3. Enter target URL in URLs to scan field
  4. Configure scan settings

Scan Configuration Options

ModeDescriptionDuration
LightweightHigh-level overview~15 minutes
FastQuick vulnerability check~30 minutes
BalancedStandard comprehensive scan~1-2 hours
DeepThorough testingSeveral hours

Monitor Scan Progress

Track scanning activity:

  1. View task status in Dashboard
  2. Watch Target > Site map update in real-time
  3. Check Issues tab for discovered vulnerabilities

Review Identified Issues

Analyze scan findings:

  1. Select scan task in Dashboard
  2. Go to Issues tab
  3. Click issue to view:
    • Advisory: Description and remediation
    • Request: Triggering HTTP request
    • Response: Server response showing vulnerability

Phase 6: Intruder Attacks

Configure Intruder

Set up automated attack:

  1. Send request to Intruder (right-click > Send to Intruder)
  2. Go to Intruder tab
  3. Define payload positions using § markers
  4. Select attack type

Attack Types

TypeDescriptionUse Case
SniperSingle position, iterate payloadsFuzzing one parameter
Battering ramSame payload all positionsCredential testing
PitchforkParallel payload iterationUsername:password pairs
Cluster bombAll payload combinationsFull brute force

Configure Payloads

Positions Tab:
POST /login HTTP/1.1
...
username=§admin§&password=§password§

Payloads Tab:
Set 1: admin, user, test, guest
Set 2: password, 123456, admin, letmein

Analyze Results

Review attack output:

  • Sort by response length to find anomalies
  • Filter by status code for successful attempts
  • Use grep to search for specific strings
  • Export results for documentation

Quick Reference

Keyboard Shortcuts

ActionWindows/LinuxmacOS
Forward requestCtrl+FCmd+F
Drop requestCtrl+DCmd+D
Send to RepeaterCtrl+RCmd+R
Send to IntruderCtrl+ICmd+I
Toggle interceptCtrl+TCmd+T

Common Testing Payloads

# SQL Injection
' OR '1'='1
' OR '1'='1'--
1 UNION SELECT NULL--

# XSS
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

# Path Traversal
../../../etc/passwd
..\..\..\..\windows\win.ini

# Command Injection
; ls -la
| cat /etc/passwd
`whoami`

Request Modification Tips

  • Right-click for context menu options
  • Use decoder for encoding/decoding
  • Compare requests using Comparer tool
  • Save interesting requests to project

Constraints and Guardrails

Operational Boundaries

  • Test only authorized applications
  • Configure scope to prevent accidental out-of-scope testing
  • Rate-limit scans to avoid denial of service
  • Document all findings and actions

Technical Limitations

  • Community Edition lacks automated scanner
  • Some sites may block proxy traffic
  • HSTS/certificate pinning may require additional configuration
  • Heavy scanning may trigger WAF blocks

Best Practices

  • Always set target scope before extensive testing
  • Use Burp's browser for reliable interception
  • Save project regularly to preserve work
  • Review scan results manually for false positives

Examples

Example 1: Business Logic Testing

Scenario: E-commerce price manipulation

  1. Add item to cart normally, intercept request
  2. Identify price=9999 parameter in POST body
  3. Modify to price=1
  4. Forward request
  5. Complete checkout at manipulated price

Finding: Server trusts client-provided price values.

Example 2: Authentication Bypass

Scenario: Testing login form

  1. Submit valid credentials, capture request in Repeater
  2. Send to Repeater for testing
  3. Try: username=admin' OR '1'='1'--
  4. Observe successful login response

Finding: SQL injection in authentication.

Example 3: Information Disclosure

Scenario: Error-based information gathering

  1. Navigate to product page, observe productId parameter
  2. Send request to Repeater
  3. Change productId=1 to productId=test
  4. Observe verbose error revealing framework version

Finding: Apache Struts 2.5.12 disclosed in stack trace.

Troubleshooting

Browser Not Connecting Through Proxy

  • Verify proxy listener is active (Proxy > Options)
  • Check browser proxy settings point to 127.0.0.1:8080
  • Ensure no firewall blocking local connections
  • Use Burp's embedded browser for reliable setup

HTTPS Interception Failing

  • Install Burp CA certificate in browser/system
  • Navigate to http://burp to download certificate
  • Add certificate to trusted root

Content truncated.

More by davila7

View all skills by davila7

scroll-experience

davila7

Expert in building immersive scroll-driven experiences - parallax storytelling, scroll animations, interactive narratives, and cinematic web experiences. Like NY Times interactives, Apple product pages, and award-winning web experiences. Makes websites feel like experiences, not just pages. Use when: scroll animation, parallax, scroll storytelling, interactive story, cinematic website.

6332

software-architecture

davila7

Guide for quality focused software architecture. This skill should be used when users want to write code, design architecture, analyze code, in any case that relates to software development.

8125

senior-fullstack

davila7

Comprehensive fullstack development skill for building complete web applications with React, Next.js, Node.js, GraphQL, and PostgreSQL. Includes project scaffolding, code quality analysis, architecture patterns, and complete tech stack guidance. Use when building new projects, analyzing code quality, implementing design patterns, or setting up development workflows.

8122

senior-security

davila7

Comprehensive security engineering skill for application security, penetration testing, security architecture, and compliance auditing. Includes security assessment tools, threat modeling, crypto implementation, and security automation. Use when designing security architecture, conducting penetration tests, implementing cryptography, or performing security audits.

6819

game-development

davila7

Game development orchestrator. Routes to platform-specific skills based on project needs.

5414

2d-games

davila7

2D game development principles. Sprites, tilemaps, physics, camera.

4812

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318399

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

340397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

452339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
Figma ContextFigma Context

Unlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work

13,4900 tools
Laravel BoostLaravel Boost

Official Laravel-focused MCP server for augmenting AI-powered local development. Provides deep context about your Larave

3,3240 tools
GrafanaGrafana

Safely connect cloud Grafana to AI agents with MCP: query, inspect, and manage Grafana resources using simple, focused o

2,4940 tools
PerplexityPerplexity

Empower your workflows with Perplexity Ask MCP Server—seamless integration of AI research tools for real-time, accurate

1,9990 tools
Azure DevOpsAzure DevOps

Boost your productivity by managing Azure DevOps projects, pipelines, and repos in VS Code. Streamline dev workflows wit

1,37377 tools
Ref ToolsRef Tools

Boost AI coding agents with Ref Tools—efficient documentation access for faster, smarter code generation than GitHub Cop

1,0040 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.