| Tool | Description | Example use |
|---|---|---|
| Intercepting Proxy | Captures and modifies HTTP/HTTPS traffic between the browser and the target | Change a request parameter (price=10 → price=1) to test an e-commerce app for parameter tampering |
| Target (site map) | Maps all discovered endpoints, parameters and cookies | See that an /admin endpoint exists but is not linked from the UI, a candidate for forced browsing |
| Spider (the crawler in current Burp versions) | Crawls the app to discover hidden content and links | Finds a hidden /backup/ folder containing old files with sensitive data |
| Scanner (Pro) | Automated vulnerability scanning | Detects reflected XSS in a search box |
| Intruder | Automated, customizable attacks (brute force, fuzzing) | Brute-force a login page with a password list |
| Repeater | Manually modify and resend individual requests | Change JWT claims in an Authorization header and resend to test whether the signature is actually verified (broken access control) |
| Comparer | Compare two requests or responses side by side | Compare logged-in vs logged-out responses to spot missing access control checks |
| Sequencer | Analyzes the randomness of session tokens | Detects predictable session IDs in a banking app, a session hijacking risk |
| Decoder | Encode, decode and transform data (Base64, URL, hex, hashes; JWT segments are just Base64url) | Decode cGFzc3dvcmQxMjM= to reveal password123; a Basic Auth header is only base64(user:password), so anyone who sees the header has the credentials |
| Extender (BApp Store) | Install extensions for extra functionality | Use the "Autorize" extension to test whether admin-only APIs are accessible to normal users |
| Collaborator (Pro) | Out-of-band interaction testing (SSRF, blind XSS) | Detect SSRF when a request triggers a DNS/HTTP callback to Burp Collaborator |
| Session Handling Rules | Automate login macros and session handling | Keep an authenticated session active while scanning an app behind a login |
| Project & Reporting (reports are Pro) | Save all results and generate reports | Create a professional HTML report for a client with proof of SQLi/XSS findings |
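The Decoder and Repeater rows above describe two manual steps: decoding a Basic Auth header, and editing JWT claims to see whether the server re-checks the signature. The following added example (not code from Burp or from this page) scripts both steps offline so you can see what a correct server-side verifier must reject. The secret, the user "alice", and the token claims are constructed for the example; in a real test the tampered token would be sent from Repeater and you would read the server's response instead of calling `verify_jwt`.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for this example (hypothetical, not from any real app).
SECRET = b"server-side-signing-key"   # stays on the server; never visible in the browser
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:password123").decode()


def decode_basic_auth(header_value):
    """Decoder step: Basic Auth is only base64(user:password), not encryption."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Auth header")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Mint an HS256 JWT the way the hypothetical server would."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_claim(token, key, value):
    """Repeater step: edit one claim, keep the original signature, resend."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims[key] = value
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_payload}.{sig}"


def forge_alg_none(claims):
    """Classic bypass attempt: declare alg=none and send an empty signature."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_jwt(token, secret):
    """What a correct server-side check does; returns the claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never trust 'alg' from the token (blocks alg=none).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def run_checks():
    """Which attacker tokens the verifier accepts; only the original should pass."""
    token = make_jwt({"sub": "alice", "role": "user"}, SECRET)
    return {
        "original_accepted": verify_jwt(token, SECRET) is not None,
        "tampered_accepted": verify_jwt(tamper_claim(token, "role", "admin"), SECRET) is not None,
        "alg_none_accepted": verify_jwt(forge_alg_none({"sub": "alice", "role": "admin"}), SECRET) is not None,
    }


if __name__ == "__main__":
    print(decode_basic_auth(BASIC_HEADER))
    print(run_checks())
```

If a target accepts the output of `tamper_claim` or `forge_alg_none` (a 200 with admin content rather than a 401), it is not verifying signatures or is honouring the `alg` header, which is the broken access control the Repeater row refers to.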