How to Install Burp Suite in 2026 — Complete Setup and Penetration Testing Roadmap With Cyberecurity AI
BURP SUITE - Web APPLICATION TESTING 2026
By Vikas Thakur | The Frustrated Hacker
Introduction
sat down and properly learned Burp Suite.
Everything changed.
Not because Burp Suite is magic. It is not. It is a tool — a very powerful one — but it only becomes powerful once you understand what it is actually doing and why. That is what most installation guides miss completely. They show you how to download a file and click Next. They do not show you what to do after.
This guide fixes that.
We are covering the complete picture — how to install Burp Suite Community Edition on Windows, Linux, and macOS in 2026, how to configure it correctly from the very first launch, and a full penetration testing roadmap that takes you from your first intercepted request all the way to advanced web application attacks used by professional penetration testers.
Whether you just heard of Burp Suite for the first time or you have been clicking around in it without really knowing what you are doing — this is the guide you need.
What Is Burp Suite and Why Do Penetration Testers Use It
Burp Suite is a web application security testing platform developed by PortSwigger. It sits between your browser and the web application you are testing — intercepting every HTTP and HTTPS request that flows between them — giving you complete visibility and control over the traffic.
Think of it this way. When you visit a website your browser sends requests and receives responses. Normally you never see the raw content of those requests. Burp Suite makes them fully visible, fully editable, and fully repeatable. This is the foundation of web application penetration testing.
Professional penetration testers use Burp Suite on virtually every web application engagement. Bug bounty hunters use it to find vulnerabilities worth hundreds of thousands of dollars. Security researchers use it to understand how modern web applications process data and where that processing goes wrong.
There are three versions. Burp Suite Community Edition is completely free and covers everything in this guide. Burp Suite Professional costs $449 per year and adds automated scanning, a more advanced intruder module, and collaboration features. Burp Suite Enterprise is designed for large organisations running automated scans at scale.
For learning, for CTF competitions, for bug bounty hunting at the beginner level, and for small professional engagements — Community Edition is everything you need.
System Requirements for 2026
Before downloading, verify your system meets these requirements. Burp Suite is a Java application and runs on the JDK — Java Development Kit.
- RAM: 8GB minimum, 16GB recommended for comfortable use
- Storage: 2GB free space for installation
- Java: JDK 17 or higher (Burp Suite 2026 bundles its own JRE — you do not need to install Java separately in most cases)
- OS: Windows 10/11, macOS 12+, or any modern Linux distribution
- Browser: Firefox (recommended for proxy configuration — easier than Chrome)
Installation Guide — Windows
Step 1 — Download Burp Suite Community Edition
Go to portswigger.net/burp/communitydownload. Click the Windows installer button. The download is approximately 650MB. Do not download from any third-party site — only from PortSwigger's official website.
Step 2 — Run the Installer
Double-click the downloaded .exe file. Windows Defender
SmartScreen may show a warning — click "More info" then "Run anyway."
This is normal for security tools. The installer is safe when downloaded
directly from PortSwigger.
Follow the installation wizard. Default settings are fine. The installer creates a desktop shortcut and a Start menu entry automatically.
Step 3 — First Launch
Open Burp Suite from the Start menu or desktop shortcut. On first launch you will see the project options screen. Select "Temporary project" and click Next. Select "Use Burp defaults" and click "Start Burp."
Burp Suite will open. You will see the main dashboard with tabs across the top — Proxy, Target, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, Logger, and Extender.
Step 4 — Verify Java Version (if Burp fails to launch)
If Burp Suite fails to open, open Command Prompt and type:
java -version
If Java is not found, download JDK 21 LTS from adoptium.net, install it, then relaunch Burp Suite.
Installation Guide — Linux (Kali Linux and Ubuntu)
Kali Linux — Burp Suite is Pre-Installed
If you are running Kali Linux, Burp Suite Community Edition is already installed. Find it at:
Applications → Web Application Analysis → burpsuite
Or launch it directly from the terminal:
burpsuite
To update to the latest 2026 version on Kali:
sudo apt update && sudo apt upgrade burpsuite -y
Ubuntu and Other Debian-Based Distributions
Download the Linux installer from portswigger.net/burp/communitydownload. Select the Linux installer. Once downloaded, make it executable and run it:
chmod +x burpsuite_community_linux_*.sh
./burpsuite_community_linux_*.sh
Follow the graphical installer. Once complete, launch from your applications menu or from terminal:
/opt/BurpSuiteCommunity/BurpSuiteCommunity
Add a terminal alias for quick access:
echo "alias burp='/opt/BurpSuiteCommunity/BurpSuiteCommunity'" >> ~/.bashrc
source ~/.bashrc
Now you can simply type burp in any terminal to launch it.
Installation Guide — macOS
Step 1 — Download the macOS Installer
Go to portswigger.net/burp/communitydownload. Select the macOS installer. The file downloads as a .dmg file.
Step 2 — Install from DMG
Double-click the .dmg file. Drag the Burp Suite icon into your Applications folder. Eject the DMG.
Step 3 — Handle Gatekeeper (macOS Security Prompt)
On first launch macOS will say "Burp Suite Community Edition cannot be opened because it is from an unidentified developer." This is Gatekeeper — macOS security feature.
To bypass it: Go to System Settings → Privacy & Security → scroll down to the Security section → you will see a message about Burp Suite being blocked → click "Open Anyway."
Alternatively right-click the Burp Suite icon in Applications → click Open → click Open in the dialog box.
Step 4 — Launch and Verify
Burp Suite opens normally after the Gatekeeper override. Select Temporary project → Use Burp defaults → Start Burp. You are in.
Configuring Burp Suite — The Setup Most Guides Skip
Installation is the easy part. Correct configuration is where beginners go wrong and why their testing produces nothing useful.
Step 1 — Configure the Proxy Listener
Burp Suite's Proxy intercepts traffic on localhost port 8080 by
default. Go to Proxy → Proxy settings → Proxy listeners. You should see 127.0.0.1:8080 listed and running. If it shows as not running click the toggle to enable it.
Step 2 — Configure Firefox to Use Burp as Proxy
Firefox is strongly recommended over Chrome for Burp Suite because Firefox has a standalone proxy setting that does not affect your entire system.
Open Firefox → Settings → scroll to bottom → Network Settings → click Settings → select Manual proxy configuration:
HTTP Proxy: 127.0.0.1 Port: 8080
HTTPS Proxy: 127.0.0.1 Port: 8080
Check "Also use this proxy for HTTPS." Click OK.
Step 3 — Install the Burp Suite CA Certificate
This is the step that breaks HTTPS interception for most beginners. Without the CA certificate installed, Burp cannot intercept HTTPS traffic and your browser will show security warnings on every site.
With Firefox configured to use Burp's proxy, navigate to:
http://burpsuite
Click "CA Certificate" in the top right. Save the file as cacert.der.
In Firefox go to Settings → Privacy & Security → scroll to
Certificates → click "View Certificates" → click "Import" → select the cacert.der file you just downloaded → check both trust boxes → click OK.
Burp Suite can now intercept HTTPS traffic without browser warnings. This is essential for testing modern web applications.
Step 4 — Test the Intercept
In Burp Suite go to Proxy → Intercept → click "Intercept is off" to turn it on. In Firefox navigate to any website. Firefox will freeze — waiting. Switch to Burp Suite. You will see the raw HTTP request in the Intercept tab. Click "Forward" to allow it through. You are now intercepting live web traffic.
Turn intercept back off after testing — leaving it on will freeze every request in your browser.
The Burp Suite Penetration Testing Roadmap
Now that Burp Suite is installed and configured correctly, here is the structured roadmap that takes you from first steps to professional-level web application penetration testing.
Stage 1 — Understanding the Proxy (Week 1–2)
Your first goal is to become completely comfortable with traffic interception. Spend time on PortSwigger's Web Security Academy — it is completely free and the best Burp Suite learning resource that exists.
Practice these fundamentals daily:
HTTP history review — go to Proxy → HTTP history after browsing any application. Read every request. Understand what each parameter does. Look at the difference between GET and POST requests. Notice where authentication tokens appear. This passive analysis builds pattern recognition that makes you a better tester.
Request modification — intercept a request, change a parameter value, forward it. Observe how the application responds. Change a username field. Modify a price parameter. Add characters the developer probably did not expect. This is the foundation of manual testing.
Repeater for manual testing — right-click any request in HTTP history → Send to Repeater. The Repeater tab lets you modify and resend requests repeatedly without re-intercepting them. This is your primary manual testing workspace. Every time you find something interesting in HTTP history, send it to Repeater for deeper investigation.
Stage 2 — Finding Your First Vulnerabilities (Week 3–6)
With traffic interception mastered, move to actively testing for specific vulnerability classes using PortSwigger's Web Security Academy labs.
SQL Injection — start here. SQL injection occurs when user input is incorporated into database queries without proper sanitisation. In Burp Suite, intercept a request that contains a parameter passed to a database — typically a search field, login form, or item ID. Send to Repeater. Add a single quote to the parameter value. Observe the response. An SQL error message, a changed response, or a server error all indicate potential injection points.
Basic test payloads:
parameter=value'
parameter=value' OR '1'='1
parameter=value' OR '1'='1'--
Cross-Site Scripting (XSS) — XSS occurs when user input is reflected in the page output without sanitisation, allowing script injection. Send a request with a parameter that appears in the response to Repeater. Replace the parameter value with:
<script>alert(1)</script>
If an alert box fires in your browser, you found a reflected XSS vulnerability. In a real engagement this means an attacker could inject malicious scripts that execute in the victim's browser context.
Broken Authentication — use Burp Suite's Intruder module to test for weak authentication. Capture a login request. Send to Intruder. Set the password field as the payload position. Load a wordlist (Burp Suite Community includes a small wordlist — SecLists on GitHub has comprehensive ones). Run the attack. Look for responses with different lengths or status codes — these indicate successful authentication with a guessed credential.
Stage 3 — Advanced Testing Techniques (Month 2–4)
Once you consistently find basic vulnerabilities in practice applications, advance to these techniques.
Burp Suite Scanner (Community Edition passive scanning) — Community Edition does not include active scanning but does perform passive scanning automatically as you browse. Go to Target → Site map after browsing an application. Burp builds a complete map of every endpoint, parameter, and resource it observed. Right-click any item → Scan → Passive scan. Review the Issues tab for automatically detected problems.
Extensions via BApp Store — go to Extender → BApp Store. Install these extensions that work with Community Edition:
- Retire.js — detects vulnerable JavaScript libraries
- Software Vulnerability Scanner — maps CVEs to observed software
- JSON Web Tokens — JWT analysis and manipulation
- Param Miner — discovers hidden parameters
Parameter discovery with Param Miner — once installed, right-click any request → Extensions → Param Miner → Guess everything. Param Miner sends requests with thousands of potential parameter names and identifies ones the server responds to differently. Hidden parameters are a frequent source of critical vulnerabilities in bug bounty programmes.
Stage 4 — Professional Workflow (Month 4+)
At this stage you are building a professional methodology rather than just running individual techniques.
Scope management — go to Target → Scope → add your target application. Right-click in Site map → Add to scope. In Proxy settings enable "Don't intercept requests to out-of-scope items." This keeps your testing focused and your data clean — exactly how professional engagements are run.
Session handling rules — go to Project options → Sessions → Session handling rules. Configure Burp to automatically re-authenticate when sessions expire during automated testing. This prevents false negatives where tests fail simply because the session timed out rather than because a vulnerability does not exist.
Generating professional reports — for every vulnerability record: the affected endpoint, the request that demonstrates it, the response that confirms it, the CVSS severity score, and your remediation recommendation. This documentation habit is what professional penetration testing is built on.
Burp Suite Keyboard Shortcuts That Save Hours
These are the shortcuts that professional Burp Suite users rely on daily. Learn them and your workflow accelerates significantly.
| Shortcut | Action |
|---|---|
Ctrl + R | Send request to Repeater |
Ctrl + I | Send request to Intruder |
Ctrl + Shift + R | Switch to Repeater tab |
Ctrl + F | Search in current tab |
Ctrl + Z | Undo in request editor |
Ctrl + Space | Auto-complete in request editor |
F12 | Toggle Proxy intercept on/off |
Common Burp Suite Problems and Exact Fixes
Problem: Browser shows "Your connection is not private" on HTTPS sites
Fix: The CA certificate is not installed correctly. Repeat the CA
certificate installation steps above precisely. Make sure you imported
to Firefox's certificate store — not your OS certificate store.
Problem: Burp Suite intercepts nothing — HTTP history stays empty
Fix: Firefox is not routing through the proxy. Open Firefox → Settings →
Network Settings → verify proxy is set to 127.0.0.1 port 8080. Also
verify Burp's proxy listener is running on 127.0.0.1:8080 in Proxy →
Proxy settings.
Problem: Burp Suite crashes on launch with Java error
Fix: Memory allocation issue. Go to your Burp Suite installation folder → find BurpSuiteCommunity.vmoptions → open with text editor → change -Xmx200m to -Xmx2048m → save → relaunch. This allocates 2GB RAM to Burp Suite.
Problem: Intruder attack is extremely slow
Fix: This is intentional rate limiting in Community Edition. For basic
brute force testing use Hydra from the command line instead:
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
Practice Targets — Where to Use These Skills Legally
Never use Burp Suite on any real application without written permission. These free platforms give you legal targets to develop your skills:
- PortSwigger Web Security Academy — the best free web security learning platform available. Hundreds of labs covering every major vulnerability class.
- DVWA on VirtualBox — Damn Vulnerable Web Application. Run it locally in VirtualBox for complete control. Every vulnerability type in a single practice application.
- HackTheBox and TryHackMe — both have dedicated web application machines that require Burp Suite for exploitation.
- OWASP Juice Shop — run it locally with Docker:
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
Access at http://localhost:3000 and start testing.
Frequently Asked Questions
Q: Is Burp Suite Community Edition free forever?
Yes — Burp Suite Community Edition is permanently free with no time
limit. PortSwigger does not require registration or a licence key to use
it. The limitations compared to Professional are rate-limited Intruder,
no active scanner, no Burp Collaborator, and no saved projects. For
learning and beginner bug bounty hunting Community Edition is completely
sufficient.
Q: Do I need to know coding to use Burp Suite?
No coding knowledge is required to use Burp Suite's core features.
Understanding basic HTTP request structure — methods, headers,
parameters, status codes — is essential and can be learned in a few
hours. Python knowledge becomes useful when writing custom Burp
extensions but this is an advanced topic not required for beginners.
Q: What is the difference between Burp Suite and OWASP ZAP?
Both are web application security testing tools that work as
intercepting proxies. Burp Suite is more widely used in professional
penetration testing engagements and bug bounty hunting. OWASP ZAP is
completely open source and free including its scanner. For professional
work Burp Suite is the industry standard.
Q: Can Burp Suite be detected by web application firewalls?
Yes — Burp Suite's default scanner sends recognisable traffic patterns
that modern WAFs and intrusion detection systems can identify. During
professional engagements penetration testers modify Burp's user agent,
request timing, and header patterns to reduce detection likelihood.
Q: Is Burp Suite legal to use in India?
Burp Suite itself is completely legal software. Using it against any
system you own or have explicit written permission to test is legal.
Using it against any system without authorisation is illegal under
Section 66 of the IT Act 2000 regardless of your intent. Always test
within legal boundaries.
Legal Requirement
This applies to every tool we cover on The Frustrated Hacker and Burp Suite is no exception.
Only use Burp Suite against applications you own or have explicit written permission to test. Web application penetration testing without authorisation is illegal under the Computer Fraud and Abuse Act in the US, Section 66 of the IT Act in India, and equivalent legislation in virtually every country.
For practice use deliberately vulnerable applications. DVWA (Damn Vulnerable Web Application), OWASP WebGoat, Juice Shop, and PortSwigger's own Web Security Academy labs are all designed specifically for this purpose. Every exercise in this guide assumes you are working against one of these legal practice targets.
Conclusion — From the Frustrated Hacker
Here is what I want you to take away from this guide.
Burp Suite is not a hacking tool. It is a visibility tool. It shows you what is actually happening between a browser and a web application — the raw HTTP traffic that most developers write without ever thinking about how an attacker might manipulate it.
The frustrating reality of web application security is that the same vulnerabilities — SQL injection, XSS, broken authentication — have existed for 25 years and they are still being introduced into production applications every single day. Not because developers are careless. Because the pressure to ship features is relentless and security is still treated as an afterthought in most organisations.
Burp Suite gives you the ability to see those vulnerabilities before attackers do. That visibility is valuable. Treat it responsibly, practice it legally, document everything you find, and you are on the path to being exactly the kind of security professional this industry desperately needs.
Install it today. Break something in your lab. Come back when you get stuck.
That is what The Frustrated Hacker is here for.
— Vikas Thakur
The Frustrated Hacker
Related reading on The Frustrated Hacker:
→ Ethical Hacking — The Complete Guide from Beginner to Advanced
→ How Gemini, ChatGPT and Claude Really Improve Cybersecurity in 2026