Tools
T1592Burp Suite
What Burp Suite is, how security testers and attackers use it to intercept and manipulate web traffic, and how defenders detect its use on their networks.
View on Graph
What It Is and What Analysts Use It For
- Burp Suite is an integrated platform for web application security testing developed by PortSwigger. Security teams often pair it with Nmap for initial reconnaissance before web application testing.
- It operates as an intercepting proxy — it sits between the browser and the target web application, capturing every HTTP request and response so the tester can inspect, modify, replay, and automate attacks against the application.
- MITRE ATT&CK maps client configuration gathering to
T1592(Gather Victim Host Information), and Burp Suite is a primary tool for sub-techniqueT1592.002(Software) — attackers use it to fingerprint web server technology and identify vulnerable software versions.
Key Features and How Attackers Use Them
| Feature | Legitimate Use | Attacker Use | Detection Signal |
|---|---|---|---|
| Proxy (intercepting) | Inspect and modify HTTP traffic in real-time | Modify parameters to test for SQLi, XSS, privilege escalation | Repeated requests with payload variations from the same IP |
| Repeater | Re-send a single request with modifications | Brute-force parameter fuzzing — send the same request hundreds of times | Identical base URL with slightly varied parameters |
| Intruder | Automated parameter fuzzing with payload positions | Automated injection testing across multiple parameters | High request volume to multiple endpoints, sequential parameter variation |
| Scanner (Pro only) | Automated web vulnerability scanning | Same — automated vulnerability discovery | Aggressive scanning: requests to known-sensitive paths (/admin, /.git, /WEB-INF), spidering behavior |
| Decoder | Encode/decode data | Decode base64, URL-encode, hex-encode payloads to bypass WAF | Can be paired with Intruder — encoded payloads in parameters. Use CyberChef to analyze encoded payloads offline. |
| Collaborator | Out-of-band detection for blind vulnerabilities | Blind SSRF, blind SQLi, blind XXE detection | DNS queries to Burp Collaborator domains (*.burpcollaborator.net) |
Detection — Identifying Burp Suite on Your Network
Detection via Proxy Certificate
When Burp Suite intercepts HTTPS traffic, the browser must trust Burp’s CA certificate. If an attacker is using Burp Suite to intercept traffic, they will have installed the Burp CA certificate on the victim’s machine.
How to check:
- Check the certificate store for PortSwigger CA (
PortSwigger CAin Trusted Root Certification Authorities) - Check for Registry keys:
HKLM\SOFTWARE\PortSwiggerorHKCU\SOFTWARE\PortSwigger - Burp creates an
audit.logfile in its installation directory — if this exists on a host, Burp Suite has been run
Detection via PortSwigger CA Certificate (Windows)
# Check for Burp CA certificate in the trust store
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Issuer -like "*PortSwigger*"}
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Issuer -like "*PortSwigger*"}
If found, the Burp CA certificate has been accepted — possible HTTPS interception in progress.
Detection via Burp Collaborator DNS Queries
Burp Suite’s Collaborator feature generates DNS queries to *.burpcollaborator.net. If you see any DNS query to this domain that is NOT from an authorized penetration test or security team, it indicates active scanning.
SPL query — detect Burp Collaborator usage:
index=dns sourcetype=dns_query
| search query IN ("*burpcollaborator.net*")
| stats values(query) as BurpDomains, values(src_ip) as Sources by _time
| eval alert = "MEDIUM — Burp Collaborator DNS query detected from " . Sources
| table _time, Sources, BurpDomains, alert
This query can be run in Splunk or any SIEM platform that supports SPL-style syntax.
Detection via User-Agent and HTTP Headers
Burp Suite sends distinctive HTTP headers that are not present in legitimate browser traffic:
| Header | Example | Why It Matters |
|---|---|---|
X-Forwarded-For | 127.0.0.1 | Burp may add this when forwarding. Not inherently malicious but unusual in external traffic. |
X-Burp-Suite | (header present) | Burp does not add this header by default, but if the tester configured it, it is a dead giveaway. |
Unusual Accept-Language | Burp defaults may differ from browser | Compare against normal baseline. |
Connection: close | Burp’s keep-alive behavior differs from browsers | Most browsers use keep-alive. Burp may close connections after each request. |
Detection via Behavioral Patterns
Burp Suite produces distinctive traffic patterns that differ from legitimate users:
- Spidering behavior: The attacker uses Burp’s Spider to crawl the application. This generates requests to every link, URL parameter, and form action — much more comprehensive than any normal user session.
- Sequential parameter fuzzing: Intruder sends
?id=1,?id=2,?id=3… or?id=1',?id=1'',?id=1'''— machine-like accuracy with no human variation. - Encoding variations: Intruder automatically URL-encodes payloads, producing requests with high proportions of
%20,%27,%3D,%3C(spaces, quotes, equals, angle brackets). - High request rate: A single IP sending 100+ requests per minute to the same application with varied parameters is suspicious.
SPL query — detect automated scanning (possible Burp Intruder) by request rate:
index=web sourcetype=access_combined
| timechart span=1m count by client_ip
| where count > 100
| eval alert = "MEDIUM — high request rate from " . client_ip . " (" . count . "/minute) — possible automated scanning"
| sort - count
Investigation Workflow
| Finding | Action |
|---|---|
| Burp Collaborator DNS query from internal workstation | Check if the user is authorized to scan. If not, investigate for unauthorized web application testing or an attacker using Burp. |
| Burp CA certificate on a non-admin workstation | Investigate immediately — Burp is not normally installed on standard workstations. Could indicate an attacker using Burp for reconnaissance. |
| High request rate with payload variations from a single IP | Check WAF logs for blocked requests. If the WAF is blocking, the application is being scanned. If requests are reaching the app, investigate for exploitation. |
| Unusual HTTP headers from an internal IP to an internal web server | Could be an attacker testing an internal web application. Check if the IP corresponds to an authorized security tool. |
| Burp audit.log on a server | Someone has run Burp Suite on the server. Investigate who and why. Unauthorized execution is a security incident. |
Prevention
| Control | What It Prevents |
|---|---|
| Application allowlisting | Blocks unauthorized binaries including Burp Suite |
| WAF with rate limiting | Makes automated scanning impractical (if the WAF blocks high request rates). Pair with Snort and Suricata-based IDS for layered detection. |
| Burp Collaborator sinkholing | Blocks out-of-band detection — sinkhole *.burpcollaborator.net DNS |
| Monitoring for Burp CA certificate | Detects HTTPS interception setup |
| Disallow proxy configuration changes | Prevents users from configuring Burp as the system proxy |
Related
- Azure Sentinel — detection and response for T1654 techniques
- BloodHound — detection and response for T1087 techniques
- Cobalt Strike — Detection and Beacon Analysis — detection and response for T1055, T1572, T1071 techniques
