Tools

T1592

Burp Suite

What Burp Suite is, how security testers and attackers use it to intercept and manipulate web traffic, and how defenders detect its use on their networks.

View on Graph

What It Is and What Analysts Use It For

  • Burp Suite is an integrated platform for web application security testing developed by PortSwigger. Security teams often pair it with Nmap for initial reconnaissance before web application testing.
  • It operates as an intercepting proxy — it sits between the browser and the target web application, capturing every HTTP request and response so the tester can inspect, modify, replay, and automate attacks against the application.
  • MITRE ATT&CK maps client configuration gathering to T1592 (Gather Victim Host Information), and Burp Suite is a primary tool for sub-technique T1592.002 (Software) — attackers use it to fingerprint web server technology and identify vulnerable software versions.

Key Features and How Attackers Use Them

FeatureLegitimate UseAttacker UseDetection Signal
Proxy (intercepting)Inspect and modify HTTP traffic in real-timeModify parameters to test for SQLi, XSS, privilege escalationRepeated requests with payload variations from the same IP
RepeaterRe-send a single request with modificationsBrute-force parameter fuzzing — send the same request hundreds of timesIdentical base URL with slightly varied parameters
IntruderAutomated parameter fuzzing with payload positionsAutomated injection testing across multiple parametersHigh request volume to multiple endpoints, sequential parameter variation
Scanner (Pro only)Automated web vulnerability scanningSame — automated vulnerability discoveryAggressive scanning: requests to known-sensitive paths (/admin, /.git, /WEB-INF), spidering behavior
DecoderEncode/decode dataDecode base64, URL-encode, hex-encode payloads to bypass WAFCan be paired with Intruder — encoded payloads in parameters. Use CyberChef to analyze encoded payloads offline.
CollaboratorOut-of-band detection for blind vulnerabilitiesBlind SSRF, blind SQLi, blind XXE detectionDNS queries to Burp Collaborator domains (*.burpcollaborator.net)

Detection — Identifying Burp Suite on Your Network

Detection via Proxy Certificate

When Burp Suite intercepts HTTPS traffic, the browser must trust Burp’s CA certificate. If an attacker is using Burp Suite to intercept traffic, they will have installed the Burp CA certificate on the victim’s machine.

How to check:

  • Check the certificate store for PortSwigger CA (PortSwigger CA in Trusted Root Certification Authorities)
  • Check for Registry keys: HKLM\SOFTWARE\PortSwigger or HKCU\SOFTWARE\PortSwigger
  • Burp creates an audit.log file in its installation directory — if this exists on a host, Burp Suite has been run

Detection via PortSwigger CA Certificate (Windows)

# Check for Burp CA certificate in the trust store
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {$_.Issuer -like "*PortSwigger*"}
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Issuer -like "*PortSwigger*"}

If found, the Burp CA certificate has been accepted — possible HTTPS interception in progress.

Detection via Burp Collaborator DNS Queries

Burp Suite’s Collaborator feature generates DNS queries to *.burpcollaborator.net. If you see any DNS query to this domain that is NOT from an authorized penetration test or security team, it indicates active scanning.

SPL query — detect Burp Collaborator usage:

index=dns sourcetype=dns_query
| search query IN ("*burpcollaborator.net*")
| stats values(query) as BurpDomains, values(src_ip) as Sources by _time
| eval alert = "MEDIUM — Burp Collaborator DNS query detected from " . Sources
| table _time, Sources, BurpDomains, alert

This query can be run in Splunk or any SIEM platform that supports SPL-style syntax.

Detection via User-Agent and HTTP Headers

Burp Suite sends distinctive HTTP headers that are not present in legitimate browser traffic:

HeaderExampleWhy It Matters
X-Forwarded-For127.0.0.1Burp may add this when forwarding. Not inherently malicious but unusual in external traffic.
X-Burp-Suite(header present)Burp does not add this header by default, but if the tester configured it, it is a dead giveaway.
Unusual Accept-LanguageBurp defaults may differ from browserCompare against normal baseline.
Connection: closeBurp’s keep-alive behavior differs from browsersMost browsers use keep-alive. Burp may close connections after each request.

Detection via Behavioral Patterns

Burp Suite produces distinctive traffic patterns that differ from legitimate users:

  • Spidering behavior: The attacker uses Burp’s Spider to crawl the application. This generates requests to every link, URL parameter, and form action — much more comprehensive than any normal user session.
  • Sequential parameter fuzzing: Intruder sends ?id=1, ?id=2, ?id=3… or ?id=1', ?id=1'', ?id=1''' — machine-like accuracy with no human variation.
  • Encoding variations: Intruder automatically URL-encodes payloads, producing requests with high proportions of %20, %27, %3D, %3C (spaces, quotes, equals, angle brackets).
  • High request rate: A single IP sending 100+ requests per minute to the same application with varied parameters is suspicious.

SPL query — detect automated scanning (possible Burp Intruder) by request rate:

index=web sourcetype=access_combined
| timechart span=1m count by client_ip
| where count > 100
| eval alert = "MEDIUM — high request rate from " . client_ip . " (" . count . "/minute) — possible automated scanning"
| sort - count

Investigation Workflow

FindingAction
Burp Collaborator DNS query from internal workstationCheck if the user is authorized to scan. If not, investigate for unauthorized web application testing or an attacker using Burp.
Burp CA certificate on a non-admin workstationInvestigate immediately — Burp is not normally installed on standard workstations. Could indicate an attacker using Burp for reconnaissance.
High request rate with payload variations from a single IPCheck WAF logs for blocked requests. If the WAF is blocking, the application is being scanned. If requests are reaching the app, investigate for exploitation.
Unusual HTTP headers from an internal IP to an internal web serverCould be an attacker testing an internal web application. Check if the IP corresponds to an authorized security tool.
Burp audit.log on a serverSomeone has run Burp Suite on the server. Investigate who and why. Unauthorized execution is a security incident.

Prevention

ControlWhat It Prevents
Application allowlistingBlocks unauthorized binaries including Burp Suite
WAF with rate limitingMakes automated scanning impractical (if the WAF blocks high request rates). Pair with Snort and Suricata-based IDS for layered detection.
Burp Collaborator sinkholingBlocks out-of-band detection — sinkhole *.burpcollaborator.net DNS
Monitoring for Burp CA certificateDetects HTTPS interception setup
Disallow proxy configuration changesPrevents users from configuring Burp as the system proxy

Sources