Burp Suite’s free Community Edition is plenty powerful for basic proxying, but its real magic unlocks when you understand how to configure your browser to talk to it.
Let’s get your browser slinging traffic through Burp. We’ll use Firefox for this example, but the principles apply to Chrome and others.
First, fire up Burp Suite. You’ll see a dashboard; click the "Proxy" tab, then the "Options" sub-tab. Under "Proxy Listeners," you’ll see a default configuration: 127.0.0.1:8080. This is Burp’s listening address and port. Keep this in mind; it’s what your browser needs to know.
Now, let’s tell Firefox about Burp. Open Firefox, go to Preferences (or Settings), and search for "proxy." Click "Settings…" under "Network Settings."
In the "Connection Settings" window, select "Manual proxy configuration."
For "HTTP Proxy," enter 127.0.0.1 and for "Port," enter 8080. Make sure "Use this proxy server for all protocols" is checked. If you’re also going to proxy HTTPS traffic (which you absolutely should), this setting handles it. If you only wanted to proxy HTTP, you’d uncheck it and configure 127.0.0.1:8080 for the "HTTP Proxy" and 127.0.0.1:8080 for the "HTTPS Proxy" separately. But for general use, checking the box is simpler and covers both.
Crucially, click "OK" to save these settings. If you forget this step, nothing will route through Burp.
Now, head back to Burp Suite, to the "Proxy" tab, and click the "Intercept" sub-tab. Make sure "Intercept is on" is displayed prominently.
Open a new tab in Firefox and try to visit http://example.com.
Boom. The request should land in Burp’s intercept tab. You’ll see the raw HTTP request, and Firefox will hang, waiting for Burp to forward it. This is your moment. You can inspect, modify, or drop the request. To let it through, click "Forward." If you want to send it to Burp’s other tools (like Repeater or Intruder), click "Send to Repeater" or "Send to Intruder."
The real trick, the one that trips everyone up initially, is understanding how Burp handles HTTPS. When you try to visit an HTTPS site (like https://google.com) for the first time after setting up Burp, Firefox will likely complain about a security risk. This is because Burp needs to decrypt and re-encrypt the traffic: it terminates the TLS connection itself and presents the browser with a certificate signed by its own CA, which Firefox does not yet trust.
To fix this, you need to install Burp’s CA certificate into Firefox. Go back to Burp Suite, click the "Proxy" tab, then "Options." Scroll down to "TLS Certificate" and click "Import / export CA certificate." Choose "Certificate in DER format" and click "Download." Save the file, perhaps as burp-ca.der.
Now, in Firefox, go to Preferences (or Settings), search for "certificates," and click "View Certificates…". Go to the "Authorities" tab, then click "Import…". Select the burp-ca.der file you just downloaded.
A "Downloading Certificate" dialog will pop up. Check "Trust this CA to identify websites" and click "OK."
Now, try visiting https://google.com again. The request should be intercepted in Burp, and the browser should not show a security warning. You can forward it as before.
If you’re using Chrome, the process is similar: go to Settings -> Privacy and security -> Security -> Manage certificates and import the .der file into the "Authorities" tab.
This setup means all your browser traffic, HTTP and HTTPS, is now flowing through Burp. You can switch intercept on and off as needed via the "Intercept" tab in Burp.
The next hurdle is realizing that if you want to proxy traffic from other applications (like mobile apps or command-line tools), you’ll need to configure their proxy settings to point to Burp’s 127.0.0.1:8080 address, and potentially set up a system-wide proxy.