Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 4: Burp Suite Proxy: Configuration, Request Interception, and Repeater

In this lesson, you’ll learn about:Burp Proxy tab — purpose & subtabs: Intercept (toggle request interception), HTTP History (record of proxied requests), and Options (listen address/port configuration).How the proxy works: Burp listens for browser traffic on a configured IP and port (default 127.0.0.1:8080); the browser must be configured for manual proxying to point to the same host/port.Intercept workflow: with Intercept on you can view request details (headers, cookies, params, user-agent), then Forward the request to the server or Drop it to stop it.Configuring the listening interface: use Proxy → Options to change the bind address/port or add additional listener entries (useful for VM / remote testing).Recommended browser: use a separate testing browser (Mozilla Firefox recommended) to avoid contaminating your daily browser profile.Handling HTTPS traffic: Burp generates per-host SSL certs signed by its own CA — install Burp’s CA certificate into the browser (visit http://burp while proxied to download it), then mark it trusted (“Trust this CA to identify websites”) and restart the browser. This allows Burp to intercept HTTPS without browser warnings.Security caution: only install Burp’s CA in a dedicated testing profile or VM; remove it from normal/production profiles to avoid trusting a local CA inadvertently.Repeater tool — purpose: used for manual, iterative testing of a single request—edit, resend, and observe responses without redoing actions in the browser.Sending requests to Repeater: from Proxy Intercept or HTTP History use “Send to Repeater” (or Ctrl+R) to move a request into Repeater.Repeater workflow: edit the HTTP message in the text editor, press Go to send, and inspect response metadata (status, length, timing) and body to assess effects.Use cases for Repeater: manual vulnerability verification and PoC creation (e.g., testing XSS payloads, parameter tampering, SQLi strings) by injecting payloads and observing returned HTML/headers.Round-trip to browser for client validation: after modifying a request in Repeater you can generate/replay a URL in the browser to validate client-side behavior (useful for DOM/XSS checks).Practical recommendations: verify proxy and CA settings with a simple request first, keep scope/legal authorization documented, and use an isolated VM/profile for all interception tasks.You can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy