Penetration testing workflow

Burp Suite includes a range of automated and manual tools that you can use in your penetration testing workflow. The tutorials in this section are designed to teach you how to use Burp Suite to:

1. Map your target application.
2. Analyze the attack surface.
3. Test for a range of vulnerabilities.

You can complete most of the tutorials as a stand-alone exercise. If you're just starting out, you can use the tutorials to get an overview of a typical penetration testing workflow. Otherwise you can select tutorials to learn how to combine different Burp tools to perform a specific task.

You can practice the processes outlined in most of the tutorials using our deliberately vulnerable website, ginandjuice.shop, or a deliberately vulnerable lab from the Web Security Academy. We provide a link to a suitable lab where necessary.

Tutorials

• Setting the test scope
• Mapping the website
• Analyzing the attack surface

• Testing for vulnerabilities:

  • Authentication mechanisms
  • Session management mechanisms
  • Access controls
  • Input validation
  • Clickjacking
  • SSRF
  • WebSockets
• Working with GraphQL in Burp Suite
• Complementing your manual testing with Burp Scanner