After this lesson, you will be able to: Test web applications with BurpSuite for SQLi, XSS, IDOR.
Web is where most modern attacks happen. BurpSuite is the standard interception proxy, letting you modify every request in flight. This lesson gets you SQLi-ing PicoCTF challenges through Burp.
Proxy, intercepts every browser request. Repeater, replay/modify a single request. Intruder, automate parameter fuzzing. Decoder, encode/decode base64, URL, hex.
1. Download Burp Community.
2. Configure browser proxy → 127.0.0.1:8080.
3. Install Burp's CA cert in browser (for HTTPS interception).
4. Browse target → see every request in Proxy → HTTP history.
5. Right-click → Send to Repeater for manual testing.
Send each via Repeater, watch the response:
# Authentication bypassusername=admin' --username=admin' OR '1'='1' --# UNION-based extraction (after finding column count)id=1 UNION SELECT 1,2,3,database()--id=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--# Time-based blindid=1 AND SLEEP(5)--
Change `/orders/123` to `/orders/124`, do you see another user's order? That's IDOR. One of the most common bugs in real apps because it's invisible to scanners.
Sign in and purchase access to unlock this lesson.