Learning Tracks
Your roadmap to real skills.
Four tracks, dozens of sub-tracks, and every lesson available self-paced or live, 1-on-1, with a volunteer tutor.
Zero to professional web app tester.
~12 hours · 16 lessons
Installing Burp Suite and Configuring Your Browser
Install Burp, understand the proxy concept, route your browser through Burp, install the CA certificate, and intercept your first request.
The Burp Suite Interface
Navigate every panel a professional uses daily: Dashboard, Target, Proxy, Intruder, Repeater, Decoder, Comparer, Logger, Sequencer, Extensions.
HTTP History and Scope
Read and filter HTTP history, understand requests/responses in depth, set scope, and map an application's attack surface.
Burp Repeater: The Core of Manual Testing
Send, modify, and resend requests in Repeater, read responses, and manually find a SQL injection point without automation.
Testing Authentication and Session Management
Analyze cookies and tokens, find IDOR, test reset flows and session fixation, and analyze JWTs (including alg:none).
Testing for Injection Vulnerabilities
Manually test for SQLi (error/boolean/time-based), XSS (reflected/stored/DOM), command injection, XXE, and SSTI.
Burp Intruder: Automated Customized Attacks
Use positions and payloads, the four attack types (Sniper/Battering Ram/Pitchfork/Cluster Bomb), Grep-Match/Extract, and the Community workaround.
Fuzzing and Parameter Discovery
Fuzz for hidden content/params (and when to use feroxbuster/gobuster), use SecLists, and Turbo Intruder for speed.
Burp Scanner (Professional)
Understand passive vs active scanning, crawling, reading results, tuning audit profiles, and the limits of automation.
Burp Extensions and the BApp Store
Install and use essential extensions, and write a basic extension with the Burp (Montoya) API.
Testing for Business Logic Flaws
Find logic flaws scanners miss: price/quantity manipulation, workflow bypass, and trust-boundary violations.
Advanced Web Vulnerabilities
Test HTTP request smuggling, WebSocket security, OAuth 2.0 attacks, CORS misconfigurations, and prototype pollution.
Bug Bounty Methodology with Burp Suite
Run a complete bug-bounty workflow: recon to scope, structured methodology, project files, responsible disclosure, and great reports.
Burp Suite Passion Project
Complete three PortSwigger Practitioner labs across three vulnerability categories and write a professional bug report for each, compiled into a portfolio PDF.
Burp Suite Job Readiness
Translate Burp proficiency into a web-security career: job titles, certifications (especially BSCP), and a portfolio checklist.