  • #burp
  • #cybersecurity
  • #tools
  • #ejpt

Why I'm learning Burp Suite (and you should too)

A web proxy is to a web pentester what a debugger is to a developer.

You can't test a web app you can't see. Burp Suite is how you see it.

The mental model: Browser → Burp → server. Burp sits in the middle. Every request, every response, you can read, modify, or replay before it lands.
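To make the browser → proxy → server model concrete, here is an added example (not code from the post, not Burp's own code) of a minimal intercepting proxy built with Python's standard library only. It binds an upstream "server" and a proxy on ephemeral ports, sends one request through the proxy the way a proxy-configured browser would (absolute URL in the request line), and shows the two hook points a tool like Burp exposes: a request hook that can read and rewrite the request before it is forwarded, and a response hook that sees what came back. The server, the hook names and the header rewrite are all constructed for the demo. It handles plain HTTP only; real browser traffic is TLS, which is why Burp has you install its CA certificate before it can show you anything.

```python
"""Minimal intercepting HTTP proxy: browser -> proxy -> server (plain HTTP only)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed upstream "server": answers any GET with a line echoing the request.
class Upstream(BaseHTTPRequestHandler):
    def do_GET(self):
        body = f"path={self.path} ua={self.headers.get('User-Agent', '-')}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

# Everything the proxy saw, in order: the equivalent of the Proxy history tab.
HISTORY = []

def on_request(method, url, headers):
    """Hypothetical hook run before forwarding: record, then rewrite one header."""
    headers = dict(headers)
    headers["User-Agent"] = "edited-in-proxy"
    HISTORY.append(("request", method, url, headers["User-Agent"]))
    return headers

def on_response(status, body):
    """Hypothetical hook run on the way back to the browser."""
    HISTORY.append(("response", status, len(body)))
    return status, body

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # A browser configured to use a proxy sends the absolute URL in the request line.
        parts = urlsplit(self.path)
        headers = on_request("GET", self.path, self.headers)
        # Host must name the real server, and hop-by-hop headers must not be forwarded.
        headers["Host"] = parts.netloc
        headers.pop("Proxy-Connection", None)
        headers["Connection"] = "close"
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        upstream = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        upstream.request("GET", target, headers=headers)
        resp = upstream.getresponse()
        status, body = on_response(resp.status, resp.read())
        content_type = resp.getheader("Content-Type", "text/plain")
        upstream.close()
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass

def serve(handler):
    """Bind to an ephemeral loopback port, serve in a daemon thread, return (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch_via_proxy(proxy_port, absolute_url):
    """What the browser does: connect to the proxy and ask it for a full URL."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", absolute_url, headers={"User-Agent": "browser/1.0"})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body

def demo():
    """Start both ends, push one request through the middle, return (status, body)."""
    up, up_port = serve(Upstream)
    px, px_port = serve(Proxy)
    try:
        return fetch_via_proxy(px_port, f"http://127.0.0.1:{up_port}/login?user=a")
    finally:
        px.shutdown()
        up.shutdown()

if __name__ == "__main__":
    print(demo())
    for entry in HISTORY:
        print(entry)
```

The body that comes back says `ua=edited-in-proxy`, not `browser/1.0`: the server only ever saw what the proxy chose to forward, which is the whole point of sitting in the middle.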

The four tools you'll use 90% of the time:

  1. Proxy — the firehose. Watch requests fly by. Pause one, edit it, send it.
  2. Repeater — take a request, change one parameter at a time, observe how the server reacts. This is where bug hunting actually happens.
  3. Intruder — automated parameter fuzzing. Slow on the free Community edition, fine for learning.
  4. Decoder — base64, URL encoding, HTML entities. You'll need this constantly.
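Decoder's most useful feature is peeling layered encodings one at a time until something readable appears. The following is an added example (not from the post, not Burp's code) of that loop in Python: each pass tries URL decoding, HTML entity decoding and base64 in turn, takes the first one that changes the input, and stops when nothing applies. The `encode_layers` helper, the step order and the sample value `user=admin&role=1` are constructed for the demo; the base64 heuristics (length, alphabet, valid UTF-8, printable) are there to avoid "decoding" ordinary words that happen to look like base64.

```python
"""Layered decode, the way Burp Decoder's smart decode works: peel one layer per pass."""
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_base64(s):
    """Return the decoded text, or None if s does not look like base64 of readable text."""
    if len(s) < 8 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text

def try_url(s):
    """Return the %xx-decoded text, or None if there is nothing to decode."""
    if not re.search(r"%[0-9A-Fa-f]{2}", s):
        return None
    return unquote(s)

def try_html(s):
    """Return the entity-decoded text, or None if there are no entities."""
    if not re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", s):
        return None
    return html.unescape(s)

DECODERS = (("url", try_url), ("html", try_html), ("base64", try_base64))

def smart_decode(s, max_layers=10):
    """Peel encodings one layer at a time. Returns a list of (encoding, result) steps."""
    steps = []
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(s)
            if out is not None and out != s:
                steps.append((name, out))
                s = out
                break
        else:
            break  # no decoder changed anything: we are at the plaintext
    return steps

# The other direction, for building test values and payloads in Decoder's "Encode as" style.
ENCODERS = {
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "url": lambda s: quote(s, safe=""),
    "html": lambda s: html.escape(s, quote=True),
}

def encode_layers(s, layers):
    """Apply the named encodings in order (innermost first)."""
    for name in layers:
        s = ENCODERS[name](s)
    return s

if __name__ == "__main__":
    # Constructed value: HTML-escaped, then URL-encoded, then base64-wrapped.
    token = encode_layers("user=admin&role=1", ["html", "url", "base64"])
    print(token)
    for name, value in smart_decode(token):
        print(f"{name:>7}: {value}")
```

Run it and the steps come out in the reverse order of encoding (base64, then url, then html) and end at the original string; the same loop stops after zero steps on plain text, which is the property that makes it safe to throw arbitrary parameter values at.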

Setup gotcha I lost an hour to: Firefox doesn't use the system proxy by default. Either configure it manually under network settings or install the FoxyProxy extension and toggle Burp on/off per tab.

Free alternatives:

  • OWASP ZAP — open source, similar power, less polished UI
  • mitmproxy — terminal-only, scriptable, my favorite for headless work

For eJPT, learn Burp. For day-to-day pentesting work, mix all three.