The Hacker's Arsenal

Lesson 3: Setting Up Your Hacking Lab

February 2, 2025 20 min read Beginner

Your Hacking Toolkit

In Lesson 1, you hacked a website with just a browser. That's fine for simple vulnerabilities, but real web hacking requires better tools.

Today we're setting up Burp Suite — the industry-standard tool for web application testing. By the end of this lesson, you'll be able to intercept, inspect, and modify any HTTP request your browser makes.

What You'll Install

  1. Burp Suite Community Edition — Free proxy and testing tool
  2. Browser Proxy Configuration — Route traffic through Burp
  3. Burp's CA Certificate — Intercept HTTPS traffic
  4. FoxyProxy (optional) — Easy proxy switching

Step 1: Download Burp Suite

  1. Go to portswigger.net/burp/communitydownload
  2. Download the installer for your operating system:
    • Windows: .exe installer
    • Mac: .dmg file
    • Linux: .sh script
  3. Install it like any other application
  4. Launch Burp Suite

First Launch: Accept the terms, choose "Temporary project", then "Use Burp defaults" and click "Start Burp".

Step 2: Understand the Interface

When Burp opens, you'll see several tabs. Here are the important ones:

TabPurpose
ProxyIntercept and modify requests
TargetMap out the application
RepeaterManually modify and resend requests
IntruderAutomated attacks (limited in Community)
DecoderEncode/decode data

For now, focus on the Proxy tab. This is where the magic happens.

Step 3: Configure Your Browser

Burp acts as a proxy — it sits between your browser and the internet, letting you see and modify everything.

Option A: Manual Browser Configuration

Firefox (Recommended for Testing)

  1. Open Firefox Settings
  2. Search for "proxy"
  3. Click "Settings..." in Network Settings
  4. Select "Manual proxy configuration"
  5. Enter:
    • HTTP Proxy: 127.0.0.1 Port: 8080
    • Check "Also use this proxy for HTTPS"
  6. Click OK

Chrome

  1. Chrome uses system proxy settings
  2. Go to your OS network settings
  3. Set HTTP/HTTPS proxy to 127.0.0.1:8080

Option B: Use FoxyProxy (Easier)

FoxyProxy is a browser extension that makes switching proxies easy.

  1. Install FoxyProxy for Firefox or Chrome
  2. Click the FoxyProxy icon → Options
  3. Add a new proxy:
    • Title: Burp Suite
    • Proxy Type: HTTP
    • Proxy IP: 127.0.0.1
    • Port: 8080
  4. Save and select "Burp Suite" from the FoxyProxy menu when testing

Step 4: Test the Connection

  1. Make sure Burp Suite is running
  2. In Burp, go to Proxy → Intercept and make sure "Intercept is on"
  3. In your configured browser, visit http://example.com
  4. Nothing happens! The page doesn't load.
  5. Check Burp — you should see the request waiting in the Intercept tab
  6. Click Forward to send the request
  7. The page loads in your browser

Congratulations! You just intercepted your first HTTP request.

Step 5: Install Burp's CA Certificate

Right now, you can intercept HTTP traffic. But most sites use HTTPS. Try visiting https://google.com — you'll get a security error.

Burp needs to perform a "man-in-the-middle" attack on HTTPS traffic. For this to work without errors, you need to trust Burp's certificate.

Download the Certificate

  1. With your browser proxied through Burp, visit: http://burp
  2. Click "CA Certificate" to download cacert.der

Install on Firefox

  1. Open Firefox Settings
  2. Search for "certificates"
  3. Click "View Certificates"
  4. Go to "Authorities" tab
  5. Click "Import"
  6. Select the cacert.der file you downloaded
  7. Check "Trust this CA to identify websites"
  8. Click OK

Install on Chrome (Mac)

  1. Open Keychain Access
  2. Drag cacert.der into the "System" keychain
  3. Double-click "PortSwigger CA"
  4. Expand "Trust"
  5. Set "When using this certificate" to "Always Trust"
  6. Close and enter your password

Install on Chrome (Windows)

  1. Open certmgr.msc
  2. Navigate to Trusted Root Certification Authorities → Certificates
  3. Right-click → All Tasks → Import
  4. Import cacert.der

Test HTTPS Interception

  1. Visit https://google.com
  2. No security errors!
  3. Check Burp — you can see the HTTPS request

Step 6: Basic Proxy Usage

Now let's learn the core proxy workflow.

Intercept Mode

With "Intercept is on", every request pauses for your review:

  • Forward — Send the request as-is
  • Drop — Block the request entirely
  • Action — Send to other Burp tools

This is useful when you want to modify specific requests.

Passive Mode

Click the button so it says "Intercept is off". Now requests flow through automatically, but everything is logged in Proxy → HTTP history.

This is useful for:

  • Exploring an application normally
  • Reviewing requests after the fact
  • Finding interesting endpoints

HTTP History

Go to Proxy → HTTP history to see every request your browser made.

Click any request to see:

  • Full request (right panel, top)
  • Full response (right panel, bottom)

Step 7: The Repeater — Your New Best Friend

The Repeater is where you'll spend most of your time. It lets you manually modify and resend requests.

Send a Request to Repeater

  1. In HTTP history, find an interesting request
  2. Right-click → "Send to Repeater"
  3. Go to the Repeater tab

Modify and Resend

In Repeater, you can:

  • Edit any part of the request
  • Click "Send" to make the request
  • See the response immediately
  • Modify again and resend

Try it:

  1. Send any request to Repeater
  2. Find a parameter in the URL or body
  3. Change its value
  4. Click Send
  5. See how the response changes

This is manual vulnerability testing. Change something, see what happens.

Pro Tips

Tip 1: Use a Separate Browser
Keep one browser (Firefox) for testing with proxy, and another (Chrome) for normal browsing. This prevents accidentally proxying personal traffic.
Tip 2: Scope Your Target
In Target → Scope, add your target domain. Then in Proxy settings, you can filter to only show in-scope items.
Tip 3: Use Keyboard Shortcuts
Ctrl+R — Send to Repeater
Ctrl+I — Send to Intruder
Ctrl+Shift+T — Switch to Target tab
Ctrl+Shift+P — Switch to Proxy tab
Tip 4: Save Your Work
Go to Burp → Save project regularly. You don't want to lose hours of reconnaissance.

What You Can Do Now

With this setup, you can:

  • See every request your browser makes
  • Intercept and modify requests before they're sent
  • Replay requests with different parameters
  • Test for vulnerabilities manually
  • Understand exactly how a web application works

This is the foundation for everything that comes next.

Challenge: Explore a Test Site

  1. Configure your browser to proxy through Burp
  2. Visit http://testphp.vulnweb.com/
  3. Browse around — check the search, login, guest book
  4. Find at least 5 interesting requests in your HTTP history
  5. Send them to Repeater
  6. Try adding ' to parameters — do you get any errors?

This site is intentionally vulnerable. You have permission to test it.

What's Next?

You've got your lab set up. In Lesson 4: Cross-Site Scripting (XSS), we'll use these tools to find and exploit XSS vulnerabilities systematically — not just the obvious ones.

Time to hunt.