How to do it...

We will walk through basic usage of Burp Suite to start testing embedded web applications. The following examples use Burp Suite Professional; the proxy and certificate setup steps apply equally to the free (Community) edition, but the active scanner used later in this recipe is only available in the Professional edition:

  1. Set up Burp proxy listener settings to 127.0.0.1 with port 8080, as seen in the following screenshot:
  1. Set up browser proxy settings with FoxyProxy to our Burp Suite listener address we set in the previous step:
  1. Select the configured proxy to route all traffic to our Burp proxy listener:
  1. Next, we need to download and install Burp's CA certificate. With the browser already proxied through Burp, navigate to http://burp/cert (this address is served by Burp itself and only resolves while traffic is going through the listener), save the certificate to a folder, and import it into the browser's certificate manager. Importing Burp's CA certificate allows HTTPS connections to be proxied without certificate warnings, which will come in handy later:
  1. Navigate to about:preferences#advanced in Firefox and select Certificates then Authorities:
  1. Click on the Import... button and select the Burp Suite certificate that was saved locally:

Now we can view HTTP and HTTPS requests and responses.

  1. Once we have basic proxy settings configured for our browser and Burp Suite, navigate to a target web application. Add the target application to scope by right-clicking its address and selecting Add to scope, as seen in the following screenshot:
  1. Once the target is in scope, requests can be scanned with Burp's scanning engine by right-clicking a request and selecting Do an active scan:
  1. View the scan results by navigating to Scan queue:
  1. Sometimes we may want to replay requests using Repeater to observe application responses or to tweak payloads. This can be done by right-clicking the target request and sending it to Repeater. The following screenshot shows the alias parameter being tweaked with a payload:
  1. While on the subject of tweaking payloads, we may need to encode or decode certain characters to ensure our payload reaches the application intact; Burp Suite's Decoder facility does this. The following screenshot shows a decoded value (top) being URL encoded (bottom):
  1. Fuzzing a parameter with a specific, targeted set of payloads can be accomplished using Burp Suite's Intruder. First, a target parameter needs to be marked as an insertion point. In this case, we use the alias parameter as the target:
  1. Next, select the attack payloads to be used (Fuzzing - XSS in this case) and click Start attack:

A separate window will pop up, where attack results will be viewable:
