trinetra.
tutorials · lab 07 · burp suite cookie tampering

A guided tour of Burp Suite — the tool that sits in the middle.

A five-minute intro to Burp Suite Community: pointing your browser at Burp's proxy listener (127.0.0.1:8080 by default), turning on Intercept, reading a request your browser sends, and editing a response the website sends back. The moment you can freeze a message and change it, every assumption the website makes about what your browser will send is up for grabs.

Lesson · Burp Suite basics · ~5 min
Summary · what to remember
  1. Burp sits between your browser and the website as an intercepting proxy. With Intercept on, every HTTP message stops there: you can read it, edit it, forward it, or drop it.
  2. That scrambled pass is only encoded, not encrypted. dXNlcg== is base64 for user, and anyone can turn it back with `echo dXNlcg== | base64 -d`. There is no key and no secret involved.
  3. Freeze the reply that sets the cookie (or the next request that carries it), decode the value, change user to admin (YWRtaW4= in base64), and click Forward.
  4. Your browser is now treated as an admin because the website believes whatever role the pass claims. It checks nothing on its own side.
  5. Defence: the website must decide "are you allowed?" on its own side, on every request. Give out passes with a tamper-proof seal (for example an HMAC computed with a secret only the server holds), so any edit breaks the seal, and keep who is an admin in the website's own records, keyed by the session, not on the pass. Never trust what the visitor's browser sends.
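The walk-through above (decode, swap the role, re-encode) and the defence in point 5, as an added Python example; this is not code from the lesson or from Burp. The cookie values, the server key, the user records and every function name are constructed for illustration. The "tamper-proof seal" is implemented here as an HMAC-SHA256 over the cookie payload, one common way to sign a cookie; the role itself is looked up in server-side records rather than read from the pass. Whether you edit the Set-Cookie header in the response or the Cookie header in the next request, the server ends up seeing the same forged value, so the checks below take the Cookie header as input.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this walk-through (not captured from any real site).
ISSUED_COOKIE = "role=dXNlcg=="               # the pass a normal login receives
SERVER_KEY = b"constructed-server-only-key"   # assumed: known only to the website


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}. Split on the first '=' only,
    because base64 values end in '=' padding."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


# --- Point 2: base64 is an encoding, not encryption. No key is needed to reverse it. ---
def decode_role(value: str) -> str:
    return base64.b64decode(value).decode()


def encode_role(role: str) -> str:
    return base64.b64encode(role.encode()).decode()


# --- Points 3 and 4: the tamper, and the check that falls for it ---
def forge_admin_cookie() -> str:
    """Unscramble, swap user -> admin, scramble again: what you type into Burp."""
    return "role=" + encode_role("admin")


def vulnerable_is_admin(cookie_header: str) -> bool:
    """The website as the lesson describes it: believes whatever the pass says."""
    role = parse_cookie_header(cookie_header).get("role", "")
    try:
        return decode_role(role) == "admin"
    except ValueError:            # binascii.Error and UnicodeDecodeError are ValueErrors
        return False


# --- Point 5: sealed pass, and the role kept in the website's own records ---
USERS = {"alice": "user", "root": "admin"}   # constructed server-side records


def issue_session(username: str) -> str:
    """The pass carries only WHO you are plus an HMAC seal; the role is not on it."""
    payload = base64.b64encode(username.encode()).decode()
    seal = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}.{seal}"


def tamper_session(cookie: str, new_username: str) -> str:
    """What an attacker can do in Burp against the sealed pass: swap the payload
    but keep the old seal, since SERVER_KEY is needed to compute a new one."""
    value = parse_cookie_header(cookie)["session"]
    _, seal = value.rsplit(".", 1)
    payload = base64.b64encode(new_username.encode()).decode()
    return f"session={payload}.{seal}"


def hardened_is_admin(cookie_header: str) -> bool:
    value = parse_cookie_header(cookie_header).get("session", "")
    if "." not in value:
        return False
    payload, seal = value.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False              # seal broken: the pass was edited
    try:
        username = base64.b64decode(payload, validate=True).decode()
    except ValueError:
        return False
    return USERS.get(username) == "admin"   # decided from server records, every request


if __name__ == "__main__":
    print("forged role cookie:", forge_admin_cookie())
    print("vulnerable site admits forged cookie:", vulnerable_is_admin(forge_admin_cookie()))
    sealed = issue_session("alice")
    print("hardened site admits tampered pass:", hardened_is_admin(tamper_session(sealed, "root")))
```

The forged role= cookie gets the vulnerable check to say admin straight away; against the sealed pass the same edit fails at `hmac.compare_digest`, and even a pass with a valid seal only answers "who", with "admin or not" coming from `USERS` on the server.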
Quick check · before you continue

Q: When you log in, the website hands your browser a pass: role=dXNlcg==. Unscrambled, that just reads user. What's the smallest move that gets you in as an admin?