Burp Suite Download

The request froze mid-flight. A raw HTTP packet sat in the "Intercept" tab, waiting. Anya’s eyes scanned the headers. There it was: a custom header—X-API-Verify: checksum-abc123. Not a token. A checksum. And it was static.

The results bloomed. A clean, no-nonsense site from PortSwigger. Community Edition – Free. No crypto miners, no fake "download now" buttons screaming for attention. Just the tool.

As the .jar file downloaded, Anya felt the familiar shiver—the same one a safecracker feels when their stethoscope finds the first tumbler. She launched it. The interface unfolded like a surgeon’s toolkit: Proxy, Intruder, Repeater, Scanner.

The tool was free. The lesson—priceless.

Then she turned interception on.

Anya stared at the login screen. "ACCESS DENIED," it blinked, mocking her. She’d spent three weeks mapping the new banking app’s surface, but its authentication layer was a black box. Every SQL injection, every fuzzed parameter, bounced back with a sterile, generic error.

Later, in her report, she would write: "Vulnerability: Client-side trust of checksum header. Remediation: Server-side revalidation. Discovery method: Manual testing using Burp Suite Community Edition."

She configured her browser’s local proxy to 127.0.0.1:8080. Turned off "intercept." Clicked the bank’s login link. In the "Target" tab, the site’s hierarchy appeared—a tree of endpoints, cookies, and parameters.