Burp Suite is an intercepting proxy. You configure your browser to send traffic to Burp, and Burp forwards it on to the internet. This lets you pause a request, modify it (e.g., change `price=100` to `price=1`), and forward it.

The Repeater

Repeater is the most powerful tool in Burp.
1. Capture a request (e.g., Login).
2. Send it to Repeater (Ctrl+R).
3. Now you can edit the request and re-send it as many times as you want without using the browser.

This is how you fuzz for SQL injection manually.

1. The Intruder (Automation)

Want to brute-force a login or guess filenames?
1. Send the request to Intruder.
2. Highlight the password field.
3. Load a wordlist (e.g., `rockyou.txt`).
4. Start Attack. Burp will send thousands of requests, injecting each password from the list.
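
On the defending side, an Intruder run like this appears in the access log as a burst of failed logins from one client. The following is an added example, not part of the original page, that flags such bursts; the log format, the `/login` path, the thresholds, and the function name `detect_bruteforce` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO-timestamp client-IP method path status).
SAMPLE_LOG = (
    # 12 failed logins in 22 seconds from one client: the Intruder-style burst.
    [f"2024-05-01T10:00:{s:02d} 203.0.113.7 POST /login 401" for s in range(0, 24, 2)]
    # A normal user: two typos, then a successful login (302 redirect).
    + [
        "2024-05-01T10:00:05 198.51.100.4 POST /login 401",
        "2024-05-01T10:00:20 198.51.100.4 POST /login 401",
        "2024-05-01T10:00:31 198.51.100.4 POST /login 302",
        "truncated-line",
    ]
)


def detect_bruteforce(lines, login_path="/login", max_failures=10,
                      window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for clients exceeding max_failures failed
    logins inside any sliding window. Each client's lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed or truncated lines
        ts_raw, ip, method, path, status = parts
        if method != "POST" or path != login_path or status not in ("401", "403"):
            continue              # only failed login attempts count
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {ip} ({count} failed logins within 60s)")
```

Per-IP counting misses attempts spread across many addresses, so pair it with per-account failure counts and lockout or rate limiting.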

2. Burp Pro Scanner

The paid version (Professional) includes an automated scanner.
As you browse the site, Burp passively scans in the background, alerting you to XSS, SQLi, and configuration issues.
It also enables "Active Scanning", which sends test attacks to verify vulnerabilities.