Burp Suite
Burp Suite, developed by PortSwigger, is the industry-standard toolkit for web application security testing. Used by penetration testers, bug bounty hunters, and security teams worldwide, it provides an integrated platform for the entire testing workflow — from mapping an application's attack surface to finding and exploiting vulnerabilities.
At its core, Burp Suite acts as an intercepting proxy that sits between the browser and the target application, allowing testers to inspect, modify, and replay HTTP/HTTPS traffic in real time. Key tools include the Repeater for manual request manipulation, Intruder for automated parameter fuzzing, Scanner for automated vulnerability detection, and Sequencer for analyzing token randomness.
Burp's extensibility is one of its greatest strengths. The BApp Store offers hundreds of community-built extensions, and the Extender API allows custom plugins in Java, Python (via Jython), and Montoya API. Common extensions add capabilities like active scanning enhancements, authentication handling, and integration with other security tools.
PortSwigger also maintains the Web Security Academy — one of the best free resources for learning web security, with interactive labs that pair directly with Burp Suite testing techniques.
This page collects Burp Suite tutorials, extension guides, tips and tricks, and resources for getting the most out of the tool in your security testing workflow.
From PortSwigger
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-05-03 2026 | GitHub - SharonBrizinov/Holy-Grail-PCAP: "Holy Grail PCAP" is a capture file offering exceptional coverage across nearly all tcpdump/Wireshark encapsulation types and dissectors. beginner | The "Holy Grail PCAP" is a comprehensive packet capture file developed by Sharon Brizinov. It boasts extensive coverage of nearly all encapsulation types and dissectors supported by tcpdump and Wireshark. This resource is valuable for network analysis and security testing due to its broad applicability. |
| 2026-04-22 2026 | SulphurAPI: Burp Suite extension for automating OWASP API Top 10 detection intermediate | Extension for automating OWASP API Top 10 detection within Burp Suite. SulphurAPI includes checks for mass assignment, authentication, and authorization vulnerabilities, alongside OpenID Connect/OAuth2 management and advanced OpenAPI parsing for versions 2.0 to 3.1.1. |
| 2026-04-22 2026 | Awesome Burp Extensions 2025 intermediate | Library of curated Burp extensions for enhancing web application penetration testing. Features include scanners for vulnerabilities like Log4Shell (CVE-2021-44228), HTTP Request Smuggling, and Java deserialization. Additional extensions aid in discovering Content Security Policy (CSP) bypasses, identifying software versions, detecting reverse proxies, and testing for Cloudflare origin IPs, among many other specialized checks and integrations. |
| 2026-04-22 2026 | Top 10 Web Hacking Techniques of 2025: Call for Nominations news | Survey of 2025 web hacking techniques, including nominations for novel practical research. Highlighted techniques involve JNDI Injection, Exploiting XXE with Local DTD Files, Eclipse on Next.js, Next.js cache poisoning, Go parser bypasses, HTTP/1.1 desync, Chromium DOM clobbering, cross-protocol desynchronization (Opossum Attack), SAML authentication bypasses, ambiguous chunk terminators for request smuggling, Cross-Site WebSocket Hijacking, SVG filter clickjacking, nonce CSP bypass, SSRF via redirect loops, Unicode normalization exploits, SOAP proxy RCE, PHP warnings for quirks mode, ORM field smuggling, parser differentials, and DOM-based extension clickjacking. → portswigger.net |
| 2026-04-22 2026 | The Future of Security Testing: AI-Powered Extensibility in Burp advanced | Library for AI-powered extensibility in Burp Suite Professional, leveraging the Montoya API to integrate AI capabilities for enhanced security testing and automation. This allows for seamless integration of AI, exemplified by Gareth Heyes' enhanced Hackvertor extension, which enables custom transformations without coding. Users receive free AI credits to experiment and build their own AI-powered extensions, with options to submit them to the BApp store. → portswigger.net |
| 2026-04-22 2026 | Filtering the WebSockets history with scripts intermediate | Library for filtering WebSockets history in Burp Suite, allowing users to create and load custom Java-based scripts. Users can write new scripts from templates, convert existing filter settings into scripts, or import scripts from their Bambda library. The library supports two key Montoya API objects, `ProxyWebSocketMessage` and `Utilities`, to facilitate script development for analyzing and filtering WebSocket traffic based on criteria like message direction and payload length. → portswigger.net |
| 2026-04-22 2026 | Filtering the HTTP history with scripts (Bambdas) intermediate | Library for creating custom Java-based scripts, known as Bambdas, to filter Burp Suite's HTTP history. Users can load pre-existing scripts from their library or create new ones using built-in templates or by converting existing filter settings. The library leverages the Montoya API and provides a GitHub repository for community contributions and examples, enabling advanced traffic analysis based on criteria like response status codes and cookie presence. → portswigger.net |
| 2026-04-22 2026 | Developing AI features in Burp extensions advanced | Library for integrating AI capabilities into Burp Suite extensions via the Montoya API. This resource details how extensions must declare AI feature support using `EnhancedCapability.AI_FEATURES` and verify availability with `Ai.isEnabled()`. It explains sending single-shot and multi-turn prompts using `Message` objects for system, user, and assistant roles, and handling responses through `PromptResponse`. → portswigger.net |
| 2026-04-22 2026 | Burp AI - PortSwigger Documentation beginner | Library integrating AI capabilities into Burp Suite for enhanced security testing. Features include AI in Repeater for custom prompts, Explore Issue for autonomous vulnerability investigation, and Explainer for understanding web technologies. It also offers AI-powered false positive reduction for Broken Access Control, automated recorded logins, and extensible AI features via the Montoya API, all while prioritizing user control, data privacy, and industry-standard security. → portswigger.net |
| 2026-04-22 2026 | Bambdas - PortSwigger Documentation beginner | Library for scripting Burp Suite's interface to personalize tasks. Bambdas allow for custom match-and-replace rules, table columns, filters, and scan checks. Scripts can be saved, imported from sources like the Bambdas GitHub repository, and reused across projects. PortSwigger warns that Bambda scripts can execute arbitrary code, advising caution with unverified sources. → portswigger.net |
| 2026-04-19 2026 | Pentest-Mapper: Burp Extension for Pentesters & Bug Bounty intermediate | Library for Burp Suite that maps application testing flows with custom checklists. Pentest-Mapper logs API calls, allowing users to connect them to specific vulnerabilities from a loaded checklist. It also tracks test cases, enables vulnerability mapping with severity, and offers auto-save, import/export functionality, and auto-logging of scoped APIs. |
| 2026-04-19 2026 | Burp Suite Extension: Copy For — Black Hills InfoSec intermediate | Library for Burp Suite that generates command-line syntax for security tools like `curl`, `ffuf`, `jwt_tool.py`, `Nikto`, `Nmap`, `Nuclei`, and `wget` directly from requests. It supports variable substitution and configurable flags, allowing users to create custom commands. |
| 2026-04-19 2026 | Burp AI — PortSwigger intermediate | Burp AI — PortSwigger → portswigger.net |
| 2026-04-19 2026 | Pentest Mapper: Burp Extension for Application Pentesting intermediate | Extension for Burp Suite that integrates request logging with a custom application testing checklist. It enables users to map application flows and API calls, link them to vulnerabilities from a customizable checklist, and track parameters and severity. Features include auto-saving, import/export functionality, and the ability to map individual requests to vulnerabilities with optional CVSS scoring. |
| 2026-04-19 2026 | Pentest Mapper — PortSwigger BApp Store intermediate | Library for mapping application flows during penetration testing. Pentest Mapper integrates Burp Suite request logging with a custom checklist, allowing testers to connect API calls to specific functions and map identified vulnerabilities. This Burp Suite extension facilitates a structured approach to application analysis and vulnerability assessment. → portswigger.net |
| 2026-04-16 2026 | Burp Suite Professional Testing Handbook beginner | Library for Burp Suite Professional, an HTTP interception proxy with features for web application security testing. It aids in identifying server-side and client-side vulnerabilities by intercepting and manipulating requests/responses, fuzzing payloads with Intruder, and analyzing traffic with Proxy and Scanner. The handbook also mentions Burp's DOM Invader extension and Trail of Bits webinars on mastering web research with Burp Suite. → appsec.guide |
| 2026-04-16 2026 | Bambdas Collection for Burp Suite Professional and Community intermediate | Library of Bambdas for Burp Suite, offering scripts for table filters, custom columns, Repeater actions, match and replace rules, and custom scan checks. Developed by PortSwigger and the community, these scripts enhance Burp Suite's functionality, with Java-based checks available in this repository and BChecks in a separate repo. Instructions cover importing, updating, and contributing scripts, with security warnings about executing arbitrary code. Resources include detailed documentation and video tutorials on various Bambda functionalities. |
| 2026-04-16 2026 | Turbo Intruder: Embracing the Billion-Request Attack advanced | Library for high-speed, scalable web application attacks. Turbo Intruder is a Burp Suite extension built from scratch with a custom HTTP stack, outperforming many asynchronous scripts. It supports flexible Python-based attack configuration for complex needs like signed requests, handles malformed requests, and filters results with an advanced diffing algorithm. It can achieve millions of requests with flat memory usage, and offers command-line operation for optimized performance by co-locating with targets. → portswigger.net |
| 2026-04-16 2026 | BurpSuite for Pentester - Vulnerability Hunting Cheatsheet beginner | Library for penetration testers and bug bounty hunters, this practical Burp Suite cheat sheet aids in efficiently discovering web application vulnerabilities from P4 to P1. It offers a structured reference for web application security testing, guiding users on leveraging Burp Suite's features for traffic interception, request analysis, parameter fuzzing, and identifying vulnerabilities in modern web applications. |
| 2026-04-16 2026 | Weaponize Your Burp - Bug Bounty Hunting Automation intermediate | Library for automating Burp Suite for bug bounty hunting. This project weaponizes Burp Suite with extensions like Burp Bounty Pro, Logger++, and AutoRepeater. It details a methodology for integrating custom payloads into AutoRepeater and using Logger++ filters to identify potential vulnerabilities, then sending suspicious requests to Repeater for exploitation. Examples demonstrate configuring custom payloads to enhance bug hunting capabilities. |
| 2026-04-16 2026 | Smart Automation with Burp Suite - YesWeHack intermediate | Library for automating Burp Suite workflows, this resource details using passive scanners like the built-in passive scanner and passive crawler, alongside extensions such as BChecks, Burp Bounty, and Logger++, to streamline bug bounty efforts. It explains how to combine active and passive scanning to efficiently gather information and discover vulnerabilities, emphasizing the importance of custom headers for tracking BCheck requests and leveraging error messages for deeper analysis, while still advocating for manual testing to complement automated findings. → yeswehack.com |
| 2026-04-16 2026 | A Guide to Build Burp Suite Extensions Using Montoya API and Java intermediate | A Guide to Build Burp Suite Extensions Using Montoya API and Java |
| 2026-04-16 2026 | Power Up Pen Tests: Create Burp Suite Extensions with Montoya API intermediate | Library for developing Burp Suite extensions using the Montoya API, streamlining tasks like authentication handling, API data mining, and UI visualization. This API, introduced in Burp Suite 2022.9.5, offers improved object-oriented design, WebSocket support, and simplified HTTP message manipulation compared to the older extender API, enabling developers to create more robust and flexible tools like the example "BurpCage" extension that replaces images with Nicolas Cage photos. |
| 2026-04-16 2026 | Burp Suite Extensions - Overview and Introduction with Kotlin beginner | Library for developing Burp Suite extensions, focusing on the modern MontoyaApi with Kotlin. This resource details how to create powerful extensions, introducing concepts like Bambdas for filtering and BChecks for custom scan checks. It showcases the development of the HeaderMate extension, which automates server response header evaluation against OWASP recommendations and configurable rules, offering features like selective host checking, issue creation toggling, and CSV export. |
| 2026-04-16 2026 | Creating Burp Extensions: A Beginner's Guide - Black Hills InfoSec beginner | Library for creating Burp Suite extensions. This resource guides beginners through developing custom functionalities for Burp Suite, a web application proxy essential for security testing. It explains what Burp extensions are, why they enhance testing capabilities, and covers the necessary tools and languages for development. The presentation introduces the Montoya API for integration and showcases a practical example of a JWT editor extension, illustrating how these additions expand Burp Suite's utility beyond its default features. |
| 2026-04-10 2026 | Burp Suite Certified Practitioner Guide 2026 beginner | Guide to the Burp Suite Certified Practitioner (BSCP) exam, PortSwigger’s hands-on web application security certification. This resource details the exam format, including its remote, proctored, timed structure with two live applications, and the three sequential stages required per application. It emphasizes demonstrating exploit impact, using Burp Suite Professional and allowed third-party tools like ysoserial, and mastering techniques such as XSS exploitation, SQL injection, and SSRF. The guide offers preparation strategies, including PortSwigger’s official prep path, practice exams, and sample 30, 60, and 90-day study plans, to help candidates achieve certification. |
| 2026-04-10 2026 | Top 10 Burp Extensions Every Pentester Should Use beginner | Top 10 Burp Extensions Every Pentester Should Use |
| 2026-04-10 2026 | Burp AI in 2026: Real Workflow Changes intermediate | Library integrating AI into Burp Suite Professional (v2025.2+) for enhanced web security testing. Features include Burp AI in Repeater for auditable HTTP message analysis, Explainer for quick understanding of unfamiliar artifacts, and Explore Issue for automated follow-up on Burp Scanner findings. Usage is consumption-based via AI credits assigned per user, requiring careful management of prompts for cost-effectiveness and accurate validation of vulnerabilities. → penligent.ai |
| 2026-04-10 2026 | Burp Suite Professional 2026.1 Release news | Library update introducing the Discover tab for feature exploration, command palette for faster table navigation, improved time-based SQL injection detection filtering WAF delays, and SPNEGO support for NTLM authentication. This release also includes a Java update to 25.0.1 and a browser upgrade to Chromium 143. → portswigger.net |
| 2026-04-10 2026 | Burp Suite Professional 2025.5 Release news | Library release notes for Burp Suite Professional 2025.5 detailing new AI-powered custom actions in Repeater for context-aware HTTP message analysis, including a sample action to explain text and a template for testing race condition vulnerabilities. The release also incorporates Montoya API updates for direct extension settings integration, and quality-of-life improvements such as access to timing data for custom actions and faster body encoding switching. → portswigger.net |
| 2026-04-10 2026 | 10 Burp Suite Extensions That Will Instantly Boost Your Work intermediate | 10 Burp Suite Extensions That Will Instantly Boost Your Work |
| 2026-04-10 2026 | How Burp Suite DAST Is Leveling Up Enterprise Security in 2025 intermediate | Tool updates to Burp Suite DAST in 2025 enhance enterprise security testing by automating scan scheduling for portfolios, organizing assets with custom tags, and improving API scanning with automatic token refreshes. It accelerates vulnerability detection by crawling and auditing SPAs in parallel and integrates seamlessly with Jira for streamlined remediation tracking, supporting parent-child issue hierarchies and automated ticket creation. New onboarding packages aim to shorten learning curves and ensure fast results. → portswigger.net |
| 2026-04-10 2026 | Burp Suite Professional 2025.2: Built-in AI Integration news | Burp Suite Professional 2025.2: Built-in AI Integration → gbhackers.com |
| 2026-04-10 2026 | 100+ Burp Suite Online Courses for 2026 beginner | 100+ Burp Suite Online Courses for 2026 |
| 2026-04-10 2026 | Burp Suite AI Extension for Pentester intermediate | Burp Suite AI Extension for Pentester |
| 2026-04-10 2026 | Burp Suite Goes AI: Revolutionizing Web Pentesting intermediate | Library integration of AI-powered extensions into Burp Suite Professional, developed by PortSwigger, automates web pentesting tasks. This update offers security professionals enhanced efficiency and deeper vulnerability insights, with features like custom tag generation in Hackvertor using natural language prompts. The integration aims to simplify AI model management and allows extensions to be shared via the BApp Store, including an initial offering of 10,000 free AI credits. |
| 2026-04-10 2026 | Burp Suite Integration for Neuron intermediate | Library that streamlines the security testing workflow by integrating Burp Suite findings directly into the Neuron platform. The Neuron Burp Suite Extension allows testers to push identified issues from Burp, automatically creating structured findings within Neuron, complete with request/response evidence, linked to specific web applications and endpoints. This eliminates redundant work by enabling findings to be directly associated with defined web application assets, including hostnames, endpoints, parameters, and scope metadata, facilitating clearer reporting and a standardized system of record for web application security testing across teams. |
| 2026-04-10 2026 | The Future of Pentesting: Burp Suite + Cursor AI beginner | The Future of Pentesting: Burp Suite + Cursor AI |
| 2026-04-06 2026 | Toolchain: Nmap, Burp Suite, and Metasploit - A Practical Workflow Guide beginner | Library for practical penetration testing workflows, integrating Nmap, Burp Suite, and Metasploit. Nmap maps the attack surface by identifying live hosts, open ports, service versions, and OS fingerprints. Burp Suite then tests web applications, intercepting and modifying HTTP requests to find vulnerabilities like SQL injection, XSS, and IDOR. Finally, Metasploit validates identified vulnerabilities, demonstrating exploitability and impact, leveraging modules for specific exploits and post-exploitation actions. |
| 2026-04-06 2026 | Top 10 Burp Suite Extensions Every Pentester Should Use beginner | Top 10 Burp Suite Extensions Every Pentester Should Use |
| 2026-04-03 2026 | Installing Extensions from BApp Store | PortSwigger beginner | Installing Extensions from BApp Store | PortSwigger → portswigger.net |
| 2026-04-03 2026 | 3 Powerful Burp Suite Extensions Every Pentester Should Use intermediate | 3 Powerful Burp Suite Extensions Every Pentester Should Use |
| 2026-04-03 2026 | BApp Store | PortSwigger beginner | Library of Burp Suite extensions featuring tools for identifying and bypassing common web application vulnerabilities. This collection includes extensions for automating 403 bypasses, detecting SQL injection and XSS through AI analysis, fuzzing LLM prompts, scanning for AWS and cloud storage misconfigurations, and finding DOM-based vulnerabilities. Specific extensions like "Anonymous Cloud, Configuration and Subdomain Takeover Scanner" and "AI HTTP Analyzer" are detailed, alongside capabilities for AES payload manipulation and CSP header analysis. → portswigger.net |
| 2026-04-03 2026 | Burp Suite Professional BApps: Maximizing Pentester Productivity intermediate | Library of Burp Suite Professional BApps that enhance pentester productivity by automating workflows, accelerating discovery, and reducing manual effort. These extensions integrate into Burp Suite Professional to customize capabilities, standardize penetration testing workflows, reduce tool fragmentation, increase analyst efficiency, improve consistency across engagements, and enhance the scalability of security operations. BApps allow for a balance between customization and centralized control, leading to measurable productivity improvements and supporting operational maturity by automating discovery and reducing manual workloads. |
| 2026-04-03 2026 | Burp Bounty - Scan Check Builder Extension intermediate | Library for improving Burp Suite's active and passive scanners via personalized rules. It features an intuitive graphical interface for advanced pattern searching and payload enhancement, enabling users to create custom issue profiles. This extension supports the creation of unique scanning rules and integrates with Burp Collaborator for tasks like Blind RCE detection. |
| 2026-04-03 2026 | Burp Suite - Top Extensions | KSEC ARK Pentesting Knowledge Base beginner | Library of Burp Suite extensions includes tools for detecting vulnerable JavaScript libraries with Retire.js, identifying authorization flaws via Autorize, testing JOSE/JWE with JOSEPH, logging requests/responses with Logger++, and enhancing active scanning with ActiveScan++. Specific vulnerabilities mentioned include Drupalgeddon (CVE-2014-3704), Joomla SQL injection (CVE-2017-8917), WordPress SQL injection in plugins, CSRF, and numerous SSL vulnerabilities such as Heartbleed and POODLE. |
| 2026-04-03 2026 | Top 10 Must-Have Burp Suite Extensions for Web Application Security (2024) beginner | Top 10 Must-Have Burp Suite Extensions for Web Application Security (2024) |
| 2026-04-03 2026 | Top 10 Pentesting Tools and Extensions in Burp Suite | PortSwigger beginner | Library of 10 Burp Suite extensions designed to enhance penetration testing workflows, including Logger++, Autorize, Turbo Intruder, J2EEScan, Backslash Powered Scanner, Upload Scanner, Retire.js, JSON Beautifier, AuthMatrix, and Param Miner. These tools automate tasks like access control testing, bruteforcing, vulnerability detection for J2EE applications, file upload analysis, identifying outdated JavaScript libraries, JSON formatting, privilege escalation testing, and discovering hidden parameters for cache poisoning attacks. → portswigger.net |
| 2026-04-03 2026 | Top 20 Useful Burp Suite Extensions for Web Application Pentesting beginner | Library of 20 Burp Suite extensions enhances web application penetration testing by automating tasks and discovering vulnerabilities. These tools include Param Miner for hidden parameter discovery, JS Miner for JavaScript analysis, Secret Finder for detecting exposed secrets, and 403 Bypasser for access control evasion. They also cover authorization testing with Autorize, out-of-band detection via Collaborator Everywhere, high-speed brute-forcing with Turbo Intruder, and API assessment with GraphQL Raider. Other notable extensions address JWT analysis, Java deserialization flaws, and vulnerable JavaScript library detection with Retire.js. |
| 2026-04-02 2026 | Top 10 Best Dynamic Application Security Testing (DAST) Platforms in 2026 news | Top 10 Best Dynamic Application Security Testing (DAST) Platforms in 2026 https://ift.tt/W8V2b1i → gbhackers.com |
| 2026-04-02 2026 | Network Penetration Testing Tools Market Is Going to Boom |? Nessus ? Burp Suite ? Metasploit news | Network Penetration Testing Tools Market Is Going to Boom |? Nessus ? Burp Suite ? Metasploit https://ift.tt/fCDeuAg |
| 2026-02-11 2026 | SILENTCHAIN AI - AI-Powered Security Testing beginner AI | Platform for AI-powered security testing across web applications, source code, and network infrastructure. It leverages a RAG Knowledge Engine with over 80,000 security documents, supporting five AI providers including local Ollama. Features include OWASP Top 10 detection, advanced Burp Suite extension with WAF evasion, standalone web application scanning with CI/CD integration, AI-powered static code analysis with attack chain construction, and automated network penetration testing. Cross-product correlation escalates findings when multiple tools agree, with specific examples like SSRF + internal access and SQLi + sensitive traffic. |
| 2026-01-29 2026 | How I Made Burp Suite My IDOR-Finding Robot Butler (And Found 20+ Bugs) 🤖🔍 intermediate Bug Bounty IDOR | The content titled "How I Made Burp Suite My IDOR-Finding Robot Butler (And Found 20+ Bugs)" likely discusses utilizing the Burp Suite tool to automate the discovery of Insecure Direct Object Reference (IDOR) vulnerabilities, leading to the identification of over 20 bugs. The author shares their experience and strategies for leveraging Burp Suite effectively in bug hunting. The content may provide insights into the process of using automation tools for security testing and the successful outcomes achieved through this approach. → infosecwriteups.com |
| 2026-01-24 2026 | Burp Suite | Pentest Book beginner | Burp Suite | Pentest Book |
| 2026-01-20 2026 | MantisSTS/JSReconduit: Passive JavaScript reconnaissance for penetration testers — bridging Burp Suite traffic into structured, AST-based analysis in VSCode. intermediate Recon | Library bridging Burp Suite traffic into VSCode for passive JavaScript reconnaissance. It captures JavaScript assets via a Burp Suite extension and performs Abstract Syntax Tree (AST) analysis within VSCode, rendering findings like API endpoints, routes, drift detection, clusters, dataflow traces, and secrets. The tool supports source-to-sink tracing, lazy chunk extraction, optional deobfuscation, and various export formats including JSON, CSV, and SARIF. Custom signature packs can be integrated for enhanced detection. |
| 2026-01-17 2026 | pwviptbl/ProxyHunter: Aplicação Python com interface gráfica que permite configurar regras de interceptação para modificar parâmetros de requisições HTTP. Quando o navegador envia uma requisição para uma rota configurada, o proxy intercepta, modifica apenas os parâmetros especificados e encaminha a requisição mantendo todos os outros parâmetros originais. intermediate API Sec Python | Library for intercepting and modifying HTTP request parameters, featuring a GUI built with PySide6. It supports rule-based interception for GET and POST requests, manual interception with forward/drop capabilities inspired by Burp Suite, and WebSocket support. Additional modules include an advanced Intruder for automated attacks, a vulnerability scanner detecting SQL injection, XSS, CSRF, Path Traversal, and exposed sensitive information, a spider for site discovery, a request comparator, and a command-line interface for headless operation. |
| 2026-01-16 2026 | Included Skills: 𝐛𝐮𝐫𝐩𝐬𝐮𝐢𝐭𝐞-𝐩𝐫𝐨𝐣𝐞𝐜𝐭-𝐩𝐚𝐫𝐬𝐞𝐫 - Search/extract data from Burp Suite projects 𝐝𝐢𝐟𝐟𝐞𝐫𝐞𝐧𝐭𝐢𝐚𝐥-𝐫𝐞𝐯𝐢𝐞𝐰 - Security-focused differential review of code changes intermediate | The content discusses two included skills: searching/extracting data from Burp Suite projects and conducting a security-focused differential review of code changes. These skills are valuable for individuals involved in cybersecurity or software development. The link provided likely offers more detailed information on these skills. |
| 2026-01-02 2026 | repplus/rep: rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks intermediate | Library: rep+ is a Chrome DevTools extension mimicking Burp's Repeater, enhanced with AI. It captures and replays HTTP requests without proxy setup, offering features like multi-tab capture, hierarchical grouping, and robust filtering. Built-in AI can explain requests, suggest attack vectors, and modify requests directly. It supports detailed secret and endpoint extraction, parameter risk assessment, and generates Postman collections. rep+ integrates with Claude, Gemini, and Ollama, featuring a chat interface for contextual analysis across multiple requests, and offers extensive theming options. |
| 2025-12-30 2025 | Teycir/BurpAPISecuritySuite: Burp Suite extension for API security testing with 15 attack types, 108+ payloads, intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance. Supports REST/GraphQL/SOAP APIs with Nuclei, Turbo Intruder, and external tool integration. OWASP API Top 10 coverage. intermediate API Sec Fuzzing GraphQL | Library for comprehensive API security testing within Burp Suite. It consolidates 15 attack types, including BOLA, IDOR, SQLi, and GraphQL specific vulnerabilities, leveraging over 108 payloads and intelligent fuzzing. Features include automated reconnaissance, smart normalization of API endpoints, AI integration for payload generation, and seamless integration with external tools like Nuclei, Turbo Intruder, HTTPX, and SQLMap. It covers the OWASP API Top 10 and offers differential-first logic coverage and token lifecycle drift analysis. |
| 2025-12-10 2025 | Web App Hacking: Finding Web App Vulnerabilities with Caido Scanner news | Caido just became a serious Burp killer. Scanner plugin auto-detects vulns as you browse + launches targeted attacks on suspicious endpoints: https://t.co/wkiXeRK5CU |
| 2025-12-03 2025 | Web App Hacking: Finding Web App Vulnerabilities with Caido Scanner news | Caido just became a serious Burp killer. Scanner plugin auto-detects vulns as you browse + launches targeted attacks on suspicious endpoints: https://t.co/GqmmOXsL75 @three_cube |
| 2025-08-14 2025 | d0ge/sign-saboteur: SignSaboteur is a Burp Suite extension for editing, sig intermediate | Burp Suite extension for editing, signing, verifying, and attacking signed tokens. It supports many token formats, including Django, ItsDangerous, Express, OAuth2 Proxy, Tornado, Ruby on Rails, Nimbus JOSE + JWT, and unknown signed strings. Features include automatic detection and in-line editing of tokens, re-signing, and brute-force attacks against the signing secret in known-keys, fast, balanced, and deep modes, plus authorization attacks such as user claims and wrapped user claims. |
| 2025-08-14 2025 | 254Labs/awesome-bambdas: A collection of Burp Suite Lambda Filters ~ Bambda intermediate | Collection of Bambdas (Burp Suite's Java lambda filters) that customize Burp's workflow, hosted in the 254Labs/awesome-bambdas GitHub repository and categorized by the request or response object methods they filter on. To use one, switch the Proxy HTTP history filter to Bambda mode via the "Configure filter" menu, then copy or download the Bambda into the editor. Contributions are accepted via pull requests. |
| 2025-08-14 2025 | Burp Extension Dev Part 4: GUI Design - TCM Security intermediate | Part 4 of TCM Security's Burp extension development series, covering GUI design: how to build user interface components for a custom extension so that the tool integrates with the rest of the Burp Suite workflow instead of living outside it. |
| 2025-08-14 2025 | GitHub - federicodotta/Burp-Suite-Extender-Montoya-Course: This repository beginner | Repository of Burp Suite extension examples built with the Montoya API, with practical code for inspecting and modifying HTTP and WebSocket traffic, adding custom context menu items, and integrating active and passive scanner checks, including BChecks and custom scan checks. It covers environment setup, basic extension development, and advanced features such as Collaborator integration. |
| 2025-08-14 2025 | GitHub - dwisiswant0/ngocok: ngrok Collaborator Link — yet another Burp Col intermediate | Tool that captures out-of-band interactions as an alternative to Burp Collaborator by using ngrok tunnels. It opens an ngrok tunnel for HTTP or TCP and records incoming requests, optionally logging them to a file; the ngrok authtoken is supplied via a flag, the NGROK_AUTHTOKEN environment variable, or the ngrok configuration file. |
| 2025-08-14 2025 | Burp Extension Dev Part 1: Setup & Basics - TCM Security beginner | Part 1 of TCM Security's Burp extension development series, covering environment setup and the basic structure of an extension, as groundwork for building custom tooling that helps find issues such as injection flaws and broken access controls. |
| 2025-08-14 2025 | Writing Burp Bambda Filters Like a Boss intermediate | Guide to writing custom Proxy HTTP history filters as Bambdas, Java snippets that go beyond the built-in filter options. The worked example matches requests whose Authorization header carries a JWT signed with HS512, using the `ProxyHttpRequestResponse` and `Utilities` interfaces to read and decode the token. Filters are written and saved from the UI. → danaepp.com |
| 2025-08-14 2025 | synfron/ReshaperForBurp intermediate | Extension for Burp Suite that allows triggering actions and reshaping HTTP request/response and WebSocket traffic via configurable Rules. These Rules process messages based on criteria like content type, event direction, source tool, scope, and text matches, executing actions such as building HTTP messages, dropping connections, extracting values, logging, prompting, running scripts, saving files, and setting variables. It supports sharing values across rules and can be built and run within IntelliJ for debugging. |
| 2025-08-14 2025 | Improve your API Security Testing with Burp BCheck Scripts intermediate | Guide to automating API security checks in Burp Suite Professional with BCheck scripts. Written in the BCheck language (BSL), a check can send follow-up requests, validate responses, interact with Collaborator, and inject payloads at insertion points, all running inside Burp's scanner engine. The worked example reports a missing Authorization header (CWE-864); the point is to turn repetitive manual probes into scanner checks that run against every in-scope request. → danaepp.com |
| 2025-08-14 2025 | DNS Analyzer - Finding DNS vulnerabilities with Burp Suite - SEC Consult intermediate | Burp extension for discovering DNS vulnerabilities in web applications, leveraging Burp Collaborator to analyze DNS name resolution. The tool helps identify predictable UDP source ports and DNS IDs, key indicators for Kaminsky-style DNS cache poisoning attacks. Users generate a unique collaborator domain, trigger DNS resolutions (e.g., via user registration or password reset), and analyze interaction data through scatter plots and statistical metrics like standard deviation and direction bias to assess the predictability of DNS query parameters. |
| 2025-08-14 2025 | 7 Essential Burp Extensions for Hacking APIs - Security Boulevard intermediate | Extensions for Burp Suite that enhance API security testing, including Logger++ for advanced log filtering and analysis, OpenAPI Parser for generating baseline requests from documentation, Param Miner for discovering hidden parameters, Autorize for detecting authorization flaws like BOLA/IDOR, JOSEPH for tampering with JWTs, Content Type Converter for format manipulation to find XXE and other vulnerabilities, and Attack Surface Detector for mapping risk levels. → securityboulevard.com |
| 2025-08-14 2025 | Burp Suite: The Basics TryHackMe Writeup beginner | Writeup of the TryHackMe room "Burp Suite: The Basics": introductory material on the tool and the room's practical exercises, worked through in TryHackMe's lab environment. |
| 2025-08-14 2025 | https://github.com/lucsemassa/burp_bug_finder intermediate | Jython-based Burp Suite extension for automated discovery of XSS and error-based SQL injection. It injects payloads into the parameters and cookies of intercepted in-scope requests and inspects responses for reflected payloads or SQL error messages, raising alerts in the Burp dashboard for anything found. Installation requires Jython. |
| 2025-08-14 2025 | Vulnerabilities detected by Burp Scanner - PortSwigger beginner | PortSwigger's reference list of the vulnerability classes Burp Scanner reports, with a description of each issue type; useful for checking what the scanner does and does not cover before relying on it for a given assessment. → portswigger.net |
| 2025-08-14 2025 | botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study intermediate | Study guide by botesjuan for the Burp Suite Certified Practitioner (BSCP) exam: notes, tips, and resources for preparing for the certification. |
| 2025-08-14 2025 | xnl-h4ck3r/GAP-Burp-Extension intermediate | Extension for Burp Suite that identifies additional potential parameters, links for testing, and generates target-specific wordlists for fuzzing. It enhances the original `getAllParams` extension by supporting various parameter types like XML and GraphQL, and offers modes for finding parameters, words, and improved link discovery. Installation involves setting up Jython, installing required modules via `pip`, and loading the `GAP.py` script within Burp. |
| 2025-08-14 2025 | nccgroup/AutoRepeater: Automated HTTP Request Repeating With Burp Suite intermediate | Burp Suite extension that automates HTTP request repeating for authorization testing. It duplicates, modifies, and resends requests with conditional replacements for headers, cookies, and parameters, then diffs the responses automatically, which suits checks for account takeover or privilege escalation. Compared with AuthMatrix, Authz, and Autorize, AutoRepeater offers general-purpose replacements in a familiar interface. |
| 2025-08-14 2025 | My First Burp Suite Extension beginner | Walkthrough of writing a first Burp Suite extension in Java: a simple check for specific HTTP response headers, covering environment setup, the `IBurpExtender` and `IScannerCheck` interfaces, and custom `IScanIssue` objects for reporting findings. These are interfaces of the legacy Extender API; new Java extensions should target the Montoya API, though the overall structure (register a scan check, return issues) carries over. The code is on GitHub. |
| 2025-08-14 2025 | The Top 8 Burp Suite Extensions - Think outside the box beginner | List of eight recommended Burp Suite extensions, presented as ways to extend the tool beyond its built-in features and to approach testing from new angles. |
| 2025-08-14 2025 | Open Security Research: Extending Burp Proxy With Extensions intermediate | Open Security Research blog post on extending Burp Proxy with extensions: how Burp's extension mechanism can be used to add custom functionality for security testing and analysis, aimed at researchers who want to adapt the tool to their own workflow. |
| 2025-08-14 2025 | PortSwigger Web Security Blog: Writing your first Burp Suite extension beginner | PortSwigger's original guide to writing Burp Suite extensions in Java and Python: setting up an IDE, exporting the Extender interface files from Burp, writing a basic `BurpExtender` class, compiling a Java JAR, and configuring Jython for Python extensions. It also notes `OutOfMemoryError` problems with Python extensions and suggests workarounds. This describes the legacy Extender API; current Burp releases provide the Montoya API for new Java extensions, while Jython-based extensions still use the legacy interfaces. |
| 2025-08-14 2025 | Authorization Testing: AuthMatrix - Part 1 | White Oak Security intermediate | Part 1 of White Oak Security's guide to authorization testing with the AuthMatrix Burp extension: defining users and roles and using the resulting matrix to find and confirm access control flaws. → whiteoaksecurity.com |
| 2025-08-14 2025 | Web App Pentesting With Burp Suite Scan Profiles | White Oak beginner | Guide to optimizing Burp Suite scan profiles for web application penetration testing. It details how to configure profiles to enhance efficiency and effectiveness during security assessments, ensuring comprehensive coverage of potential vulnerabilities. → whiteoaksecurity.com |
| 2025-08-14 2025 | https://portswigger.net/blog/some-of-the-best-burp-extensions-as-chosen-by-you intermediate | PortSwigger's roundup of community-favorite BApp Store extensions: Autorize for detecting authorization flaws, Turbo Intruder for high-speed automated attacks, Hackvertor for tag-based encoding and escaping, Burp Bounty for custom scan checks, and Param Miner for finding hidden parameters when hunting for web cache poisoning. → portswigger.net |
| 2025-08-14 2025 | Great getting started resources for new users of Burp Suite Professional | beginner | Library of resources for new Burp Suite Professional users, including video tutorials on UI basics and Scanner setup, blog posts detailing exclusive features like Intruder and Collaborator client, and the free Web Security Academy with learning paths on SQL injection and other topics. Community content from creators like InsiderPhD, webpwnized, and STÖK showcases practical applications, alongside the BApp Store for extensions and Extender documentation for custom development. → portswigger.net |
| 2025-08-14 2025 | https://www.whiteoaksecurity.com/web-app-pentesting-burp-suite-scan-profile/ intermediate | Direct link to White Oak Security's guide on Burp Suite scan profiles for web application penetration testing, which walks through configuring a scan profile so that automated scanning is both efficient and thorough in what it covers. → whiteoaksecurity.com |
| 2025-08-14 2025 | Authentication Token Obtain and Replace (ATOR) Burp Plugin: Fast and Reliab intermediate | The Authentication Token Obtain and Replace (ATOR) Burp plugin automates the handling of authentication tokens during testing: it obtains a fresh token from the application and substitutes it into subsequent requests, so that expiring or rotating tokens do not interrupt Scanner, Intruder, or Repeater work. |
| 2025-08-14 2025 | BurpSuite Extensions: Some Favorites - VDA Labs beginner | VDA Labs' roundup of favorite Burp Suite extensions: Taborator for out-of-band interactions, beautifiers for response readability, Active Scan++ and Additional Scanner Checks for broader issue detection, Freddy for deserialization vulnerabilities, HTML5 Auditor, CSP-Bypass for header analysis, AWS Security Checks, Retire.js for outdated JavaScript, SSL Scanner for TLS assessment, J2EEScan for J2EE vulnerabilities (including CVE-2010-1871, CVE-2011-2730, and S2-016), Error Message Checks, Software Vulnerability Scanner using the Vulners.com API, CSRF Scanner, Collaborator Everywhere for backend interaction discovery, and Upload Scanner for file upload bypasses. |
| 2025-08-14 2025 | Burp Share Requests - PortSwigger intermediate | Extension for Burp Suite that generates shareable links to specific HTTP requests. Users can right-click requests in various Burp tabs and select "create link" to add them to the "Burp Share Requests" tab. From there, HTML or direct browser links can be generated for easy sharing with other Burp Suite users, streamlining collaboration and analysis of captured traffic. → portswigger.net |
| 2025-08-14 2025 | https://www.infosecurity-magazine.com/news/portswigger-launches-web-security/ news | News report on the launch of PortSwigger's Web Security Academy, a free platform of interactive labs and reading material for web security training, pitched at the cybersecurity skills shortage. Content covers topics such as clickjacking, WebSockets, HTTP request smuggling, server-side request forgery, and XXE injection in a safe lab environment, with progress tracking and leaderboards. → infosecurity-magazine.com |
| 2025-08-14 2025 | https://gist.github.com/righettod/862728e1476c0551f1ddf38f099a1803 beginner | Gist by righettod with notes on securing web applications against common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery, stressing input validation, output encoding, parameterized queries, keeping components up to date, and regular security assessments. |
| 2025-08-14 2025 | https://github.com/snoopysecurity/awesome-burp-extensions beginner | Library of curated Burp extensions enhancing security testing capabilities. This extensive list includes tools for passive and active scanning, such as ActiveScan++, Burp Vulners Scanner, and J2EEScan. It also features extensions for specific vulnerabilities like CSRF, HTML5 security risks, Java deserialization, and Log4Shell (CVE-2021-44228), alongside utilities for Content Security Policy bypass, HTTP request smuggling, and GraphQL security testing with InQL Scanner. Extensions are categorized for easy navigation, covering areas like Cloud Security, OAuth, Information Gathering, and Web Application Firewall Evasion. |
| 2025-08-14 2025 | Using Burp to Test a REST API | Burp Suite Support Center intermediate | Guide to testing REST APIs using Burp Suite, demonstrating how to identify API endpoints and map the attack surface by proxying traffic and analyzing JSON or XML responses. The guide details using the Repeater tab to identify vulnerable parameters, such as those susceptible to arithmetic evaluation, and then performing SQL injection attacks by crafting specific SQL syntax to verify vulnerabilities. |
| 2025-08-14 2025 | https://www.kitploit.com/2018/11/aes-killer-v30-burp-plugin-to-decrypt.html?utm_source=dlvr.it&utm_medium=twitter&m=1 intermediate | AES Killer v3.0 is a Burp Suite plugin that decrypts AES-encrypted request and response bodies on the fly, so that application-layer encryption added by a web or mobile client does not prevent testing of the underlying plaintext parameters. This is distinct from TLS, which Burp's proxy already terminates; the plugin is for applications that additionally encrypt their payloads with AES. → kitploit.com |
| 2025-08-14 2025 | PortSwigger/param-miner beginner | Extension that identifies hidden, unlinked parameters, significantly aiding in the discovery of web cache poisoning vulnerabilities. Param Miner employs advanced diffing logic and a binary search technique to probe up to 65,000 parameter names per request, drawing from both a built-in wordlist and harvested terms from in-scope traffic. It integrates seamlessly with Burp Suite, reporting findings as scanner issues in Pro versions or listing them under the Extender tab, and supports scalable multi-request attacks and auto-mining of traffic. |
| 2025-08-14 2025 | GitHub - nccgroup/BurpSuiteHTTPSmuggler: A Burp Suite extension to help pen intermediate | Extension for Burp Suite designed to assist pentesters in bypassing Web Application Firewalls (WAFs) or assessing their efficacy through various HTTP request encoding techniques. Developed by NCC Group, its initial release (v0.1) focuses on the complex task of encoding, with future versions planned to incorporate additional bypass methods. |
| 2025-08-14 2025 | The Top 5 Burp Suite Extensions beginner | Roundup of five Burp Suite extensions for penetration testing: XSS Validator for confirming cross-site scripting findings, Burp Notes for keeping documentation inside Burp, Sentinel as a free alternative scanner, Random IP Address Header for WAF bypass attempts, and Bupy/Python Scripter for running custom scripts against traffic. |
| 2025-08-14 2025 | SleuthQL - Burp History Parsing Tool To Discover Potential SQL Injection Po intermediate | SleuthQL parses exported Burp Suite proxy history to find requests and parameters that look like candidates for SQL injection, giving testers a shortlist of injection points to check rather than the whole history. → kitploit.com |
| 2025-08-14 2025 | https://www.hackingarticles.in/burp-suite-for-pentester-hackbar/ intermediate XSS XXE | HackBar extension for Burp Suite, a Java plugin installed from its GitHub repository, which speeds up manual testing by offering dropdown lists of ready-made payloads for SQL injection, cross-site scripting, local file inclusion, and other common injection flaws, so that injection points can be probed quickly from within Burp. |
| 2025-04-30 2025 | #burp #pentest #ai #hackerassociate #cybersecurity #infosec… | Harshad Shah intermediate AI Talks | Setting Up #Burp MCP Server on Claude Desktop #Pentest Modern App with #Ai ⇢ Learn how to set up a Burp MCP Server on your Claude desktop in this easy-to-follow tutorial. ⇢ Get your server up and... |
| 2025-04-10 2025 | Best Browser Extensions for Bug Hunting and Cybersecurity beginner Bug Bounty | If you are getting into bug hunting or cybersecurity the right tools can make a huge difference. Browser extensions help automate tasks, find hidden vulnerabilities and protect your privacy. Here is… → infosecwriteups.com |
| 2025-04-03 2025 | Sticky Burp, Reusable and Replaceable Environment Variables intermediate | Library for managing reusable environment variables ("stickies") within Burp Suite. This tool allows users to capture selected text from request and response panes across various Burp tabs, such as Proxy and Repeater. Stickies are stored with names, values, source information, and notes, enabling quick replacement of payload content with these stored variables, useful for exploit server URLs, authentication tokens, or dynamic response data. Professional editions persist stickies across Burp projects. → portswigger.net |
| 2025-03-10 2025 | GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage. intermediate Secrets | Extension for Burp Suite that passively scans webpages to extract sensitive strings like keys, secrets, and tokens. It lists these findings as information issues within Burp's issues box and output extender, aiding in the identification of potential security vulnerabilities by highlighting credential leakage. |
| 2025-03-08 2025 | GitHub - trufflesecurity/trufflehog-burp-suite-extension: Official TruffleHog Burp Suite Extension. Scan Burp Suite traffic for 800+ different types of secrets (API keys, passwords, SSH keys, etc) using TruffleHog. intermediate Secrets | Extension for Burp Suite that leverages TruffleHog to scan traffic for over 800 types of secrets, including API keys, passwords, and SSH keys. The extension writes HTTP traffic to disk, which TruffleHog then scans every 10 seconds, reporting any found secrets in a dedicated tab. It offers features like secret verification and configurable scan intervals, with the ability to scan traffic from various Burp Suite tools beyond just the proxy. |
| 2025-02-01 2025 | A Burpsuite Extension For JS Reconnaissance - Jsmon intermediate Recon | Extension for Burpsuite that integrates Jsmon's JavaScript scanning and monitoring capabilities, automatically analyzing HTTP history for client-side exposures and secrets. Features include automatic or manual analysis, scope filtering to optimize API calls, and seamless integration within Burpsuite's workflow for enhanced web security testing. |
| 2025-01-30 2025 | BChecks - IntelliJ IDEs Plugin | Marketplace intermediate | Provides support for the BCheck language, used to provide custom scan checks for Burp Suite Professional and Burp Suite Enterprise. Key features: Syntax highlighting... |
| 2025-01-28 2025 | GitHub - IckoGZ/burp-deepseek: A quick and dirty (and a little shitty) burp extension that uses cheap deepseek api to send request and response and maybe found something interesting. intermediate | Library integrating the DeepSeek API into Burp Suite for AI-driven security analysis. This beta-stage plugin allows users to send HTTP requests and responses from Burp Suite's Proxy or Repeater to DeepSeek for vulnerability detection and sensitive data identification. It features context menu integration, asynchronous API calls, customizable prompts, and generates "DeepSeek Analysis" issues within Burp's Scanner. |
| 2024-12-31 2024 | GitHub - hackerassociate/SSRF-Hacks-IP-Decimal: A Burp Suite extension that converts IP addresses to decimal notation, useful for SSRF bypass and WAF evasion testing. Created by Harshad Shah. intermediate SSRF | Extension for Burp Suite that converts IPv4 addresses to decimal notation. Developed by Harshad Shah, this tool aids penetration testers in bypassing security controls by automatically replacing IP addresses within requests with their decimal equivalents. It integrates into the context menu and logs conversions, proving useful for SSRF bypass and WAF evasion testing. |
| 2024-12-12 2024 | API Testing with Insomnia and Burp Suite: An Alternative to Postman beginner API Sec | Library for API testing and hacking, demonstrating how to use Insomnia and Burp Suite as an alternative to Postman. It details capturing API requests with mitmproxy, converting them to OpenAPI 3.0 format using mitmproxy2swagger for import into Insomnia, and leveraging Insomnia's features like variable management and Burp Suite integration for testing vulnerabilities such as Improper Asset Management. |
| 2024-12-03 2024 | burp-extensions-montoya-api-examples/customlogger/src/main/java/example/customlogger/MyTableModel.java at main · PortSwigger/burp-extensions-montoya-api-examples intermediate | Library example demonstrating how to create a custom table model within a Burp Suite extension using the Montoya API. This code snippet focuses on logging HTTP responses, specifically capturing the `toolSource` and the URL of the `initiatingRequest`, and displaying them in a tabular format. The `MyTableModel` class extends `AbstractTableModel` and manages a list of `HttpResponseReceived` objects, providing methods for adding new entries and retrieving data for display. |
| 2024-12-03 2024 | Hacking API discovery with a custom Burp extension intermediate API Sec | Custom Burp extension for API discovery that dynamically generates over 4,000 candidate paths for API documentation, including Swagger and OpenAPI formats, and recursively checks discovered directories. It uses exponential backoff so that requests survive transient failures and rate limiting, and parallel processing to speed up the search for documentation artifacts. → danaepp.com |
| 2024-12-03 2024 | Burp-Montoya-Utilities/src/main/java/com/coreyd97/BurpExtenderUtilities/PopOutPanel.java at master · CoreyD97/Burp-Montoya-Utilities intermediate | Library code for a Burp Suite extension featuring a `PopOutPanel` component. This Java class enables users to detach and display Swing components in a separate JFrame, offering functionality to pop components in and out of their original context within the Burp Suite interface. |
| 2024-11-29 2024 | Python Twisted proxy - how to intercept packets intermediate Python | Stack Overflow thread on building a simple intercepting proxy with Python's Twisted framework that logs, and can modify, HTTP request and response bodies; a minimal do-it-yourself alternative for cases where a full proxy such as Burp is unavailable or traffic needs custom handling. → stackoverflow.com |
| 2024-11-25 2024 | burp-extensions-montoya-api-examples/collaborator/src/main/java/example/collaborator/CollaboratorExample.java at main · PortSwigger/burp-extensions-montoya-api-examples · GitHub intermediate | Library demonstrating the use of the Burp Collaborator Client API within a custom extension. This example shows how to create or restore a `CollaboratorClient`, log interactions received, register a request handler, and poll for new interactions periodically. It includes code for persisting the Collaborator secret key using `PersistedObject` to allow for client restoration across extension reloads, and graceful shutdown of the polling mechanism. |
| 2024-10-05 2024 | Mindmap/Burp Suite/Burp Suite Normal.png at main · Ignitetechnologies/Mindmap beginner | This repository will contain many mindmaps for cyber security technologies, methodologies, courses, and certifications in a tree structure to give brief details about them - Ignitetechnologies/Mindmap |
| 2024-10-03 2024 | Top 10 Browser Extensions Every Bug Bounty Hunter Needs beginner Bug Bounty | As bug bounty hunters, we need to save time by avoiding constant switching between the terminal, multiple tabs, Burp Suite (including… |
| 2024-09-21 2024 | Proving API exploitability with Burp Collaborator intermediate API Sec | Article on proving API exploitability with Burp Collaborator, using out-of-band application security testing (OAST) to demonstrate insecure deserialization, SSRF, open redirects, and blind XXE without needing a reverse shell. Crafted payloads make the target interact with Collaborator's DNS, HTTP/HTTPS, or SMTP services, and the captured interaction is the evidence of exploitability. The article covers configuring and using Collaborator and references its use against CVE-2023-40044 and crAPI. → danaepp.com |
| 2024-09-16 2024 | PyCript: Burp Suite extension that allows for bypassing client-side encryption intermediate Python | Burp Suite extension that bypasses client-side encryption by decrypting and re-encrypting requests, manually or automatically. PyCript runs custom encryption logic written in JavaScript under Node.js, handles keys and IVs carried in request headers or bodies, and integrates with Burp Scanner, SQLMap, and Intruder so that testing happens against plaintext. |
| 2024-08-30 2024 | GitHub - e1abrador/Burp-Encode-IP: Burp Suite extension to encode an IP address focused to bypass application IP / domain blacklist. intermediate | Burp Suite extension that encodes IP addresses in alternative representations such as Unicode, IPv6 forms, hexadecimal, octal, and mixed integer notation, in order to bypass application IP or domain blacklists when testing SSRF, open redirect, and RFI. It also supports DNS rebinding and Collaborator integration for cases where a string-level encoding is not enough. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub beginner RCE SQLi XSS | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2024-08-16 2024 | GitHub - 0x999-x/jsluicepp: jsluice++ is a Burp Suite extension designed for passive and active scanning of JavaScript traffic using the CLI tool jsluice intermediate | Extension integrating the jsluice CLI tool with Burp Suite for passive and active scanning of JavaScript traffic. It extracts URLs, paths, and secrets from JavaScript files, offering features like context menu processing, passive proxy scanning, URL monitoring with diff detection, and sending findings to Repeater. It also supports secret detection and scoped processing. |
| 2024-08-03 2024 | Testing Handbook - Burp beginner Talks | Watch the recording Testing Handbook: Burp Suite Professional https://appsec.guide → docs.google.com |
| 2024-08-03 2024 | Mastering Web Research with Burp Suite beginner | Mastering Web Research with Burp Suite |
| 2024-08-02 2024 | GitHub - synacktiv/HopLa: HopLa Burp Suite Extender plugin - Adds autocompletion support and useful payloads in Burp Suite intermediate | Extension that adds autocompletion and useful payloads to Burp Suite, plus AI-assisted autocompletion, chat, and request transformation through OpenAI, Gemini, and Ollama. It offers dynamic payload insertion, Collaborator domains, custom keyword management, extensive YAML-based payload customization, and hotkeys, building on payload collections such as PayloadsAllTheThings. |
| 2024-07-31 2024 | Extending Burp Suite for fun and profit - The Montoya way - Part 5 - hn security intermediate | Setting up the environment + Hello […] |
| 2024-07-30 2024 | Here's how I get the most out of Burp Suite reporting intermediate | Guide to extracting detailed vulnerability data from Burp Suite Professional for reporting: generating HTML reports from scanner findings with full requests and responses, and exporting raw HTTP history from the Proxy and Repeater tabs as XML. Having scan results, proxy logs, and Repeater sessions available as structured data supports reports for both technical and non-technical audiences. → danaepp.com |
| 2024-07-30 2024 | JS Link Finder Burp Suite Extension Guide intermediate Bug Bounty | Improve your bug bounty hunting, pentesting, and appsec skills with the JS Link Finder Burp Suite Extension. Discover hidden endpoints and… |
| 2023-12-06 2023 | GAP Burp Extension (video) intermediate | Video on the GAP Burp extension: https://www.youtube.com/watch?v=Os3bN0zUROA |
| 2023-11-07 2023 | Example Collaborator-based check intermediate | PortSwigger's example BCheck for detecting SSRF with Burp Collaborator. The check sends a copy of each request with a generated Collaborator address in the Referer header; if Collaborator records any interaction, an SSRF issue is reported with high severity and firm confidence, since the target has fetched an arbitrary URL taken from the Referer header. → portswigger.net |
| 2023-11-03 2023 | Burp Suite Shorts | Automatic Session Handling beginner AuthN | Short video on Burp Suite's automatic session handling: session handling rules that run macros to re-establish a session and update cookies or tokens, so that Scanner, Intruder, and Repeater requests are not invalidated mid-test. https://www.youtube.com/watch?v=yoENNJjC4NY |
| 2023-10-29 2023 | PortSwigger/BChecks: BChecks collection for Burp Suite Professional intermediate | Collection of BChecks for Burp Suite Professional and Burp DAST, containing custom scan checks by PortSwigger and the community for issues such as blind SSRF, exposed .git directories, leaked AWS tokens, Log4Shell, server-side prototype pollution, and suspicious input transformations, plus checks for specific CVE-identified vulnerabilities. Documentation, examples, and a definition reference are included for writing and testing your own BChecks. |
| 2023-10-05 2023 | How to build custom scanners for web security research automation intermediate Fuzzing Recon | PortSwigger research article on building custom scanners, using race-condition detection as the worked example. It automates the "probe" phase of manual testing with concurrent requests and the single-packet attack, and uses "gadgets" such as embedded user data to spot race-condition information leaks. The scanner was released in Backslash Powered Scanner, installable from the BApp Store, to help researchers automate the discovery of under-explored attack classes. → portswigger.net |
| 2023-10-04 2023 | A lightweight web security auditing toolkit beginner | Toolkit for web security auditing that enhances manual testing with AI and teamwork. Caido integrates with LLM providers like Anthropic, Google, and OpenAI through OpenRouter, enabling AI-powered plugins and programmatic access via its Client SDK. Features include autonomous agents for payload generation and task execution, precise request/response searching with HTTPQL, and ad-hoc automation via a node-based system. The platform boasts over 6,000 active users, 54+ community plugins, and a Discord community of 4,500+ members. |
| 2023-09-15 2023 | burp.IBurpExtenderCallbacks java code examples intermediate | burp.IBurpExtenderCallbacks java code examples https://ift.tt/je1FMoP |
| 2023-09-03 2023 | Proxying Burp Traffic through VPS using SOCKS Proxy intermediate | Tunnel your BurpSuite traffic through VPS to bypass restrictions using SOCKS proxy. |
| 2023-08-13 2023 | Swing in Python Burp Extensions - Part 1 intermediate Python | Library for creating custom Jython Swing GUIs within Burp extensions, detailing the implementation of `ITab` interfaces, `JPanel` layout managers, `JButton` action listeners, `JSplitPane` dividers, `JList` selection events with `ListSelectionListener` and `valueChanged`, `JTabbedPane` for organizing UI elements, and `StyledDocument` for text styling and content insertion into `JTextPane`, as well as loading URLs into `JEditorPane`. |
| 2023-08-03 2023 | Proxying MetaSploit through BurpSuite intermediate | Proxying MetaSploit through BurpSuite https://ift.tt/ZHsxq1m |
| 2023-07-19 2023 | Web App Hacking with Caido.io beginner API Sec | Web App Hacking with Caido.io https://www.youtube.com/watch?v=lW-u_2EByT4 |
| 2023-07-02 2023 | DNS Analyzer - Finding DNS vulnerabilities with Burp Suite intermediate Recon | Library for discovering DNS vulnerabilities in web applications. This Burp Suite extension leverages Burp Collaborator to analyze DNS name resolution, helping identify potential abuse of "Forgot password?" features for account takeovers, reminiscent of Kaminsky-style attacks. It provides a Kaminsky status, scatter plots, and statistics to assess the predictability of UDP source ports and DNS IDs in DNS queries, offering a more accessible alternative to setting up dedicated DNS analysis servers. |
| 2023-06-17 2023 | Web Application Hacking with Burp Suite beginner | Library of hands-on exercises for mastering Burp Suite, covering information disclosure, insecure decentralization, web socket testing, directory traversal, XXE, XSS, and SQL injection vulnerabilities. This course emphasizes practical application, guiding users through tool setup and real-world examples to equip them for comprehensive web application security testing. |
| 2023-05-29 2023 | RepeaterSearch intermediate Fuzzing | Extension that adds a search bar to Burp Suite's Repeater tab. This tool enables users to efficiently locate requests and/or responses containing a specific string, with support for both simple text matching and regular expressions. It highlights matching repeater tabs, streamlining the process of analyzing and identifying vulnerabilities within HTTP traffic. |
| 2023-04-13 2023 | How to use Burp Suite Like a PRO? beginner | How to use Burp Suite Like a PRO? https://ift.tt/fbstnRg |
| 2023-04-09 2023 | aress31/burpgpt intermediate AI | Library leveraging OpenAI's GPT models to detect security vulnerabilities missed by traditional scanners. BurpGPT integrates with Burp Suite, sending web traffic for analysis via customizable prompts and a placeholder system, generating automated reports of potential issues. It supports various OpenAI models, allows granular control over token usage and prompt length, and offers example use cases for tailored analysis, such as identifying CVE-related library flaws or biometric authentication vulnerabilities. |
| 2023-02-17 2023 | Burp Suite Extensions Rarely Utilized but Quite Useful beginner | The content discusses the underutilization of Burp Suite extensions despite their usefulness. It highlights that these extensions can enhance the functionality of Burp Suite, aiding in various security testing tasks. The article likely delves into the benefits of utilizing these extensions, such as improving efficiency, expanding capabilities, and enhancing the overall experience of using Burp Suite for security testing purposes. Overall, it emphasizes the value of exploring and incorporating these extensions into one's workflow to maximize the potential of Burp Suite. |
| 2023-02-16 2023 | A Step-by-Step Guide to Writing Extensions for API Pentesting in BurpSuite intermediate | Library for creating custom BurpSuite extensions in Python, focusing on API penetration testing. It guides users through setting up a development environment with Jython, writing a basic "Hello World" extension, and then constructing a more advanced "UUID Inspector" that identifies v1 UUIDs during passive scans, registering them as issues in BurpSuite's dashboard. → danaepp.com |
| 2022-06-20 2022 | Favorite tweet by @Burp_Suite news XSS | Favorite tweet: Burp Suite 2022.6 released to the Early Adopter channel. Includes grouped tabs for Repeater, connection reuse for HTTP/1 requests, and new preset scan modes. Also introduces the abili... |
| 2022-06-20 2022 | Favorite tweet by @PortSwigger news XSS | Favorite tweet: Finding Client-Side Prototype Pollution (CSPP) with DOM Invader by @garethheyes - now available on the Early Adopter channel https://t.co/ut1Buup1so — PortSwigger (@PortSwigger) Jun ... |
| 2022-04-20 2022 | Favorite tweet by @Jhaddix beginner | Favorite tweet: Asking for a friend: What's the current best low-cost, self-study, Burp Suite training out there? — Jason Haddix (@Jhaddix) Apr 19, 2022 |
| 2022-04-14 2022 | Favorite tweet by @e11i0t_4lders0n news Bug Bounty XSS | Favorite tweet: Burp Extension for XSS Thread 🧵 #bugbounty #bugbountytip #bugbountytips — Tushar Verma 🇮🇳 (@e11i0t_4lders0n) Apr 14, 2022 |
| 2022-03-21 2022 | Favorite tweet by @cedoxX intermediate | Favorite tweet: Nuclei-Burp-Plugin - A @Burp_Suite plugin intended to help with Nuclei template generation. https://t.co/wseZPcgBE0 @KitPloit #RedTeam #Tools #Cyber #Hacker #BugBounty #Hacking https:... |
| 2022-03-06 2022 | Favorite tweet by @fardeenahmed411 news Bug Bounty Recon | Favorite tweet: Top 10 essential tools for Bug-Bounty Hunting : 1. Burp Suite / ZAP-Proxy 2. Google Dorking Script 3. DNS-Discovery 4. Reverse IP Lookup 5. Wapiti 6. INalyzer 7. IronWASP 8. Wfuzz 9. ... |
| 2022-03-02 2022 | Favorite tweet by @ptracesecurity intermediate Recon | Favorite tweet: Nuclei-Burp Extension: run nuclei scanner directly from burp https://t.co/5eXxgjapf7 #Pentesting #BurpSuite #WebSecurity #Infosec https://t.co/xwhsoQfhRo — Ptrace Security GmbH (@ptr... |
| 2022-01-03 2022 | BUG BOUNTY HUNTING WITH BURP SUITE beginner Bug Bounty | BUG BOUNTY HUNTING WITH BURP SUITE |
| 2021-11-22 2021 | Burp Suite for Pentester: Software Vulnerability Scanner & Retire.js beginner | Library for Burp Suite, "Software Vulnerability Scanner" leverages the vulners.com API to identify software versions vulnerable via CPE fingerprints or path matching. It also includes "Retire.js" to detect outdated JavaScript libraries within web applications. |
| 2021-10-29 2021 | Improvements to Burp Suite authenticated scanning intermediate AuthZ | Library improvements to Burp Suite's authenticated scanning in version 2021.9.1 enhance testing of complex web applications by enabling recording and replay within iframes. The update addresses issues with animated elements, SVG icons within buttons, and JavaScript-driven redirections, improving accuracy and efficiency. It also adds support for multi-select elements, further streamlining the process of scanning privileged areas of modern web applications. → portswigger.net |
| 2021-09-07 2021 | Authorization Testing: AuthMatrix - Part 1 | White Oak Security intermediate | Part 1 of White Oak Security's series on authorization testing with the AuthMatrix Burp Suite extension. → whiteoaksecurity.com |
| 2021-08-30 2021 | Web App Pentesting With Burp Suite Scan Profiles intermediate | Guide on optimizing Burp Suite scan profiles for effective web application penetration testing, detailing strategies for vulnerability discovery and risk management. → whiteoaksecurity.com |
| 2021-08-25 2021 | Burp Suite for Pentester: Repeater beginner | Library for Burp Suite Professional's Repeater, enabling pentesters to modify and resend HTTP requests to analyze server responses. Features include tab renaming, changing request methods (GET, POST, etc.), navigating request history, pasting URLs directly as requests, automatic URL encoding for easier parameter handling, configurable redirection following, and search functionality within requests and responses for efficient analysis of web application behavior. |
| 2021-08-21 2021 | Why u should use burp to test Path Traversal Vulnerability and also get RXSS intermediate XSS | Why u should use burp to test Path Traversal Vulnerability and also get RXSS |
| 2021-07-25 2021 | burpa: Burp Automator intermediate | Library for automating Burp Suite scans, burpa offers a high-level CLI and Python interfaces to launch Dynamic Application Security Testing (DAST) scans. It utilizes the official REST API for scan execution and report generation, supporting authenticated scans with application credentials. Configuration can be managed via environment variables or `.env` files. Burpa provides commands for scanning URLs, generating reports, scheduling scans, stopping Burp Suite, and testing API connectivity. |
| 2021-07-19 2021 | Top 11 extensions to turn your browser into an advance hacking tool intermediate Bug Bounty | This content lists eleven browser extensions designed to transform a web browser into an advanced hacking tool. The article aims to equip users with resources for penetration testing and security analysis directly within their browser environment. The extensions likely offer functionalities for tasks such as network scanning, vulnerability assessment, and code inspection. |
| 2021-07-19 2021 | Leveraging Burp Suite extension for finding IDOR(Insecure Direct Object Reference). intermediate IDOR | This content focuses on using a Burp Suite extension to discover Insecure Direct Object References (IDOR) vulnerabilities. IDORs occur when an application allows users to access resources they are not authorized to by manipulating parameters like IDs. The Burp Suite extension likely automates or assists in identifying these flaws within web applications, making security testing more efficient. No specific bug bounty payout amounts are mentioned. |
| 2021-07-14 2021 | RequestBin Collect inspect and debug HTTP requests and webhooks beginner API Sec | Tool for inspecting and debugging HTTP requests and webhooks. This platform, reliable since 2018 and SOC 2 compliant, offers cloud storage for persistent data access across devices, enabling real-time request monitoring, detailed analytics, and collaborative debugging for distributed teams, with free and upgrade options available. |
| 2021-06-30 2021 | Introducing DOM Invader: DOM XSS just got a whole lot easier to find beginner XSS | Library for finding DOM-based XSS vulnerabilities in web applications. DOM Invader, a Burp Suite extension, simplifies DOM XSS discovery through its Augmented DOM feature, presenting a tree view of sources and sinks. It aids in identifying issues by highlighting user input within sinks and supports testing for web-message vulnerabilities, including spoofing origins and generating proof-of-concept exploits. The library also includes a ranked list of common sources and sinks, such as `eval` and `document.write`. → portswigger.net |
| 2021-06-05 2021 | Automating Burp Suite -4 | Understanding And Customising Custom Header From intermediate | The content discusses the creation of a Burp Extension using Jython to automate Burp Suite tasks. Specifically, it focuses on adding custom headers to requests. This is the fourth tutorial in the series, emphasizing understanding and customizing custom headers. The tutorial likely provides step-by-step instructions on how to implement this feature within Burp Suite for automated testing and customization purposes. → infosecwriteups.com |
| 2021-05-05 2021 | PimpMyBurp intermediate | PimpMyBurp is a collection of Burp Suite extensions designed to enhance its functionality. It provides a variety of tools to improve the efficiency of security professionals. These extensions offer features for tasks such as advanced scanning, request manipulation, and data analysis, ultimately aiding in the discovery and exploitation of vulnerabilities. |
| 2021-05-04 2021 | Detecting and annoying Burp users intermediate | Technique for detecting and disrupting Burp Suite usage, including methods for identifying the web interface via favicon MD5 hashes and localhost resolution, detecting TLS man-in-the-middle with PortSwigger issuer checks and JA3 fingerprinting, exploiting infinitely chunked responses, enumerating EventListeners to detect browser extensions, and leveraging Brotli compression and user-agent discrepancies. It also details ways to break Burp's crawler with unusual characters, confuse its active scanner with delays and collaborator interactions, bypass decoding, and exploit Intruder's marker character handling with PHP. |
| 2021-04-22 2021 | Web App Pentesting With Burp Suite Scan Profiles | White Oak intermediate | Reference for configuring Burp Suite scan profiles to enhance web application penetration testing. This document, from White Oak Security, focuses on practical application of Burp Suite features to identify vulnerabilities efficiently. → whiteoaksecurity.com |
| 2020-12-03 2020 | My First Burp Suite Extension beginner | Library for creating custom Burp Suite extensions, written in Java. This resource details the process of setting up a Java IDE like Netbeans to debug extensions directly within Burp Suite, implementing the `IBurpExtender` and `IScannerCheck` interfaces, and constructing `IScanIssue` objects to report findings. The example extension checks for the presence of specific response headers during passive scans. |
| 2020-05-30 2020 | BurpSuite Extensions: Some Favorites - VDA Labs intermediate | Library of Burp Suite extensions featuring Taborator for out-of-band interactions, JSON Beautifier and .NET Beautifier for improved readability, Active Scan++ for enhanced issue detection including Shellshock, and Freddy for deserialization vulnerabilities. Additional tools like HTML5 Auditor, CSP-Bypass, AWS Security Checks, Retire.js for outdated JavaScript, SSL Scanner for TLS issues, J2EEScan with CVE-2010-1871 and CVE-2011-2730, Error Message Checks, Software Vulnerability Scanner via Vulners.com API, CSRF Scanner, Collaborator Everywhere for backend systems, and Upload Scanner for file upload bypasses are also detailed. |
| 2019-11-14 2019 | PortSwigger Launches Web Security Academy beginner | Academy launched by PortSwigger, offering free interactive labs and reading materials to address global cybersecurity talent shortages. The platform features content on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection, allowing users to practice in a safe, risk-free environment and track their progress. The content will be continually updated to reflect evolving cyber threats. → infosecurity-magazine.com |
| 2019-08-23 2019 | How i exploit out-of-band resource load (HTTP) using burp suite extension plugin (taborator) intermediate | The content discusses exploiting out-of-band resource load using a Burp Suite extension plugin called Taborator. It focuses on the background of the issue, likely related to leveraging HTTP requests to manipulate or extract data from a target system. The use of Burp Suite, a popular web vulnerability scanner, in combination with the Taborator plugin suggests a method for identifying and potentially exploiting vulnerabilities related to out-of-band resource loading. This technique could be used for security testing and identifying weaknesses in web applications. |
| 2019-03-10 2019 | The Top 5 Burp Suite Extensions intermediate | Extensions for Burp Suite enhance its capabilities for security researchers. XSS Validator aids in confirming cross-site scripting vulnerabilities by using PhantomJS to verify findings. Burp Notes improves documentation by allowing detailed saving of target and attack information. Sentinel offers a free alternative to Burp Pro's scanner. Random IP Address Header helps evade WAFs by periodically altering the IP address. Bupy and Python Scripter enable custom script development for advanced Burp manipulation. |
| 2018-11-08 2018 | AES-Killer v3.0 - Burp Plugin To Decrypt AES Encrypted Traffic Of Mobile Apps On The Fly intermediate | AES-Killer v3.0 is a Burp plugin designed to decrypt AES encrypted traffic from mobile apps in real-time. This tool allows for the decryption of encrypted data on the fly, aiding in the analysis of mobile app traffic for security testing and debugging purposes. → kitploit.com |
| 2018-06-08 2018 | SleuthQL - Burp History Parsing Tool To Discover Potential SQL Injection Po intermediate | SleuthQL is a tool designed to parse Burp history and identify potential SQL injection points. It aims to assist in discovering vulnerabilities related to SQL injection by analyzing requests and responses within Burp Suite. This tool is useful for security professionals and researchers looking to enhance their testing capabilities and identify potential weaknesses in web applications. → kitploit.com |
| 2016-12-28 2016 | The Top 8 Burp Suite Extensions - Think outside the box intermediate | The content is a title mentioning the top 8 Burp Suite extensions and encourages thinking outside the box when using these tools. It suggests that these extensions can enhance the functionality of Burp Suite, a popular web application security testing tool. The focus is on exploring innovative ways to utilize these extensions to improve security testing processes. |
Frequently Asked Questions
- What is Burp Suite used for?
- Burp Suite is a web application security testing platform. It intercepts HTTP/HTTPS traffic between your browser and target application, allowing you to inspect, modify, and replay requests. Key tools include Proxy (traffic interception), Repeater (manual request testing), Intruder (automated fuzzing), and Scanner (automated vulnerability detection).
- What is the difference between Burp Suite Community and Pro?
- Burp Suite Community Edition provides the core proxy, repeater, and decoder tools for free. The Professional edition adds the automated vulnerability scanner, Intruder with full speed (Community is throttled), the Collaborator client for out-of-band testing, project saving, and content discovery features.
- What are the most useful Burp Suite extensions?
- Essential extensions include Autorize (authorization testing), Active Scan++ (enhanced scanning), Logger++ (advanced logging), Param Miner (hidden parameter discovery), Turbo Intruder (high-speed fuzzing with Python), and Hackvertor (encoding/decoding). The BApp Store contains hundreds of community extensions.