https://appsec.fyi/tools.html#burp-suite Curated Burp Suite resources from appsec.fyi en-us Sun, 07 Jun 2026 04:05:35 +0000 carl@chs.us (Carl Sampson) https://x.com/Sultane221/status/2059426422876229951 https://x.com/Sultane221/status/2059426422876229951 Mahmoud BARRY ( Docteur JS👨‍💻): Day #11 of #100DaysOfCyber | Exploitation d'un #SSRF Avant hier, on a vu la théorie derrière le SSRF (Server-Side Request Forgery). Aujourd'hui, place au lab pratique d... Burp Suite intermediate Wed, 27 May 2026 00:13:46 +0000 https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability Lab walkthrough demonstrating exploitation of a mass assignment vulnerability to purchase a product. The lab involves logging in with `wiener:peter`, adding an item to the basket, and then identifying and manipulating a `chosen_discount` parameter within the `/api/checkout` POST request. By adding this hidden parameter and altering its value, users can bypass credit limitations and solve the exercise. Burp Suite intermediate Wed, 22 Apr 2026 12:52:30 +0000 https://py-us3r.github.io/burp-writeup-graphql/ https://py-us3r.github.io/burp-writeup-graphql/ Writeup detailing GraphQL vulnerabilities and exploitation techniques. It covers bypassing introspection query regex validation, brute-forcing logins using aliases to circumvent rate limiting, and performing CSRF by converting requests to `x-www-form-urlencoded`. The entry also demonstrates how to find hidden GraphQL endpoints using directory fuzzing with Gobuster. Burp Suite intermediate Wed, 22 Apr 2026 12:51:49 +0000 https://github.com/I-TRACING-ASO/SulphurAPI https://github.com/I-TRACING-ASO/SulphurAPI Extension for automating OWASP API Top 10 detection within Burp Suite. SulphurAPI includes checks for mass assignment, authentication, and authorization vulnerabilities, alongside OpenID Connect/OAuth2 management and advanced OpenAPI parsing for versions 2.0 to 3.1.1. Burp Suite intermediate Wed, 22 Apr 2026 12:51:30 +0000 https://github.com/rm-rf-tools/awesome-burp-extensions-2025 https://github.com/rm-rf-tools/awesome-burp-extensions-2025 Library of curated Burp extensions for enhancing web application penetration testing. Features include scanners for vulnerabilities like Log4Shell (CVE-2021-44228), HTTP Request Smuggling, and Java deserialization. Additional extensions aid in discovering Content Security Policy (CSP) bypasses, identifying software versions, detecting reverse proxies, and testing for Cloudflare origin IPs, among many other specialized checks and integrations. Burp Suite intermediate Wed, 22 Apr 2026 12:51:29 +0000 https://portswigger.net/blog/the-future-of-security-testing-harness-ai-powered-extensibility-in-burp-nbsp https://portswigger.net/blog/the-future-of-security-testing-harness-ai-powered-extensibility-in-burp-nbsp Library for AI-powered extensibility in Burp Suite Professional, leveraging the Montoya API to integrate AI capabilities for enhanced security testing and automation. This allows for seamless integration of AI, exemplified by Gareth Heyes' enhanced Hackvertor extension, which enables custom transformations without coding. Users receive free AI credits to experiment and build their own AI-powered extensions, with options to submit them to the BApp store. Burp Suite advanced Wed, 22 Apr 2026 12:51:27 +0000 https://portswigger.net/burp/documentation/desktop/tools/proxy/websockets-history/scripts https://portswigger.net/burp/documentation/desktop/tools/proxy/websockets-history/scripts Library for filtering WebSockets history in Burp Suite, allowing users to create and load custom Java-based scripts. Users can write new scripts from templates, convert existing filter settings into scripts, or import scripts from their Bambda library. The library supports two key Montoya API objects, `ProxyWebSocketMessage` and `Utilities`, to facilitate script development for analyzing and filtering WebSocket traffic based on criteria like message direction and payload length. Burp Suite intermediate Wed, 22 Apr 2026 12:51:26 +0000 https://portswigger.net/burp/documentation/desktop/tools/proxy/http-history/scripts https://portswigger.net/burp/documentation/desktop/tools/proxy/http-history/scripts Library for creating custom Java-based scripts, known as Bambdas, to filter Burp Suite's HTTP history. Users can load pre-existing scripts from their library or create new ones using built-in templates or by converting existing filter settings. The library leverages the Montoya API and provides a GitHub repository for community contributions and examples, enabling advanced traffic analysis based on criteria like response status codes and cookie presence. Burp Suite intermediate Wed, 22 Apr 2026 12:51:25 +0000 https://portswigger.net/burp/documentation/desktop/extend-burp/extensions/creating/creating-ai-extensions/developing-ai-features https://portswigger.net/burp/documentation/desktop/extend-burp/extensions/creating/creating-ai-extensions/developing-ai-features Library for integrating AI capabilities into Burp Suite extensions via the Montoya API. This resource details how extensions must declare AI feature support using `EnhancedCapability.AI_FEATURES` and verify availability with `Ai.isEnabled()`. It explains sending single-shot and multi-turn prompts using `Message` objects for system, user, and assistant roles, and handling responses through `PromptResponse`. Burp Suite advanced Wed, 22 Apr 2026 12:51:25 +0000 https://portswigger.net/burp/documentation/desktop/burp-ai https://portswigger.net/burp/documentation/desktop/burp-ai Library integrating AI capabilities into Burp Suite for enhanced security testing. Features include AI in Repeater for custom prompts, Explore Issue for autonomous vulnerability investigation, and Explainer for understanding web technologies. It also offers AI-powered false positive reduction for Broken Access Control, automated recorded logins, and extensible AI features via the Montoya API, all while prioritizing user control, data privacy, and industry-standard security. Burp Suite beginner Wed, 22 Apr 2026 12:51:24 +0000 https://portswigger.net/burp/documentation/desktop/extend-burp/bambdas https://portswigger.net/burp/documentation/desktop/extend-burp/bambdas Library for scripting Burp Suite's interface to personalize tasks. Bambdas allow for custom match-and-replace rules, table columns, filters, and scan checks. Scripts can be saved, imported from sources like the Bambdas GitHub repository, and reused across projects. PortSwigger warns that Bambda scripts can execute arbitrary code, advising caution with unverified sources. Burp Suite beginner Wed, 22 Apr 2026 12:51:23 +0000 https://thexssrat.medium.com/hunting-for-idor-and-bac-vulnerabilities-in-b2b-applications-with-burp-suites-authorize-extension-597877b53d94 https://thexssrat.medium.com/hunting-for-idor-and-bac-vulnerabilities-in-b2b-applications-with-burp-suites-authorize-extension-597877b53d94 Hunting for IDOR and BAC in B2B Apps with Burp Authorize Burp Suite intermediate Wed, 22 Apr 2026 12:50:30 +0000 https://github.com/6h4ack/IDOR-Scanner https://github.com/6h4ack/IDOR-Scanner Extension for Burp Suite that automatically detects Insecure Direct Object Reference (IDOR) vulnerabilities. It passively scans HTTP requests and responses for numeric fields in URL paths, query parameters, JSON, and form data. Actively, it increments these numeric fields, sending modified requests to identify confirmed IDORs by checking for differing response sizes and 200 OK statuses. An option to right-click and scan specific issues is also provided. Burp Suite intermediate Wed, 22 Apr 2026 12:50:28 +0000 https://www.helpnetsecurity.com/2026/04/20/meta-bug-bounty-portswigger-partnership/ https://www.helpnetsecurity.com/2026/04/20/meta-bug-bounty-portswigger-partnership/ Library. This partnership between Meta Bug Bounty and PortSwigger integrates Meta’s bug bounty program with Burp Suite Professional, aiming to enhance vulnerability discovery and researcher skills. Selected HackerPlus Silver league researchers receive Burp Suite Professional licenses to leverage its technical capabilities alongside Meta's collaborative program, fostering improved tooling and education for the security community. Burp Suite news Mon, 20 Apr 2026 08:49:31 +0000 https://github.com/Anof-cyber/Pentest-Mapper https://github.com/Anof-cyber/Pentest-Mapper Library for Burp Suite that maps application testing flows with custom checklists. Pentest-Mapper logs API calls, allowing users to connect them to specific vulnerabilities from a loaded checklist. It also tracks test cases, enables vulnerability mapping with severity, and offers auto-save, import/export functionality, and auto-logging of scoped APIs. Burp Suite intermediate Sun, 19 Apr 2026 02:21:55 +0000 https://www.blackhillsinfosec.com/copy-for/ https://www.blackhillsinfosec.com/copy-for/ Library for Burp Suite that generates command-line syntax for security tools like `curl`, `ffuf`, `jwt_tool.py`, `Nikto`, `Nmap`, `Nuclei`, and `wget` directly from requests. It supports variable substitution and configurable flags, allowing users to create custom commands. Burp Suite intermediate Sun, 19 Apr 2026 02:21:54 +0000 https://portswigger.net/burp/ai https://portswigger.net/burp/ai Burp AI — PortSwigger Burp Suite intermediate Sun, 19 Apr 2026 02:21:53 +0000 https://github.com/PortSwigger/pentest-mapper https://github.com/PortSwigger/pentest-mapper Extension for Burp Suite that integrates request logging with a custom application testing checklist. It enables users to map application flows and API calls, link them to vulnerabilities from a customizable checklist, and track parameters and severity. Features include auto-saving, import/export functionality, and the ability to map individual requests to vulnerabilities with optional CVSS scoring. Burp Suite intermediate Sun, 19 Apr 2026 02:21:52 +0000 https://portswigger.net/bappstore/af490ae7e79546fa81a28d8d0b90874e https://portswigger.net/bappstore/af490ae7e79546fa81a28d8d0b90874e Library for mapping application flows during penetration testing. Pentest Mapper integrates Burp Suite request logging with a custom checklist, allowing testers to connect API calls to specific functions and map identified vulnerabilities. This Burp Suite extension facilitates a structured approach to application analysis and vulnerability assessment. Burp Suite intermediate Sun, 19 Apr 2026 02:21:52 +0000 https://www.blackhatethicalhacking.com/articles/maximizing-idor-detection-with-burp-suites-autorize/ https://www.blackhatethicalhacking.com/articles/maximizing-idor-detection-with-burp-suites-autorize/ Library for Burp Suite's Autorize extension, this resource details how to leverage it for identifying Insecure Direct Object Reference (IDOR) vulnerabilities by automatically testing authorization with low-privileged user session cookies. It explains the extension's functionality, including its enforcement status detection and customizable filters for identifying authorization bypasses, and provides installation and usage instructions with examples against OWASP Juice Shop. Burp Suite intermediate Fri, 17 Apr 2026 14:47:28 +0000 https://www.levelblue.com/blogs/levelblue-blog/manual-and-semi-automated-testing-for-idors-using-burp-suite https://www.levelblue.com/blogs/levelblue-blog/manual-and-semi-automated-testing-for-idors-using-burp-suite Library for semi-automated and manual testing of Insecure Direct Object References (IDORs) using Burp Suite. It details how to leverage the Autorize plugin for automated checks by sending captured requests from different user contexts and offers a manual approach by identifying and manipulating object identifiers within Burp Suite's Repeater tool, referencing PortSwigger labs as an example. Burp Suite intermediate Fri, 17 Apr 2026 14:47:27 +0000 https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors Library for testing Insecure Direct Object References (IDORs), a common access control vulnerability where an application directly uses user-supplied input to access objects. This resource guides users through identifying potential IDORs in parameters, forwarding requests to Burp Intruder, configuring a Sniper attack with payload positions, and analyzing responses to confirm unauthorized access, using an example involving a user ID parameter. Burp Suite beginner Fri, 17 Apr 2026 14:47:26 +0000 https://herish.me/blog/idor-bug-bounty-burp-suite/ https://herish.me/blog/idor-bug-bounty-burp-suite/ Tool for hunting Insecure Direct Object Reference (IDOR) vulnerabilities, focusing on a $1,000 bug bounty case. It details how Burp Suite's Proxy, Repeater, and Intruder features can be used to identify and automate the discovery of IDORs by tampering with object identifiers and analyzing responses. The entry also covers common IDOR scenarios in APIs, including GraphQL and RESTful endpoints, and provides developer-side prevention techniques like server-side authorization checks and the use of indirect or signed references. Burp Suite intermediate Thu, 16 Apr 2026 21:03:51 +0000 https://github.com/doyensec/inql https://github.com/doyensec/inql Library for advanced GraphQL security testing, InQL integrates with Burp Suite. It offers a scanner for auto-generating queries and mutations, customizable scans with 'Points of Interest' analysis for vulnerability detection, and circular reference detection. InQL also supports batch queries, custom headers, engine fingerprinting even when introspection is disabled, and interactive schema visualization through GraphiQL and GraphQL Voyager. Burp Suite intermediate Thu, 16 Apr 2026 21:03:47 +0000 https://appsec.guide/docs/web/burp/ https://appsec.guide/docs/web/burp/ Library for Burp Suite Professional, an HTTP interception proxy with features for web application security testing. It aids in identifying server-side and client-side vulnerabilities by intercepting and manipulating requests/responses, fuzzing payloads with Intruder, and analyzing traffic with Proxy and Scanner. The handbook also mentions Burp's DOM Invader extension and Trail of Bits webinars on mastering web research with Burp Suite. Burp Suite beginner Thu, 16 Apr 2026 21:03:23 +0000 https://github.com/PortSwigger/bambdas https://github.com/PortSwigger/bambdas Library of Bambdas for Burp Suite, offering scripts for table filters, custom columns, Repeater actions, match and replace rules, and custom scan checks. Developed by PortSwigger and the community, these scripts enhance Burp Suite's functionality, with Java-based checks available in this repository and BChecks in a separate repo. Instructions cover importing, updating, and contributing scripts, with security warnings about executing arbitrary code. Resources include detailed documentation and video tutorials on various Bambda functionalities. Burp Suite intermediate Thu, 16 Apr 2026 21:03:22 +0000 https://github.com/Ignitetechnologies/BurpSuite-For-Pentester https://github.com/Ignitetechnologies/BurpSuite-For-Pentester Library for penetration testers and bug bounty hunters, this practical Burp Suite cheat sheet aids in efficiently discovering web application vulnerabilities from P4 to P1. It offers a structured reference for web application security testing, guiding users on leveraging Burp Suite's features for traffic interception, request analysis, parameter fuzzing, and identifying vulnerabilities in modern web applications. Burp Suite beginner Thu, 16 Apr 2026 21:03:21 +0000 https://github.com/cyspad/Weaponize-Your-Burp https://github.com/cyspad/Weaponize-Your-Burp Library for automating Burp Suite for bug bounty hunting. This project weaponizes Burp Suite with extensions like Burp Bounty Pro, Logger++, and AutoRepeater. It details a methodology for integrating custom payloads into AutoRepeater and using Logger++ filters to identify potential vulnerabilities, then sending suspicious requests to Repeater for exploitation. Examples demonstrate configuring custom payloads to enhance bug hunting capabilities. Burp Suite intermediate Thu, 16 Apr 2026 21:03:20 +0000 https://www.yeswehack.com/learn-bug-bounty/smart-automation-with-burp-suite https://www.yeswehack.com/learn-bug-bounty/smart-automation-with-burp-suite Library for automating Burp Suite workflows, this resource details using passive scanners like the built-in passive scanner and passive crawler, alongside extensions such as BChecks, Burp Bounty, and Logger++, to streamline bug bounty efforts. It explains how to combine active and passive scanning to efficiently gather information and discover vulnerabilities, emphasizing the importance of custom headers for tracking BCheck requests and leveraging error messages for deeper analysis, while still advocating for manual testing to complement automated findings. Burp Suite intermediate Thu, 16 Apr 2026 21:03:19 +0000 https://medium.com/@hosam.gemeai/a-guide-to-build-burp-suite-extensions-using-montoya-api-java-a8256a169bee https://medium.com/@hosam.gemeai/a-guide-to-build-burp-suite-extensions-using-montoya-api-java-a8256a169bee A Guide to Build Burp Suite Extensions Using Montoya API and Java Burp Suite intermediate Thu, 16 Apr 2026 21:03:19 +0000 https://bishopfox.com/blog/power-pen-tests-with-montoya-api https://bishopfox.com/blog/power-pen-tests-with-montoya-api Library for developing Burp Suite extensions using the Montoya API, streamlining tasks like authentication handling, API data mining, and UI visualization. This API, introduced in Burp Suite 2022.9.5, offers improved object-oriented design, WebSocket support, and simplified HTTP message manipulation compared to the older extender API, enabling developers to create more robust and flexible tools like the example "BurpCage" extension that replaces images with Nicolas Cage photos. Burp Suite intermediate Thu, 16 Apr 2026 21:03:18 +0000 https://www.scip.ch/en/?labs.20250911 https://www.scip.ch/en/?labs.20250911 Library for developing Burp Suite extensions, focusing on the modern MontoyaApi with Kotlin. This resource details how to create powerful extensions, introducing concepts like Bambdas for filtering and BChecks for custom scan checks. It showcases the development of the HeaderMate extension, which automates server response header evaluation against OWASP recommendations and configurable rules, offering features like selective host checking, issue creation toggling, and CSV export. Burp Suite beginner Thu, 16 Apr 2026 21:03:17 +0000 https://www.blackhillsinfosec.com/creating-burp-extensions-wrapup/ https://www.blackhillsinfosec.com/creating-burp-extensions-wrapup/ Library for creating Burp Suite extensions. This resource guides beginners through developing custom functionalities for Burp Suite, a web application proxy essential for security testing. It explains what Burp extensions are, why they enhance testing capabilities, and covers the necessary tools and languages for development. The presentation introduces the Montoya API for integration and showcases a practical example of a JWT editor extension, illustrating how these additions expand Burp Suite's utility beyond its default features. Burp Suite beginner Thu, 16 Apr 2026 21:03:16 +0000 https://portswigger.net/research/top-10-web-hacking-techniques-of-2025 https://portswigger.net/research/top-10-web-hacking-techniques-of-2025 Reference listing the top 10 web hacking techniques of 2025, curated by an expert panel from community nominations. Techniques include Parser Differentials, Playing with HTTP/2 CONNECT, XSS-Leak, Next.js cache poisoning, Cross-Site ETag Length Leak, SOAPwn (RCE via HttpWebClientProtocol flaw), Unicode normalization attacks like "Lost in Translation," blind SSRF visibility techniques, ORM leaks, and "Successful Errors" for blind server-side template injection. The analysis highlights trends in side-channel attacks and new exploitation primitives. Burp Suite beginner Thu, 16 Apr 2026 21:03:15 +0000 https://x.com/Cyb3rX7u/status/2044000956468322409 https://x.com/Cyb3rX7u/status/2044000956468322409 Found SSRF vulnerability allowed to access admin panel and delete user account. StockAPI  Burp Intruder Admin URL Deleted user account (carlos) #SSRF #WebSecurityAcademy #Portswigger #Lab #Vulnerab... Burp Suite intermediate Tue, 14 Apr 2026 10:38:42 +0000 https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection Reference for testing Server-Side Template Injection (SSTI) vulnerabilities in web applications, a common flaw found when user input is unsafely embedded in templating engines like Jinja2 and Twig, potentially leading to remote code execution. The guide details methods for detecting injection points, identifying templating engines, and building exploits, referencing tools such as Tplmap and Burp Suite extensions. It also covers testing in both plaintext and code contexts. Burp Suite beginner Fri, 10 Apr 2026 21:21:52 +0000 https://portswigger.net/kb/issues/00101080_server-side-template-injection https://portswigger.net/kb/issues/00101080_server-side-template-injection Library detailing Server-side template injection, a vulnerability where user input is unsafely embedded into server-side templates, potentially allowing arbitrary code execution and server control. It covers identifying template engine types, mapping the attack surface, and auditing exposed objects, noting severity varies by engine. Remediation strategies include avoiding user-generated templates, using logic-less engines like Mustache, or sandboxing rendering environments. This vulnerability is classified under CWE-94, CWE-95, and CWE-116, often carrying a high severity. Burp Suite intermediate Fri, 10 Apr 2026 21:21:51 +0000 https://portswigger.net/research/template-injection https://portswigger.net/research/template-injection Library covering template injection, detailing both Client Side Template Injection (CSTI) and Server Side Template Injection (SSTI). Learn techniques to bypass Content Security Policy (CSP) and exploit client-side vulnerabilities similar to Cross-Site Scripting (XSS), including breaking the AngularJS sandbox as presented at BSides Manchester. Explore server-side exploitation, detecting templating engines, and achieving Remote Code Execution (RCE), including research presented at Black Hat USA on SSTI. Burp Suite advanced Fri, 10 Apr 2026 21:21:49 +0000 https://portswigger.net/research/server-side-template-injection https://portswigger.net/research/server-side-template-injection Reference for Server-Side Template Injection (SSTI) details a methodology for detecting and exploiting template engines like Twig and FreeMarker, which are commonly used to embed dynamic content. SSTI vulnerabilities arise when user input is unsafely embedded in templates, potentially leading to Remote Code Execution (RCE). The research outlines detection techniques for both "text" and "variable" contexts, emphasizing the importance of identifying the specific template engine and its documentation to craft effective exploits, including escaping sandbox modes. Burp Suite advanced Fri, 10 Apr 2026 21:21:48 +0000 https://portswigger.net/web-security/server-side-template-injection https://portswigger.net/web-security/server-side-template-injection Library explaining server-side template injection, a vulnerability where attackers inject malicious payloads into templates to achieve remote code execution or access sensitive data. It details how these vulnerabilities arise when user input is directly concatenated into templates instead of being passed as data, and outlines detection methods like fuzzing with special characters and testing mathematical operations in plaintext or code contexts, applicable to engines like Twig and Freemarker. Burp Suite beginner Fri, 10 Apr 2026 21:21:48 +0000 https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported Library for detecting JWT "none" algorithm vulnerabilities. This flaw allows an attacker to tamper with the JWT's `alg` header to "none", remove the signature, and submit an unsigned token. If the server accepts this, attackers can escalate privileges or impersonate users by modifying arbitrary claims in the payload. Remediation involves configuring JWT libraries to reject unsecured tokens and only accept cryptographically strong algorithms. Burp Suite intermediate Fri, 10 Apr 2026 21:21:47 +0000 https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/session-management/jwts https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/session-management/jwts Library for testing JWT authentication bypass vulnerabilities in Burp Suite. It allows users to view and decode JWTs within Burp Inspector, and then utilize the JWT Editor extension to generate cryptographic signing keys, edit token headers and payloads, and resign the modified JWT with a valid signature. The extension automatically flags requests containing JWTs, streamlining the identification and manipulation process. Burp Suite intermediate Fri, 10 Apr 2026 21:21:32 +0000 https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61 https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61 Extension that assists in pentesting applications utilizing JavaScript Object Signing and Encryption (JOSE), specifically targeting JSON Web Tokens. This tool automates the discovery and testing of vulnerabilities within JOSE implementations, aiding security professionals in identifying potential weaknesses during application assessments. Burp Suite intermediate Fri, 10 Apr 2026 21:21:32 +0000 https://portswigger.net/bappstore/be6af6a556df4423846b25080dbde88c https://portswigger.net/bappstore/be6af6a556df4423846b25080dbde88c Extension for Burp Suite that scans for JWT vulnerabilities by highlighting tokens and initiating scans. It supports forging public keys when they are not exposed, allowing for further exploitation and vulnerability discovery by rerunning scans after successful forging. Burp Suite intermediate Fri, 10 Apr 2026 21:21:31 +0000 https://github.com/PortSwigger/jwt-editor https://github.com/PortSwigger/jwt-editor Library for manipulating JSON Web Tokens (JWTs) within Burp Suite, this tool detects and allows editing, signing, verifying, encrypting, and decrypting JWTs in HTTP and WebSocket messages. It offers detection of JWTs, highlighting, and an Intruder payload provider. Functionality includes importing/exporting cryptographic keys, editing JWS/JWE components with JSON and hex editors, and performing attacks such as "none" algorithm bypass, HMAC key confusion, embedded JWK, signing with an empty HMAC key, Psychic signatures (CVE-2022-21449), and collaborator integration. Burp Suite intermediate Fri, 10 Apr 2026 21:21:30 +0000 https://shivxtar.medium.com/blind-ssrf-with-burp-collaborator-7c2608fcfb73 https://shivxtar.medium.com/blind-ssrf-with-burp-collaborator-7c2608fcfb73 Blind SSRF with Burp Collaborator Burp Suite intermediate Fri, 10 Apr 2026 01:59:21 +0000 https://undercodetesting.com/mastering-blind-ssrf-detection-with-burp-suite-a-step-by-step-guide/ https://undercodetesting.com/mastering-blind-ssrf-detection-with-burp-suite-a-step-by-step-guide/ Analysis of Blind SSRF detection using Burp Suite, detailing techniques like header bruteforcing with Intruder, out-of-band detection via Collaborator, and real-time monitoring with the Taborator extension. It covers advanced payload strategies including numerical ranges and cloud metadata endpoint enumeration, alongside Python scripting for automation and integration with the Burp API, emphasizing the critical need for proactive SSRF testing against evolving cloud-focused exploits. Burp Suite intermediate Fri, 10 Apr 2026 01:59:19 +0000 https://portswigger.net/burp/documentation/desktop/testing-workflow/ssrf/testing-for-blind-ssrf https://portswigger.net/burp/documentation/desktop/testing-workflow/ssrf/testing-for-blind-ssrf Tutorial on detecting blind SSRF vulnerabilities using Burp Suite's Collaborator. This method involves injecting a Collaborator payload into an HTTP request, often within parameters like `productId` or headers like `Referer`, and then monitoring the Collaborator tab for out-of-band interactions from the target application. The presence of these interactions confirms the application's susceptibility to blind SSRF. Burp Suite intermediate Fri, 10 Apr 2026 01:59:19 +0000 https://medium.com/@patilvinay199/uncovering-for-blind-ssrf-using-burp-collaborator-5dd34342d62b https://medium.com/@patilvinay199/uncovering-for-blind-ssrf-using-burp-collaborator-5dd34342d62b Uncovering Blind SSRF Using Burp Collaborator Burp Suite intermediate Fri, 10 Apr 2026 01:59:16 +0000 https://flashgenius.net/blog-article/burp-suite-certified-practitioner-the-ultimate-guide-2026 https://flashgenius.net/blog-article/burp-suite-certified-practitioner-the-ultimate-guide-2026 Guide to the Burp Suite Certified Practitioner (BSCP) exam, PortSwigger’s hands-on web application security certification. This resource details the exam format, including its remote, proctored, timed structure with two live applications, and the three sequential stages required per application. It emphasizes demonstrating exploit impact, using Burp Suite Professional and allowed third-party tools like ysoserial, and mastering techniques such as XSS exploitation, SQL injection, and SSRF. The guide offers preparation strategies, including PortSwigger’s official prep path, practice exams, and sample 30, 60, and 90-day study plans, to help candidates achieve certification. Burp Suite beginner Fri, 10 Apr 2026 01:56:20 +0000