danaepp.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-11.
| Date Added | Resource | Tags | Excerpt |
|---|---|---|---|
| 2026-04-11 | Exploiting Server-Side Request Forgery in an API | API Sec | Library for identifying and exploiting Server-Side Request Forgery (SSRF) vulnerabilities in APIs. This resource details how SSRF, a dangerous OWASP API Security Top 10 vulnerability, allows attackers to trick servers into making unauthorized requests, potentially leading to data leaks or remote code execution. It covers techniques for identifying SSRF through common parameter names, webhooks, file imports, and PDF generators, and explores exploitation methods such as local/remote port scanning and local file reads. |
| 2025-08-14 | Writing Burp Bambda Filters Like a Boss | Burp | Library for creating custom Burp Suite Proxy HTTP history filters using Java snippets. This feature, named "Bambdas," allows for advanced filtering beyond the standard options, such as identifying specific JWT algorithms like HS512 within Authorization headers. Users can write and save these filters via the UI, leveraging interfaces like `ProxyHttpRequestResponse` and `Utilities` for complex request analysis. |
| 2025-08-14 | Improve your API Security Testing with Burp BCheck Scripts | Burp | Library for Burp Suite Professional that enables API security testing automation through BCheck scripts. These scripts, written in BSL, allow automated requests, response validation, Collaborator interaction, and programmatic payload injection. The library simplifies creating custom checks, such as detecting missing Authorization headers (CWE-864), by integrating with Burp's scanner engine, thus accelerating manual testing workflows and improving efficiency. |
| 2025-08-14 | Writing API exploits in Python | Python | Library for generating Python API exploit proof-of-concepts, focusing on BOLA vulnerabilities within the crAPI project. It demonstrates converting requests captured in Burp Suite's Repeater or Intruder into executable Python code using the `curlconverter` tool. The process involves cleaning up `curl` commands, transpiling them to Python, and then refining the generated code for better usability, incorporating features such as argument parsing for target URLs and report IDs. |
| 2024-12-03 | Hacking API discovery with a custom Burp extension | API Sec, Burp | Library for enhancing API discovery within Burp Suite. This extension dynamically generates over 4,000 potential API documentation paths, including Swagger and OpenAPI formats, and recursively checks discovered directories. It employs an exponential backoff strategy for resilient requests and uses parallel processing to accelerate the discovery of API documentation artifacts. |
| 2024-10-03 | Automate your API hacking with Autorize | API Sec, AuthN, AuthZ | Library for automating API security testing. Autorize is a Burp Suite extension that detects broken object level authorization (BOLA) by repeatedly sending requests with different user privileges. It analyzes response changes to identify authorization and authentication issues, supporting active scans and offering configuration for interception filters and enforcement detectors. Autorize can be integrated with Repeater and customized to filter results for potential bypasses and 401 status codes, aiding in the discovery of vulnerabilities such as unauthorized access to administrative functions. |
| 2024-09-21 | Proving API exploitability with Burp Collaborator | API Sec, Burp | Library for demonstrating API exploitability using Burp Collaborator. This technique leverages out-of-band application security testing (OAST) to prove vulnerabilities such as insecure deserialization, SSRF, open redirects, and blind XXE without requiring reverse shells. It works by sending crafted payloads that interact with Burp Collaborator's mock network services, capturing DNS, HTTP/HTTPS, or SMTP interactions to confirm an attack's potential. The article details how to configure and use Burp Collaborator, referencing its application in testing CVE-2023-40044 and crAPI. |
| 2024-07-30 | Here's how I get the most out of Burp Suite reporting | Burp | Library for extracting detailed vulnerability data from Burp Suite Professional, enabling comprehensive reporting. It covers generating HTML reports from scanner findings, including full requests and responses, and exporting raw HTTP history from the Proxy and Repeater tabs as XML. The library facilitates structured reporting for both technical and non-technical audiences by providing access to scan results, proxy logs, and repeater sessions, which is crucial for effective vulnerability communication. |
| 2023-02-16 | A Step-by-Step Guide to Writing Extensions for API Pentesting in BurpSuite | Burp | Library for creating custom BurpSuite extensions in Python, focusing on API penetration testing. It guides users through setting up a development environment with Jython, writing a basic "Hello World" extension, and then constructing a more advanced "UUID Inspector" that identifies v1 UUIDs during passive scans, registering them as issues in BurpSuite's dashboard. |