portswigger.net
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-23.
Topics (item counts): Burp (25), XSS (17), SSRF (11), JWT (8), API Sec (6), AuthN (5), SSTI (5), Bug Bounty (4), CSRF (4), AuthZ (3), Deser (3), XXE (3), Fuzzing (2), GraphQL (2), IDOR (2), Recon (2), SQLi (2), AI (1)
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-23 | AI-powered scanner vulnerabilities | AI | Library detailing vulnerabilities in AI-powered web scanners that leverage Large Language Models. It outlines how attacker-controlled content can influence scanner reasoning, leading to indirect prompt injection attacks. These attacks can cause unintended state changes, data exfiltration, and exploitation of routing-based SSRF, often by manipulating Host headers to access internal services from within the scanner's privileged network position. |
| 2026-04-22 | PortSwigger Lab: Exploiting a Mass Assignment Vulnerability | API Sec | Lab walkthrough demonstrating exploitation of a mass assignment vulnerability to purchase a product. The lab involves logging in with `wiener:peter`, adding an item to the basket, and then identifying and manipulating a `chosen_discount` parameter within the `/api/checkout` POST request. By adding this hidden parameter and altering its value, users can bypass credit limitations and solve the exercise. |
| 2026-04-22 | Top 10 Web Hacking Techniques of 2025: Call for Nominations | Burp | Survey of 2025 web hacking techniques, including nominations for novel practical research. Highlighted techniques involve JNDI Injection, Exploiting XXE with Local DTD Files, Eclipse on Next.js, Next.js cache poisoning, Go parser bypasses, HTTP/1.1 desync, Chromium DOM clobbering, cross-protocol desynchronization (Opossum Attack), SAML authentication bypasses, ambiguous chunk terminators for request smuggling, Cross-Site WebSocket Hijacking, SVG filter clickjacking, nonce CSP bypass, SSRF via redirect loops, Unicode normalization exploits, SOAP proxy RCE, PHP warnings for quirks mode, ORM field smuggling, parser differentials, and DOM-based extension clickjacking. |
| 2026-04-22 | The Future of Security Testing: AI-Powered Extensibility in Burp | Burp | Library for AI-powered extensibility in Burp Suite Professional, leveraging the Montoya API to integrate AI capabilities for enhanced security testing and automation. This allows for seamless integration of AI, exemplified by Gareth Heyes' enhanced Hackvertor extension, which enables custom transformations without coding. Users receive free AI credits to experiment and build their own AI-powered extensions, with options to submit them to the BApp store. |
| 2026-04-22 | Filtering the WebSockets history with scripts | Burp | Library for filtering WebSockets history in Burp Suite, allowing users to create and load custom Java-based scripts. Users can write new scripts from templates, convert existing filter settings into scripts, or import scripts from their Bambda library. The library supports two key Montoya API objects, `ProxyWebSocketMessage` and `Utilities`, to facilitate script development for analyzing and filtering WebSocket traffic based on criteria like message direction and payload length. |
| 2026-04-22 | Filtering the HTTP history with scripts (Bambdas) | Burp | Library for creating custom Java-based scripts, known as Bambdas, to filter Burp Suite's HTTP history. Users can load pre-existing scripts from their library or create new ones using built-in templates or by converting existing filter settings. The library leverages the Montoya API and provides a GitHub repository for community contributions and examples, enabling advanced traffic analysis based on criteria like response status codes and cookie presence. |
| 2026-04-22 | Developing AI features in Burp extensions | Burp | Library for integrating AI capabilities into Burp Suite extensions via the Montoya API. This resource details how extensions must declare AI feature support using `EnhancedCapability.AI_FEATURES` and verify availability with `Ai.isEnabled()`. It explains sending single-shot and multi-turn prompts using `Message` objects for system, user, and assistant roles, and handling responses through `PromptResponse`. |
| 2026-04-22 | Burp AI - PortSwigger Documentation | Burp | Library integrating AI capabilities into Burp Suite for enhanced security testing. Features include AI in Repeater for custom prompts, Explore Issue for autonomous vulnerability investigation, and Explainer for understanding web technologies. It also offers AI-powered false positive reduction for Broken Access Control, automated recorded logins, and extensible AI features via the Montoya API, all while prioritizing user control, data privacy, and industry-standard security. |
| 2026-04-22 | Bambdas - PortSwigger Documentation | Burp | Library for scripting Burp Suite's interface to personalize tasks. Bambdas allow for custom match-and-replace rules, table columns, filters, and scan checks. Scripts can be saved, imported from sources like the Bambdas GitHub repository, and reused across projects. PortSwigger warns that Bambda scripts can execute arbitrary code, advising caution with unverified sources. |
| 2026-04-22 | Finding DOM Polyglot XSS in PayPal the Easy Way | XSS | Library for discovering DOM-based polyglot XSS vulnerabilities. It details a process utilizing Burp Suite's embedded browser and DOM Invader to identify insecure sinks, specifically on PayPal. The library also demonstrates how to bypass Content Security Policy (CSP) by exploiting unintended script gadgets within the PayPal application, including leveraging older versions of Bootstrap and a custom `youtube.js` gadget to execute JavaScript. |
| 2026-04-19 | Burp AI — PortSwigger | Burp | Burp AI — PortSwigger |
| 2026-04-19 | Pentest Mapper — PortSwigger BApp Store | Burp | Library for mapping application flows during penetration testing. Pentest Mapper integrates Burp Suite request logging with a custom checklist, allowing testers to connect API calls to specific functions and map identified vulnerabilities. This Burp Suite extension facilitates a structured approach to application analysis and vulnerability assessment. |
| 2026-04-19 | GraphQL API Vulnerabilities Learning Path — PortSwigger | GraphQL | GraphQL API Vulnerabilities Learning Path — PortSwigger |
| 2026-04-19 | Bypassing Signature-Based XSS Filters: Modifying HTML | XSS | Technique for bypassing signature-based XSS filters by modifying HTML syntax, demonstrating methods to obfuscate payloads. It explores variations in tag casing, insertion of NULL bytes and superfluous characters, use of alternative attribute delimiters like backticks, and HTML encoding within attribute values to evade detection. Examples are provided using DVWA and OWASP's Broken Web Application Project. |
| 2026-04-17 | Testing for IDORs (PortSwigger Burp docs) | IDOR | Library for testing Insecure Direct Object References (IDORs), a common access control vulnerability where an application directly uses user-supplied input to access objects. This resource guides users through identifying potential IDORs in parameters, forwarding requests to Burp Intruder, configuring a Sniper attack with payload positions, and analyzing responses to confirm unauthorized access, using an example involving a user ID parameter. |
| 2026-04-17 | Vulnerabilities in multi-factor authentication (PortSwigger) | AuthN | Reference on multi-factor authentication vulnerabilities, detailing bypass techniques against two-factor authentication (2FA) and multi-factor authentication (MFA). It covers flaws such as skipping the second authentication step, insecure verification logic allowing cookie manipulation, and the risks associated with SMS-based verification codes and SIM swapping. The reference also discusses brute-forcing verification codes and highlights extensions like Burp's Turbo Intruder for exploitation. |
| 2026-04-16 | Turbo Intruder: Embracing the Billion-Request Attack | Burp | Library for high-speed, scalable web application attacks. Turbo Intruder is a Burp Suite extension built from scratch with a custom HTTP stack, outperforming many asynchronous scripts. It supports flexible Python-based attack configuration for complex needs like signed requests, handles malformed requests, and filters results with an advanced diffing algorithm. It can achieve millions of requests with flat memory usage, and offers command-line operation for optimized performance by co-locating with targets. |
| 2026-04-16 | PortSwigger's Top 10 Web Hacking Techniques of 2025 | Bug Bounty | Reference listing the top 10 web hacking techniques of 2025, curated by an expert panel from community nominations. Techniques include Parser Differentials, Playing with HTTP/2 CONNECT, XSS-Leak, Next.js cache poisoning, Cross-Site ETag Length Leak, SOAPwn (RCE via HttpWebClientProtocol flaw), Unicode normalization attacks like "Lost in Translation," blind SSRF visibility techniques, ORM leaks, and "Successful Errors" for blind server-side template injection. The analysis highlights trends in side-channel attacks and new exploitation primitives. |
| 2026-04-11 | Lab: JWT authentication bypass via weak signing key | JWT | Lab: JWT authentication bypass via weak signing key, detailing a process to exploit a weak signing key in JSON Web Tokens. This involves using Burp Suite's JWT Editor extension to brute-force the secret key with `hashcat`, generating a new symmetric key in JWK format, and then modifying the JWT's payload to gain administrative access. |
| 2026-04-11 | Lab: JWT authentication bypass via jku header injection | JWT | Lab: JWT authentication bypass via jku header injection. This lab demonstrates an authentication bypass vulnerability in JSON Web Tokens by injecting a malicious JWK Set. Using the Burp Suite JWT Editor extension, attackers can upload a controlled JWK Set, modify the JWT header to reference it with a `jku` parameter, and then sign the token with their own key. This allows them to impersonate legitimate users and gain unauthorized access, as shown by escalating privileges to access an admin panel. |
| 2026-04-11 | PortSwigger: Hidden OAuth attack vectors | AuthN | Research identifying three new OAuth2 and OpenID Connect vulnerabilities: "Dynamic Client Registration: SSRF by design," "redirect_uri Session Poisoning," and "WebFinger User Enumeration." The research details how parameters like `jwks_uri` and `request_uris` in dynamic client registration, and `logo_uri` in MITREid Connect, can be exploited for SSRF. It also touches upon the potential for XSS through the `logo_uri` parameter. |
| 2026-04-10 | The Fragile Lock: Novel Bypasses for SAML Authentication \| PortSwigger Research | AuthN | Tool and research on bypassing SAML authentication by exploiting parser-level inconsistencies in the Ruby and PHP SAML ecosystems. Novel techniques, including attribute pollution, namespace confusion, and Void Canonicalization attacks, enable attackers to bypass XML Signature validation while presenting valid SAML documents to applications. The toolkit aids in identifying discrepancies between XML parsers, facilitating the discovery of authentication bypasses with minimal requirements. |
| 2026-04-10 | PortSwigger: OAuth 2.0 authentication vulnerabilities | AuthN | Reference detailing OAuth 2.0 authentication vulnerabilities, explaining how this framework, commonly used for social media logins, is prone to implementation mistakes. The content covers how attackers can exploit these flaws to gain access to sensitive user data or bypass authentication, with a focus on the authorization code and implicit grant types. It also touches upon vulnerabilities within the OpenID Connect extension and provides guidance for mitigating these risks. |
| 2026-04-10 | Server-side template injection PortSwigger KB | SSTI | Library detailing server-side template injection, a vulnerability where user input is unsafely embedded into server-side templates, potentially allowing arbitrary code execution and server control. It covers identifying template engine types, mapping the attack surface, and auditing exposed objects, noting that severity varies by engine. Remediation strategies include avoiding user-generated templates, using logic-less engines like Mustache, or sandboxing rendering environments. This vulnerability is classified under CWE-94, CWE-95, and CWE-116, often carrying a high severity. |
| 2026-04-10 | Exploiting server-side template injection vulnerabilities | SSTI | Reference detailing the exploitation of server-side template injection vulnerabilities, covering techniques for discovering and leveraging template engine syntax and documentation, including examples with Mako, ERB, and Velocity. It emphasizes reading documentation, identifying syntax, exploring environment objects like "self," analyzing developer-supplied objects, and constructing custom exploits through object chaining to achieve outcomes ranging from remote code execution to file path traversal. |
| 2026-04-10 | Template Injection Research \| PortSwigger Research | SSTI | Library covering template injection, detailing both Client Side Template Injection (CSTI) and Server Side Template Injection (SSTI). Learn techniques to bypass Content Security Policy (CSP) and exploit client-side vulnerabilities similar to Cross-Site Scripting (XSS), including breaking the AngularJS sandbox as presented at BSides Manchester. Explore server-side exploitation, detecting templating engines, and achieving Remote Code Execution (RCE), including research presented at Black Hat USA on SSTI. |
| 2026-04-10 | Server-Side Template Injection \| PortSwigger Research | SSTI | Reference for Server-Side Template Injection (SSTI) detailing a methodology for detecting and exploiting template engines like Twig and FreeMarker, which are commonly used to embed dynamic content. SSTI vulnerabilities arise when user input is unsafely embedded in templates, potentially leading to Remote Code Execution (RCE). The research outlines detection techniques for both "text" and "variable" contexts, emphasizing the importance of identifying the specific template engine and its documentation to craft effective exploits, including escaping sandbox modes. |
| 2026-04-10 | Server-side template injection \| Web Security Academy | SSTI | Library explaining server-side template injection, a vulnerability where attackers inject malicious payloads into templates to achieve remote code execution or access sensitive data. It details how these vulnerabilities arise when user input is directly concatenated into templates instead of being passed as data, and outlines detection methods like fuzzing with special characters and testing mathematical operations in plaintext or code contexts, applicable to engines like Twig and Freemarker. |
| 2026-04-10 | PortSwigger KB: JWT none algorithm supported | JWT | Library for detecting JWT "none" algorithm vulnerabilities. This flaw allows an attacker to tamper with the JWT's `alg` header to "none", remove the signature, and submit an unsigned token. If the server accepts this, attackers can escalate privileges or impersonate users by modifying arbitrary claims in the payload. Remediation involves configuring JWT libraries to reject unsecured tokens and only accept cryptographically strong algorithms. |
| 2026-04-10 | Working with JWTs in Burp Suite | JWT | Library for testing JWT authentication bypass vulnerabilities in Burp Suite. It allows users to view and decode JWTs within Burp Inspector, and then utilize the JWT Editor extension to generate cryptographic signing keys, edit token headers and payloads, and resign the modified JWT with a valid signature. The extension automatically flags requests containing JWTs, streamlining the identification and manipulation process. |
| 2026-04-10 | JSON Web Token Attacker Burp extension | JWT | Extension that assists in pentesting applications utilizing JavaScript Object Signing and Encryption (JOSE), specifically targeting JSON Web Tokens. This tool automates the discovery and testing of vulnerabilities within JOSE implementations, aiding security professionals in identifying potential weaknesses during application assessments. |
| 2026-04-10 | JWT Scanner Burp extension | JWT | Extension for Burp Suite that scans for JWT vulnerabilities by highlighting tokens and initiating scans. It supports forging public keys when they are not exposed, allowing for further exploitation and vulnerability discovery by rerunning scans after successful forging. |
| 2026-04-10 | Algorithm confusion attacks \| Web Security Academy | JWT | Reference detailing algorithm confusion attacks, also known as key confusion attacks, where an attacker manipulates JWT verification by forcing a server to use an unintended algorithm. This often exploits flawed JWT library implementations where a single verification method handles multiple algorithms, allowing an attacker to use a public key as a symmetric secret for HS256 verification when RS256 was intended. The entry outlines obtaining the server's public key, converting it to the correct format, and signing a forged JWT with HS256 using that public key. It also covers deriving public keys from existing tokens using tools like `jwt_forgery.py` or `portswigger/sig2n`. |
| 2026-04-10 | JWT attacks \| Web Security Academy | JWT | Library detailing JSON Web Token (JWT) vulnerabilities, covering design flaws and incorrect handling that lead to high-severity attacks such as privilege escalation and user impersonation. It explains JWT format, signature verification, and common exploitation techniques, including accepting arbitrary or no signatures, and provides practical labs for safe exploitation against realistic targets. Burp Suite Professional 2022.5.1 is mentioned for its automated detection capabilities. |
| 2026-04-10 | Testing for Blind SSRF with Burp Suite | SSRF | Tutorial on detecting blind SSRF vulnerabilities using Burp Suite's Collaborator. This method involves injecting a Collaborator payload into an HTTP request, often within parameters like `productId` or headers like `Referer`, and then monitoring the Collaborator tab for out-of-band interactions from the target application. The presence of these interactions confirms the application's susceptibility to blind SSRF. |
| 2026-04-10 | Blind SSRF Lab: Out-of-Band Detection | SSRF | Library for demonstrating blind SSRF, specifically focusing on out-of-band detection via DNS and HTTP interactions. It guides users to intercept requests in Burp Suite, insert a Collaborator Payload into the Referer header, and analyze the resulting interactions in the Collaborator tab to confirm server-side command execution initiated by the application. |
| 2026-04-10 | Blind SSRF Vulnerabilities - PortSwigger | SSRF | Reference on blind SSRF vulnerabilities, detailing how these occur when applications make back-end HTTP requests to supplied URLs without returning responses. It explains that while less impactful than informed SSRF, blind SSRF can still lead to remote code execution. The document highlights out-of-band (OAST) techniques, particularly using Burp Collaborator, as the most reliable detection method, and discusses exploitation strategies like sweeping internal IP space or inducing malicious responses by controlling external systems. |
| 2026-04-10 | Burp Suite Professional 2026.1 Release | Burp | Library update introducing the Discover tab for feature exploration, a command palette for faster table navigation, improved time-based SQL injection detection that filters out WAF delays, and SPNEGO support for NTLM authentication. This release also includes a Java update to 25.0.1 and a browser upgrade to Chromium 143. |
| 2026-04-10 | Burp Suite Professional 2025.5 Release | Burp | Library release notes for Burp Suite Professional 2025.5 detailing new AI-powered custom actions in Repeater for context-aware HTTP message analysis, including a sample action to explain text and a template for testing race condition vulnerabilities. The release also incorporates Montoya API updates for direct extension settings integration, and quality-of-life improvements such as access to timing data for custom actions and faster body encoding switching. |
| 2026-04-10 | How Burp Suite DAST Is Leveling Up Enterprise Security in 2025 | Burp | Tool updates to Burp Suite DAST in 2025 that enhance enterprise security testing by automating scan scheduling for portfolios, organizing assets with custom tags, and improving API scanning with automatic token refreshes. It accelerates vulnerability detection by crawling and auditing SPAs in parallel and integrates with Jira for streamlined remediation tracking, supporting parent-child issue hierarchies and automated ticket creation. New onboarding packages aim to shorten learning curves and ensure fast results. |
| 2026-04-10 | Blind XXE Lab: Exfiltrate Data Using Malicious External DTD | XXE | Lab demonstrating blind XXE with out-of-band exfiltration, using Burp Suite Professional and an exploit server. The technique involves creating a malicious external DTD file containing an entity to retrieve `/etc/hostname` and trigger an interaction with Burp Collaborator. This interaction then reveals the exfiltrated data via DNS and HTTP requests. |
| 2026-04-10 | Insecure Direct Object References (IDOR) \| PortSwigger | AuthZ, IDOR | Reference on Insecure Direct Object References (IDOR), an OWASP Top Ten vulnerability type where applications misuse user-supplied input to access objects directly. It details how attackers can exploit this, leading to horizontal or vertical privilege escalation by altering parameters to access other users' data, such as in database queries (e.g., `customer_account?customer_number=132355`) or static files (e.g., `/static/12144.txt`). |
| 2026-04-10 | SQL Injection Tutorial & Examples - PortSwigger | SQLi | Tutorial on SQL injection covering its definition and methods for finding and exploiting vulnerabilities such as retrieving hidden data, subverting application logic with UNION attacks, and blind SQL injection. It details manual detection techniques like using single quotes, SQL syntax, boolean conditions, and time delays, and mentions Burp Scanner for automated detection. The resource also addresses injection in different parts of SQL queries, including WHERE, UPDATE, INSERT, SELECT, and ORDER BY clauses, and provides practical examples. |
| 2026-04-10 | GraphQL API Vulnerabilities \| Web Security Academy | API Sec, GraphQL | Reference detailing GraphQL API vulnerabilities, focusing on implementation and design flaws like exposed introspection. It covers finding GraphQL endpoints, identifying vulnerabilities through universal queries and unsanitized arguments (leading to issues like IDOR), and leveraging introspection queries to map schema information. The reference highlights how Burp Suite can assist in discovering endpoints and introspection, and discusses best practices for securing GraphQL APIs. |
| 2026-04-10 | Bypassing DOMPurify Again with Mutation XSS | XSS | Writeup detailing a bypass of DOMPurify using Mutation XSS (mXSS). The technique leverages HTML comments and specially crafted tags within a `<math>` element to achieve cross-site scripting. The bypass was initially found to work in Chrome by exploiting how DOMPurify handled mutations within text nodes, specifically by placing malicious code within an image's title attribute after an encoded comment. A subsequent bypass was discovered for Firefox, utilizing CDATA tags instead of HTML comments. The vectors are demonstrated using a custom mXSS tool and are relevant for bypassing HTML filters, with the Chrome vector patched in DOMPurify version 2.1. |
| 2026-04-03 | Lab: SameSite Lax Bypass via Cookie Refresh \| PortSwigger | CSRF | Lab demonstrating a CSRF attack to bypass SameSite cookie restrictions. This lab involves changing a victim's email address by exploiting a vulnerable account change function. The technique focuses on a SameSite Lax bypass via cookie refresh, requiring an attacker to circumvent browser popup blockers and induce user interaction to trigger the necessary OAuth flow and subsequent email modification. |
| 2026-04-03 | Lab: SameSite Lax Bypass via Method Override \| PortSwigger | CSRF | Lab: SameSite Lax bypass via method override details a Cross-Site Request Forgery (CSRF) vulnerability within the "change email" function. The lab demonstrates how to bypass SameSite cookie restrictions, specifically the Lax default, by crafting a GET request that overrides the intended POST method using the `_method` parameter. The solution involves using an exploit server to trigger a top-level navigation that sends the malicious request, ultimately changing the victim's email address. |
| 2026-04-03 | Bypassing SameSite Cookie Restrictions - CSRF \| PortSwigger | CSRF | Library for understanding and bypassing SameSite cookie restrictions. This resource details how SameSite's `Strict`, `Lax`, and `None` attributes function, including Chrome's default `Lax` behavior. It explains how to exploit misconfigurations and bypasses, particularly for CSRF attacks, by leveraging GET requests or scenarios where `SameSite=None` with the `Secure` attribute is used. |
| 2026-04-03 | Installing Extensions from BApp Store \| PortSwigger | Burp | Installing Extensions from BApp Store \| PortSwigger |
| 2026-04-03 | BApp Store \| PortSwigger | Burp | Library of Burp Suite extensions featuring tools for identifying and bypassing common web application vulnerabilities. This collection includes extensions for automating 403 bypasses, detecting SQL injection and XSS through AI analysis, fuzzing LLM prompts, scanning for AWS and cloud storage misconfigurations, and finding DOM-based vulnerabilities. Specific extensions like "Anonymous Cloud, Configuration and Subdomain Takeover Scanner" and "AI HTTP Analyzer" are detailed, alongside capabilities for AES payload manipulation and CSP header analysis. |
| 2026-04-03 | Top 10 Pentesting Tools and Extensions in Burp Suite \| PortSwigger | Burp | Library of 10 Burp Suite extensions designed to enhance penetration testing workflows, including Logger++, Autorize, Turbo Intruder, J2EEScan, Backslash Powered Scanner, Upload Scanner, Retire.js, JSON Beautifier, AuthMatrix, and Param Miner. These tools automate tasks like access control testing, bruteforcing, vulnerability detection for J2EE applications, file upload analysis, identifying outdated JavaScript libraries, JSON formatting, privilege escalation testing, and discovering hidden parameters for cache poisoning attacks. |
| 2026-04-03 | What is a Blind XXE Attack? \| PortSwigger | XXE | Reference detailing techniques for finding and exploiting blind XXE vulnerabilities. It describes how these attacks, where the application doesn't return entity values directly, can be overcome using out-of-band (OAST) methods to detect them or by triggering XML parsing errors that exfiltrate sensitive data from files like `/etc/passwd` via HTTP requests or error messages. The guide also covers using XML parameter entities and repurposing local DTDs for exploitation. |
| 2026-04-03 | Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition \| PortSwigger | XSS | Cheatsheet detailing Cross-Site Scripting (XSS) vectors, regularly updated and featuring bypass techniques for WAFs and filters. It categorizes vectors by event handlers, tags, and browser compatibility, including proof-of-concept code for numerous scenarios such as JavaScript hoisting, file upload restrictions, and bypassing specific browser limitations with techniques like exception handling and template strings. |
| 2026-04-03 | Access Control Vulnerabilities and Privilege Escalation \| PortSwigger | AuthZ | Reference detailing access control vulnerabilities and privilege escalation, explaining vertical and horizontal controls, context-dependent mechanisms, and common vulnerabilities such as unprotected functionality, parameter-based bypasses, and platform misconfigurations involving headers like `X-Original-URL` and `X-Rewrite-URL`. It also covers URL-matching discrepancies, including case insensitivity and the `useSuffixPatternMatch` option in Spring. |
| 2026-04-03 | Lab: Exploiting Ruby Deserialization Using a Documented Gadget Chain \| PortSwigger | Deser | Library for exploiting Ruby deserialization vulnerabilities, specifically in Ruby on Rails applications. This resource details a lab environment where a documented gadget chain can be adapted to achieve remote code execution. The objective involves creating a malicious serialized object containing an RCE payload to delete a target file, leveraging a serialization-based session mechanism. |
| 2026-04-03 | Exploiting Insecure Deserialization Vulnerabilities \| PortSwigger | Deser | Library for exploiting insecure deserialization vulnerabilities in PHP, Ruby, and Java. It covers identifying serialized data, modifying object attributes and data types for attacks, and chaining method invocations. The resource demonstrates how to exploit PHP's `serialize()`/`unserialize()` and Java's `java.io.Serializable` interface, including scenarios involving type juggling with PHP's loose comparison operator. |
| 2026-04-03 | InQL - GraphQL Scanner \| PortSwigger BApp Store | API Sec | Library for GraphQL security testing that simplifies vulnerability identification through schema analysis, query generation, and custom scanning. It auto-generates queries, mutations, and subscriptions, with features like circular reference detection and batch query support for rate limit bypasses and DoS vectors. Results integrate with Burp Repeater and Intruder, and schemas can be visualized with GraphiQL or GraphQL Voyager. |
| 2026-04-03 | API Testing \| Web Security Academy | API Sec | Library for testing RESTful and JSON APIs, covering techniques to identify endpoints, analyze API documentation, and interact with identified resources using tools like Burp Suite. It details how to discover hidden endpoints and parameters by manipulating HTTP methods and content types, and how to leverage machine-readable documentation such as OpenAPI specifications. This resource also maps common web vulnerabilities to their API equivalents, referencing the OWASP API Security Top 10. |
| 2026-02-06 | DOM Invader | XSS | Tool for testing DOM XSS vulnerabilities; DOM Invader is an extension preinstalled in Burp's browser. It aids in identifying controllable sinks, logging and modifying `postMessage` calls for web message DOM XSS, and automatically detecting prototype pollution and DOM clobbering vulnerabilities. Its configurable nature allows for fine-tuning to suit various websites and use cases. |
| 2026-01-22 | Testing for reflected XSS manually with Burp Suite | XSS | Library for testing reflected XSS with Burp Suite's Repeater. This method involves identifying HTTP requests that reflect user input and then manipulating those requests to inject proof-of-concept XSS payloads. The technique focuses on input validation and server-side sanitization, utilizing Burp Repeater to directly modify requests and observe the immediate response for successful payload execution within HTML contexts, such as the example `alert()` function. |
| 2026-01-21 | Testing for stored XSS with Burp Suite | XSS | Library for manually testing stored XSS vulnerabilities using Burp Suite. It details identifying input and output points by submitting unique values and filtering HTTP history, then using Repeater to send proof-of-concept payloads like `<script>alert(1)</script>` to test for execution. |
| 2026-01-19 | Bypassing XSS filters by enumerating permitted tags and attributes | XSS | Tool for bypassing XSS filters by enumerating permitted HTML tags and attributes. Utilizing Burp Intruder, this method systematically tests potential tags and attributes that an application might allow, revealing which elements are not filtered. This technique is particularly useful when standard proof-of-concept XSS payloads fail, enabling the construction of effective XSS attacks against applications with input validation mechanisms. |
| 2026-01-19 | Testing for SSRF with Burp Suite | SSRF | Walkthrough of testing for Server-Side Request Forgery (SSRF) using Burp Suite's Intruder. This method focuses on identifying attack vectors containing URLs, then leveraging Intruder to enumerate internal IP addresses, particularly within private ranges like `192.168.0.0/24`. The process involves modifying requests, setting up numerical payloads to probe different IP octets and ports, and analyzing response status codes and lengths to detect internal back-end systems. |
| 2026-01-18 | Testing for blind SSRF with Burp Suite | SSRF | Library for detecting blind SSRF vulnerabilities using Burp Suite's Collaborator. It details a workflow for identifying these flaws by injecting a Collaborator payload into HTTP requests, typically within a parameter like `productId` or a header such as `Referer`. The library guides users to monitor Collaborator interactions for out-of-band requests, confirming the SSRF vulnerability. |
| 2026-01-17 | Testing for DOM XSS with DOM Invader | XSS | Tool for testing DOM-based XSS vulnerabilities; DOM Invader injects unique strings into untrusted data sources and identifies controllable sinks where data is written unsafely to the DOM. It simplifies manual JavaScript analysis by visualizing data flow, enabling testers to efficiently locate and exploit DOM XSS flaws within applications, particularly by analyzing `document.write` sinks and `location.search` sources. |
| 2025-09-06 | Cookie Chaos: How to bypass `__Host` and `__Secure` cookie prefixes | AuthN | Library for testing `__Host` and `__Secure` cookie prefix bypasses. It details how discrepancies between browser and server cookie parsing logic, such as UTF-8 encoding of whitespace characters (U+2000) and legacy parsing behaviors triggered by `$Version=1`, can allow attackers to inject high-privilege cookies from untrusted origins. Frameworks like Django and ASP.NET, and servers like Apache Tomcat and Jetty, are noted as potentially vulnerable. A Burp Suite Custom Action is provided to detect these conditions. |
| 2025-08-14 2025 | Top 10 web hacking techniques of 2022 | PortSwigger ResearchBug Bounty | Survey of the top 10 web hacking techniques from 2022, highlighting vulnerabilities like request smuggling, client-side path traversal, and Psychic Signatures in Java. The research also covers exploiting Web3's hidden attack surface with XSS and SSRF, bypassing .NET Serialization Binders, and insecure SAML implementations leading to bytecode execution. Practical client-side path-traversal attacks are identified, alongside cache poisoning on Akamai Edge Nodes and Zimbra Email credential theft via Memcache injection. Browser-powered desync attacks and account hijacking through OAuth dirty dancing are also detailed. |
| 2025-08-14 2025 | https://portswigger.net/web-security/csrfCSRF | Reference on Cross-Site Request Forgery (CSRF) detailing what it is, common vulnerabilities, and how to prevent it. The resource explains how attackers exploit cookie-based session handling and lack of unpredictable request parameters to make users perform unintended actions like changing email addresses or transferring funds. It also covers constructing and delivering CSRF attacks using tools like Burp Suite Professional and discusses common defenses such as CSRF tokens, SameSite cookies, and Referer-based validation. |
| 2025-08-14 2025 | Vulnerabilities detected by Burp Scanner - PortSwiggerBurp | The content provided is a title mentioning vulnerabilities detected by Burp Scanner, a web vulnerability scanner developed by PortSwigger. It suggests that the focus is on identifying security weaknesses in web applications through the use of this tool. The summary lacks detailed information about specific vulnerabilities or how they are detected, but it highlights the importance of using tools like Burp Scanner to enhance the security of web applications. |
| 2025-08-14 2025 | https://portswigger.net/blog/some-of-the-best-burp-extensions-as-chosen-by-youBurp | Extensions from the Burp Suite BApp Store are highlighted, including Autorize for testing authentication vulnerabilities, Turbo Intruder for high-speed automated attacks, Hackvertor for tag-based encoding and escaping, Burp Bounty for custom scan checks, and Param Miner for identifying hidden parameters to hunt for web cache poisoning. |
| 2025-08-14 2025 | Great getting started resources for new users of Burp Suite Professional |Burp | Library of resources for new Burp Suite Professional users, including video tutorials on UI basics and Scanner setup, blog posts detailing exclusive features like Intruder and Collaborator client, and the free Web Security Academy with learning paths on SQL injection and other topics. Community content from creators like InsiderPhD, webpwnized, and STÖK showcases practical applications, alongside the BApp Store for extensions and Extender documentation for custom development. |
| 2025-08-14 2025 | Burp Share Requests - PortSwiggerBurp | Extension for Burp Suite that generates shareable links to specific HTTP requests. Users can right-click requests in various Burp tabs and select "create link" to add them to the "Burp Share Requests" tab. From there, HTML or direct browser links can be generated for easy sharing with other Burp Suite users, streamlining collaboration and analysis of captured traffic. |
| 2025-08-14 2025 | https://portswigger.net/web-security/sql-injection/cheat-sheetSQLi | Cheatsheet of SQL injection syntax for common attack tasks, including string concatenation, substring extraction, query truncation with comments, database version and content enumeration, conditional errors, batched queries, time delays, DNS lookups, and DNS lookup with data exfiltration, useful for formulating complex attacks and exfiltrating sensitive information. |
| 2025-08-14 2025 | https://portswigger.net/web-security/xxeXXE | Library detailing XML external entity (XXE) injection, a web security vulnerability allowing attackers to interfere with XML data processing. It covers exploiting XXE to retrieve files, perform server-side request forgery (SSRF), and exfiltrate data via blind XXE techniques. The library also discusses XInclude attacks and XXE vulnerabilities in file uploads, specifically mentioning SVG format. |
| 2025-08-14 2025 | https://portswigger.net/research/our-favourite-community-contributions-to-the-xss-cheat-sheetXSS | Reference highlights seven community contributions to the XSS cheat sheet, including @hahwul's missing pointer events, @p4fg's Vue `v-if` vector, @NotSoSecure's AngularJS restriction bypass, @kachakil's AngularJS fix, @davwwwx's attribute injection, @laytonctf's `onbeforeinput` event, and @ladecruze's top-ranked payload using `location`, `atob`, and tagged template strings, with variants utilizing `unescape` and `String.fromCodePoint`. |
| 2025-08-14 2025 | Lab: Reflected DOM XSS | Web Security AcademyXSS | Lab demonstrates Reflected DOM XSS by exploiting an `eval()` function call that processes an unescaped JSON response. By crafting a specific search term, `"-alert(1)}//`, and leveraging the lack of backslash escaping, the entry injects JavaScript code, causing an `alert(1)` to execute within the browser. The technique involves canceling out quotation mark escaping and commenting out the remainder of the JSON object. |
| 2025-08-14 2025 | Documenting the impossible: Unexploitable XSS labs | PortSwigger ResearchXSS | Labs detailing unexploitable XSS scenarios, including challenges like unclosed tag bypasses, JavaScript variable injections with escaped characters, query string processing with `innerHTML`, attribute length limitations, frameset injections, and minimal arbitrary code execution via `alert()`. These labs, presented as challenges on the PortSwigger XSS cheat sheet, aim to solidify understanding when exploitation proves difficult, offering confidence that a vulnerability may indeed be unexploitable if matching these specific, tricky conditions. |
| 2025-08-14 2025 | Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security AcademXSS | Cheatsheet of Cross-Site Scripting (XSS) vectors, this resource details numerous techniques for bypassing Web Application Firewalls and filters. It categorizes vectors by event handlers like `onanimationcancel`, `onscrollend`, and `onwebkitanimationiteration`, or by consuming tags. Specific bypass methods are provided, including those avoiding parentheses, quotes, or spaces through exception handling and location hash evaluation, as well as hoisting techniques involving undefined variables, functions, and classes, and utilizing `window.name` or ES6 template strings. |
| 2025-04-03 2025 | Sticky Burp, Reusable and Replaceable Environment VariablesBurp | Library for managing reusable environment variables ("stickies") within Burp Suite. This tool allows users to capture selected text from request and response panes across various Burp tabs, such as Proxy and Repeater. Stickies are stored with names, values, source information, and notes, enabling quick replacement of payload content with these stored variables, useful for exploit server URLs, authentication tokens, or dynamic response data. Professional editions persist stickies across Burp projects. |
| 2024-09-06 2024 | Introducing the URL validation bypass cheat sheetSSRF | Cheatsheet consolidating known URL validation bypass techniques, addressing vulnerabilities like SSRF, CORS misconfigurations, and open redirection. It helps generate wordlists by leveraging ambiguous URLs to exploit parsing discrepancies and bypass validation, supporting various string encodings and IP address formats including octal, hexadecimal, and binary. The resource also includes payloads that exploit Unicode string normalization and multiline string bypasses against regular expressions, with payloads available on GitHub for community contributions. |
| 2024-09-05 2024 | URL validation bypass cheat sheet - 2024 Edition | Web Security AcademySSRF | This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ... |
| 2024-07-22 2024 | What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security AcademyXSS | Tutorial on DOM-based XSS vulnerabilities, detailing how JavaScript sources like `window.location` can pass attacker-controllable data to sinks such as `eval()` or `innerHTML`, enabling malicious JavaScript execution. It covers manual testing techniques using browser developer tools to inspect HTML and JavaScript execution sinks, and introduces Burp Suite's DOM Invader extension for automated detection. The tutorial also explores exploiting DOM XSS through various sinks like `document.write()` and `innerHTML`, including examples with third-party dependencies like jQuery's `attr()` and `$()` functions. |
| 2023-12-12 2023 | Finding that one weird endpoint with BambdasRecon | Library of Burp Suite Bambdas designed to discover unusual HTTP endpoints and potential vulnerabilities. These mini-extensions, coded directly within the proxy, facilitate rapid experimentation for security researchers. Examples include detecting oversized redirect responses, identifying HTML content-type responses with multiple closing tags, flagging discrepancies between declared and real `Content-Length` headers, and finding servers using unexpected ports. The library also includes Bambdas for locating JSON responses with incorrect `text/html` content types, discovering non-standard GraphQL endpoints, and identifying JSONP endpoints exploitable via CSP bypass. |
| 2023-11-07 2023 | Example Collaborator-based checkBurp | BCheck for detecting SSRF vulnerabilities using Burp Collaborator. This check inserts a Burp Collaborator interaction ID into the Referer header of requests. If Burp Collaborator receives any interactions in response, an SSRF issue is reported with high severity and firm confidence, indicating the target fetches arbitrary URLs from the Referer header. |
| 2023-11-01 2023 | Latest server-side request forgery (SSRF) newsSSRF | The content is about the latest news related to server-side request forgery (SSRF). It appears to be a link to more detailed information on this topic, possibly discussing recent developments, trends, or incidents related to SSRF. The content seems to provide updates or insights on SSRF issues, but without further details, it is unclear what specific information is being shared. |
| 2023-10-05 2023 | How to build custom scanners for web security research automationBurpFuzzingRecon | Library for building custom web security scanners, exemplified by an approach to detect race conditions. It details automating the "probe" phase of manual testing, leveraging concurrent requests and techniques like the single-packet attack, and discusses the use of "gadgets" such as embedded user data to identify race-infoleak vulnerabilities. The library, released as the Backslash Powered Scanner and installable via the Burp Suite BApp store, aims to assist researchers in automating the discovery of under-appreciated attack classes. |
| 2023-01-23 2023 | What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security AcademySSRF | Tutorial on Server-Side Request Forgery (SSRF) detailing how attackers can manipulate server applications to make unintended requests. This vulnerability allows access to internal services, sensitive data like authorization credentials, or even arbitrary command execution. The tutorial covers common SSRF attacks targeting the server's loopback interface (e.g., using `127.0.0.1` or `localhost`) and other back-end systems with non-routable IP addresses. It also demonstrates techniques for circumventing blacklist and whitelist-based SSRF defenses, including alternative IP representations, domain registration, URL encoding, and exploiting URL parsing features like credentials, fragments, and DNS hierarchy. |
| 2022-09-14 2022 | DOM-based vulnerabilities | Web Security AcademyXSS | Reference for DOM-based vulnerabilities detailing taint flow from attacker-controllable sources like `location.search` and `document.referrer` to dangerous sinks such as `eval()` and `document.body.innerHTML`. It covers preventing these vulnerabilities through input validation, sanitization, and encoding, and mentions advanced techniques like DOM clobbering. Labs are available for practical exploitation. |
| 2021-11-26 2021 | New differential fuzzing tool reveals novel HTTP request smuggling techniquesFuzzingSSRF | New differential fuzzing tool reveals novel HTTP request smuggling techniques |
| 2021-11-12 2021 | Advanced request smugglingAPI SecSSRF | Library detailing advanced request smuggling techniques, including HTTP/2-based vectors enabled by H2.CL and H2.TE vulnerabilities. It covers how HTTP/2 downgrading can lead to desynchronization, response queue poisoning, and persistent site takeover, leveraging Burp's HTTP/2 testing capabilities and highlighting common misconfigurations that create exploitable attack surfaces. |
| 2021-10-29 2021 | Improvements to Burp Suite authenticated scanningAuthZBurp | Library improvements to Burp Suite's authenticated scanning in version 2021.9.1 enhance testing of complex web applications by enabling recording and replay within iframes. The update addresses issues with animated elements, SVG icons within buttons, and JavaScript-driven redirections, improving accuracy and efficiency. It also adds support for multi-select elements, further streamlining the process of scanning privileged areas of modern web applications. |
| 2021-08-12 2021 | HTTP/2: The Sequel is Always WorseAPI Sec | Analysis of HTTP/2 vulnerabilities, including H2.CL and H2.TE request desynchronization attacks that target front-end servers downgrading HTTP/2 to HTTP/1.1. Case studies demonstrate exploitation against Amazon's Application Load Balancer and Netty, with one vulnerability leading to CVE-2021-2195 and maximum bug bounties by compromising Netflix accounts through JavaScript hijacking. Novel techniques and tooling for identifying and exploiting these widespread, overlooked request smuggling variants are also presented. |
| 2021-06-30 2021 | Introducing DOM Invader: DOM XSS just got a whole lot easier to findBurpXSS | Tool for finding DOM-based XSS vulnerabilities, DOM Invader integrates with Burp Suite Professional and Community Edition. It features an "Augmented DOM" to visualize sources and sinks, simplifying the discovery of XSS flaws as if they were reflected. DOM Invader also aids in testing web-message vulnerabilities by intercepting and allowing manipulation of postMessage data, even spoofing origins and generating proof-of-concept code. |
| 2021-05-10 2021 | nOtWASP bottom 10: vulnerabilities that make you cryBug Bounty | Reference to the nOtWASP Bottom 10 highlights vulnerabilities often found in security reports that are impractical, misunderstood, or outdated. This list includes issues like overly strict session timeouts that annoy users, trivial information disclosures such as "Server: Apache" banners, and CSV injection vectors that require multiple user interactions. It also covers obsolete XSS techniques, unnecessary security headers like CSP on simple pages, tabnabbing, the overzealous application of httponly cookie flags, and vulnerable software version reporting without exploit validation. |
| 2021-02-24 2021 | Top 10 web hacking techniques of 2020Bug Bounty | Survey of top 10 web hacking techniques from 2020, highlighting advancements in WAF evasion with malformed chunk techniques, deep attacks on MS Exchange Web Interfaces, RCE via ImageMagick, unauthenticated RCE on MobileIron MDM, SSL client authentication bypass via header underscores, IP fragmentation for NAT slipstreaming, SNI injection for internal service exploitation, exploiting secondary contexts in web applications, PDF parser manipulation for data exfiltration, and H2C smuggling for request tunneling. |
| 2020-06-29 2020 | Insecure deserialization | Web Security AcademyDeser | Reference on insecure deserialization detailing its nature, common scenarios, and exploitation techniques across PHP, Ruby, and Java. It covers how user-controllable data manipulation during deserialization can lead to severe attacks, including object injection, privilege escalation, and remote code execution, while emphasizing the difficulty of secure deserialization and advocating for avoidance or strict pre-deserialization integrity checks. |
| 2019-10-07 2019 | What is cross-site scripting (XSS) and how to prevent it?XSS | Guide to cross-site scripting (XSS) vulnerabilities, detailing how attackers can compromise user interactions by injecting malicious JavaScript. It explains the mechanisms and impact of Reflected XSS, Stored XSS, and DOM-based XSS, and outlines methods for detection and prevention, including the use of Burp Suite and specific proof-of-concept payloads like `alert()` and `print()`. |