appsec.fyi · Sources

portswigger.net

95 curated AppSec resources from portswigger.net across 18 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-23.

Entries: date added, [topic tags], resource title. Where the index gives an excerpt beyond the title, it follows on the indented line.

2026-04-23 [AI] AI-powered scanner vulnerabilities
    Excerpt: AI-powered scanner vulnerabilities https://ift.tt/re6cDjZ
2026-04-22 [API Sec] PortSwigger Lab: Exploiting a Mass Assignment Vulnerability
2026-04-22 [Burp] Top 10 Web Hacking Techniques of 2025: Call for Nominations
2026-04-22 [Burp] The Future of Security Testing: AI-Powered Extensibility in Burp
2026-04-22 [Burp] Filtering the WebSockets history with scripts
2026-04-22 [Burp] Filtering the HTTP history with scripts (Bambdas)
2026-04-22 [Burp] Developing AI features in Burp extensions
2026-04-22 [Burp] Burp AI - PortSwigger Documentation
2026-04-22 [Burp] Bambdas - PortSwigger Documentation
2026-04-22 [XSS] Finding DOM Polyglot XSS in PayPal the Easy Way
2026-04-19 [Burp] Burp AI — PortSwigger
2026-04-19 [Burp] Pentest Mapper — PortSwigger BApp Store
2026-04-19 [GraphQL] GraphQL API Vulnerabilities Learning Path — PortSwigger
2026-04-19 [XSS] Bypassing Signature-Based XSS Filters: Modifying HTML
2026-04-17 [IDOR] Testing for IDORs (PortSwigger Burp docs)
2026-04-17 [AuthN] Vulnerabilities in multi-factor authentication (PortSwigger)
2026-04-16 [Burp] Turbo Intruder: Embracing the Billion-Request Attack
2026-04-16 [Bug Bounty] PortSwigger's Top 10 Web Hacking Techniques of 2025
2026-04-11 [JWT] Lab: JWT authentication bypass via weak signing key
2026-04-11 [JWT] Lab: JWT authentication bypass via jku header injection
2026-04-11 [AuthN] PortSwigger: Hidden OAuth attack vectors
2026-04-10 [AuthN] The Fragile Lock: Novel Bypasses for SAML Authentication | PortSwigger Research
2026-04-10 [AuthN] PortSwigger: OAuth 2.0 authentication vulnerabilities
2026-04-10 [SSTI] Server-side template injection PortSwigger KB
2026-04-10 [SSTI] Exploiting server-side template injection vulnerabilities
2026-04-10 [SSTI] Template Injection Research | PortSwigger Research
2026-04-10 [SSTI] Server-Side Template Injection | PortSwigger Research
2026-04-10 [SSTI] Server-side template injection | Web Security Academy
2026-04-10 [JWT] PortSwigger KB: JWT none algorithm supported
2026-04-10 [JWT] Working with JWTs in Burp Suite
2026-04-10 [JWT] JSON Web Token Attacker Burp extension
2026-04-10 [JWT] JWT Scanner Burp extension
2026-04-10 [JWT] Algorithm confusion attacks | Web Security Academy
2026-04-10 [JWT] JWT attacks | Web Security Academy
2026-04-10 [SSRF] Testing for Blind SSRF with Burp Suite
2026-04-10 [SSRF] Blind SSRF Lab: Out-of-Band Detection
2026-04-10 [SSRF] Blind SSRF Vulnerabilities - PortSwigger
2026-04-10 [Burp] Burp Suite Professional 2026.1 Release
2026-04-10 [Burp] Burp Suite Professional 2025.5 Release
2026-04-10 [Burp] How Burp Suite DAST Is Leveling Up Enterprise Security in 2025
2026-04-10 [XXE] Blind XXE Lab: Exfiltrate Data Using Malicious External DTD
2026-04-10 [AuthZ, IDOR] Insecure Direct Object References (IDOR) | PortSwigger
2026-04-10 [SQLi] SQL Injection Tutorial & Examples - PortSwigger
2026-04-10 [API Sec, GraphQL] GraphQL API Vulnerabilities | Web Security Academy
2026-04-10 [XSS] Bypassing DOMPurify Again with Mutation XSS
2026-04-03 [CSRF] Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger
2026-04-03 [CSRF] Lab: SameSite Lax Bypass via Method Override | PortSwigger
2026-04-03 [CSRF] Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger
2026-04-03 [Burp] Installing Extensions from BApp Store | PortSwigger
2026-04-03 [Burp] BApp Store | PortSwigger
2026-04-03 [Burp] Top 10 Pentesting Tools and Extensions in Burp Suite | PortSwigger
2026-04-03 [XXE] What is a Blind XXE Attack? | PortSwigger
2026-04-03 [XSS] Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | PortSwigger
2026-04-03 [AuthZ] Access Control Vulnerabilities and Privilege Escalation | PortSwigger
2026-04-03 [Deser] Lab: Exploiting Ruby Deserialization Using a Documented Gadget Chain | PortSwigger
2026-04-03 [Deser] Exploiting Insecure Deserialization Vulnerabilities | PortSwigger
2026-04-03 [API Sec] InQL - GraphQL Scanner | PortSwigger BApp Store
2026-04-03 [API Sec] API Testing | Web Security Academy
2026-02-06 [XSS] DOM Invader
    Excerpt: The content provided is a link to a webpage or resource related to "DOM Invader." No further details or information are given in the content.
2026-01-22 [XSS] Testing for reflected XSS manually with Burp Suite
    Excerpt: The content discusses how to manually test for reflected cross-site scripting (XSS) vulnerabilities using Burp Suite, a popular web application security testing tool. By utilizing Burp Suite, security professionals can identify and exploit XSS vulnerabilities in web applications to enhance their security posture. Manual testing allows for a more thorough examination of potential vulnerabilities compared to automated tools. This process involves sending crafted payloads to the application and analyzing the responses to detect any XSS vulnerabilities. By following these steps, security testers can effectively identify and mitigate XSS risks in web applications.
2026-01-21 [XSS] Testing for stored XSS with Burp Suite
    Excerpt: The content discusses using Burp Suite to test for stored Cross-Site Scripting (XSS) vulnerabilities. Burp Suite is a popular web application security testing tool that helps identify and exploit security issues. Stored XSS occurs when malicious scripts are stored on a website and executed when viewed by other users. By using Burp Suite, security professionals can scan web applications for stored XSS vulnerabilities, helping to identify and mitigate potential security risks. Testing for stored XSS is crucial to prevent attackers from injecting harmful scripts into websites and compromising user data.
2026-01-19 [XSS] Bypassing XSS filters by enumerating permitted tags and attributes
    Excerpt: The content discusses bypassing XSS filters by identifying allowed HTML tags and attributes. By understanding the restrictions imposed by filters, attackers can craft malicious payloads that exploit vulnerabilities in the filtering mechanism. This technique involves enumerating the permitted tags and attributes to evade detection and execute cross-site scripting attacks. Understanding the limitations of the filter helps attackers manipulate the input to inject malicious scripts. By exploiting these vulnerabilities, attackers can circumvent security measures and compromise the target system.
2026-01-19 [SSRF] Testing for SSRF with Burp Suite
    Excerpt: The content discusses using Burp Suite, a popular web application security testing tool, to test for Server-Side Request Forgery (SSRF) vulnerabilities. SSRF allows attackers to send crafted requests from the server to other internal systems, potentially leading to data leaks or unauthorized access. Burp Suite can help identify and mitigate SSRF vulnerabilities by intercepting and modifying requests, analyzing responses, and identifying potential SSRF points of entry. By utilizing Burp Suite's features effectively, security professionals can enhance their SSRF testing capabilities and strengthen the security posture of web applications.
2026-01-18 [SSRF] Testing for blind SSRF with Burp Suite
    Excerpt: The content discusses using Burp Suite to test for blind Server-Side Request Forgery (SSRF). SSRF vulnerabilities allow attackers to make unauthorized requests from a server. Burp Suite, a popular web vulnerability scanner, can help identify blind SSRF by analyzing responses for indicators of SSRF attacks. Testing for blind SSRF with Burp Suite involves sending crafted requests to the target server and analyzing the responses for potential SSRF behavior. This method can help security professionals identify and mitigate SSRF vulnerabilities in web applications.
2026-01-17 [XSS] Testing for DOM XSS with DOM Invader
    Excerpt: The content discusses using a tool called DOM Invader to test for DOM-based Cross-Site Scripting (XSS) vulnerabilities. DOM XSS is a type of security issue where client-side scripts manipulate the Document Object Model (DOM) in a way that can be exploited by attackers. DOM Invader is a tool that helps in identifying and testing for such vulnerabilities. By using DOM Invader, security professionals and developers can detect and address potential DOM XSS vulnerabilities in web applications, ensuring better security measures are in place to protect against malicious attacks.
2025-09-06 [AuthN] Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
    Excerpt: Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
2025-08-14 [Bug Bounty] Top 10 web hacking techniques of 2022 | PortSwigger Research
    Excerpt: The content is about the top 10 web hacking techniques of 2022 as researched by PortSwigger. It likely delves into the latest methods and strategies used by hackers to exploit vulnerabilities in web systems. This information can be valuable for cybersecurity professionals, developers, and organizations to understand current threats and enhance their defenses against cyber attacks.
2025-08-14 [CSRF] https://portswigger.net/web-security/csrf
    Excerpt: The provided link discusses Cross-Site Request Forgery (CSRF) attacks, a type of web security vulnerability where an attacker tricks a user into unknowingly executing actions on a website they are authenticated with. The article likely covers how CSRF attacks work, their impact on web security, and methods to prevent them, such as using anti-CSRF tokens. It is important for web developers and users to understand CSRF risks and implement protective measures to safeguard against such attacks.
2025-08-14 [Burp] Vulnerabilities detected by Burp Scanner - PortSwigger
    Excerpt: The content provided is a title mentioning vulnerabilities detected by Burp Scanner, a web vulnerability scanner developed by PortSwigger. It suggests that the focus is on identifying security weaknesses in web applications through the use of this tool. The summary lacks detailed information about specific vulnerabilities or how they are detected, but it highlights the importance of using tools like Burp Scanner to enhance the security of web applications.
2025-08-14 [Burp] https://portswigger.net/blog/some-of-the-best-burp-extensions-as-chosen-by-you
    Excerpt: The blog discusses some of the best Burp Suite extensions chosen by users. It highlights popular extensions like Autorize, Collaborator Everywhere, and Backslash Powered Scanner. These extensions enhance Burp Suite's functionality by adding features such as automated authorization testing, improved collaboration capabilities, and advanced scanning functionalities. Users appreciate these extensions for their effectiveness in improving security testing workflows and identifying vulnerabilities. The blog aims to showcase the diverse range of extensions available for Burp Suite users to enhance their experience and maximize the tool's capabilities for web security testing.
2025-08-14 [Burp] Great getting started resources for new users of Burp Suite Professional |
    Excerpt: The content mentions that there are excellent resources available for new users of Burp Suite Professional. It suggests that these resources are helpful for beginners looking to get started with using the software effectively. The content seems to emphasize the availability of resources to assist new users in learning how to use Burp Suite Professional.
2025-08-14 [Burp] Burp Share Requests - PortSwigger
    Excerpt: The content is concise and mentions "Burp Share Requests" by PortSwigger. This likely refers to a feature or tool related to sharing HTTP requests in Burp Suite, a popular web application security testing tool. The feature may allow users to easily share and collaborate on HTTP requests within the Burp Suite platform.
2025-08-14 [SQLi] https://portswigger.net/web-security/sql-injection/cheat-sheet
    Excerpt: The provided link leads to a cheat sheet on SQL injection from PortSwigger, a web security resource. The cheat sheet likely contains valuable information on SQL injection techniques, syntax, and examples to help individuals understand and prevent SQL injection attacks. It serves as a quick reference guide for developers and security professionals to enhance their knowledge and protect web applications from this common vulnerability.
2025-08-14 [XXE] https://portswigger.net/web-security/xxe
    Excerpt: The link provided leads to a webpage discussing XML External Entity (XXE) attacks in web security. XXE attacks exploit vulnerabilities in XML parsers to access sensitive data or execute remote code. The article likely covers how XXE attacks work, their impact on web applications, and strategies to prevent them, such as disabling external entity processing or using secure XML parsers. It's important for web developers and security professionals to be aware of XXE vulnerabilities and take necessary precautions to protect their systems from potential exploitation.
2025-08-14 [XSS] https://portswigger.net/research/our-favourite-community-contributions-to-the-xss-cheat-sheet
    Excerpt: The content discusses the XSS Cheat Sheet, highlighting community contributions that enhance the resource. The XSS Cheat Sheet is a valuable reference for understanding cross-site scripting vulnerabilities. The article showcases various user-generated additions to the cheat sheet, such as new payloads, evasion techniques, and attack vectors. These contributions help improve the cheat sheet's comprehensiveness and usefulness for security professionals and developers. The article emphasizes the collaborative nature of the cybersecurity community in sharing knowledge and best practices to combat XSS vulnerabilities effectively.
2025-08-14 [XSS] Lab: Reflected DOM XSS | Web Security Academy
    Excerpt: The content is about a lab exercise on Reflected DOM XSS in the Web Security Academy. This lab likely involves practicing identifying and exploiting reflected DOM-based cross-site scripting vulnerabilities. It provides hands-on experience for learners to understand how these vulnerabilities can be used by attackers to manipulate the Document Object Model (DOM) of a web page. The focus is on enhancing web security skills by learning how to prevent and mitigate such vulnerabilities.
2025-08-14 [XSS] Documenting the impossible: Unexploitable XSS labs | PortSwigger Research
    Excerpt: The content is about "Unexploitable XSS labs" by PortSwigger Research. It likely discusses the challenges of documenting and dealing with XSS vulnerabilities that are deemed unexploitable. The article may explore the complexities of identifying and mitigating XSS flaws that are difficult to exploit, highlighting the importance of thorough documentation and research in cybersecurity practices.
2025-08-14 [XSS] Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security Academ
    Excerpt: The content is a Cross-Site Scripting (XSS) Cheat Sheet for 2023 from Web Security Academy. It likely provides valuable information and resources related to XSS vulnerabilities, prevention techniques, and best practices for web security. The cheat sheet is likely designed to assist developers and security professionals in understanding and mitigating XSS risks in web applications.
2025-04-03 [Burp] Sticky Burp, Reusable and Replaceable Environment Variables
    Excerpt: Enables persistent sticky session handling in web application testing.
2024-09-06 [SSRF] Introducing the URL validation bypass cheat sheet
    Excerpt: A new resource called the URL validation bypass cheat sheet has been introduced. It aims to provide information on bypassing URL validation. The cheat sheet can be accessed at the provided link.
2024-09-05 [SSRF] URL validation bypass cheat sheet - 2024 Edition | Web Security Academy
    Excerpt: This cheat sheet contains payloads for bypassing URL validation. These wordlists are useful for attacks such as server-side request forgery, CORS ...
2024-07-22 [XSS] What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy
    Excerpt: In this section, we'll describe DOM-based cross-site scripting (DOM XSS), explain how to find DOM XSS vulnerabilities, and talk about how to exploit DOM XSS ...
2023-12-12 [Recon] Finding that one weird endpoint with Bambdas
    Excerpt: Finding that one weird endpoint, with Bambdas https://ift.tt/7p3iS9g
2023-11-07 [Burp] Example Collaborator-based check
    Excerpt: Example Collaborator-based check https://ift.tt/mLriR63
2023-11-01 [SSRF] Latest server-side request forgery (SSRF) news
    Excerpt: The content is about the latest news related to server-side request forgery (SSRF). It appears to be a link to more detailed information on this topic, possibly discussing recent developments, trends, or incidents related to SSRF. The content seems to provide updates or insights on SSRF issues, but without further details, it is unclear what specific information is being shared.
2023-10-05 [Burp, Fuzzing, Recon] How to build custom scanners for web security research automation
    Excerpt: How to build custom scanners for web security research automation https://ift.tt/fug4LHK
2023-01-23 [SSRF] What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
    Excerpt: The content discusses SSRF (Server-side request forgery), explaining its definition, common examples, and methods to identify and exploit different types of SSRF vulnerabilities. It aims to provide a tutorial on understanding and addressing SSRF risks in web security.
2022-09-14 [XSS] DOM-based vulnerabilities | Web Security Academy
    Excerpt: In this section, we will describe what the DOM is, explain how insecure processing of DOM data can introduce vulnerabilities, and suggest how you can ...
2021-11-26 [Fuzzing, SSRF] New differential fuzzing tool reveals novel HTTP request smuggling techniques
2021-11-12 [API Sec, SSRF] Advanced request smuggling
2021-10-29 [AuthZ, Burp] Improvements to Burp Suite authenticated scanning
2021-08-12 [API Sec] HTTP/2: The Sequel is Always Worse
2021-02-24 [Bug Bounty] Top 10 web hacking techniques of 2020
    Excerpt: The content discusses the top 10 web hacking techniques of 2020, highlighting community-powered efforts to identify essential web security research from the previous year. The list compiles innovative methods and strategies used for hacking websites.
2020-06-29 [Deser] Insecure deserialization | Web Security Academy
    Excerpt: In this section, we'll cover what insecure deserialization is and describe how it can potentially expose websites to high-severity attacks. We'll highlight ...
2019-10-07 [XSS] What is cross-site scripting (XSS) and how to prevent it?
    Excerpt: The content discusses cross-site scripting (XSS), explaining its definition, various vulnerabilities, and prevention methods. It aims to educate readers on understanding XSS, its risks, and steps to prevent it.