Mastering Burp Suite
@mastering-burp.agarri.fr
Tips and tricks for Burp Suite Pro 🛠️

Not affiliated with @portswigger.net ©️
Managed by @agarri.fr 🇫🇷

Additional free resources 🎁
http://hackademy.agarri.fr/freebies
Reposted by Mastering Burp Suite
Burp now has a command palette (similar to the one in VS Code) 🥳

portswigger.net/cms/images/4...
November 14, 2025 at 1:07 PM
Reposted by Mastering Burp Suite
Coming to Hackvertor soon...
Big thanks to CoreyD97 for the suggestion!
November 14, 2025 at 10:45 PM
Reposted by Mastering Burp Suite
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
November 11, 2025 at 2:49 PM
Reposted by Mastering Burp Suite
Long overdue, but I rewrote Logger++ to be more memory efficient and fix all the bugs!

github.com/CoreyD97/Ins...
Release Initial Release! · CoreyD97/InsiKt
Logger++ is dead, long live InsiKt! It has been a long time since I first adopted Logger++ from @irsdl back in 2017. Since then I have left NCC Group and no longer have access to the repository, so...
November 8, 2025 at 7:44 PM
Portswigger changed the way the Scanner configuration looks (at least in Early Adopter releases) and I really like the new layout 👏
November 7, 2025 at 8:52 AM
Reposted by Mastering Burp Suite
If you're looking for a quick tool to copy regex matches from requests AND responses, have a look at github.com/honoki/burp-...
GitHub - honoki/burp-copy-regex-matches: Burp Suite plugin to copy regex matches from selected requests and/or responses to the clipboard.
Burp Suite plugin to copy regex matches from selected requests and/or responses to the clipboard. - honoki/burp-copy-regex-matches
October 20, 2025 at 1:26 PM
Reposted by Mastering Burp Suite
I wrote a small utility to copy unique domains, URLs, paths, filenames or directories from a selection on the Target Map in Burp Suite.

The directories mode is especially useful in combination with something like ffuf; e.g. for /path/to/folder/file.txt it will return the list
/path
/path/to
/path/to/folder
GitHub - honoki/burp-copy-unique-domains
Contribute to honoki/burp-copy-unique-domains development by creating an account on GitHub.
October 20, 2025 at 1:21 PM
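The directory enumeration the post describes, as an added Python example (not the extension's own code): every ancestor directory of each selected path is emitted once, in first-seen order, alongside the domain, path and filename modes. The sample URL list is constructed here.

```python
from posixpath import basename, dirname
from urllib.parse import urlsplit

# Constructed sample selection (not from the post): what a Target Map selection might hold.
URLS = [
    "https://app.example.test/path/to/folder/file.txt",
    "https://app.example.test/path/to/other.js?v=2",
    "https://app.example.test/path/to/folder/",
    "https://static.example.test/assets/js/app.min.js",
    "https://app.example.test/path/to/folder/file.txt",  # duplicate, must be dropped
]

def _dedupe(values):
    """Keep the first occurrence of each non-empty value, preserving order."""
    return list(dict.fromkeys(v for v in values if v))

def unique_domains(urls):
    return _dedupe(urlsplit(u).netloc for u in urls)

def unique_paths(urls):
    # path component only: query strings and fragments are dropped on purpose
    return _dedupe(urlsplit(u).path for u in urls)

def unique_filenames(urls):
    # a path ending in "/" has no file name and yields nothing
    return _dedupe(basename(urlsplit(u).path) for u in urls)

def unique_directories(urls):
    """Every ancestor directory of every path: /path/to/folder/file.txt yields
    /path, /path/to and /path/to/folder, the shape a per-directory ffuf wordlist wants."""
    found = []
    for u in urls:
        path = urlsplit(u).path
        # a trailing slash means the path already names a directory
        directory = path if path.endswith("/") else dirname(path)
        parts = [p for p in directory.split("/") if p]
        for depth in range(1, len(parts) + 1):
            found.append("/" + "/".join(parts[:depth]))
    return _dedupe(found)

if __name__ == "__main__":
    print("\n".join(unique_directories(URLS)))
```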
Great news! When creating a scan configuration, all non-default settings are now saved 💾

The ugly UX where only opened panes were saved is gone (since at least EA 2025.9.1) 🗑️
October 25, 2025 at 12:17 PM
A few days ago, @tib3rius.bsky.social published a video where he uses Burp AI features to hack on a vibe-coded web app 🪄

www.youtube.com/watch?v=lHby...
Hacking a Vibe Coded App with Burp AI!
YouTube video by Tib3rius
October 20, 2025 at 11:08 AM
Reposted by Mastering Burp Suite
New video, Decrypting TLS traffic in Wireshark. How to extract TLS keys from Burp, ZAP, and curl and then import them into Wireshark to see the raw traffic.

youtu.be/bSt6E48mGuc
October 8, 2025 at 10:05 AM
Reposted by Mastering Burp Suite
If you're confused by the amount of resources stored in the JAR, here's a hint 🔎

Check out "resources/Scanner/jwt_secrets.txt". It contains over 100k passwords used by the passive scanner to decrypt JWT tokens 🗝️

And it works: that's how @evilpacket.net scored a $1500 bug affecting Cursor 💰
The finding was for "JWT weak HMAC secret" and it said the secret was the literal "secret"

A range of emotions pushed me in various directions at once. What? no.!? yes!!!!!!! let's verify...
June 23, 2025 at 8:35 AM
In case you missed it, AWS updated its policy about pentesting, and "Amazon API Gateway" (used by the extension "IP Rotate") isn't allowed anymore

aws.amazon.com/fr/security/...
Penetration Testing
Request a penetration test for your AWS cloud infrastructure here.
October 1, 2025 at 9:21 AM
Reposted by Mastering Burp Suite
Hackvertor v2.1.25 has been released and fixes the content-length problem!
September 25, 2025 at 9:32 AM
Reposted by Mastering Burp Suite
Hackvertor v2.1.24 has a major bug where it doesn't update the content-length. Sorry about that. I've fixed it in v2.1.25. I'll try and get it updated on the BApp store ASAP. Gutted I missed this, sorry I'll try to do better in future.
September 25, 2025 at 7:56 AM
This one-liner shows the details of the most recent EA release of Burp Suite Pro 🔬

curl -s portswigger.net/burp/release... | jq -r '[.ResultSet.Results[] | select(.releaseChannels[0] == "Early Adopter")][:2] | .[] | "=== Version EA v\(.version), \(.releaseDate) ===", "\(.content)"' | html2text
September 18, 2025 at 8:45 AM
Reposted by Mastering Burp Suite
Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi
September 17, 2025 at 12:44 PM
TIL Peter Weiner is on LinkedIn 👀
www.linkedin.com/in/peter-wei...

Did I send him an invitation? OF COURSE!!
Has he accepted it? Not yet, but fingers crossed.
September 12, 2025 at 10:45 AM
You never know when an obscure piece of trivia about Java regular expressions may be useful IRL 🤓

Today, I used the embedded flag "(?-s)" to disable the DOTALL mode and be able to work on a single line 🔬

The goal was to append a string to the User-Agent header, and it now works perfectly 🎉
September 10, 2025 at 1:23 PM
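An added Python illustration of the DOTALL pitfall from the post, not code from the post or from Burp: with DOTALL on, a greedy `.*` after the header name swallows the rest of the request, so appending to the User-Agent corrupts every following header. Java accepts the global `(?-s)` the post uses; Python's re only accepts the negated flag in the scoped form `(?-s:...)`, which is what this example uses. The sample request is constructed.

```python
import re

# Constructed sample request (not from the post): CRLF line endings, as on the wire.
REQUEST = (
    "GET /api/items HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "User-Agent: curl/8.5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# DOTALL enabled globally: '.' also matches newlines, so the greedy '.*'
# runs from the header value to the very end of the request.
UA_DOTALL = re.compile(r"(?s)User-Agent: (.*)")

# Same global DOTALL, but the scoped (?-s:...) switches it back off for the capture
# group, so '.' stays on the User-Agent line. The lazy quantifier plus lookahead
# stops before the CR/LF instead of dragging the CR into the captured value.
UA_LINE = re.compile(r"(?s)User-Agent: (?-s:(.*?))(?=\r?\n)")

def captured_user_agent(request: str, dotall: bool) -> str:
    """Return what group 1 captures under each regex, to make the difference visible."""
    pattern = UA_DOTALL if dotall else UA_LINE
    match = pattern.search(request)
    return match.group(1) if match else ""

def append_to_user_agent(request: str, suffix: str) -> str:
    """Append `suffix` to the User-Agent value without touching any other header."""
    return UA_LINE.sub(lambda m: f"User-Agent: {m.group(1)} {suffix}", request, count=1)

if __name__ == "__main__":
    print(repr(captured_user_agent(REQUEST, dotall=True)))   # spills over the following lines
    print(repr(captured_user_agent(REQUEST, dotall=False)))  # just the value on that line
    print(append_to_user_agent(REQUEST, "MasteringBurp/1.0"))
```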
Reposted by Mastering Burp Suite
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
Reposted by Mastering Burp Suite
It feels good to open Burp Suite after some month-long holidays

All the bugs I reported have been patched, including the one where Repeater for Websocket wasn't showing the corresponding "response" in the bottom-right corner
Alt: A cartoon character from south park is sitting at a desk and says "wow! neato!"
September 9, 2025 at 3:34 PM
Reposted by Mastering Burp Suite
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
August 20, 2025 at 3:02 PM