Thread Related to BurpSuite
#bugbountytip #BugBounty
CORS Findings: Another Way to Comprehend
https://t.co/bSVyyw5gHg
*
A REST/JSON API to the Burp Suite security tool https://t.co/FfP8o9Q7OW
*
BRIDA – When Burp Suite meets Frida
https://www.trustedsec.com/2018/04/cors-findings/
https://github.com/vmware/burp-rest-api
https://conference.hitb.org/hitbsecconf2018ams/materials/D1T1%20-%20Federico%20Dotta%20and%20Piergiovanni%20Cipolloni%20-%20Brida%20When%20Burp%20Suite%20Meets%20Frida.pdf
*
Burp Suite extension to discover apikeys/tokens from HTTP response.
https://t.co/80Ylwz9EGn
*
Subdomain Extractor
A very simple, straightforward extension to export sub domains from Burp using a context menu option.
https://github.com/m4ll0k/BurpSuite-Secret_Finder
https://portswigger.net/bappstore/eedcf9d22392458fa62f956f35bbcf49
*
Weaponizing BURP to work as an evil SSRF Confluence Server.
https://t.co/DZPEiIeBlA
*
Weaponizing BURP to work as an evil SSRF Confluence Server.
*
Burp Beautifier – Beautifying JSON/JS/HTML/XML In Burp Suite
https://t.co/noOdQS0Yhh
*
The top 10 best pentesting tools and extensions in Burp Suite
https://www.hahwul.com/2019/12/burp-beautifier.html
https://portswigger.net/testers/penetration-testing-tools
*
Run other application on Burp suite
https://t.co/IM0TlkQ2vV
*
RCE with Burp Suite intruder + Regex
https://www.hahwul.com/2019/12/run-other-application-on-burp-suiteburp.html
https://www.youtube.com/watch?v=Xm77r80NxZo
*
Using Burp to Test for Open Redirections
https://t.co/fFSnkekeD6
*
Beginners Guide to Burpsuite Payloads (Part 1)
https://t.co/fwRTq6iesZ
*
How to Rotate IP ADDRESS in Brute Force Attack
https://support.portswigger.net/customer/portal/articles/1965733-using-burp-to-test-for-open-redirections
https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/
https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212
*
Bug Bytes #53 – Exploiting a SSRF in WeasyPrint, The Bug That Exposed Your PayPal Password and 12 tricks for Burp Repeater
https://t.co/xwqPJWoipd
*
Burp Suite Logger++: Log activities of all the tools in Burp Suite
https://blog.intigriti.com/2020/01/14/bug-bytes-53-exploiting-a-ssrf-in-weasyprint-the-bug-that-exposed-your-paypal-password-and-12-tricks-for-burp-repeater/
https://github.com/nccgroup/BurpSuiteLoggerPlusPlus
*
A Burp Suite Extender that try to find sub-domain, similar-domain and related-domain of an organization, not only a domain!
https://github.com/bit4woo/domain_hunter
*
Rescope is a tool geared towards pentesters and bugbounty researchers, that aims to make life easier when defining scopes for Burp Suite and OWASP ZAP.
https://github.com/root4loot/rescope
*
Turning Blind RCE into Good RCE via DNS Exfiltration using Collabfiltrator
https://t.co/t2DqS8JXLq
*
Automating Pentests for Applications with Integrity Checks using Burp Suite Custom Extension
https://www.adamlogue.com/turning-blind-rce-into-good-rce-via-dns-exfiltration-using-collabfiltrator-burp-plugin/
https://www.notsosecure.com/automating-pentests-for-applications-with-integrity-checks-using-burpsuite/
*
Hunt for the IDOR |automation using burp suit
https://t.co/YidkctWhZ5
*
Talks About Pentesting, Escalating Bugs, OSCP, Working at Bugcrowd, Burp Suite and More!
https://t.co/SsXnoNrGG8
*
Writing a scanner to find reflected XSS vulnerabilities — Part 1
https://medium.com/@xploitprotocol/hunt-for-the-idor-automation-using-burp-suit-a09f004a9d9d
https://www.youtube.com/watch?v=3rToX5RUWRg
https://medium.com/@hungry.soul/writing-a-scanner-to-find-reflected-xss-vulnerabilities-part-1-5dd6de7d1a35
*
Trishul is an automated vulnerability finding Burp Extension.
https://t.co/XWzmRpQutX
*
Authentication Token Obtain and Replace (ATOR) Burp Plugin: Fast and Reliable plugin to handle Complex Login Sequences
https://github.com/gauravnarwani97/Trishul
https://medium.com/@kashwathkumar/authentication-token-obtain-and-replace-ator-burp-plugin-fast-and-reliable-plugin-to-handle-b19e3621c6a7
*
InQL – Introspection GraphQL Scanner https://t.co/rJuKlLBH2B
*
Bug Bytes #74 – Testing for SSTI in Go, SSRF in Facebook and Kubernetes & PwnFox for a better Burp/Firefox experience
https://portswigger.net/bappstore/296e9a0730384be4b2fffef7b4e19b1f
https://blog.intigriti.com/2020/06/10/bug-bytes-74-testing-for-ssti-in-go-ssrf-in-facebook-and-kubernetes-pwnfox-for-a-better-burp-firefox-experience/
*
Bug Bytes #76 – How to learn anything, Fantastic writeups & A tool to play with Burp’s REST API
https://t.co/dYbbAWmgBO
*
Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code
https://blog.intigriti.com/2020/06/24/bug-bytes-76-how-to-learn-anything-fantastic-writeups-a-tool-to-play-with-burps-rest-api/
https://medium.com/@zseano/using-xampp-and-burp-intruder-when-scanning-for-subdomains-to-look-for-interesting-behaviour-code-f24c511d15ed
*
A Burp Suite extension to parse Content-Transfer-Encoding: quoted-printable emails received in Burpcollaborator’s SMTP
https://t.co/5cETFQVXgZ
*
Finding your first bug: bounty hunting tips from the Burp Suite community
https://github.com/Hxzeroone/quoted-printable-Parser
https://portswigger.net/blog/finding-your-first-bug-bounty-hunting-tips-from-the-burp-suite-community
*
A Quick Guide to Using ffuf with Burp Suite
https://t.co/Sq7UN51ems
*
OTP bypass using Burp Suite
https://t.co/2w6KWN4ETh
*
Stepper – Burp Suite Extension
https://medium.com/@santosomar/a-quick-guide-to-using-ffuf-with-burp-suite-713492f62242
https://medium.com/@aamiropti/otp-bypass-using-burp-suite-a6e415112adc
https://coreyarthur.com/stepper/
*
Burp head-up display – toggle Burp proxy from anywhere and get its status
https://github.com/romainricard/burp-headup
*
Burp Suite tips from power user and “hackfluencer” Stök https://t.co/R5s0mkGfvw
*
Bug Bytes #90 – The impossible XSS, Burp Pro tips & A millionaire on bug bounty and meditation https://t.co/ufe2NKFkwh
*
Burp Extension for easily creating Wordlists
https://portswigger.net/blog/burp-suite-tips-from-power-user-and-hackfluencer-stok
https://blog.intigriti.com/2020/09/30/bug-bytes-90-the-impossible-xss-burp-pro-tips-a-millionaire-on-bug-bounty-and-meditation/
https://github.com/GainSec/GoldenNuggets-1
*
Android Security Testing: Setting up burp suite with Android VM/physical device.
https://t.co/Y5YOSBTZFk
*
Golden Nuggets. Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
https://medium.com/@hacker7744/android-security-testing-setting-up-burp-suite-with-android-vm-physical-device-e8f713968eef
https://github.com/GainSec/GoldenNuggets-1
*
Burp Multiplayer
A Multiplayer Plugin for Burp https://t.co/Ly9TaepvGM
*
Developing Burp Suite Extensions
This repository contains the slides and code for the training Developing Burp Suite Extensions – From Manual Testing to Security Automation
https://github.com/moloch–/burp-multiplayer
https://github.com/doyensec/burpdeveltraining
*
rexsser
This is a burp plugin (python) that extracts keywords from response using regexes and test for reflected XSS on the target scope.
https://github.com/profmoriarity/rexsser
*
Burp Suite vs OWASP ZAP – a Comparison series https://t.co/TsBj31nZQn
*
Bug Bytes #99 – Bypassing bots and WAFs, JQ in Burp & Smarter JSON fuzzing and subdomain takeovers
https://t.co/ThMzleIpdJ
*
Burp Customizer! Change your burpsuite theme
https://jaw33sh.wordpress.com/2020/11/22/burp-suite-vs-owasp-zap-a-comparison-series/
https://blog.intigriti.com/2020/12/02/bug-bytes-99-bypassing-bots-and-wafs-jq-in-burp-smarter-json-fuzzing-and-subdomain-takeovers/
https://www.hahwul.com/2021/01/05/burp-customizer-change-your-burpsuite-theme/
*
Bug Bytes #104 – Cache poisoning DoS, Burp themes & A couple of Facebook account takeovers
https://t.co/s7GFi2rEsy
*
Bug Bytes #104 – Cache poisoning DoS, Burp themes & A couple of Facebook account takeovers
*
BOUNTY THURSDAYS – 2021 + new tools + new stuff = COOL BUGS! https://t.co/ujaDVM5q4M
*
Authorization Checks Made Easy
Burp Suite, extension and containers
https://www.youtube.com/watch?v=AxVBBpBGTVA
https://blog.rootrwx.com/post/2021-01-11-auth-checks-made-easy/
*
Running Your Instance of Burp Collaborator Server
https://t.co/WlHNA411UC
*
BugCrowd HUNT – 버그 바운티를 위한 Burp Extension https://t.co/nj8xmphg3k
*
Pro Tip: The Right Way to Test JSON Parameters with Burp
https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/
https://www.hahwul.com/2018/04/bugcrowd-hunt-burp-extension.html
https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/may-2018/the-right-way-to-test-json-parameters-with-burp
*
Bypassing IP Based Blocking with AWS API Gateway
https://t.co/HXbma0IR1M
*
LinkDumper Burp Plugin
https://t.co/zd5hHX4su8
*
2019-07-23 | HOW TO USE BURP REPEATER WITH WEBSOCKETS, ASSETNOTE’S ZOOM RCE WRITEUP, AND WHAT’S YOUR DEF CON THREAT MODEL?
https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/
https://medium.com/@arbazhussain/linkdumper-burp-plugin-6bde89937646
https://www.hackerone.com/zerodaily/2019-07-23
*
jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
https://github.com/kapytein/jsonp
*
Android Pentesting/Bug Hunting 101
-set-up Burp
-bruteforce OTP
-ADB leaks
-IDOR vulnerability
-list of static & dynamic vulnerabilities you should always check
https://link.medium.com/Ohrs3M1eFY
*
Burp Sub Domains extension
A very simple, straightforward extension to export sub domains from Burp using a context menu option.
https://t.co/VlsfsBp0Az
*
Burp Suite extension to discover assets from HTTP response.
https://github.com/Regala/burp-subdomains
https://github.com/redhuntlabs/BurpSuite-Asset_Discover
*
Using Burp Suite match and replace settings to escalate your user privileges and find hidden features
https://t.co/VF3yvv73Bh
*
Bug Bytes #23 – 20K IDOR Trick, Bug Bounty Vloggers everywhere & Persistent Burp Collaborator
https://www.jonbottarini.com/2019/06/17/using-burp-suite-match-and-replace-settings-to-escalate-your-user-privileges-and-find-hidden-features/
https://blog.intigriti.com/2019/06/18/bug-bytes-23-20k-idor-trick-bug-bounty-vloggers-everywhere-persistent-burp-collaborator/
*
Digging into Android Applications — Part 1 — Drozer + Burp
https://t.co/bvCO5LrHSX
*
Achieving Persistent Access to Burp Collaborator Sessions https://t.co/QrRrz5PoiI
*
New YesWeHack Api Extension for Burp
https://medium.com/bugbountywriteup/digging-android-applications-part-1-drozer-burp-4fd4730d1cf2
https://0x00sec.org/t/achieving-persistent-access-to-burp-collaborator-sessions/14311
https://blog.yeswehack.com/2019/05/24/new-burpsuite-extension/
*
BurpJSLinkFinder. Burp Extension for a passive scanning JS files for endpoint links https://t.co/23HnbzCwkH
*
Self-hosted Burp collaborator for fun and profit https://t.co/qf1vVykszs
*
Argument Injection Hammer Burp Suite Extension
https://github.com/BurpJSLinkFinder
https://teamrot.fi/2019/05/23/self-hosted-burp-collaborator-with-custom-domain/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/may/argument-injection-hammer/
*
Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
https://t.co/a2XHMGRlzN
*
Fun with Burp Suite Session Handling, Extensions, and SQLMap
https://github.com/portswigger/turbo-intruder
https://www.ryanwendel.com/2019/04/30/fun-with-burp-suite-session-handling-extensions-and-sqlmap/
*
Jspathextractor is an Burp Suite extension that extract hidden paths from js files and beatify it for futher reading.
https://t.co/OriRjutEmd
*
Extending fuzzing with Burp by FAST
https://github.com/Lopseg/Jspathextractor
https://lab.wallarm.com/extending-fuzzing-with-burp-by-fast-f67d8b5d63e7
*
virtualhost-payload-generator
BURP extension providing a set of values for the HTTP request “Host” header for the “BURP Intruder” in order to abuse virtual host resolution.
https://github.com/righettod/virtualhost-payload-generator
*
JSON Web Token (JWT) support for Burp Intruder. This extension adds a payload processor for fuzzing JWT claims.
https://t.co/A2zo0QVoYj
*
A curated list of amazingly awesome Burp Extensions
https://github.com/pinnace/burp-jwt-fuzzhelper-extension
https://github.com/snoopysecurity/awesome-burp-extensions
*
Burp extension to detect alias traversal via NGINX misconfiguration at scale.
https://t.co/l4R3bs1muW
*
Using Linode to proxy Burp Suite traffic
https://github.com/bayotop/off-by-slash
https://ihackthings.online/using-linode-to-proxy-burp-suite-traffic/
*
Burp Suite: Webpage Enumeration and Vulnerability Testing
https://t.co/f2u50guhh5
*
Burp’s new REST API
https://medium.com/cyberdefenders/burp-suite-webpage-enumeration-and-vulnerability-testing-cfd0b140570d
https://portswigger.net/blog/burps-new-rest-api
*
How to brute force efficiently without Burp Pro
Wfuzz and SecLists a match made in heaven.
https://t.co/XNIRU8Lpgw
*
A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
https://medium.com/bugbountywriteup/how-to-brute-force-efficiently-without-burp-pro-1bb2a414a09f
https://github.com/nccgroup/BurpSuiteHTTPSmuggler
*
Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap. https://t.co/BP3Mzc8Uiy
*
Pro Tips: Testing Applications Using Burp, and More
https://t.co/wO9tWVI6VX
*
HTTP file upload scanner for Burp
https://github.com/RhinoSecurityLabs/SleuthQL
https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/june-2018/protips-testing-applications-using-burp-and-more
https://github.com/modzero/mod0BurpUploadScanner
*
Automating BURP to find IDORs
https://t.co/LcTWTPxtdy
*
Burp-Automator: A Burp Suite Automation Tool with Slack Integration
https://medium.com/cyberverse/automating-burp-to-find-idors-2b3dbe9fa0b8
https://github.com/0x4D31/burpa
*
Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
https://github.com/nccgroup/blackboxprotobuf
*
Burp Suite extension to discover apikeys/accesstokens and sensitive data from HTTP response.
https://github.com/m4ll0k/BurpSuite-Secret_Finder
*
A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
https://github.com/PortSwigger/collaborator-everywhere
*
Turning Blind RCE into Good RCE via DNS Exfiltration using Collabfiltrator [Burp Plugin] https://t.co/t2DqS8JXLq
*
A Burp Suite Extender that try to find sub-domain, similar-domain and related-domain of an organization, not only a domain!
https://www.adamlogue.com/turning-blind-rce-into-good-rce-via-dns-exfiltration-using-collabfiltrator-burp-plugin/
https://github.com/bit4woo/domain_hunter
*
Manual JavaScript Linting is a Bug
ESLinter is a Burp extension that extracts JavaScript from responses and lints them with ESLint while you do your manual testing.
https://t.co/3GBeDNYWcw
*
Testing WebApp Access Control with Autorize
https://github.com/parsiya/eslinter
https://vj0shii.github.io/Testing-WebApp-Access-Control-with-Autorize/
*
Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
https://github.com/dstotijn/hetty