#burpsuite — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #burpsuite, aggregated by home.social.
-
🎙️ Join Federico’s Discord talk later today!
As part of #BurpExtensibilityMonth initiatives, our Research Lead and #BurpAmbassador @apps3c is joining #PortSwigger on Discord for “Restoring testability: Handling complex scenarios in Burp Suite with a custom extension”.
Most web and mobile backends and APIs can be assessed effectively with #BurpSuite out of the box. But testers sometimes hit scenarios where standard workflows become impractical, such as encryption, request signing, custom data formats, WAF controls, token handling, and other protections.
In this talk, Federico will explore how custom Burp Suite extensions can integrate those mechanisms directly into your testing workflow, so you can keep using tools like Repeater, Intruder, Scanner, and more as if the underlying complexity was not there.
Expect a real-world inspired scenario, practical design guidance, and plenty of extension-building inspiration.
👉 Register your interest here!
https://discord.com/events/1159124119074381945/1499761261750128670 -
Day 9 pentesting challenge: Burp Suite beyond the Proxy tab.
Real workflow chain: Proxy -> spot param -> Repeater to confirm reflection -> Intruder with payload list -> Comparer to diff results.
Quick IDOR test setup:
```http
GET /api/users/$$ID$$/profile HTTP/1.1
Authorization: Bearer <low_priv_token>
```
Payload: numbers 1-5000. Sort by response length. 403s cluster at ~90 bytes. Leaked profiles show up at 1200+. The outliers are your findings.
Community Edition caveat: Intruder is throttled to ~1 req/sec. Keep wordlists under 200 entries or grab coffee.
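The response-length sort above is the tester's view of an ID walk; the same run is just as visible on the server side. The following Python is an added example, not code from the post, and runs over constructed access-log lines (the log format, IPs, user ids and byte counts are all made up for the demo). It groups requests by client, session user and path template, raises one alert when a single caller touches many distinct ids inside a short window with mostly 403 responses, and lists the 200s inside that run, which are the records to check first against the intended authorization model.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (not from the post): one low-privilege session
# walking /api/users/<id>/profile sequentially, mixed with ordinary traffic.
# Format: <iso-timestamp> <client-ip> user=<session-user> <method> <path> <status> <bytes>
SAMPLE_LOG = """\
2026-03-15T10:00:00Z 198.51.100.4 user=77 GET /api/users/77/profile 200 1180
2026-03-15T10:00:01Z 203.0.113.9 user=1042 GET /api/users/1/profile 403 91
2026-03-15T10:00:02Z 203.0.113.9 user=1042 GET /api/users/2/profile 403 91
2026-03-15T10:00:03Z 203.0.113.9 user=1042 GET /api/users/3/profile 200 1243
2026-03-15T10:00:04Z 203.0.113.9 user=1042 GET /api/users/4/profile 403 91
2026-03-15T10:00:05Z 203.0.113.9 user=1042 GET /api/users/5/profile 403 91
2026-03-15T10:00:05Z 10.0.0.5 user=- GET /api/health 200 15
2026-03-15T10:00:06Z 203.0.113.9 user=1042 GET /api/users/6/profile 403 91
2026-03-15T10:00:07Z 203.0.113.9 user=1042 GET /api/users/7/profile 200 1201
2026-03-15T10:00:08Z 203.0.113.9 user=1042 GET /api/users/8/profile 403 91
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<size>\d+)$"
)
# A purely numeric path segment is treated as an object identifier.
ID_RE = re.compile(r"/(\d+)(?=/|$)")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    rec["ids"] = ID_RE.findall(rec["path"])
    rec["template"] = ID_RE.sub("/{id}", rec["path"])  # e.g. /api/users/{id}/profile
    return rec


def detect_enumeration(lines, window_s=60, min_ids=5, min_denied_ratio=0.5):
    """Flag each (client, session user, path template) that requested at least
    min_ids distinct object ids within window_s seconds while at least
    min_denied_ratio of those requests were denied with 403.

    The 403s are the noise of the enumeration; the 200s inside the same run
    ("served") are the records the caller was actually given and are the first
    thing to compare against the intended authorization model."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ids"]:
            buckets[(rec["client"], rec["user"], rec["template"])].append(rec)

    alerts = []
    for (client, user, template), recs in buckets.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):  # sliding window over request time
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            ids = {i for r in win for i in r["ids"]}
            denied = sum(r["status"] == 403 for r in win)
            if len(ids) >= min_ids and denied / len(win) >= min_denied_ratio:
                if best is None or len(ids) > best["distinct_ids"]:
                    best = {
                        "client": client, "user": user, "template": template,
                        "distinct_ids": len(ids), "denied": denied, "total": len(win),
                        "served": sorted(r["path"] for r in win if r["status"] == 200),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately loose so the rule fires on the sample; in production they should be tuned per route, since legitimate list pages can also touch many ids quickly but without the 403 cluster that marks an unauthorized walk.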
-
Day 8/60 #Pentesting challenge: Burp Suite fundamentals
Key workflow that catches real bugs:
1. Proxy browser through 127.0.0.1:8080
2. Browse the app normally, let HTTP History fill up
3. Find interesting requests (auth endpoints, data access)
4. Send to Repeater
5. Modify and resend
Example: change user_id in /api/users/42/profile to /api/users/1/profile. If you get someone else's data, that's broken access control -- a top-10 OWASP finding.
Gotcha: Burp's embedded browser has a different fingerprint than Chrome/Firefox. Some WAFs block it. Use a real browser with FoxyProxy for reliable testing.
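The user_id swap in step 5 is an object-level authorization failure on the server, and it is easiest to understand with the handler in both states. The Python below is an added illustration, not code from the post or from any project it mentions: the vulnerable handler checks only that the caller is authenticated, while the fixed one checks ownership or role before the lookup. `Session`, `PROFILES` and the `handle` router are assumptions made for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after validating the bearer token."""
    user_id: int
    role: str  # "user" or "admin"


# Constructed in-memory profile store (sample data, not from the post).
PROFILES = {
    1: {"name": "alice", "email": "alice@example.com"},
    42: {"name": "bob", "email": "bob@example.com"},
}


def get_profile_vulnerable(session: Session, target_id: int):
    """GET /api/users/<target_id>/profile as the post describes it: the token is
    checked (we have a Session) but the id in the path is trusted as-is, so any
    authenticated caller reads any profile by editing the path in Repeater."""
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    return 200, profile


def get_profile_fixed(session: Session, target_id: int):
    """Same route with object-level authorization: the caller must own the
    record or hold the admin role. The ownership check runs before the lookup,
    so a low-privilege caller gets 403 for existing and missing ids alike and
    cannot use a 403-vs-404 difference to learn which ids exist."""
    if session.role != "admin" and session.user_id != target_id:
        return 403, None
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    return 200, profile


def handle(handler, session: Session, path: str):
    """Tiny router for the demo: extracts the id from /api/users/<id>/profile."""
    parts = path.strip("/").split("/")
    if (len(parts) != 4 or parts[:2] != ["api", "users"]
            or parts[3] != "profile" or not parts[2].isdigit()):
        return 404, None
    return handler(session, int(parts[2]))


if __name__ == "__main__":
    bob = Session(user_id=42, role="user")
    print(handle(get_profile_vulnerable, bob, "/api/users/1/profile"))  # leaks alice's record
    print(handle(get_profile_fixed, bob, "/api/users/1/profile"))       # (403, None)
```

The point of the ordering in the fixed handler is the one the Day 9 challenge exploits from the other side: if the authorization check came after the existence check, 403 versus 404 would still tell a low-privilege caller which ids are real.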
-
To kick off his collaboration with @portswigger as a Burp Suite Ambassador, our Research Lead @apps3c just published the 10th article on the creation of extensions for #BurpSuite. Topic: #Burp #AI!
https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-10/
-
📢 I have just released #BurpAnonymizer, a Burp Suite extension that redacts PII, credentials, tokens and other sensitive data from HTTP requests/responses.
With one click, safely share requests and responses in reports, presentations, team reviews, or AI workflows, without exposing secrets and minimizing manual redactions.
🔗 Explore it here: https://github.com/sv1sjp/BurpAnonymizer
#CyberSecurity #BurpSuite #AppSec #Privacy #SecurityTools #web PortSwigger
-
----------------
🔎 AI: Integrating LLMs into Offensive Security Workflows
Summary
This blog outlines the practical integration of large language models into offensive security engagements. The authors describe improving public proof-of-concept Model Context Protocol (MCP) servers for BloodHound and Burp Suite to support real-world testing, and present LLM CLI usage patterns that enable agentic execution across reconnaissance, data enrichment, attack chaining, and reporting.
Technical specifics
• MCP servers: Existing MCP server projects for BloodHound and Burp Suite were adapted to work in offensive engagements, enabling LLMs to fetch, query, and reason over structured data such as Active Directory graphs and proxied web traffic.
• LLM CLI agents: Modern CLIs (examples cited include Gemini CLI, Claude Code, and OpenAI’s Codex) shift models from single-shot responders to autonomous operators capable of chaining actions: run a tool, parse output, decide next steps, and continue until objectives are met.
• Example capabilities: An LLM connected to an AD graph via an MCP server can rapidly enumerate privilege escalation paths that would otherwise require hours of manual review. When paired with Burp Suite MCP, LLMs can correlate requests/responses across sessions to accelerate vulnerability triage. The authors also describe an NTLM relaying Gemini extension that demonstrates chaining of attack steps.
Operational characteristics
• Scope of access: An LLM CLI can operate on any tool or artifact the host environment exposes (OS utilities, custom scripts, open-source offensive tooling, and locally hosted services), then interpret outputs to guide successive actions.
• Agentic execution model: Gemini’s agentic design emphasizes iterative, feedback-driven workflows where the model determines subsequent commands based on intermediate results rather than relying on a single prompt.
What was demonstrated
• Improved MCP integrations for BloodHound and Burp Suite adapted from public proof-of-concept servers.
• A proof-of-concept Gemini extension automating NTLM relay orchestration.
• Use cases spanning AD privilege path identification, web traffic correlation, automated triage, and multi-step attack choreography.
Limitations & considerations (as presented)
• The writeup focuses on capabilities and demonstrated integrations; implementation specifics and environmental constraints are described at a conceptual level. The examples show how LLMs can reduce manual effort and expand coverage when granted appropriate tool access.
🔹 #llm #mcp #bloodhound #burpsuite #ntlm
-
Sequence [TryHackMe] [Writeup]
Room Info Name: Sequence Platform: TryHackMe Difficulty: Medium Link: https://tryhackme.com/room/sequence Description: Chain multiple vulnerabilities to take control of a system. Task 1: Challenge Robert made some last-minute updates to the review.thm website before heading off on vacation. He claims that the secret information of the financiers is fully protected. But are his defenses truly airtight? Your challenge is to exploit the vulnerabilities and gain complete control of the […]https://aredopseagle.wordpress.com/2026/03/15/sequence-tryhackme-writeup/
-
web crawlers really need an option to just consider all "?something" urls as the same as the base URL and skip over them...
Anyone know if you can use #Burpsuite or similar to force a HTTP-301/302 redirect of them back to the base URL?
-
Me, pretty much every week using Burp Suite for years: It would be great to have a Burp internal task manager to figure out what is burning a full CPU while no requests are going through it.
Meanwhile Burp devs: AI! AI! AI! AI! -
There's a few good things, I appreciate the consistency of right arrow always taking you to message actions or embedded items now, being able to drop into browse mode to look at messages is helpful sometimes, having access to communities is a nice extra.
But some of the previous concerns at times make the UI practically unusable and I'll probably just switch to using the thing in a tab in my browser, given the thing's a web app now anyway.
This is not an old man shaking fists at the cloud post either, heck I use #Burpsuite for fun, I know how to wrangle bad or even terrible UIs, and web UIs can be absolutely fantastic and a game changer for productivity with a screen reader. This one, just isn't, and it's not even primarily because of the UI itself, but almost entirely because of the way that UI is being rendered. I will be providing this feedback to the official channels as well of course, and the UI absolutely CAN be used, when it behaves. It's just that for me it often doesn't -
In this latest article in our long-running series on #BurpSuite #Extension #Development, @apps3c illustrates how to extend the Active and Passive Scanner in your favorite #WebApplication #PenetrationTesting tool with Custom Scan Checks:
https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9/
Check it out!
-
In this latest article in our long-running series on #BurpSuite #Extension #Development, Federico Dotta illustrates how to extend the Active and Passive Scanner in your favorite #WebApplication #PenetrationTesting tool with Custom Scan Checks:
https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9/
Check it out!
-
Having had a cursory glance at Burp AI, there is just an instant dealbreaker: you have no control which requests it sends to your target.
Let's say you tell it "find a RCE in this parameter", nothing stops it from injecting "rm -rf /*" or exfiltrating all ssh keys to pastebin because it learned that from some weird medium blog post or CTF write up.
Not being able to review the requests before they are fired is insane.
You might say, an active scan also does that. Sure, but they are curated and static. The payloads won't just change every minute.
-
If anybody is using https://github.com/pentagridsec/PentagridResponseOverview I just pushed an update that removes request parameter names and values in responses so we don't detect reflected parameters as distinct responses #burpsuite #kotlin
-
Burp Suite can be overwhelming for beginners. Caido isn't.
Modern interface, straightforward setup, and built for manual web app testing.
https://hackers-arise.com/web-app-hacking-getting-started-with-caido/#web #pentesting #infosec #cybersecurity #burpsuite #caido #technology
-
#Brida 0.6 is here! The bridge between #BurpSuite and #Frida is now fully compatible with Frida 17+.
As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub.
Get the latest release here:
https://hnsecurity.it/blog/brida-0-6-released/
Coming soon to the PortSwigger BApp Store (pending approval).
Kudos to our @apps3c for keeping this essential integration tool up to date with Frida's fast-evolving ecosystem!
-