DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval ...

In this tutorial, you'll use Burp Sequencer to analyze the quality of randomness in an application's session tokens. Burp Sequencer may have unexpected results in some applications. Until you are ...

This release introduces the Burp Intruder capture filter, automatic decoding of SMTP messages in Burp Collaborator, improved accuracy of recorded logins and a number of other improvements.

In this example, a shopping application lets the user view whether an item is in stock in a particular store. This information is accessed via a URL: https://insecure ...

Blind SQL injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. Many ...

HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known ...

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive ...

Andres Rauschecker, 26 years old, and Munich-based, is a cybersecurity enthusiast to his very core. He got into the field at a young age, pursuing what was initially just an interest and turning it ...

This extension can be used to generate multiple scan reports by host with just a few clicks. If the option is selected, one report will be generated for the host that includes findings for HTTP:80 and ...

"I do have to say, if you're not in the @PortSwigger discord you're missing out."@t0xodile, Burp Suite Professional user The PortSwigger Discord is a great way to see what Burp developers are working ...

Increasingly complex web applications. Across numerous domains. Integrated via a range of APIs. These are the challenges faced by modern pentesters - all with the added pressure of delivering accurate ...

This release enables you to generate scan reports in PDF format, and generate compliance reports that are compatible with PCI DSS v4.0.1. We also added support for SOAP API scans. We made a number of ...