
Questions tagged [burp-suite]

Burp Suite is a popular platform for performing security testing of web applications. It can also be used by a malicious party to analyze and attack web applications. It is implemented in Java.

0 votes
0 answers
52 views

In Burp Suite, how can I filter traffic by a specific domain and also filter requests initiated by that specific domain?

In Burp Suite, how can I filter traffic by a specific domain, and also include requests initiated by that specific domain? For example, I want to filter: www.example.com But www.example.com initiated ...
pashathree

1 vote
1 answer
88 views

Running ZAP scan on a web application is not detecting all endpoints

I want to run ZAP automated scan to a web application. I have the URL which is example.com/myapp. When I browse the application in Burp Suite, I can see some REST endpoints being called like example....
anonymous

3 votes
1 answer
3k views

Is this database exploitable?

I'm starting out as a bug bounty hunter and found a website that might have a problem, yet I'm unsure if it's exploitable or not. When sending any payload that contains % I get an error: Invalid query ...
Red Potato

0 votes
0 answers
69 views

To fetch dynamic id from the past request response and use it in the next request

I have a website that needs a 6 digit code to log in. A dynamic ID is sent with the OTP submission request as "recoveryCode":"xxx" in the body. The dynamic ID for the next request ...
STRIX

1 vote
0 answers
97 views

How to brute force security code or One Time Password

As part of my project, I am trying to brute force a security code for an app using "Forgot my password" option. I understand that I can brute force username and password using Hydra. However,...
Transending Life

1 vote
1 answer
133 views

Redirect all outgoing http and https requests to Burp using nftables

I'm working on a very limited client (based on Poky from the Yocto Project), on which I want to redirect all http/https requests to my other machine on the same network. I have nftables available on ...
Breakfast Serial

1 vote
0 answers
47 views

How to transfer session between Burp browsers on different computers via IM?

Is there an extension for Burp Pro that will allow you to do something like the following? Alice launches Burp Suite Pro & launches its browser. Bob does the same. Alice logs in to a website ...
Bitbang3r

0 votes
0 answers
179 views

Can't set cookie from request to another domain, Chrome third party cookies phaseout

I am doing the PortSwigger CSRF lab, where the token is tied to a non-session cookie, the solution to this is that we set a cookie to the users' browser through the search field which sets the search ...
SAVEPALASTINE

2 votes
2 answers
133 views

Burp's collaborator v. private collaborator for bug bounty hunting

A question for bug bounty hunters - what is the current stance on using Burp's collaborator v. your own private one? Is there any benefit to having your own collaborator server compared to the time/...
Bug Hunter Mit

1 vote
1 answer
250 views

Edge browser + Docker: proxy settings for Burp Suite

This is my case: I'm trying DVWA in a Docker container localhost:4280. I want to test this webapp with Burp Suite (which listens on port 8080) and Microsoft Edge browser. I'm on Windows 11. The way to ...
ranemirusG

0 votes
1 answer
431 views

Export Burp certificate to Wireshark for inspection

I am trying to figure out if I can take the Burp Suite certificate and export it to Wireshark to be able to inspect the traffic going through it. My main goal here is to test a website I own to see ...
Don Schulz

0 votes
2 answers
292 views

Which tool to use to automate REST API pentest

I want to run an automated REST API pentest, and I want to integrate my test into CI/CD pipeline. Note: I have the openapi specification of the APIs that I want to test. My automated test will be ...
anonymous

0 votes
1 answer
78 views

PortSwigger SSRF basic lab question

I am working on some PortSwigger labs to get good at web security. I was doing this lab at the following link: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost Spoiler, you ...
PurpleHacker

0 votes
2 answers
241 views

How to Capture Mobile API Requests in Burp when Server side pinning is implemented

I recently encountered a scenario where Mobile Application is generating CSR request, call a POST API request and in response, Ask Server for certificate. Server will respond with the temporary ...
Tejas Pandya

3 votes
1 answer
1k views

Unknown host on Burp Suite when trying to access *.localhost

I am trying to analyze HTTP traffic of our application. Application has two accessible portals, one accessible by admin.localhost:3002 and the other accessible by localhost:3002 I have Burp Suite ...
Gonzalo Aguado Torres
