What's happening in the Burp-verse - Issue #11 📰

Hi 👋,

I hope this newsletter increases your productivity and helps you find more bugs. 😊

We will walk through the latest blog posts, extensions, and many tips & tricks using Burp Suite in this newsletter issue.

If you got this newsletter for the first time, welcome onboard!!! Signing up for the newsletter was your first step in becoming the up-to-date hero of Burp Suite.

Follow Burp Suite Guide on Twitter or LinkedIn to get instant updates on Burp Suite. 

Now let’s continue.

All the features from previous early adopter versions are added to this stable release. The features include a new collaborator domain “oastify.com,” the ability to add new tabs in Message Editor, etc. Check out the previous newsletter issue to find out all the features.

This article is the second part of the blog post on Hackvertor. While the first part introduced Hackvertor extension and an example to bypass replay protection, this second part is icing on the ice. This article gives many tips for using the extension and code examples.

If you have never heard of Hackvertor, both the first and second parts of this blog should be sufficient to get you started.

This blog post describes four extensions that can make the Community edition as good as the Pro edition.

The four extensions are 🥁 🥁: Turbo Intruder, Logger++, Interactsh Collaborator, and LazyCSRF.

Check out the blog post to learn about their usage.

This article is a beginner-friendly article that gives a great introduction to Repeater. Even if you have used Repeater for some time now, there’s a high chance that you would learn (or relearn) something new.

Check out this article.

A Burp Suite extension for dynamic payload generation to detect injection flaws (RCE, LFI, SQLi), create access-matrix-based user sessions to spot authentication/authorization issues, and convert HTTP requests to Javascript for further XSS exploitation and more.

This extension now makes authorization checks a little bit easier. The new version adds a feature to enable colorization on requests sent from different PwnFox containers (based on the X-Pwnfox-Color request header).

This GitHub repository curates practical match and replace rules for Burp Suite. The rules include finding hidden buttons and forms, bypassing WAF, etc. Check it out.

Our favorite researcher is back with a fantastic talk. This time it’s not a new technique or methodology; it’s about the bugs that usually stay under the pentester’s radar. 

Based on his decade-long experience in web security research, he gives examples of such “evasive vulnerabilities” and broad principles that one can apply to find such vulnerabilities.

An article from the PortSwigger Research team on how you could use SVG’s “use” element to execute JS automatically.

Did you learn something new from this newsletter? 🥺

Please share this newsletter with your friends, hackers & pentesters. Tweet about it, post it on social media or forward this newsletter email to others.

If you liked the newsletter, click the 👍 button below. If you have any specific feedback, shoot an email to [email protected].

Many thanks for considering my request.

Until next time 👋