Burp Suite User Forum

Intruder - Attack Types - How can I use dynamic numbers for only a param while attack other params

I have a request that needs a different attack type, for example: register_user.php?name=[payload1]&address=[payload2]&mail=[payload3] and a payload list with 100 lines. I want to test results following: Payload1 =...

Last updated: Nov 26, 2019 01:12PM UTC | 1 Agent replies | 1 Community replies | How do I?

Migrating from Burp Suite professional v1.7.37 to 2.1.x

Our teams are currently using Burp Suite professional v1.7.37. As part of nightly automation workflow, we start up Burp from the command line and pass pre-configured settings (user settings and project settings) e.g. using...

Last updated: Nov 26, 2019 11:07AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: CORS vulnerability with internal network pivot attack - step 1 not working

Hi there, While attempting to follow the instructions for step 1 it does not appear that after "store" the exploit and then "deliver exploit to victim" that the victim is actually visiting the exploit link. There is...

Last updated: Nov 26, 2019 10:04AM UTC | 2 Agent replies | 1 Community replies | How do I?

Scan POST Parameter with REST API

Hi, I am currently testing the REST API of the Burpsuite Pro and trying to scan POST parameters. The scan starts but only the GET requests to the URL I entered in the scope are scanned. The POST request with...

Last updated: Nov 26, 2019 09:40AM UTC | 1 Agent replies | 0 Community replies | How do I?

No licenses or order update.

Hi, I purchased a professional license and I haven't received anything yet. I already sent an email to office@portswigger.net. But no answer, I expect to get the license fast or something. Hope to get an answer soon.

Last updated: Nov 25, 2019 07:00PM UTC | 1 Agent replies | 1 Community replies | How do I?

[Information Required] Number of follow-up passes performed on completion of each audit phase

Hi, I was wondering if anyone could help me with the "number of follow-up passes that are performed on completion of each audit phase" option configured in the Built-in Scan configuration (e.g. Audit Coverage-thorough,...

Last updated: Nov 25, 2019 10:30AM UTC | 1 Agent replies | 0 Community replies | How do I?

Burp 2 - v2.1.06 - Scan / Crawl sends four times the same HTTP request for each entry

Hello, While doing a scan / crawl of a website, I noticed that Burp 2 makes 4x time the same HTTP requests for each crawl action. For instance it will query /robots.txt four times, this happens also when setting the...

Last updated: Nov 23, 2019 07:00AM UTC | 0 Agent replies | 0 Community replies | How do I?

More info on "Identify Backend Parameters"

During a scan I have found an endpoint with the issue "Interesting input handling: Backend Parameter Injection". In the advisory there is the suggestion to click on the "Identify Backend Parameters" entry of the context...

Last updated: Nov 22, 2019 09:20AM UTC | 3 Agent replies | 3 Community replies | How do I?

Monitoring Traffic for Android Device Not Connected to same WIFI as my Laptop

Hi, I want to intercept traffic for an Android device to test security variabilities in different Android Apps. I am planning to use a Genymotion emulator which will be hosted on Amazon Web Service E2C...

Last updated: Nov 20, 2019 11:42AM UTC | 2 Agent replies | 1 Community replies | How do I?

Can we use Burp Tool for testing "netty socket server"

We have an application which sends a request and gives a response if it's valid, which uses netty socket server to do this. My organization is doing R&D whether we can use 'BURP Tool' for achieving this, can you please provide...

Last updated: Nov 19, 2019 03:34PM UTC | 1 Agent replies | 0 Community replies | How do I?

Scan Status

What are the different statuses of a scan in Burp? Out of my 100 URLs, for some of the URLs I get the status as DONE and for others I get request timed out. Should I expect the status as DONE for all the URLs I produce to Burp...

Last updated: Nov 19, 2019 10:00AM UTC | 1 Agent replies | 0 Community replies | How do I?

How to configure Burp Suite for traffic to/from Docker container?

As titled really. I have it setup correctly to monitor all browser traffic, however when I'm hitting a local container web app at localhost, it isn't intercepting. Can you offer any guidance?

Last updated: Nov 18, 2019 11:57PM UTC | 2 Agent replies | 1 Community replies | How do I?

How do i get CWE references from /scan response

I have noticed that Burp Suite Enterprise Edition web app has CWE references included under ‘Vulnerability classifications’ in every scan result. However, API json scan output doesn’t contain it. I would like to have these...

Last updated: Nov 18, 2019 10:28AM UTC | 3 Agent replies | 2 Community replies | How do I?

how do i convert multipart gzip to original file

during my research i'm intercepting some packages like this: Content-Type: multipart/form-data; boundary=cLXA2xHy63hD9QS92t_yJwlwnL8vVb Accept-Encoding: gzip, deflate X-FB-HTTP-Engine: Liger Connection:...

Last updated: Nov 16, 2019 07:56PM UTC | 2 Agent replies | 1 Community replies | How do I?

Crawling and Auditing a Shibboleth Protected website

We are trying to crawl and audit a shibboleth protected site and am only seeing the public facing pages being crawled and audited. We can see the sitemaps and items when manually traversing the site via the proxy and browser....

Last updated: Nov 15, 2019 10:59AM UTC | 1 Agent replies | 0 Community replies | How do I?

http://burp/ not reachable

hi folks I am trying to install the CA for firefox and the suggestion to download from http://burp/ results in the site not being reachable. Is the site down? I have tried this from multiple computers and networks and...

Last updated: Nov 14, 2019 02:36PM UTC | 2 Agent replies | 1 Community replies | How do I?

IPV6 scanning through Burp 2.1.5 tool

Hi Team, I need to do IPV6 scanning using latest Burp 2.1.5 tool on Windows. Step 1: https://[IPV6]/ entered in the browser. Step 2: At Burp side Intercept is On on Windows machine. Step 3: Burp cannot able to get...

Last updated: Nov 14, 2019 12:58PM UTC | 1 Agent replies | 0 Community replies | How do I?

Pass the Build in Jenkins even Burp_scan shows vulnerabilities for Burp Enterprise

Team, Could you please let me know how to pass the build in Jenkins despite vulnerabilities being identified using the burp enterprise edition? The BURP_SCAN_STATUS is succeeded in Jenkins but Build is marked as Failure...

Last updated: Nov 14, 2019 12:35PM UTC | 1 Agent replies | 1 Community replies | How do I?

How to run active scan from burp command line for burp 2.1

I am taking help of headless burp extension and running the below command java -jar -Xmx1g -Djava.awt.headless=true "C:\Program Files\BurpSuitePro\burpsuite_pro.jar" --project-file=project.burp -c config.xml but this will...

Last updated: Nov 14, 2019 11:39AM UTC | 1 Agent replies | 0 Community replies | How do I?

Not able to intercept specific HTTPS traffic

Hello, I am not able to intercept the HTTPS traffic using burp. I have installed certificate. I am able to intercept https://www.google.com but not able to intercept one specific URL. When I set the proxy, URL main page...

Last updated: Nov 14, 2019 10:46AM UTC | 4 Agent replies | 3 Community replies | How do I?
