Burp Suite

Burp Extensions - Setting up XSS Validator

Hunting for XSS. Cross-site scripting (XSS, which is just another form of code injection) can be a severe vulnerability, and it is also very common. That combination of profitability and ubiquity marks it as a worthy target for penetration testers interested in public bounties. But because of a high rate of false positives (and inevitably imperfect detection logic), the process of ferreting out XSS comes with a lot of noise: a payload that is reflected in a response is not necessarily one that the browser executes. The XSS Validator extension from nVisium is designed to solve this problem.
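To make the noise problem concrete, here is an added example (not code from the original post or from the XSS Validator project) that contrasts the naive check most scanners start from, "is my probe string reflected in the response?", with a check that asks whether the probe actually landed in a context that would execute. The probe string, the canary name and the three sample responses are constructed for the example; the parser-backed check uses Python's html.parser as a stand-in for a browser, and it only recognises a canary inside a real script element.

```python
"""Naive reflection check vs. a context-aware check for an XSS probe.

Constructed example: the probe, canary and responses below are made up
and do not come from any real target or from XSS Validator itself.
"""
from html.parser import HTMLParser

# Assumed probe: a unique canary call wrapped in a script tag.
CANARY = "xssprobe()"
PROBE = f"<script>{CANARY}</script>"

# Constructed responses a scanner might get back after sending PROBE.
RESPONSES = {
    # Output was HTML-encoded: the text is reflected but inert.
    "escaped": "<p>Results for &lt;script&gt;xssprobe()&lt;/script&gt;</p>",
    # Reflected inside a quoted attribute value: no script element is created.
    "attribute": '<input type="text" value="<script>xssprobe()</script>">',
    # Reflected verbatim into the page body: this one would run.
    "raw": "<p>Results for <script>xssprobe()</script></p>",
}


def naive_reflected(body: str) -> bool:
    """The noisy check: flag any response that merely contains the canary."""
    return CANARY in body


class ScriptFinder(HTMLParser):
    """Collects the text content of every <script> element in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.in_script = False
        self.script_bodies: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.script_bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Attribute values never reach handle_data, so a probe stuck inside
        # value="..." is not counted; entity-decoded text outside a script
        # element is also ignored.
        if self.in_script:
            self.script_bodies[-1] += data


def executes(body: str) -> bool:
    """The stricter check: the canary must sit inside a real script element."""
    parser = ScriptFinder()
    parser.feed(body)
    parser.close()
    return any(CANARY in script for script in parser.script_bodies)


def triage(responses: dict[str, str] = RESPONSES) -> dict[str, tuple[bool, bool]]:
    """Return {name: (naive_verdict, context_verdict)} for each response."""
    return {name: (naive_reflected(body), executes(body)) for name, body in responses.items()}


if __name__ == "__main__":
    for name, (naive, real) in triage().items():
        print(f"{name:10} naive={naive!s:5} executes={real}")
```

Running it shows the naive check flagging all three responses while only the raw reflection survives the context check; the escaped and attribute cases are exactly the false positives a validator has to discard. A static parser is still only an approximation: it misses event-handler attributes, javascript: URLs and DOM-based sinks, which is why a real validator loads the response in a headless browser and waits for the canary function to be called.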

Bug Hunting for Penetration Testers Available Now

Hands-On Bug Hunting for Penetration Testers is now available. The book covers how to detect, validate, and write submission reports for XSS, SQLi and NoSQLi, XXE, CSRF, and other vulnerabilities, with sections on detecting hidden content, crowdsourcing code injection snippets and other malicious inputs, writing quality submission reports, and more. It uses Burp Suite as its principal tool and proxy, with Python (3.6.5) and Bash scripts thrown in to augment, extend, and automate different testing functions.

Pre-order Hands-On Bug Hunting for Penetration Testers

Update: The book has since been released. See how to purchase it at handsonbughunting.com or use the Amazon link included in the article below. This October I'll be releasing my first book with Packt Publishing, Hands-On Bug Hunting for Penetration Testers. The book covers preparing for pentesting engagements, building an automated pentesting workflow, detecting and reporting the OWASP Top 10 most common bugs, finding the best bug bounty programs, focusing on testing the right parts of a web application, formatting vulnerability reports to maximize your payouts, and going further. If you have some experience with penetration testing, it'll be a good introduction to public bug bounty programs, and if you're just getting into security, it's a great series of walkthroughs for getting up to speed, even if you have to search for the meaning of a term or two (or three).

The Top 5 Burp Suite Extensions

If you're a freelance security researcher, chances are you've heard of, or use, Burp Suite, a program commonly considered the gold standard for web penetration testing software. But if you're only using the stock version, as great as it is, you're missing out! Both the free (Community) and paid (Professional) editions of Burp support extensions that add functionality to the main client, whether it's a separate (and free) scanner, an IP randomizer, or a plugin for validating XSS vulnerabilities.