https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/testing-for-clickjacking
Clickjacking is a web security vulnerability that allows an attacker to trick users into clicking on hidden web page elements. It's done by overlaying a ...
https://portswigger.net/research/hunting-evasive-vulnerabilities
Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later?...
https://portswigger.net/burp/eula/jenkins_ci_driver
PortSwigger offers tools for web application security, testing & scanning. Choose from a wide range of security tools & identify the very latest...
https://portswigger.net/kb/issues/00200509_content-security-policy-not-enforced
Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted...
https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/input-validation/xss
Cross-site scripting (XSS) is a web security vulnerability that enables an attacker to manipulate a vulnerable web site so that it returns malicious ...
https://portswigger.net/burp/vulnerability-scanner
Burp Scanner is the industry's gold standard dynamic web vulnerability scanner. Start vulnerability scanning today with a free trial of Burp Suite.
https://portswigger.net/blog/portswigginar-13-july
Thank you to those who attended our recent PortSwigginar on Burp Suite Enterprise Edition. Below is the video of the session, which included: A recap on...
https://portswigger.net/burp/documentation/dast/user-guide/scanning-web-apps/configure-authentication
Adding authentication credentials for web app sites enables Burp Scanner to discover and audit content that is only accessible to ...
https://portswigger.net/research/top-10-web-hacking-techniques-of-2019
The results are in! After 51 nominations whittled down to 15 finalists by a community vote, an expert panel consisting of Nicolas Grégoire, Soroush...
https://portswigger.net/support/using-burp-to-find-clickjacking-vulnerabilities
Clickjacking is a technique in which an attacker uses multiple transparent or opaque layers to trick a user ...
https://portswigger.net/bappstore/bd98c38519144301a0a232d8e7df613c
Generates sophisticated malicious GraphQL test queries for authorized security testing using Burp AI, featuring schema introspection, AI monitoring, and...
https://portswigger.net/blog/mobp-sucky-scanners
How many people have used a commercial scanner to look for vulnerabilities in web applications? Lots of you, right? And who thinks that the scanner they use is...
https://portswigger.net/research/http2
In this research paper James Kettle introduces multiple new classes of HTTP/2-exclusive attacks, demonstrated on popular websites and servers.
https://portswigger.net/kb/issues/00200352_local-file-path-manipulation-stored-dom-based
Stored DOM-based vulnerabilities arise when user input is stored and later embedded into a response within a part of the DOM that is then processed in an...
https://portswigger.net/blog/v13p-pro-beta-version-now-available
A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks' time. If you don't...
https://portswigger.net/users?returnurl=%2Fweb-security%2Flearning-paths
PortSwigger offers tools for web application security, testing & scanning. Choose from a wide range of security tools & identify the very latest...
https://portswigger.net/blog/burp-suite-now-reports-blind-xxe-injection
Today's release of Burp Suite Professional updates the Scanner to find blind XML external entity (XXE) injection vulnerabilities. Burp has previously checked...
https://portswigger.net/burp/documentation/scanner/bchecks
BChecks are custom scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine, helping you to ...
https://portswigger.net/research/practical-web-cache-poisoning
In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems
https://trust.portswigger.net/?itemName=network_security&source=click
SafeBase monitors your security practices to enable you to win enterprise deals.
https://portswigger.net/research/a-hacking-hat-trick-previewing-three-portswigger-research-publications-coming-to-def-con-amp-black-hat-usa
We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32. In this post,...
https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities
Early last year Gareth Heyes unveiled a fascinating new technique for attacking web applications by exploiting path-relative stylesheet imports, and dubbed it...
https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web...
https://portswigger.net/research/gotta-cache-em-all
Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads. However, as CDNs became more...
https://portswigger.net/bappstore/f99325340a404c67a8de2ce593824e0e
Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).
https://portswigger.net/research/how-i-accidentally-framed-myself-for-a-hacking-frenzy
It’s well known that some websites are vulnerable to IP address spoofing because they trust a user-supplied HTTP header like X-Forwarded-For to...
https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This...
https://portswigger.net/burp/documentation/desktop/settings/ai
Burp's AI features only run if you explicitly activate them. The AI settings page provides an additional safeguard to prevent you from accidentally using ...
https://portswigger.net/burp/documentation/desktop/tools/logger/filter/view
You can use the view filter to control which captured items Burp Logger displays. For more information on which items Logger captures, see Configuring the ...
https://portswigger.net/blog/burp-suite-tips-from-power-user-and-hackfluencer-stok
In his own words, Stök is "that hacker that your friends told you about". In other words, he's a content creator with over 25 years of...
https://portswigger.net/burp/documentation/scanner/authenticated-scanning
When crawling a target application, Burp Scanner attempts to cover as much of the application's attack surface as possible. Authenticated scanning enables ...
https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher
Interested in pushing hacking techniques beyond the current state of the art? Read James Kettle's guide on how to become a web security researcher.
https://portswigger.net/research/xss-in-hidden-input-fields
At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving...
https://portswigger.net/burp/documentation/scanner/authenticated-scanning/using-recorded-logins
Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on sites that use complex login mechanisms ...
https://portswigger.net/blog/t-shirt-competition-winners
We've just mailed out prizes to the winners of our T-shirt competition. Below are the 40 entries that won a Burp Suite T-shirt: @0xdeadb - [...]...
https://portswigger.net/blog/handling-application-errors-during-scans
How many times have you seen this? As we have already described, Burp's current Scanner processes each item in the scan queue in isolation. If it runs into...
https://portswigger.net/blog/new-release-cycle-for-burp-suite-free-edition
For a long time, we've released updates to Burp Suite Free Edition every year or so, when Burp gets a new major version number. The Professional Edition is...
https://portswigger.net/bappstore/a74a1af8d70d4de9bdef1e421a628013
Performs custom scanning for vulnerabilities in web applications.
https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
Abstract: Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection. This relatively low...
https://portswigger.net/burp/documentation/dast/user-guide/reference/settings-menu
The settings menu contains shortcuts to several of the configuration menus used in Burp Suite DAST. To access the settings menu, click the symbol in the ...
https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/authentication-mechanisms/credential-stuffing
Credential stuffing is a form of brute-force attack in which you attempt to log into a website using known username and password combinations from other ...
https://portswigger.net/research/web-storage-the-lesser-evil-for-session-tokens
I was recently asked whether it was safe to store session tokens using Web Storage (sessionStorage/localStorage) instead of cookies. Upon googling this I found...
https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
(or CORS misconfiguration misconceptions) In this post, I'll show how to identify and exploit misconfigured CORS. This is a greatly condensed version of...
https://portswigger.net/research/backslash-powered-scanning-hunting-unknown-vulnerability-classes
Abstract: Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and...
https://portswigger.net/bappstore/db62b6a29eb24765a9225890b3ad769b
Adds a context menu item to quickly add hosts to TLS pass through.
https://portswigger.net/research/bypassing-wafs-and-cracking-xor-with-hackvertor
You might not be aware of the Hackvertor extension I've been working on lately. It features tag based conversion that is far more powerful than the inbuilt...
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
Introduction: In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on...
https://portswigger.net/bappstore/371cebe47d8d4049a92dc03b66e1105f
Integrates Crawljax, Selenium and JUnit into Burp.
https://portswigger.net/burp/documentation/dast/user-guide/ci-cd/plugins/teamcity/burp-scan
Configuring a Burp scan in TeamCity involves largely the same process as in previous versions of Burp Suite DAST. In this section, we'll provide ...
https://portswigger.net/research/how-to-build-custom-scanners-for-web-security-research-automation
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the...
https://portswigger.net/research/hackability-inspector
The Hackability inspector enables you to quickly enumerate objects and discover interesting functions to exploit.
https://portswigger.net/bappstore/33e4402eee514724b768c0342abadb8a
Customizable payload generator to detect and exploit command injection flaws during blind testing.
https://portswigger.net/burp/documentation/dast/user-guide/api-documentation
Burp Suite DAST provides two APIs that you can use to interact with the system from other third-party software. The GraphQL API offers the broadest range of ...
https://www.zaproxy.org/blog/2022-03-29-portswigger-lab-brute-force-password-change/
The world’s most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a...
https://portswigger.net/careers
Find out why joining PortSwigger, a cybersecurity firm in the North West of England and creators of Burp Suite, could be the best career choice for you
https://portswigger.net/research/web-cache-entanglement
Caches are woven into websites throughout the net, discreetly juggling data between users, and yet they are rarely scrutinized in any depth. In this paper,...
https://portswigger.net/bappstore/34db77290bca46f1b2321bbe5e116ff2
Identifies previously submitted inputs appearing in hashed form.
https://portswigger.net/burp/documentation/desktop/testing-workflow/vulnerabilities/access-controls/horizontal-access-controls
When a user logs in to an application, they usually only have access to their own functions and resources. If access controls are incorrectly set, a user ...
https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many...
https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
Every once in a while, you'll find what looks like a healthy XSS vulnerability, only to bash your head against a limited charset that prevents exploitation....
https://portswigger.net/blog/dom-invader-and-the-case-of-direct-eval-vs-indirect-eval
What is DOM Invader? DOM Invader is a browser extension that makes it easy to find DOM-based XSS by instrumenting various JavaScript functions. You can find...
https://portswigger.net/blog
Articles and product insights from the PortSwigger team. Keep up to date with Burp Suite and the world of web security by visiting our blog.
https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160
Copies selected request(s) as Python-Requests invocations.