How Do I?


  • How to pentest a web site that is behind a reverse proxy?

    Is it possible to pentest a web site that is behind a reverse proxy? If yes, how?

    1 Agent Answer    0 Community Answer
    Oct 04, 2015 11:49AM UTC
  • Probable bug in session handling macro

    Hi, I am using the latest version of Burp and created a macro to log in to a complex website. It requires at least four requests to complete the login sequence. Below are the first three requests (sanitised). First Request GET /AppsLogin HTTP/1.1 Host: example.com Response HTTP/1.1 302 Moved Temporarily Location: https://example.com/AppsLocalLogin.jsp Set-Cookie: BIGipServe...

    1 Agent Answer    1 Community Answer
    Oct 03, 2015 03:55AM UTC
  • Intercept not working

    When proxying through Burp, intercept is on, but it's not intercepting the traffic (for me to drop or forward); I do see the traffic in HTTP history.

    3 Agent Answers    4 Community Answers
    Oct 02, 2015 06:17PM UTC
  • Multiple usernames as Prefixes when Base64 encoding authentication

    Hi, is there a way to supply a list of usernames to be used as a prefix during payload processing, prior to Base64 encoding? I have an application which has a pop-up authentication window to log in. The authentication mechanism Base64 encodes the username & password in a username:password format before forwarding it to the server, so I can only highlight the one position once it's sen...

    1 Agent Answer    0 Community Answer
    Oct 02, 2015 08:17AM UTC
  • Burp session handling in multiple scanner threads

    Hi all, I just wanted to know how Burp handles in-session detection and subsequent macro execution while scanning using multiple threads. Suppose the following scenario. I log in to the application and get a valid session token. I browse the app and record several URLs I want to scan. I set in-session detection and application re-login in case I detect a logout. I choose them and start sca...

    6 Agent Answers    5 Community Answers
    Sep 30, 2015 03:15PM UTC
  • Session validation and loop issue

    I am active scanning a website which involves sessions. The number of threads for scanning is 5, which means 5 requests will be sent at one time. I am using session handling rules to check if the session is valid or not. Since I am using 5 threads, let's say Thread 1 is sent and the session handling rules find it has an invalid session. So the macro will run, the login process will happen (according to the macro) a...

    1 Agent Answer    0 Community Answer
    Sep 30, 2015 01:09PM UTC
  • fatal alert: unknown_ca in Burp's "Alerts" tab

    Problem: When intercepting, the site I'm visiting doesn't render properly in my browser. Some resources do not load. Related: in Burp Suite's "Alerts" tab, I have dozens of lines like this one: "The client failed to negotiate an SSL connection to s3.amazonws.com:443: Received fatal alert: unknown_ca" Also for seal.verisign.com and www.google-analytics.com and...

    1 Agent Answer    1 Community Answer
    Sep 29, 2015 06:17PM UTC
  • How do I add all subdomains to scope?

    I have the domain test.com. How can I add all the subdomains to the scope? *.test.com

    1 Agent Answer    1 Community Answer
    Sep 28, 2015 09:53PM UTC
  • Security Headers for POST response

    Hello, I noticed a few POST responses (whether 200 or 302) do not have an XSS protection / content sniffing / clickjacking prevention header set, and Burp Suite detected that as a vulnerability. Is there a specific reason why a few POST responses do not have these headers set? Is this not required? This is not directly related to Burp Suite functioning, but I just wanted to check here....

    3 Agent Answers    3 Community Answers
    Sep 28, 2015 01:54PM UTC
  • Scanner - POST request results on a Different Page

    I have a webapp where, when saving edits to a particular page, a POST request is made to a simple 'FormSave' page. The server response is a simple 200 with a JSON body {"Success":"true"} (or a failure if the request fails). This POST request is made via a particular script file that has been loaded as part of the page being edited. The script is also respon...

    1 Agent Answer    1 Community Answer
    Sep 25, 2015 08:01PM UTC