How Do I?
I was hoping that you all had an all-encompassing user guide with all content in one doc. I found the following, which shows all help pages, but I'd really like to get all of that content in one file that I can review offline. Here's the page containing linked content: https://portswigger.net/burp/help/contents.html Thanks, -Donovan
1 Agent Answer | 0 Community Answer | Oct 05, 2015 09:10PM UTC
How to pentest a web site that is behind a reverse proxy?
Is it possible to pentest a web site that is behind a reverse proxy? If yes, how to?
1 Agent Answer | 0 Community Answer | Oct 04, 2015 11:49AM UTC
Probable bug in session handling macro
Hi, I am using the latest version of Burp and created a macro to log in to a complex website. It requires at least four requests to complete the login sequence. Below are the first three requests (sanitised):
First Request
GET /AppsLogin HTTP/1.1
Host: example.com
Response
HTTP/1.1 302 Moved Temporarily
Location: https://example.com/AppsLocalLogin.jsp
Set-Cookie: BIGipServe...
1 Agent Answer | 1 Community Answer | Oct 03, 2015 03:55AM UTC
Intercept not working
When proxying through Burp, intercept is on, but it's not intercepting the traffic (for me to drop or forward), but I see traffic in HTTP history.
3 Agent Answers | 4 Community Answers | Oct 02, 2015 06:17PM UTC
Multiple usernames as Prefixes when Base64 encoding authentication
Hi, is there a way to supply a list of usernames to be used as a prefix when payload processing prior to Base64 encoding? I have an application which has a pop-up authentication window to log in. The authentication mechanism Base64-encodes the username & password in a username:password format before forwarding it to the server, so I can only highlight the one position once it's sen...
1 Agent Answer | 0 Community Answer | Oct 02, 2015 08:17AM UTC
Burp session handling in multiple scanner threads
Hi all, I just wanted to know how Burp handles in-session detection and subsequent macro execution while scanning using multiple threads. Suppose the following scenario. I log in the application and get a valid session token. I browse the app and record several URLs I want to scan. I set in session detection and application relogin in case I detect a logout. I choose them and start sca...
6 Agent Answers | 5 Community Answers | Sep 30, 2015 03:15PM UTC
Session validation and Loop issue
I am active scanning a website which involves sessions. Number of threads for scanning is 5 - this means 5 requests will be sent at one time. I am using session handling rules to check if the session is valid or not. Since I am using 5 threads, let's say Thread 1 is sent and the session handling rules find it an invalid session. So the macro will run, login process will happen (according to macro) a...
1 Agent Answer | 0 Community Answer | Sep 30, 2015 01:09PM UTC
fatal alert: unknown_ca in Burp's "Alerts" tab
Problem: When intercepting, the site I'm visiting doesn't render properly in my browser. Some resources do not load. Related: in BurpSuite's "Alerts" tab, I have dozens of lines like this one: "The client failed to negotiate an SSL connection to s3.amazonws.com:443: Received fatal alert: unknown_ca" Also for seal.verisign.com and www.google-analytics.com and...
1 Agent Answer | 1 Community Answer | Sep 29, 2015 06:17PM UTC
How do I add all subdomains to scope?
I have the domain test.com. How can I add all the subdomains to the scope? *.test.com
1 Agent Answer | 1 Community Answer | Sep 28, 2015 09:53PM UTC
Security Headers for POST response
Hello, I noticed a few POST responses (whether 200 or 302) do not have an XSS protection / content sniffing / clickjacking prevention header set, and Burp Suite detected that as a vulnerability. Is there a specific reason why a few POST responses do not have these headers set? Is this not required? This is not directly related to Burp Suite functioning, but just wanted to check here....
3 Agent Answers | 3 Community Answers | Sep 28, 2015 01:54PM UTC