How Do I?


  • How to create a tab like the proxy tab

    Hello, I would like to create a tab similar to the "Proxy" one where I can have "intercept on/off" and forward or drop a package, but only capture communication between specific domains. How would I start something like this? Is there already something similar? Thank you for your time.

    2 Agent Answers    1 Community Answer
    Jun 17, 2019 09:17AM UTC
  • Lab: Exploiting XXE using external entities to retrieve files

    Relevant Links: https://portswigger.net/web-security/xxe https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files I am trying to complete this lab and I am unsure what I am doing wrong. Any help would be greatly appreciated. I have tried many variants of the syntax, but basically, the HTTP request is below: ------------------------------------------- POST /product/stoc...

    1 Agent Answer    2 Community Answers
    Jun 15, 2019 03:19PM UTC
  • unable to get a request from webgoat to burp suite

    I have installed WebGoat, which is running on port 8080. I have installed Burp Suite and changed its proxy settings to 127.0.0.1:8089. I have changed the proxy settings in Chrome to 127.0.0.1:8089. I am able to get other requests in Burp except WebGoat. Please do help, and please include screenshots for reference.

    1 Agent Answer    0 Community Answers
    Jun 14, 2019 09:13AM UTC
  • Is it possible to have different severities in issues with the same name / type ?

    Hi team. I was working on the Dradis Burp add-on, and I wanted to know whether, when parsing a Burp XML file, it is possible for 2 <issue> elements with the same <name> and <type> to have a different <severity> value. Like this: <issue> <type>3145984</type> <name>Cleartext submission of password</name> <severity>High</severity>...

    1 Agent Answer    0 Community Answers
    Jun 13, 2019 01:54PM UTC
  • Session Handling with 2 CSRF Tokens

    Hi, I am trying to create a session handling rule for a request having 2 CSRF tokens. My GET request has 2 CSRF token parameters in the response. I am extracting those while creating my macro, but it is still not working, as only one CSRF token gets updated in the POST request. I have seen the post below, but it is of no help: https://support.portswigger.net/customer/portal/articles/2906338-using-...

    2 Agent Answers    1 Community Answer
    Jun 13, 2019 10:51AM UTC
  • See the crawled URLs in Burp enterprise

    Hi, we just set up a scan for one of our projects which was running for about 6 hours. But we did not find any output or finding, which seems a bit unlikely due to the number of requests issued (several thousand). To verify what potentially went wrong, I would like to analyze the requests and responses and to see which URLs had been crawled. Is it possible to find that out with Burp Enterprise ...

    3 Agent Answers    2 Community Answers
    Jun 11, 2019 08:41AM UTC
  • scanner active testing url path

    Hello, how can I use Burp Suite to perform the following check: I have a list of URLs: 1 http://www.dominio.com/public1/public2/index.html 2 http://www.dominio.com/otro1/sid2/pagina.html 3 http://www.dominio.com/varios1/page2/otros.html 4 http://www.dominio.com/private1/files2/users.html 5 http://www.dominio.com/conosca/portal/info 6 http://www.dominio.com/desarrollo/web/account extr...

    1 Agent Answer    0 Community Answers
    Jun 11, 2019 12:01AM UTC
  • SSO with microsoftonline.com

    I see an SSO mechanism relying on enterprise Office.com integration. A GET with (expired or logged out) Office and local app cookies to a local app's __LOCAL_SITE__/__LOCAL_PATH__ gets a 302 redirect to Microsoft, https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/authorize?client_id=YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY&redirect_uri=https%3A%2F%2F__LOCAL_S...

    1 Agent Answer    1 Community Answer
    Jun 10, 2019 10:58PM UTC
  • Dom Based XSS

    I got a notification from Burp Scanner: "The application may be vulnerable to DOM-based cross-site scripting. Data is read from document.URL and passed to the 'prepend()' function of jQuery via the following statement: $("body:not(..." ) .prepend('<div clas...' + document.URL.substr(0 , document.URL.indexOf("?" ) ) + '> ...' )" but I do...

    1 Agent Answer    0 Community Answers
    Jun 10, 2019 07:04AM UTC
  • Scan Configurations JSON : Enterprise

    I am trying to figure out the API for CI/CD automation of Burp. We have Enterprise Edition, and I cannot find the "Configuration Library" or any other place to create a custom configuration (so that I can see the JSON for CI/CD with Azure DevOps). Seems like the EE is lacking features that other editions have?

    1 Agent Answer    0 Community Answers
    Jun 07, 2019 06:27PM UTC