How Do I?

  • Cycle one payload in sync with another

    Using Intruder, within a string, I need to cycle between two values in one payload, in sync with brute forcing another payload. I have an ID of pattern XXXXXX-[(3|4)][0-9A-Z]{3}. For each 3 character value in the second payload, I need to try both 3 and 4 in the first payload.

    1 Agent Answer    0 Community Answer
    Aug 02, 2019 08:45PM UTC
  • Lab: Stored XSS into onclick event with angle brackets and double HTML

    Hi! I've done the exercise https://portswigger.net/web-security/cross-site-scripting/contexts/lab-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped but it was not marked as resolved... Also, I've done all the steps described in the "Solution" tab and it is still shown as not solved ... Can you help me? P.S.: Sorry for my English

    1 Agent Answer    1 Community Answer
    Aug 02, 2019 06:44PM UTC
  • Macro with Dynamic URL

    Hello Team, I need help. I have a couple of login requests and only when the last request is fired, the server sends the cookie. But the problem here is that my 3rd request out of 5 requests contains a dynamic URL part which is obtained from the 2nd response's Location header. Now I have tried with the Custom Parameter Handler plugin, but could not succeed. If it is two requests, I could have tried to get it ...

    1 Agent Answer    0 Community Answer
    Aug 02, 2019 05:57PM UTC
  • Burp Suite Scanner - SSRF detection

    Hi, With the recent Capital One breach, the SSRF vulnerability has been highlighted as a potential cause/method of the breach. My question is, does either the Burp Suite Pro or Enterprise version automatically detect SSRF while scanning? From what I can find in my research, it appears that you can only detect this with Burp Suite manually

    1 Agent Answer    0 Community Answer
    Aug 02, 2019 04:43PM UTC
  • How do I generate the HTML REPORT for Burp suite Intruder

    I am not able to generate the HTML report for Burp suite Intruder

    2 Agent Answers    2 Community Answers
    Aug 02, 2019 07:14AM UTC
  • Burpsuite Pro v2.1 to intercept WebGoat via Proxy

    I've been trying to intercept HTTP requests from WebGoat in both IE and Chrome via Burpsuite's proxy function the past few days. WebGoat is functioning as expected as I can see the site which is running on my host computer as per Burpsuite. Would greatly appreciate any assistance in getting the intercept to work. Below is my configuration. - Burpsuite Pro v2.1 All settings are defau...

    4 Agent Answers    3 Community Answers
    Aug 02, 2019 02:20AM UTC
  • CSRF exercise

    I am trying to solve the CSRF exercise/tutorial. I'm new to burp/port swigger. Here is a link to the exercise: https://portswigger.net/web-security/csrf/lab-no-defenses The solution I came up with is this: <form method="$POST" action="https://acfd1fc01ec27f6f80b26b810015001d.web-security-academy.net/email"> <input type="hidden" name="$email...

    2 Agent Answers    1 Community Answer
    Aug 02, 2019 12:27AM UTC
  • Burpsuite unknown host errors

    I'm sorry if this has been answered already but I have looked everywhere for answers and nothing has solved my issue. I have configured Burp to Firefox but when I fire up a web page I get an error message that reads ERROR unknown host: www.google.com (or any other URL). Looking it up online, people have suggested to others that you need to configure the "upstream proxy" but fol...

    1 Agent Answer    0 Community Answer
    Aug 01, 2019 02:13AM UTC
  • Chaining regexes

    Does the regex engine in Burp support look-forward regex syntax? I can't get it to work. Suppose I have a text Cookie: xb=451079; localization=en-us%3Bcz%3Bcz; liqpw=1280; liqph=1173; Now I want to match "localization" string only if it's followed by "liqpw" on the same line. The regex for this should be localization(?=.*)(?=liqpw) But I'm getting 0 searc...

    1 Agent Answer    0 Community Answer
    Jul 31, 2019 05:03PM UTC
  • How to limit duration of the scan and check its effectiveness?

    Hi, is it possible to limit the duration of a scan and to check if the scan was able to connect to the right system? Right now some of our scans were running for weeks, the longest for 82 days. It was not obvious if the scan was really able to connect successfully as there was no reported output, which is already a bit strange. So we had to cancel it at a certain point. Is there any configura...

    1 Agent Answer    1 Community Answer
    Jul 31, 2019 09:11AM UTC