How Do I?
How to save predefined payload list custom directory to JSON config file?
Hi, when I go to Intruder - Configure predefined payload lists -> can I create a JSON project/user config file with pre-selected directory of my choice for loading custom lists? I tried exporting User and Project settings, but didn't find anything of use. Thanks, Andrej
1 Agent Answer, 0 Community Answer, May 29, 2018 07:20AM UTC
Second Order Testing | Burp Scanner
I'm trying to set up a session rule for Burp Scanner. Is it possible to create a session/macro for the following scenario?
Scenario:
Webpage #1: POST Request http://example.com filename=payload
Webpage #2: GET Request http://example.com?view=payload
Basically, how do I take the payload from #1 and insert it into the #2 view parameter and analyse that response?
1 Agent Answer, 0 Community Answer, May 28, 2018 12:01PM UTC
smart card client certificate Error signing certificate verify
Hello! I want to test a web page which uses a client certificate for authentication (smart card - pkcs11). If I connect to the page without Burp proxy I can log in. If I set the client certificate in Burp's User Options/SSL then I get an error signing certificate verify message. The same certificate imported to Burp in p12 format works as well (no error message). Any suggestions? ...
1 Agent Answer, 0 Community Answer, May 24, 2018 12:02PM UTC
Burp Spider deleted controls in a SalesForce application
Hi - We recently spidered a Salesforce application and this resulted in changes in the application such as:
- Deleted custom field
- Changed the UI Skin
- Changed Enable Drag-and-Drop Editing on Calendar Views from on to off
- Changed formula of Month custom field
- etc.
The Automatically Submit forms was enabled. Why would Burp Spider be able to do these things? What default values does...
1 Agent Answer, 0 Community Answer, May 18, 2018 02:27AM UTC
Automate Burp License Activation
We are working on a project where we wanted to deploy Burp on a container in a CI/CD. Is there a way to automate the Burp License Activation process programmatically, either way in a headless mode? Has anyone given it a try earlier? Pranav
1 Agent Answer, 0 Community Answer, May 14, 2018 10:19PM UTC
I have an iOS app I'm testing on an iPhone 5c running iOS 10.3.3. The Burp certificate is correctly installed on the device as I'm able to see https web requests and https app requests from other applications within Burp without issue. When I launch the target app I receive "The client failed to negotiate an SSL connection to <client>.com:443: Received fatal alert: certi...
1 Agent Answer, 0 Community Answer, May 11, 2018 03:39PM UTC
How do I prevent cookie ID injections in the request parameter?
I have a case where we recorded a bunch of URLs and are re-scanning them. During the re-scan the session expired. So to create an active session I have created a session handling rule to trigger login and create a new Session ID which is updated in the cookie jar. I also used the 'use Cookie jar from Burp's cookie jar' to ensure the rest of the requests are using the valid Sessi...
1 Agent Answer, 0 Community Answer, May 11, 2018 04:48AM UTC
I would like to know how to run analytics
1 Agent Answer, 0 Community Answer, May 10, 2018 08:46PM UTC
Missing identification of SQL injection
test
0 Community Answer, May 10, 2018 01:17PM UTC
Fuzz APIs?
Does Burp have any extension which can help in pen test of APIs? Like another tool API fuzzer? Along with Intruder, what else can be used to do API pen test automatically?
1 Agent Answer, 0 Community Answer, May 10, 2018 12:04PM UTC