Village:Cyber Saiyan - WHY2025 wiki
On Day 3 of @why2025.bsky.social (aka Sunday) at 5:00 PM, I'll give a 15-minute talk titled "Python3-based editors in Burp Suite" at the Cyber_Saiyan village.
wiki.why2025.org/Village:Cybe...
And if you're not interested in Burp Suite, we could nonetheless meet at the arcade room ๐ฎ๐น๏ธ๐
31.07.2025 14:01 โ ๐ 7 ๐ 2 ๐ฌ 1 ๐ 0
Freebies - Mastering Burp Suite Pro
Freebies - Mastering Burp Suite Pro
I just added the 15-minute talk I gave at Tumpicon to the "Freebies" section.
This talk covers the extensions Piper and Scalpel, and allows users to easily manipulate encrypted data by shuffling blocks around
hackademy.agarri.fr/freebies
25.07.2025 16:38 โ ๐ 7 ๐ 6 ๐ฌ 0 ๐ 0
Freebies - Mastering Burp Suite Pro
Freebies - Mastering Burp Suite Pro
I just added the 15-minute talk I gave at Tumpicon to the "Freebies" section.
This talk covers the extensions Piper and Scalpel, and allows users to easily manipulate encrypted data by shuffling blocks around
hackademy.agarri.fr/freebies
25.07.2025 16:38 โ ๐ 7 ๐ 6 ๐ฌ 0 ๐ 0
You're not ready for how powerful Custom Actions are.
You can now build your own AI hacking sidekicks that rewrite requests for you.
Forget typing payloads - just let your assistant do it.
๐ฅ Welcome to the future of offensive automation.
Get the source code:
github.com/PortSwigger/...
17.07.2025 13:44 โ ๐ 5 ๐ 3 ๐ฌ 1 ๐ 0
A meme based on the "Change my mind" template (not the Steven Crowder's one, but one from the Calvin & Hobbes comics)
The text says "Chaining two instances of Burp Suite is such an underrated technique"
02.06.2025 17:16 โ ๐ 1 ๐ 1 ๐ฌ 3 ๐ 0
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
14.07.2025 14:51 โ ๐ 19 ๐ 7 ๐ฌ 1 ๐ 1
Concerned about LLM-powered pentesters stealing your job? We've made improving your workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself:
26.06.2025 13:21 โ ๐ 6 ๐ 1 ๐ฌ 2 ๐ 0
Piper is an excellent swiss knife ๐ ๏ธ
bsky.app/profile/agar...
25.06.2025 11:35 โ ๐ 6 ๐ 0 ๐ฌ 0 ๐ 0
If you're confused by the amount of resources stored in the JAR, here's a hint ๐
Check out "resources/Scanner/jwt_secrets.txt". It contains over 100k passwords used by the passive scanner to decrypt JWT tokens ๐๏ธ
And it works: that's how @evilpacket.net scored a $1500 bug affecting Cursor ๐ฐ
23.06.2025 08:35 โ ๐ 1 ๐ 2 ๐ฌ 1 ๐ 0
I can't think of any good resources discussing the JAR file itself. But everything interesting is stored in the "resources" top directory.
For example, the sub-directory "PayloadStrings" contains the built-in wordlists which are available from Intruder.
23.06.2025 13:57 โ ๐ 1 ๐ 0 ๐ฌ 0 ๐ 0
If you're confused by the amount of resources stored in the JAR, here's a hint ๐
Check out "resources/Scanner/jwt_secrets.txt". It contains over 100k passwords used by the passive scanner to decrypt JWT tokens ๐๏ธ
And it works: that's how @evilpacket.net scored a $1500 bug affecting Cursor ๐ฐ
23.06.2025 08:35 โ ๐ 1 ๐ 2 ๐ฌ 1 ๐ 0
a cartoon character is riding a pile of gold coins .
ALT: a cartoon character is riding a pile of gold coins .
Never opened the Burp Pro JAR file as a ZIP archive?
You should give it a try...
16.06.2025 16:13 โ ๐ 1 ๐ 0 ๐ฌ 0 ๐ 0
A basic example where chaining two instances is useful: the lower one runs a scan, and the upper one modifies (some of) the payloads via Match & Replace
16.06.2025 14:46 โ ๐ 1 ๐ 0 ๐ฌ 0 ๐ 0
It really depends on the contextโฆ.
A generic example is that you can apply Match & Replace rules upstream and have the downstream Scanner/Repeater traffic impacted.
06.06.2025 12:17 โ ๐ 1 ๐ 0 ๐ฌ 0 ๐ 0
Screenshot of the Scalpel script editor using the local `vim` binary
The Scalpel extension is magic ๐ช Especially if you're a big fan of executing both python3 and vim within Burp Suite ๐ ๏ธ
blog.lexfo.fr/scalpel.html
05.06.2025 11:07 โ ๐ 7 ๐ 4 ๐ฌ 1 ๐ 0
Screenshot of the Scalpel script editor using the local `vim` binary
The Scalpel extension is magic ๐ช Especially if you're a big fan of executing both python3 and vim within Burp Suite ๐ ๏ธ
blog.lexfo.fr/scalpel.html
05.06.2025 11:07 โ ๐ 7 ๐ 4 ๐ฌ 1 ๐ 0
A meme based on the "Change my mind" template (not the Steven Crowder's one, but one from the Calvin & Hobbes comics)
The text says "Chaining two instances of Burp Suite is such an underrated technique"
02.06.2025 17:16 โ ๐ 1 ๐ 1 ๐ฌ 3 ๐ 0
Opened 7 tickets with Portswigger support in one week.
Sometimes I wonder if they hate me... ๐ค
02.06.2025 16:12 โ ๐ 1 ๐ 0 ๐ฌ 1 ๐ 0
Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. T...
NSEC2023 - Burp Suite Pro tips and tricks, the sequel
If you never used the Piper extension, I recommend to watch the 4-minute demo I gave last year during my talk at
NorthSec ๐ ๏ธ
10.04.2024 07:18 โ ๐ 1 ๐ 2 ๐ฌ 1 ๐ 0
Active Scan++ just got sharper - weโve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store
28.05.2025 14:56 โ ๐ 11 ๐ 6 ๐ฌ 1 ๐ 0
A small win: since EA 2025.5, Repeater's "Change body encoding" feature also supports JSON ๐ฅณ
26.05.2025 14:01 โ ๐ 8 ๐ 0 ๐ฌ 0 ๐ 0
TIL in the latest Early Adopter version (aka 2025.5), extensions don't need to manage their own settings panel anymore, as they can simply add entries to "Settings > Tools > Extensions" ๐คฏ
And to be honest, I find that awesome! ๐
16.05.2025 16:41 โ ๐ 5 ๐ 3 ๐ฌ 0 ๐ 0
In case you've a hard time intercepting Firefox traffic to the loopback interface, open the about:config page and set "network.proxy.allow_hijacking_localhost" to True ๐
Thanks @onemask.bsky.social for the tip ๐
16.05.2025 16:35 โ ๐ 14 ๐ 6 ๐ฌ 0 ๐ 0
TIL in the latest Early Adopter version (aka 2025.5), extensions don't need to manage their own settings panel anymore, as they can simply add entries to "Settings > Tools > Extensions" ๐คฏ
And to be honest, I find that awesome! ๐
16.05.2025 16:41 โ ๐ 5 ๐ 3 ๐ฌ 0 ๐ 0
In case you've a hard time intercepting Firefox traffic to the loopback interface, open the about:config page and set "network.proxy.allow_hijacking_localhost" to True ๐
Thanks @onemask.bsky.social for the tip ๐
16.05.2025 16:35 โ ๐ 14 ๐ 6 ๐ฌ 0 ๐ 0
A nice bug affecting Cursor and identified by @burpsuite.bsky.social passive scanner ๐
10.05.2025 21:05 โ ๐ 7 ๐ 1 ๐ฌ 0 ๐ 0
A nice bug affecting Cursor and identified by @burpsuite.bsky.social passive scanner ๐
10.05.2025 21:05 โ ๐ 7 ๐ 1 ๐ฌ 0 ๐ 0
When the same HTTP request gets you 3 different response code, you known something is weird...
And thanks @jameskettle.com for the race condition custom action, it's really convenient to have it directly in Repeater.
02.05.2025 14:49 โ ๐ 8 ๐ 2 ๐ฌ 1 ๐ 0
