HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known ...

Blind SQL injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. Many ...

In this example, a shopping application lets the user view whether an item is in stock in a particular store. This information is accessed via a URL: https://insecure ...

Increasingly complex web applications. Across numerous domains. Integrated via a range of APIs. These are the challenges faced by modern pentesters - all with the added pressure of delivering accurate ...

"I do have to say, if you're not in the @PortSwigger discord you're missing out."@t0xodile, Burp Suite Professional user The PortSwigger Discord is a great way to see what Burp developers are working ...

It's well known that WAFs only scan up to a certain amount of data per request. This extension allows a tester to manually insert junk data and adds junk data to Active Scans by duplicating each scan ...

This release introduces site map filter Bambdas, match and replace Bambdas, dynamic authentication tokens for API scanning, and Enhanced payload management for Intruder attacks. We’ve also made ...

As pentesters we all had at least one test where we all needed to use Base64 Image converters online which took an extra efort of copying things and sometimes we were running out of time. Captcha ...

This lab uses web messaging and parses the message as JSON. To solve the lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function. Go to the ...

In this section, we'll describe various ways in which HTTP request smuggling vulnerabilities can be exploited, depending on the intended functionality and other behavior of the application. In some ...

In this section, we'll teach you how to exploit some common scenarios using examples from PHP, Ruby, and Java deserialization. We hope to demonstrate how exploiting insecure deserialization is ...

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects. Although ...