Bug Hunter Handbook
  • Introduction
  • Getting Started in InfoSec and Bug Bounties.
  • Presentations
  • Checklists / Guides
  • Useful Twitter Threads
  • List of Vulnerabilities
    • Recon and OSINT
      • Recon
      • Sensitive information using Github
      • Subdomain Enumeration
        • Resolvers
      • Javascript Enumeration
      • After Recon
      • Finding Information Using Public Resources
      • OSINT
      • Cloud
      • Wayback
      • Parameter / Content Discovery
      • Broken Link Highjacking
    • Host Header
    • Injection
      • Other Injection
    • DNS Rebinding
    • Cross Site Scripting (XSS)
      • Weaponizing XSS
      • WAF Bypass
    • Cross Origin Resource Sharing (CORS)
    • Local / Remote File Inclusion (LFI / RFI)
    • Server Side Request Forgery (SSRF)
    • Remote Code Execution (RCE)
    • XML Entity Injecton (XXE)
    • Price Manipulation
    • Directory / Path Traversal
    • Cross Site Request Forgery (CSRF)
      • JSON CSRF
    • Password Reset
    • Login Page Issues
    • Deserialization Attacks
    • File Upload
    • Account Takeover
    • Insecure Direct Object References (IDOR)
    • Open Redirect
    • Business Logic Flaws
    • Rate Limit Bypass / 2FA / OTP Bypass
    • Ruby on Rails
      • Mass Assginment
    • S3 Bucket
    • Race Condition
    • CRLF
    • SSTI
    • Prototype Pollution
  • Approach
  • API Security
  • Mobile Security
  • Fuzzing / Wordlists
  • BugBounty Short Write-ups
  • Burp Suite Tips and Tricks
  • HackerOne Reports
  • Response Manipulation
  • Client Vs Server Side Vulnerabilities
  • DevSecOps
  • Containers
    • Docker
    • Kubernetes
    • Containers
  • AWS
  • Azure
  • Others
    • Code Review
    • Web Sockets
    • Web Cache
    • HTTP Desync Attacks
    • Zone Transfer
    • CSP Bypass
    • Payment Bypasses
    • Http Parameter Pollution
    • Postmessage
    • Others
    • GraphQL
    • Unix / Linux
    • Email Related
    • Dependency confusion
    • Nginx Misconfigs
    • JIRA
    • OAUTH
  • Chaining of Bugs
  • Bug Bounty Automation
  • Mindmaps
  • Oneliner Collections
  • Red Teaming
  • Blue Teamining
  • Recon One Liners
  • Misc
  • Wordpress
  • Fuzzing / FuFF
  • OWASP ZAP
  • Bug List
  • Setting up burp collaborator
  • Admin Panel PwN
  • Credential Stuffing / Dump / HaveibeenPwned?
  • Tools Required
  • Nuclei Template
  • Other BugBounty Repos / Tips
  • Interview
  • Threat Modelling
  • AppSec
Powered by GitBook
On this page

Was this helpful?

Burp Suite Tips and Tricks

PreviousBugBounty Short Write-upsNextHackerOne Reports

Last updated 3 years ago

Was this helpful?

  • - Match and Replace

    • - Additonal

    • How was i able to access a disabled/hidden feature with the help of burpsuite match and replace feature

  • - Find Refernces

  • Favourite Plugins -

  • Burp Hacks -

  • -If you see piece of junk information in the Request/Response body, don't forget gonna Proxy > Options tab and "Unpack gzip/deflate in Resp/Req" (by default they aren't marked).

  • Favourite plugins -

  • - Burp Collaborator

  • - Favourite Extensions

  • - Extension

  • Burp Extensions -

Just released my first plugin. If you use multiple browsers through burp, check this out:

Automating Web Apps Input fuzzing via Macros

Blog post: Turbo Intruder: Embracing the billion-request attack

Need to import multiple URL;s in to burp suite -

cat yahoourls.txt| parallel -j 10 curl --proxy -sk > /dev/null

·One liner to import whole list of subdomains into Burp suite for automated scanning! cat <file-name> | parallel -j 200 curl -L -o /dev/null {} -x 127.0.0.1:8080 -k -s

@Burp_Suite
aurainfosec/burp-multi-browser-highlightingHighlight Burp proxy requests made by different browsers - aurainfosec/burp-multi-browser-highlightinggithub.com
#Burp
http://blog.securelayer7.net/automating-web-apps-input-fuzzing-via-burp-macros/
https://twitter.com/search?q=parallell%20bugbountytip&src=typed_query
http://127.0.0.1:8080
https://github.com/thegsoinfosec/BurpSuite_payloads
urlgrab --url SITE_HERE.com --ignore-ssl --proxy socks5://127.0.0.1:8080
https://github.com/allyomalley/BurpParamFlagger/
https://github.com/JGillam/burp-paramalyzer
https://github.com/Hxzeroone/quoted-printable-Parser
https://twitter.com/jon_bottarini/status/1140700782343278592
https://twitter.com/intigriti/status/1192103070072741894
#bugbountytip
#bugbounty
Getting access to disabled/hidden features with the help of Burp Match and ReplaceA few months ago, During my bug bounty hunting, I came across a Company that lets other developers create API documentation similar to…medium.com
https://twitter.com/Regala_/status/1032563800405360640
https://twitter.com/intigriti/status/1093128957921251328
https://twitter.com/trimstray/status/1088019484118528000
https://www.youtube.com/watch?v=boHIjDHGmIo
https://twitter.com/trimstray/status/1068095885026955264
https://portswigger.net/research/adapting-burp-extensions-for-tailored-pentesting
https://twitter.com/Gamliel_InfoSec/status/1162126101868679173
https://twitter.com/ranjit_pahan/status/1126191087331053568
https://twitter.com/nnwakelam/status/1162453221027307525
https://twitter.com/gwendallecoguic/status/1138383809106391040
https://parsiya.net/blog/2019-10-13-quality-of-life-tips-and-tricks-burp-suite/
https://twitter.com/Dinosn/status/1212706039553908737
https://twitter.com/Agarri_FR/status/1217148102366388226
https://twitter.com/fs0c131y/status/1221717980322631681
https://twitter.com/fasthm00/status/1228118057144537088
https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/june-2018/protips-testing-applications-using-burp-and-more
https://portswigger.net/blog/burps-new-crawler
https://twitter.com/jon_bottarini/status/1140700782343278592
https://twitter.com/Unknownuser1806/status/1225698253867405315
https://twitter.com/search?q=Burp%20Extensions%20%23bugbounty&src=typed_query
https://github.com/elespike/burp-cph
https://vdalabs.com/2020/05/08/burpsuite-extensions-some-favorites/
Are you using @Burp_Suite with @firefox and don' want see the http://detectportal.firefox.com requests? Try this steps: https://twitter.com/firefox/status/841843869205598208
https://portswigger.net/blog/burp-suite-tips-from-power-user-and-hackfluencer-stok
✅
Turbo Intruder: Embracing the billion-request attack | PortSwigger Researchportswigger.net
D Ξ Ξ P Λ K @1m4xx0
Oct 10, 2019
#bugbountytips
#bugbounty
#bugbountytip
⚙️
LogoGitHub - Static-Flow/BurpSuite-Team-Extension: This Burpsuite plugin allows for multiple web app testers to share their proxy history with each other in real time. Requests that comes through your Burpsuite instance will be replicated in the history of the other testers and vice-versa!GitHub