API testing with Swurg for Burp Suite

Swurg is a Burp Extender designed to make it easy to parse swagger documentation and create baseline requests. This is a function that penetration testers need if they are being asked to test an API. Our ideal pre-requisites would be: A Postman collection with environments configured and ready to go valid baseline requests. Ideally setup… Continue reading API testing with Swurg for Burp Suite

Using Jython’s PIP to add dependencies to Burp Extenders

Ever wanted to use 3rd party python libraries when making a Burp Extender? I had somehow avoided it until recently. Warning: Be aware before pasting in the commands below that I think they configure your new pip environment and store all dependencies inside a new folder within the current directory. In a nutshell it works… Continue reading Using Jython’s PIP to add dependencies to Burp Extenders

XSS using HTML 5 Event Handlers

I recently had some luck using HTML 5 event handlers to exploit XSS. This post includes some of the outcomes and a bit of how to replicate the steps using Burp Suite's Intruder using some wordlists stuck at the end of this post. The target had attempted to use blacklisting to prevent dangerous tags and… Continue reading XSS using HTML 5 Event Handlers