UNIX includes a command to deal with your cat walking on your keyboard. When your cat is coming, you just type "cat" and press enter, and your cat's input won't mess anything up.
Tearfully passionate about offensive sec
@0xceba Thank you, this extension is awesome and is a huge time saver when testing APIs
@floyd yep, hackvertor globals can also be used to store and reference values in requests. hackvertor is a powerful extension, but there are a few reasons you might consider using Burp Variables if variable support is the functionality you're looking for:
- hackvertor globals are ... global. the globals will persist between your projects so you'll have a single shared list of variables. this may not be your desired behavior since many users use variables to reference identifiers, tokens, and credentials that are unique to a single application
- the hackvertor globals UI is clunky. it takes a lot of clicks to add, modify, or delete a global which is counterproductive for a productivity feature
- Burp Variables is a lightweight extension that does a single thing well. it has a minimal performance impact because it registers only 1 HTTP handler and limits slower API calls to startup and shutdown
I am discovering Read-Only Friday https://isitreadonlyfriday.com/
after a lengthy concept review, code review, and QA process, PortSwigger has published the Burp Variables extension to the BApp Store! if you do API testing from Burp, you should look into this productivity extension which allows you to store and reuse variables in your outgoing requests, similar to other API testing clients like Postman and Insomnia. this is a productivity boon because it gives you a single place to update ephemeral credential/token values and it helps you keep track of your identifiers & credentials which minimizes false positives. to learn more:
- install the extension from the BApp Store
- see more details at the BApp Store page: https://portswigger.net/bappstore/27f89b068a3045649d4df77a863209c1
- review the source code at the extension's source repo: https://github.com/0xceba/burp_variables
#burp #burpsuite #burp_suite #pentesting #pentest #bugbounty #bugbountytips #hacking #cybersecurity #infosec
I'm excited to announce Burp Variables v1.1.6. this version has an updated UI which streamlines how variables are added: they can now be added through the dedicated panel on the Variables tab or via the context menu for requests that come from the message editor. the latter option is convenient when working with new variable names that haven't been memorized yet. download the new release at: https://github.com/0xceba/burp_variables
#burp #burpsuite #burp_suite #pentesting #pentest #bugbounty #bugbountytips #hacking
Burp Variables v1.1.5 has been released. this version features an optimized storage mechanism and import/export functionality to conveniently populate the variables table from disk. download the release at https://github.com/0xceba/burp_variables
#burp #burp_suite #burpsuite #pentesting #pentest #bugbounty #bugbountytips #hacking
if you do a lot of web app testing of APIs that use JSON data, you should consider using the extension Prettify JSON Then Send to Comparer. this is a productivity extension that adds a context menu action to pretty print format JSON data before sending it to the Comparer tool. this greatly increases readability of JSON data in Comparer because you're no longer comparing long single lines with the dreaded horizontal scrollbar. github repo: https://github.com/0xceba/burp_prettify_json_then_send_to_comparer
#burp_suite #burp #burpsuite #pentesting #pentest #bugbounty #bugbountytips #hacking
@cR0w big wildcard fan here
how many explicit import statements from the same subpackage do you include before you switch to a wildcard import? what's your limit? :blobthinking:
Pro-tip if you are searching for anything HTML, CSS or JavaScript related: add "mdn" to your query. This Mozilla project really is a work of love, maintained by hundreds of volunteers @openwebdocs and @MDN staff and contractors. https://developer.mozilla.org/en-US/docs/Learn
I really appreciate public DNS servers that respond to ICMP messages because it helps me to troubleshoot DNS issues. and I doubly appreciate those that respond AND have convenient IP addresses
Submitted another bug report to PortSwigger for a bug that inserts Intruder markers at the wrong character positions when the request is sent from the new GraphQL message editor tab: https://forum.portswigger.net/thread/send-to-intruder-inserts-character-markers-at-incorrect-positions-when-executed-from-the-graphql-message-editor-tab-07398bc6
Submitted a bug report to PortSwigger for a bug that prevents us from importing project data when it includes Repeater tab groups: https://forum.portswigger.net/thread/burp-suite-s-import-project-file-feature-fails-for-projects-with-repeater-tab-groups-0863225e
Upgrade your SSRF, CORS & Open Redirect testing with our new URL Validation Bypass cheat sheet, containing all known techniques! https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet
if you do a lot of work from Burp Suite, you must look into my productivity extension Burp Variables: https://github.com/0xceba/burp_variables. Burp Variables extends Burp to support variables, à la other web API testing clients like Postman/Insomnia. being able to store and reuse values in requests is a huge productivity boon during API testing because it:
- gives you a single location to update ephemeral credential and token values which can be referenced across Repeater tabs.
- helps you to keep track of your identifiers and credentials which minimizes false positive findings.
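The posts above (the reply to @floyd about project-scoped storage and a single HTTP handler, and this announcement) describe how a variables extension fits into Burp. The following is an added example, not code from the Burp Variables repo or from PortSwigger: a minimal Montoya API extension that registers one HTTP handler and rewrites placeholders in the outgoing request from project-scoped persisted storage. The `{{name}}` placeholder syntax, the class name, and the seeded sample variable are assumptions made for this example and are not Burp Variables' actual syntax or defaults.

```java
package example; // hypothetical package name for this example

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.http.message.HttpHeader;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.persistence.PersistedObject;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class VariablesHandlerExample implements BurpExtension, HttpHandler {
    // Placeholder syntax is an assumption for this example, not Burp Variables' own.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{\\{([A-Za-z0-9_]+)\\}\\}");

    private PersistedObject vars;

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Variables handler example");

        // extensionData() is stored in the project file, so values do not leak
        // between projects the way a global store would.
        vars = api.persistence().extensionData();

        // Constructed sample value so the handler has something to substitute.
        if (vars.getString("bearer") == null) {
            vars.setString("bearer", "sample-token-value");
        }

        // The only handler this example registers; it runs for every outgoing request.
        api.http().registerHttpHandler(this);
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
        HttpRequest updated = request;

        // Request line: path and query string.
        String path = substitute(request.path());
        if (!path.equals(request.path())) {
            updated = updated.withPath(path);
        }

        // Headers, e.g. Authorization: Bearer {{bearer}}.
        for (HttpHeader header : request.headers()) {
            String value = substitute(header.value());
            if (!value.equals(header.value())) {
                updated = updated.withUpdatedHeader(header.name(), value);
            }
        }

        // Body: withBody() recomputes Content-Length, which a raw string
        // replacement would leave stale after the substituted length changes.
        String body = request.bodyToString();
        String newBody = substitute(body);
        if (!newBody.equals(body)) {
            updated = updated.withBody(newBody);
        }

        return RequestToBeSentAction.continueWith(updated);
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
        // Responses are passed through unchanged.
        return ResponseReceivedAction.continueWith(response);
    }

    // Replaces every {{name}} with the stored value; unknown names are left as-is
    // so a typo shows up verbatim in the sent request instead of silently vanishing.
    String substitute(String text) {
        Matcher m = PLACEHOLDER.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = vars.getString(m.group(1));
            String replacement = value != null ? value : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

Loading this as an extension and sending a Repeater request containing `Authorization: Bearer {{bearer}}` results in the stored value being sent upstream while the placeholder stays in the Repeater tab, which is the single-update behavior the posts describe. Substituting header-by-header and via `withBody()` rather than over the raw request text is the part worth copying: it keeps Content-Length correct when the substituted value is a different length than the placeholder.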
Tired of using your own tongue to test 9V batteries???
ouch!
Honored and humbled to announce my latest product:
research by @gaz on bypassing email domain access controls that was linked in the 2024.7.2 burp release notes:
https://portswigger.net/research/splitting-the-email-atom. includes several case studies
crowdstrike sent a DMCA takedown request to little-known parody site https://clownstrike.lol/ which predictably increased public awareness of the site. the streisand effect strikes (:awesome:) again