We are pleased to announce the launch of the Web Security Academy.  This is a brand new learning resource providing training on web security vulnerabilities, techniques for finding and

PortSwigger are proud to launch our brand new XSS cheatsheet. Our objective was to build the most comprehensive bank of information on bypassing HTML filters and WAFs to achieve XSS, and to present th

HTTP Desync Attacks: Request Smuggling Reborn

A few years ago I discovered a technique to call functions in JavaScript without parentheses using onerror and the throw statement. It works by setting the onerror handler to the function you want to

Burp Suite 2.0 beta is now available to Professional users. This is a major upgrade, with a host of new features, including: A new crawler, able to automatically handle sessions, detect changes in app

Find the top 10 penetration testing tools and extensions available in Burp Suite, the go-to toolkit for pentesters worldwide. Free trial available today.

Burp's current Spider tool has a number of significant limitations that prevent it from working effectively with modern web sites. Its core model is based on outdated assumptions about how web sites w

Burp is getting a brand new REST API, which can be used by other tools to integrate with Burp Suite: In the initial release, the REST API supports launching vulnerability scans and obtaining the resul

The results are in! After an impressive 59 nominations followed by a community vote to pick 15 finalists, a panel consisting of myself and noted researchers Nicolas Grégoire, Soroush Dalili and Filede

This release adds experimental support for using Burp's embedded Chromium browser to perform all navigation while scanning. This new approach will provide a robust basis for future capabilities in Bur

Whilst testing PayPal looking for ways to bypass CSP and mixed content protection I found an interesting behaviour. PayPal was putting a GET parameter called token inside the report-uri directive of t

Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been

Introducing Dastardly - a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite. Secure web development ain't easy Ensuring your code is written sec

Burp Suite is getting a brand new dashboard, which lets you monitor and control its automated activity: The dashboard shows the currently configured tasks, with a summary of their progress and results

The verdict is in! Following 37 nominations whittled down to a shortlist of 15 by a community vote, our panel of experts has conferred and selected the top 10 web hacking techniques of 2017 (and 2016)

In this post I'm going to walk you through how I used behavioural fuzzing to find multiple quirks in Firefox. Normally, when fuzzing the goal is to find a crash indicating memory corruption, but my go

This release provides a range of powerful new enhancements to Burp's HTTP/2 support. This enables you to identify and exploit a number of HTTP/2-exclusive vulnerabilities, including those presented by

Update: voting is now live. Please head over and place your vote. Nominations are now open for the top 10 new web hacking techniques of 2018. Every year countless security researchers share their find

Burp's current Scanner can report a wide range of DOM-based vulnerabilities using static analysis techniques. Static analysis of JavaScript involves parsing the code to construct an abstract syntax tr

This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI. Message inspector The new message inspector is a collapsible

The nominations are in for the Top 10 Web Hacking Techniques of 2017, so it's time to start the community vote. We're inviting everyone to select their personal top 10, and the votes will be used to b

See the latest feature in Burp Suite Pro and Community Edition: the ability to launch Burp's embedded browser, preconfigured to work with Burp Proxy.Download...

This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes. Experimental HTTP/2 support This release provides experimental support for HTTP/2. From the "Project

One limitation of Burp's current Spider tool relates to session handling. It works well with simple cookie-based session handling mechanisms. But it fails in other situations, including many usages of

Many servers now support HTTP/2. This exposes them to potential vulnerabilities that are impossible to test for using tools that only speak HTTP/1. Burp ...

Interested in pushing hacking techniques beyond the current state of the art? Read James Kettle's guide on how to become a web security researcher.

In this article, I’ll demonstrate using Burp Infiltrator to identify an extremely versatile 0day in JetBrains’ TeamCity, a popular continuous integration server written in Java. Burp Infiltrator works

This release updates the look of Burp's UI and adds an option for watching crawls in a headed browser. UI refresh This release gives Burp's UI a make-over, with a cleaner, more modern look.  You

Burp's current Spider tool has a primitive login capability, in that you can configure a username and password that will be submitted in any login forms. You can do a bit better with macros and sessio

This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes. New web cache poisoning scan checks Burp Scanner can now identify a v

You might not be aware of the Hackvertor extension I've been working on lately. It features tag based conversion that is far more powerful than the inbuilt decoder in Burp. The idea behind tag based c

Following my presentation and whitepaper on Web Cache Poisoning last month, various companies have deployed defences in an attempt to mitigate cache poisoning attacks. In this post I’ll take a look at

Over the last few days, we've described how Burp's new crawler can deal with a wide variety of challenges presented by modern applications. But crawling applications is only part of the story. Th

A decade ago, we ran the original month of Burp pr0n in the build-up to a major Burp Suite release. Ten years on, it's that time again. We have some significant Burp updates in the pipeline, and

Burp's current Scanner maintains a queue of items that have been sent for auditing, and processes them in turn. Each item is processed in isolation, and its status moves from waiting, to in-progress,

Enables Burp to decode and manipulate JSON web tokens.

This release adds some powerful new Scanner checks based on James Kettle's talk at Black Hat today. For full details of this awesome new research, see our blog post on practical web cache poisoning. B

Learn how to test WebSockets with Burp Suite, in the latest of our video tutorials on Burp Suite essentials. Find out more about Burp Suite at: https://ports...

This week, we'll be publishing a series of blog posts aimed at helping people move from Burp 1.x to Burp 2.0. We'll be looking at various Burp features that work in a different way in Burp 2.0, and he

Speaking to a couple of “thought leader” types this week, I realized that not everyone has fully appreciated the power and innovation of Out-of-band Application Security Testing (OAST). At PortSwigger

23 April 2019 PortSwigger Web Security is one of 201 organizations nationally to be recognized with a prestigious Queen's Award for Enterprise. Announced ...