Of the three main types of XSS, DOM-based XSS is by far the most difficult to find and exploit. But we come bearing good news! PortSwigger just released a new tool for Burp Suite Professional and Burp

In his own words, Stök is "that hacker that your friends told you about". In other words, he's a content creator with over 25 years of experience in the IT industry. He creates education, tutorial, an

In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration. What is form hijacking? Form hijacking isn't re

PortSwigger is a leading provider of software and learning on web security. We make Burp Suite, The Daily Swig, and the Web Security Academy.

We have big plans for Burp Suite during 2020, aimed at improving its value to professional testers, software development teams, and businesses with web assets to protect. Here, we’re sharing some key

An opportunity to kick-start their tech career, through financial support and paid work, at PortSwigger - a high-tech North West software business.

At the core of Burp Suite is Burp Scanner - a powerful tool designed to reduce the number of manual steps users have to take to discover vulnerabilities in their targets. Burp Scanner was first releas

For anyone who's used the Web Security Academy before, you'll be pretty familiar with the format. For those of you who haven't had the pleasure, the process goes a little bit like this: Select a set o

Scripted scan checks in Burp Suite Professional are now a thing ...  tl;dr Burp Suite Professional now has a powerful yet simple scripting language that allows you to quickly build on our world c

Last year we made it significantly easier to find DOM XSS, when we introduced a brand new tool called DOM Invader. This year, we've improved DOM Invader to make finding CSPP (client-side prototype pol

We're excited to share a preview of our brand new offices!Set in 200 acres of open parkland, our modern building has been designed just for us to support the...

Dive into Christmas with festive beginner-friendly security challenges released daily throughout December, and win big with over $50,000 worth of prizes!

Watch Burp Suite creator and Web Application Hacker's Handbook author, Dafydd Stuttard, answer questions submitted by Burp users on Twitter. Links to specifi...

The roadmap shown here is out of date. Please see our July 2022 roadmap update. With 2022 now underway, it's about time we gave you the latest on where Burp Suite is heading this year. Here we take a

This is a gif of the exfiltration process (We've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works... CSS Cafe presentation I presented this technique

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Testing for them is inherently unreliable, compounded by known challenges relating to time constraints and network

PortSwigger is a leading provider of software and learning on web security. We make Burp Suite, The Daily Swig, and the Web Security Academy.

We recently published some research on server-side prototype pollution where we went into detail on techniques for detecting this vulnerability black-box. To make your life easier, we've integrated th

In this research paper James Kettle introduces multiple new classes of HTTP/2-exclusive attacks, demonstrated on popular websites and servers.

It's been two years since we unleashed browser powered scanning on the world, and we decided what better way to celebrate than to start again from scratch! It started out as a task, how did it end up

We're nearly at 200 labs on our ever-popular Web Security Academy, so before we hit that magic number we wanted to give you the chance to get your questions answered. This blog post answers your most-

This roadmap has now been updated. Please see our July 2021 roadmap update. We’re all hoping that 2021 will prove to be a better year for humanity. And we’re also planning a great year for Burp Suite!

Two years ago, PortSwigger's director of research James Kettle presented "HTTP Desync Attacks" on-stage at BlackHat USA and kicked off a wave of request smuggling, but at that time HTTP/2 escaped seri

Get yourself fully prepared to take the Burp Suite Certified Practitioner exam with our practice exam.

Scanning from an API definition is now possible in Burp Suite Pro. Thanks for having a little patience 😉#Shorts

Become a Burp Suite Certified Practitioner to demonstrate and prove your web security testing skills.

An overview of all topics, from beginner to expert level, through the Web Security Academy - brought to you by PortSwigger. Create an account to get started.

We caught up with three high-flyers in our Web Security Academy - at the time of interview, they were ranked 2nd, 4th, and 6th out of thousands of users. If you want the full story, including some ins

PortSwigger today announces that The Daily Swig is closing down

Corey Ball is a Cybersecurity Consulting Manager, and author of the forthcoming book Hacking APIs (working title - No Starch Press). As well as being a long-time API hacking enthusiast, Corey’s role g

Since the release of Browser powered scanning back in Burp Suite Professional 2020.8.1 we have had a lot of customers asking us about our motivation for choosing to integrate with Chromium and fo

In this section, we'll explain what blind XXE injection is and describe various techniques for finding and exploiting blind XXE vulnerabilities. What is ...

How Burp Suite's Scanner overcomes the problems of crawling APIs

Dastardly, from Burp Suite is a free, lightweight web application security scanner for your CI/CD pipeline.

Get hints and guidance on becoming a Burp Suite Certified Practitioner, and some exam advice.

When we launched Burp Collaborator back in 2015, PortSwigger deployed a public Collaborator server that anyone could use. This meant that OAST testing with Burp Collaborator was able to work straight

When you're starting out in the world of web security, it can be overwhelming trying to work out where to begin. There are dozens of vulnerability classes, and numerous exploit techniques to learn abo