Best for pentesters and hands-on security professionals. Free up testing time with scalable, automated scanning Automated DAST scanning without limits. Free up testing time with trusted Burp ...

You can set the type of payload that you want to inject into the base request. Burp Intruder provides a range of options for auto-generating different types of ...

Professional By default, attacks are saved in-memory, so they are lost if you close Burp Suite. However, you can save them to your project file. Select Save attack to project file. We recommend that ...

Hackers often turn to web-based tools for help with both protecting against and exploiting vulnerabilities. While vendors often release their own tools for sale, there is also an abundance of free, ...

This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don't control the entire XML document you can't define a DTD ...

Follow the steps on this page to set up your own private instance of the Collaborator server. This may be useful in the following situations: Alternatively, you can configure the Collaborator server ...

Burp Intruder is a powerful tool for performing highly customizable, automated attacks against websites. It enables you to configure attacks that send the same request over and over again, inserting ...

You can configure payload processing rules so that Burp Intruder modifies payloads before it inserts them into the request. This is useful for a variety of purposes, such as when you need to: Generate ...

When you send a request to Burp Intruder, a new tab is created containing the request and target details. You can set payload positions anywhere in these fields. These positions determine where Burp ...

In this section, we'll describe various ways in which HTTP request smuggling vulnerabilities can be exploited, depending on the intended functionality and other behavior of the application. In some ...

This lab is vulnerable due to a logic flaw in its password brute-force protection. To solve the lab, brute-force the victim's password, then log in and access their account page. Practise exploiting ...

This page requires JavaScript for an enhanced user experience.