| Vulnerability | Burp Suite tools and extensions | Further reading |
|---|---|---|
| Authorization issues | Autorize extension; AutoRepeater extension; 403 Bypasser extension | Automate your API hacking with Autorize |
| Cross-site scripting (XSS) | DOM Invader; Burp Intruder with appropriate wordlists; Hackvertor tags in Burp Repeater, Burp Intruder, and requests sent to Burp Scanner; for blind XSS, manual interaction (e.g., in Burp Repeater) with Burp Collaborator payloads (or Taborator with the `$collabplz` placeholder) | DOM Invader |
| Cross-site request forgery (CSRF) | AutoRepeater extension (base replacements for CSRF-related parameters) | Cross-site request forgery (CSRF) |
| Denial of service (DoS) | When using any of Burp's tools, observe the following: responses (e.g., "500 Internal Server Error" or "504 Gateway Timeout" server errors); response time (e.g., the Start/End response timer column in Burp Logger); logs of the tested application (e.g., number of master locks per minute). Use denial-of-service mode in Burp Intruder | |
| Edge Side Inclusion (ESI) injection | Active Scan++ extension | Server Side Inclusion/Edge Side Inclusion Injection |
| File upload issues | Upload Scanner extension | Upload Scanner extension tutorials |
| HTTP request smuggling | HTTP Request Smuggler extension | HTTP request smuggling |
| Insecure direct object references (IDOR) | Backslash Powered Scanner extension (iterable input detection); manual interaction in Burp Repeater; Burp Intruder with the Numbers payload type | Testing for IDORs |
| Insecure deserialization | Freddy, Deserialization Bug Finder extension; Java Serial Killer extension; Java Deserialization Scanner extension | |
| IP spoofing | Collaborator Everywhere extension; manual interaction in Burp Repeater | |
| JWT issues | JSON Web Tokens extension; JWT Editor extension; JSON Web Token Attacker (JOSEPH) extension | Working with JWTs in Burp Suite; JWT attacks |
| OAuth/OpenID issues | OAUTH Scan extension | OAuth 2.0 authentication vulnerabilities |
| Open redirection | Burp Intruder with appropriate wordlists and analysis of the Location response header; Burp Intruder with the Brute forcer payload type and a special character set, such as `,./\;'[]-=()%` | Open Redirection - PayloadAllTheThings; Open Redirect - HackTricks |
| Race conditions | Backslash Powered Scanner extension; Turbo Intruder extension; Burp Repeater with requests sent in parallel as a group | Smashing the state machine: the true potential of web race conditions |
| Rate-limiting bypass | Turbo Intruder extension; IP Rotate extension; Burp Intruder with differentiated headers/parameters; Bypass WAF extension | Rate Limit Bypass - HackTricks; Lab: Bypassing rate limits via race conditions; Bypassing API rate limiting using IP rotation in Burp Suite |
| SAML-based authentication | SAML Raider extension | SAML Attacks - HackTricks; How to Hunt Bugs in SAML; a Methodology - Part II |
| Server-side prototype pollution | Server-Side Prototype Pollution Scanner extension | Server-Side Prototype Pollution Scanner |
| SQL injection | Backslash Powered Scanner extension; the specific Burp request saved to a text file and passed to the sqlmap tool with the `-r` argument | |
| Server-side request forgery (SSRF) | Burp Intruder with appropriate wordlists; manual interaction with Burp Collaborator payloads (or Taborator with the `$collabplz` placeholder) | |
| Server-side template injection (SSTI) | Active Scan++ extension | |