Web Security Academy (@websecacademy)'s Twitter Profile
Web Security Academy

@websecacademy

Free web security training from @PortSwigger

ID: 990945874019840000

Website: https://portswigger.net/web-security
Joined: 30-04-2018 13:28:02

1,1K Tweets

123,123K Followers

35 Following

PortSwigger (@portswigger):

Burp in the Big Apple 🍎

PortSwigger is proud to sponsor HAC NYC as part of #APIDays this week.
If you're at the event, swing by our stand to say hi! We’ve got exclusive Burp Suite NYC swag to give away! 🗽

#HACNYC #BurpSuite

Web Security Academy (@websecacademy):

How to test for reflected XSS in an HTML context with no encoding 👇

A quick and easy manual test to see if a search bar is vulnerable to reflected XSS is to use a <u> tag to check if your input is underlined when it is reflected back. If it is, the app is likely vulnerable to

Web Security Academy (@websecacademy):

8 command separators for injecting OS commands 👇

Command separators (work on Windows + Unix):
🔸 &
🔸 &&
🔸 |
🔸 ||

Unix-only separators:
🔸 ;
🔸 Newline (0x0a or \n)

Inline execution on Unix:
🔸 `injected command`
🔸 $(injected command)

Different characters behave

Web Security Academy (@websecacademy):

Who doesn't like swag?

We're always running Discord-only competitions, some cyber related and some just for the fun of it. 

If you want to win some cool swag, make sure to join our Discord server for your chance to win!

See you over there! 🤙 

Join now: discord.gg/portswigger

Web Security Academy (@websecacademy):

WAF filtering parentheses? Here’s how to bypass it 👇

Use a call function that doesn't use parentheses, like this one:

💥 onerror=alert;throw 1 💥

This works because 'onerror=alert' sets alert as the global error handler and then "throw 1" throws an error. That error is caught

Web Security Academy (@websecacademy):

Business logic flaws silently ruin secure apps.

They’re dangerous, persistent, and hard to detect.

Here are 6 best practices to prevent business logic vulnerabilities👇

1️⃣ Understand your domain

Developers and testers must understand the business logic driving the

Web Security Academy (@websecacademy):

How to use a single-use promo code more than once using Burp Suite!

In this quick-fire "Limit overrun race conditions" lab walkthrough you'll learn to:
- Create a Tab Group
- Duplicate tabs multiple times
- Send Group in Sequence
- Send Group in Parallel to win race
- Win a

Web Security Academy (@websecacademy):

Learn to exploit NoSQL like a pro! 🚀

This module walks you through fuzzing, logic bombs, data exfil via JavaScript and more!

Start learning today: portswigger.net/web-security/n…

Web Security Academy (@websecacademy):

Directory traversal lets you read ANY file on a web server!

In this video, you’ll learn how attackers exploit file path traversal vulnerabilities (and how to prevent them), including:
🔸 How file path traversal attacks manipulate servers
🔸 Techniques used to bypass weak defenses

Web Security Academy (@websecacademy):

Want to find HTTP Request Smuggling vulns without manually crafting weird requests? Check out HTTP Request Smuggler, a Burp Suite extension that automates it for you! Learn more: portswigger.net/research/http-…

Web Security Academy (@websecacademy):

LAB WALKTHROUGH: HTTP Request Smuggling – Confirming a TE.CL vuln via differential responses.

Learn how to smuggle a request to the back-end server, so that a subsequent request for / (the web root) triggers a 404 Not Found response.

Try this lab now: portswigger.net/web-security/r…

Web Security Academy (@websecacademy):

Learning Path: Path traversal

In this learning path, you'll explore how to exploit insecure file access to perform path traversal attacks (and how to prevent them).

You’ll learn:
🔸 What path traversal is and how it works
🔸 How to access arbitrary files using traversal

Web Security Academy (@websecacademy):

How a harmless-looking fallback can become a full-blown XSS 💥

JavaScript libraries often rely on user-supplied configuration objects. 

A common pattern is:
let transport_url = config.transport_url || defaults.transport_url;

If config.transport_url is undefined, the default is

Web Security Academy (@websecacademy):

Learning Path: API testing

In this learning path, you'll learn:
🔸 How to find undocumented or unused API endpoints
🔸 Techniques to discover hidden parameters
🔸 How to test for mass assignment and SSPP
🔸 Methods to prevent vulnerabilities in APIs

Start the API Testing