RomHack Training
Come to Roma 🇮🇹 in September and attend the only in-person public training session I'll give in 2026!
And if you like camping with other hackers (as I do), stay over the weekend for the 3-day long RomHack Camp
romhack.io/training/
04.03.2026 14:05
Since EA 2026.2, there's a search bar in Proxy History and it doesn't work exactly like the usual display filter. Let me explain...
- the filter searches in requests, responses and notes
- the search bar looks for the keyword in the table of entries itself (including custom and/or hidden columns)
17.02.2026 18:45
Out of curiosity, I counted how many configurable hotkeys exist in Burp Pro
In Early Adopter version 2026.1.1, the answer is 168
26.01.2026 09:05
I really have to try this new MultiEncoder
06.12.2025 12:18
Burp Hackvertor has a bunch of new shortcuts and functionality. Try them out in Burp. They are activated from a Burp repeater request.
03.12.2025 12:29
Agarri
Training
The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published
- March 24th to 27th, in French 🇫🇷
- April 14th to 17th, in English 🇬🇧
hackademy.agarri.fr/2026
PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon
24.11.2025 10:14
Burp's command palette
Burp now has a command palette (similar to the one in VS Code)
portswigger.net/cms/images/4...
14.11.2025 13:07
Coming to Hackvertor soon...
Big thanks to CoreyD97 for the suggestion!
14.11.2025 22:45
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
11.11.2025 14:49
Maybe the next step will be the possibility to also enable extension-provided checks individually
07.11.2025 08:55
1) BChecks can be enabled individually
2) The configuration screen reflects settings loaded from the library
07.11.2025 08:54
PortSwigger changed the way the Scanner configuration looks (at least in Early Adopter releases) and I really like the new layout
07.11.2025 08:52
GitHub - honoki/burp-copy-unique-domains
I wrote a small utility to copy unique domains, URLs, paths, filenames or directories from a selection on the Target Map in Burp Suite.
The directories option is especially useful in combination with something like ffuf, e.g. for /path/to/folder/file.txt it will return the list
/path
/path/to
/path/to/folder
20.10.2025 13:21
Great news! When creating a scan configuration, all non-default settings are now saved
The ugly UX where only opened panes were saved is gone (since at least EA 2025.9.1)
25.10.2025 12:17
Hacking a Vibe Coded App with Burp AI!
YouTube video by Tib3rius
A few days ago, @tib3rius.bsky.social published a video where he uses Burp AI features to hack on a vibe-coded web app
www.youtube.com/watch?v=lHby...
20.10.2025 11:08
New video, Decrypting TLS traffic in Wireshark. How to extract TLS keys from Burp, ZAP, and curl and then import them into Wireshark to see the raw traffic.
youtu.be/bSt6E48mGuc
08.10.2025 10:05
If you're confused by the amount of resources stored in the JAR, here's a hint
Check out "resources/Scanner/jwt_secrets.txt". It contains over 100k passwords used by the passive scanner to decrypt JWT tokens
And it works: that's how @evilpacket.net scored a $1500 bug affecting Cursor
23.06.2025 08:35
Penetration Testing
Request a penetration test for your AWS cloud infrastructure here.
In case you missed it, AWS updated its policy about pentesting, and "Amazon API Gateway" (used by the extension "IP Rotate") isn't allowed anymore
aws.amazon.com/fr/security/...
01.10.2025 09:21
Hackvertor v2.1.25 has been released and fixes the content-length problem!
25.09.2025 09:32
Hackvertor v2.1.24 has a major bug where it doesn't update the content-length. Sorry about that. I've fixed it in v2.1.25. I'll try and get it updated on the BApp store ASAP. Gutted I missed this, sorry I'll try to do better in future.
25.09.2025 07:56
This one-liner shows the details of the most recent EA release of Burp Suite Pro
curl -s portswigger.net/burp/release... | jq -r '[.ResultSet.Results[] | select(.releaseChannels[0] == "Early Adopter")][:2] | .[] | "=== Version EA v\(.version), \(.releaseDate) ===", "\(.content)"' | html2text
18.09.2025 08:45
TIL Peter Weiner is on LinkedIn
www.linkedin.com/in/peter-wei...
Did I send him an invitation? OF COURSE!!
Has he accepted it? Not yet, but fingers crossed.
12.09.2025 10:45
Here's the official doc from Oracle, which you'll need in order to fully understand the regexp I posted above
docs.oracle.com/javase/8/doc...
10.09.2025 13:31
A Burp Suite session handling rule with the "Match and replace" action. The regexp requires the embedded flag "(?-s)" in order to only impact the "User-Agent" header
You never know when an obscure piece of trivia about Java regular expressions may be useful IRL
Today, I used the embedded flag "(?-s)" to disable the DOTALL mode and be able to work on a single line
The goal was to append a string to the User-Agent header, and it now works perfectly
10.09.2025 13:23
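The DOTALL behaviour described in the post above, as an added example (not code from the post, whose actual regexp is not reproduced on this page). The pattern, the appended marker and the sample request are constructed, and compiling with Pattern.DOTALL is an assumption standing in for the mode the post says had to be disabled.

```java
import java.util.regex.Pattern;

public class UserAgentAppend {
    // Constructed sample request; host, path and cookie are placeholders.
    static final String REQUEST =
        "POST /api/items HTTP/1.1\r\n"
        + "Host: app.example.test\r\n"
        + "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
        + "Cookie: session=abc123\r\n"
        + "Content-Length: 7\r\n"
        + "\r\n"
        + "id=1337";

    // Hypothetical marker appended to the header value.
    static final String REPLACEMENT = "$1 engagement-42";

    // Assumption: the rule's regex runs with DOTALL enabled, which is the
    // mode the post had to switch off. Pattern.DOTALL models that here.
    static String rewrite(String regex) {
        return Pattern.compile(regex, Pattern.DOTALL)
                      .matcher(REQUEST)
                      .replaceFirst(REPLACEMENT);
    }

    // Returns the User-Agent line of a request, or "" if absent.
    static String userAgentLine(String request) {
        for (String line : request.split("\r\n")) {
            if (line.startsWith("User-Agent:")) return line;
        }
        return "";
    }

    public static void main(String[] args) {
        // With DOTALL, ".*" crosses CRLF and swallows everything up to the
        // end of the body, so the marker lands after "id=1337".
        String greedy = rewrite("(User-Agent: .*)");
        // "(?-s)" clears DOTALL from that point on: "." stops at the first
        // line terminator and only the header value is captured.
        String scoped = rewrite("(?-s)(User-Agent: .*)");

        for (String out : new String[] {greedy, scoped}) {
            System.out.println("User-Agent line: " + userAgentLine(out));
            System.out.println("body intact:     " + out.endsWith("\r\nid=1337"));
            System.out.println();
        }
    }
}
```

In the first case the User-Agent line is unchanged and the body no longer matches its Content-Length; in the second only the header value carries the marker.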