aeondave/burpsuite
offensive-tools/vuln-scanners/burpsuite/SKILL.md
Burp Suite: integrated web application security testing platform with proxy, scanner, intruder, and repeater. Use when testing web apps by intercepting/modifying HTTP traffic, fuzzing endpoints, exploiting SQLi/XSS/IDOR manually, or running automated active scans. Community free; Pro required for scanner and Turbo Intruder.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill burpsuiteInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:50 AM374.0s3 files scanned
SKILL.md
- name:
- burpsuite
- description:
- Burp Suite: integrated web application security testing platform with proxy, scanner, intruder, and repeater. Use when testing web apps by intercepting/modifying HTTP traffic, fuzzing endpoints, exploiting SQLi/XSS/IDOR manually, or running automated active scans. Community free; Pro required for scanner and Turbo Intruder.
- license:
- Commercial (Pro) / Free (Community)
- compatibility:
- Windows / macOS / Linux. Java 11+. Download from portswigger.net/burp.
- author:
- AeonDave
- version:
- 1.1
Burp Suite
Web application security testing platform.
Quick Start
burpsuite
# Set browser proxy: 127.0.0.1:8080
# Install CA cert: browse to http://burp → CA Certificate (or Proxy → Options → Import/Export CA)
# Firefox: FoxyProxy extension for quick toggle
Core Tools
| Tool | Use | |------|-----| | Proxy | Intercept / modify HTTP/S traffic | | Repeater | Replay and modify single requests | | Intruder | Automated fuzzing / brute-force | | Scanner | Active/passive vuln detection (Pro) | | Decoder | Encode/decode URL, Base64, hex, HTML | | Comparer | Diff two HTTP responses or requests | | Extender | Load BApp plugins | | Logger | Full HTTP traffic log (Pro) |
Shortcuts
| Shortcut | Action |
|----------|--------|
| Ctrl+R | Send to Repeater |
| Ctrl+I | Send to Intruder |
| Ctrl+D | Send to Decoder |
| Ctrl+F | Forward intercepted request |
| Ctrl+Z | Drop request |
| Ctrl+S | Save item |
| Ctrl+A | Select all |
Proxy: Key Settings
Proxy → Options:
- Intercept Client Requests: check "URL is in target scope"
- Match and Replace: inject headers, modify values without intercepting every request
Proxy → HTTP History:
- Filter: show only in-scope, exclude images/CSS/JS
- Ctrl+F: search across all history (regex supported)
- Right-click → Add to scope / Send to Intruder/Repeater/Scanner
Match and Replace rules
# Proxy → Options → Match and Replace
# Add rule:
Type: Request header
Match: ^
Replace: X-Forwarded-For: 127.0.0.1
# Type: Response body
# Match: You must be logged in
# Replace: Welcome admin
# (useful for bypassing client-side auth checks)
# Type: Request header, Replace: Authorization: Bearer <stolen_token>
# Auto-injects auth on every request
Scope Configuration
Target → Scope → Include in scope:
Protocol: https
Host: ^target\.com$ # regex supported
Path: ^/api/
# "Use Advanced Scope Control" for regex rules
# Project → Options → Out-of-scope URLs: Drop → avoids noise
Intruder Attack Types
| Type | Use Case | |------|----------| | Sniper | One payload set, one position at a time | | Battering Ram | Same payload in all positions simultaneously | | Pitchfork | One payload per position, parallel lists | | Cluster Bomb | All combinations (cartesian product) |
# Brute-force login:
POST /login → Intruder → Cluster Bomb
§username§ → payload list: users.txt
§password§ → payload list: passwords.txt
# Grep Match: "Invalid credentials" → failed
# Grep Match: "Welcome" → success
# Sort by length to find successful responses
Repeater Workflows
# Manual SQLi test:
GET /item?id=1 → Repeater
Modify: id=1' → check for error
id=1 AND 1=1 → check for normal response
id=1 AND 1=2 → check for different response
# IDOR test:
GET /api/user/123 → Repeater
Change 123 → 124, 125 (other users)
Check response for data leakage
# HTTP Request Smuggling (Pro/manual):
Change Connection: keep-alive
Add Transfer-Encoding: chunked
Craft ambiguous body
Common Workflows
Auth bypass (parameter tampering)
- Intercept login request
- Observe response → session cookie/token
- Forward → capture admin endpoint request
- Replay with modified role/flag parameters
Session token analysis
Sequencer → Token Location: Cookie/Header
Start Live Capture → 10,000+ samples
Analyze → check entropy (should be >100 bits effective entropy)
Active Scanner (Pro)
# Right-click target in Proxy History → Scan
# Or: Dashboard → New Scan → URL → select scan type
# Audit checks: SQL injection, XSS, XXE, SSRF, path traversal, etc.
# Scan configuration:
# Built-in: "Audit coverage - maximum" vs "Audit checks - critical issues only"
# Custom: reduce noise, set concurrency, timeout
Bambda (Java lambda filters, Burp 2023+)
// Filter History to show only 4xx with JSON body:
return requestResponse.response().statusCode() >= 400
&& requestResponse.response().statusCode() < 500
&& requestResponse.response().hasHeader("Content-Type", "application/json");
// Find requests with Authorization header:
return requestResponse.request().hasHeader("Authorization");
// Find responses containing "password" (case-insensitive):
return requestResponse.response().bodyToString().toLowerCase().contains("password");
Extensions (BApp Store)
# Install: Extender → BApp Store
| Extension | Purpose | |-----------|---------| | Autorize | Detect IDOR / broken access control automatically | | JWT Editor | Decode/modify/forge JWT tokens | | Turbo Intruder | High-speed fuzzing (Python, async) | | Active Scan++ | Additional active scan checks | | Param Miner | Discover hidden/unlinked parameters | | 403 Bypasser | Auto-test auth bypass techniques | | Logger++ | Advanced traffic logging | | JS Miner | Extract endpoints from JS files | | Upload Scanner | Test file upload for dangerous types | | Hackvertor | Multi-step encoding/decoding |
Turbo Intruder example
# High-speed race condition test:
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=30,
requestsPerConnection=100,
pipeline=True)
for i in range(30):
engine.queue(target.req, str(i))
def handleResponse(req, interesting):
if '200' in req.status:
table.add(req)
Resources
| File | When to load |
|------|--------------|
| references/bapp-extensions.md | Plugin selection, Autorize/JWT/ParamMiner config |
| references/intruder-patterns.md | Attack type selection, payload processing, grep rules |
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026