Professional Community

Bad Character Wordlist Generator

This extension creates wordlists of "bad characters" for penetration testing and bug hunting. It supports encoding options, prefix/suffix customization, and custom wordlists for generating payloads.

Features

  • Generate wordlists containing bad characters.
  • Add custom prefixes and suffixes to payloads.
  • Apply Base64, URL, HTML, Unicode, or Hex encoding to payloads.
  • Directly use generated wordlists in Intruder.
  • Easily save wordlists to a file or copy them to your clipboard.

Usage

Wordlist generator

  1. Navigate to the BadChar tab.
  2. Click "Generate Wordlist" to create a list of bad characters.
  3. Add a prefix or suffix using the text fields and click "Apply Prefix/Suffix."
  4. Choose an encoding method by clicking the respective button (e.g., "Base64 Encode").
  5. Click "Generate Wordlist", "Apply Prefix/Suffix" or "Clear Wordlist" to refresh your list.

Integration with Intruder

  1. Send a request to Burp Suite Intruder.
  2. In the Payloads menu, choose "Extension-generated".
  3. Select "BadChar" as the generator.
  4. Start the attack.

Author

Hashtag_AMIN

Version

1.0.0

Last updated

30 April 2025

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
