Burp Testing Methodologies

These articles explain methodologies for using Burp Suite to test for various kinds of web application vulnerabilities. We plan to add more articles to this topic in the near future.

• The Burp Methodology
• Using Burp to Test for the OWASP Top Ten
• Using Burp to Bypass Client-Side Controls
• Using Burp to Bypass Hidden Form Fields
• Using Burp to Bypass Client Side JavaScript Validation
• Using Burp to Attack Authentication
• Using Burp to Brute Force a Login Page
• Using Burp to Attack Session Management
• Using Burp to Hack Cookies and Manipulate Sessions
• Using Burp to Test Session Token Generation
• Using Burp to Test Session Token Handling
• Using Burp to Test Access Controls
• Using Burp's "Request in Browser" Function to Test for Access Control Issues
• Using Burp to Test for Missing Function Level Access Control
• Using Burp to Test for Cross-Site Request Forgery (CSRF)
• Using Burp to Test for Insecure Direct Object References
• Using Burp to Test for Security Misconfiguration Issues
• Using Burp to Test for Sensitive Data Exposure Issues
• Using Burp to Test for Components with Known Vulnerabilities
• Using Burp to Test for Open Redirections
• Using Burp to Detect SQL Injection Flaws
• Using Burp to Detect SQL Injection Via SQL-Specific Parameter Manipulation
• Using Burp to Exploit SQL Injection Vulnerabilities: The UNION Operator
• Using Burp to Detect Blind SQL Injection Bugs
• Using Burp to Exploit Blind SQL Injection Bugs
• Using Burp to Find Cross-Site Scripting Issues
• Exploiting XSS - Injecting into Direct HTML
• Using Burp to Manually Test for Stored XSS
• Using Burp to Manually Test for Reflected XSS
• Exploiting XSS - Injecting into Tag Attributes
• Exploiting XSS - Injecting into Scriptable Contexts
• Using Burp to find Clickjacking Vulnerabilities
• Using Burp to Test for Code Injection Vulnerabilities
• Using Burp to Test for OS Command Injection Vulnerabilities
• Using Burp to Test for Path Traversal Vulnerabilities
• SQL Injection: Bypassing Common Filters
• SQL Injection in Different Statement Types
• SQL Injection in the Query Structure
• XSS: Defensive Filters
• Signature-Based XSS Filters: Introducing Script Code
• Bypassing Signature-Based XSS Filters: Modifying HTML
• Bypassing Signature-Based XSS Filters: Modifying Script Code
• XSS: Beating HTML Sanitizing Filters
• XSS: Beating HTML Sanitization Filters: Event Handlers
• XSS Filters: Beating Length Limits Using DOM-based Techniques
• XSS Filters: Beating Length Limits Using Shortened Payloads
• XSS Filters: Beating Length Limits Using Spanned Payloads
• Using Burp to Find SQL Injection Flaws
• Using SQL Injection to Bypass Authentication
• Using Burp to Investigate SQL Injection Flaws
• Using Burp with SQLMap