Quick Reference
Burp Suite Quick Reference
Hackers Manifest - hackersmanifest.com
Essential shortcuts, extensions, and configurations for web application testing. Current stable: Burp Suite 2024.x+ (Montoya API only).
OWASP Top 10 Coverage
Modern Web Attack Surface
HTTP/2: Burp 2024+ supports HTTP/2 smuggling and CL.0 / TE.0 desync. Enable Allow HTTP/2 ALPN override in Repeater.
HTTP/2 Rapid Reset (CVE-2023-44487): Test with Turbo Intruder + concurrent stream cancellation.
GraphQL: Install InQL for introspection, query templates, batched-query DoS.
WebSockets: Use the WebSockets History tab + Match and Replace to fuzz WS frames.
Race conditions: Turbo Intruder
engine=Engine.BURP2 with concurrentConnections=30 + last-byte sync (PortSwigger 2023 technique).
Server-side prototype pollution: Active scan check is built-in (Audit checks → Server-side prototype pollution).
⌨️ Global Shortcuts
| Send to Repeater | Ctrl + R |
| Send to Intruder | Ctrl + I |
| Forward Packet | Ctrl + F |
| Drop Packet | Ctrl + D |
| Switch Tab | Ctrl + Shift + T |
| Go/Start Attack | Ctrl + Space |
| URL Encode | Ctrl + U |
| URL Decode | Ctrl + Shift + U |
| Base64 Encode | Ctrl + B |
| Base64 Decode | Ctrl + Shift + B |
🔌 Proxy Configuration
| Default Listener | 127.0.0.1:8080 |
| CA Certificate URL | http://burp |
| Firefox Import | Settings → Privacy → Certificates → Import |
| Chrome Import | Settings → Security → Manage Certs |
| Invisible Proxy | Proxy → Options → Request Handling |
| Upstream Proxy | User Options → Connections |
🎯 Intruder Attack Types
| Sniper | Single payload, one position at a time |
| Battering Ram | Same payload in all positions |
| Pitchfork | Multiple lists, parallel iteration |
| Cluster Bomb | All combinations (cartesian product) |
Sniper: Username enumeration, single param fuzzing
Pitchfork: Credential stuffing (user:pass pairs)
Cluster Bomb: Brute force login
🧩 Essential Extensions
| Turbo Intruder | High-speed fuzzing, race conditions |
| Autorize | Authorization bypass detection |
| Logger++ | Advanced request/response logging |
| Param Miner | Hidden parameter discovery |
| JWT Editor | JWT manipulation & attacks |
| Active Scan++ | Extended scanner checks |
| Retire.js | Vulnerable JS library detection |
| Hackvertor | Encoding/decoding swiss army knife |
🔄 Match & Replace Rules
| Bypass WAF (UA) | User-Agent → Googlebot/2.1 |
| Remove CSP | Content-Security-Policy → (empty) |
| Remove X-Frame | X-Frame-Options → (empty) |
| Force HTTP | https:// → http:// |
| Add Header | ^Host: → Host:\nX-Custom: val |
| Change Method | GET → POST (request first line) |
🔍 Scanner Configuration
| Audit Speed | Fast / Normal / Thorough |
| Scan Type | Passive / Active / Full |
| Crawl Depth | Dashboard → New Scan → Crawl |
| Scope Control | Target → Scope → Include/Exclude |
| Issue Types | Audit → Issues → Configure |
⚡ Turbo Intruder - Race Condition
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=30,
requestsPerConnection=100,
pipeline=False)
for i in range(30):
engine.queue(target.req, gate='race1')
engine.openGate('race1')
def handleResponse(req, interesting):
table.add(req)Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com