BurpSuiteHTTPSmuggler

by nccgroup

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number ...

479 Stars 83 Forks Last release: about 2 years ago (v0.1) GNU Affero General Public License v3.0 13 Commits 1 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Burp Suite HTTP Smuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.

The initial release (v0.1) only supports the Encoding capability that can be quite complicated to be performed manually. See the references for more details.

Next versions will include more techniques and possible bug fixes.

Example Screenshots

AppSec EU 18 - example1

AppSec EU 18 - example2

References:

  • https://appseceurope2018a.sched.com/event/EgXc/waf-bypass-techniques-using-http-standard-and-web-servers-behavior
  • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/
  • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/

Released under AGPL v3.0 see LICENSE for more information

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.