This is 3rd part of Automating Burp Suite, where we will try to replace the CSRF token generated from the response body to request the body user_token parameter in DVWA. Check out the next part where we have automated custom header replacement via burp suite extension.

This part is pretty straightforward. Till now you have a basic understanding of Burp Suite Macro. Now let’s jump into creating the automated login in web application.

  1. Run DVWA to on http://localhost/login.php
  2. Select the login request in which username and password parameters are passing.

This is the 4th tutorial where I have developed a Burp Extension using jython and implemented addition on custom header in the request headers derived from response body/response header using Burp Suite Macro.

This custom header extension can be directly invoked and it can be used for automating CSRF tokens or JWT Token in the request headers. There were multiple custom extensions which implemented JWT or Authorisation token but this extension can be customised according to the need. Also this blog will guide you through how to write extensions in Burp Suite using Jython. …

In the part-2 of Automating Burp Suite, we are automating login and performing authenticated scanning using Burp Suite Macro.

Reference Image

While performing penetration testing or during authenticated scan for compliance for any kind of testing of web applications, this authenticated session handling is required. While running scan, Burp Suite crawler by default performs unauthenticated scans. To produce more effective results especially when running Burp’s Spider or Scanner against an application, burp’s session handling functionality helps to continue manual and automated testing while Burp authenticates in the background.

This tutorial demonstrates how to Burp’s session handling rules to ensure authenticated scan when…

Using Burp’s Session Handling Rules with anti-CSRF Tokens

Burp suite allows pentesters to set session-management rules. It is possible to set up session-management rule via Macro. Here we will try to create a Macro for automating the process of capturing CSRF tokens. Then we will try to validate it via repeater and browser tab.

Anti-CSRF tokens are randomly generated tokens that are associated with the user’s current session. They are contained within HTML forms and links associated with sensitive server-side operations. An anti-CSRF token should be included in the request when users perform sensitive operations (e.g. banking transfer). The server should verify the existence and authenticity of this…

This blog is about the misconfiguration issue in the ISP I was using. While working on Shodan, I discovered that ISP has left WiFi modem/router with public IP and default password. Which may lead to the hacking of multiple ISP customers by malicious attackers. I have tried contacting them via Twitter.
None of the users were exploited or troubled. Data is masked and used only for POC and reporting purposes.



There was a login page of the router/modem that will appear at and then I didn’t know the username or password of my router’s console. So being a security…


HTML injection is a type of injection vulnerability that occurs when a user is controlling an input point and can inject arbitrary HTML code into a vulnerable web page.
It was possible to inject <a> tag along with Punycode domain and creating the phishing comment thus used by an attacker to attack any person by making the image public.

Attack Scenario:

The Photo sharing allows comment and photo upload with heart emoticon on the While commenting, it is possible to inject any URL with arbitrary text and it behaves as a hyperlink in the comment. The HTML <a> element (or anchor…

Privacy Violation issue Instagram.


Block feature allows any user to block any other user whom they don’t want to interact or view their profile. There is a separate mute button when a user doesn’t want to block another user but don’t want to view their posts/story/message.

Here while testing I was able to find a way by which user who has blocked another user can still receive the notification which can lead to privacy violation.

Vuln Type:

· Privacy / Authorization


· Android

· Version:


Suppose user A was harassing user B, so user B blocked the harasser. But earlier they…

osTicket is a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface

How osTicket works for you

  1. Users create tickets via your website, email, or phone.
  2. Incoming tickets are saved and assigned to agents.
  3. Agents help your users resolve their issues

osTicket is an attractive alternative to higher-cost and complex customer support systems; simple, lightweight, reliable, open-source, web-based and easy to set up and use. The best part is, it’s completely free.

  1. CentOS 6
  2. Apache
  3. PHP5.6 or greater
  4. MySQL 5.0 or greater
  1. Update the Server Dependencies
  2. Install LAMP
  3. Install osTicket

This writeup is about a critical broken access control along with unrestricted file upload on the server. This company had a bug bounty program for a very long time. I challenged myself to find bugs in the main application which was already tested multiple times. Here due to non-disclosure policy, the application server is considered as an

This issue was acknowledged but it was neither rewarded nor any further feedback was provided with absolutely no hall of fame.


There was a support page which allowed the creation of tickets by the user and allowed to upload a screenshot for…

While working for browser-based attacks on the URL bar, I learned a way where it was still possible to spoof address bar in safari. None of the previous exploits was working but while trying something similar, the browser was behaving differently. Initially, I was unable to hold the page long enough for the keyboard to appear and then hovering over it to get the virtual keyboard.
So after researching for multiple functions and calling a function inside a function caused enough delay in loading the page.
Tested on Safari on iPhone 5s Updated to iOS 12.3 version(latest version) and iOS 13.
It was…

Divyanshu Shukla

Sr. Security Engineer | DevSecops | Cloud Security | Linux Administrator | Threat Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store